DETAILED ACTION
This office action is in response to the application filed on 5/27/2020.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority/Benefit
Applicant’s benefit claim is hereby acknowledged of the provisional application 62/916,641 filed on 10/17/2019, which papers have been placed of record in the file.
Examiner’s Note – Allowable Subject Matter
Claims 4-7 and 11-14 are objected to as being allowable, yet remain dependent upon a rejected claim and would otherwise be allowable if incorporated into the independent claims along with any intermediate claims.  Claims 18-20 would overcome the prior art if made to overcome the rejections under 35 USC 112 as well as incorporated into the independent claims along with any intermediate claims.

Claim Interpretations - 35 USC § 112(f)
The following is a quotation of 35 U.S.C. 112 (f): 
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
	As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
	Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
	Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  
Such claim limitation(s) is/are: “A network monitoring device configured and operable to: receive packets in a traffic flow; perform cardinality estimation on the received packet traffic flow; maintain in the storage repository a series of cardinalities for claim 15;

	“The monitoring device of claim 15, wherein determining an alert condition includes: determine if determined cardinality values associated with currently received packet traffic flows is greater than a calculated geometric mean cardinality regarding cardinality values associated with previous received traffic flows by a prescribed 'n' geometric standard deviation of cardinalities; and cause a mitigation system operable to monitor received packets to enter a first state for determining a DoS attack when the determined cardinality values associated with packet traffic flows currently received is determined greater than the calculated geometric mean cardinality associated with previous received traffic flows by a prescribed 'n' geometric standard deviation of cardinalities” in claim 18;

	“The monitoring device of claim 18, wherein determining an alert condition further includes: determine if a determined cardinality values associated with packet traffic flows currently received is greater than a calculated geometric mean cardinality of past cardinality values by a '2n' geometric standard deviation of cardinalities; and cause the mitigation system to enter a second state operable to conduct predefined mitigation actions to prevent a DoS attack when the cardinality values associated with packet claim 19.

	Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112 (b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim(s) 15-20  is/are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Regarding claim(s) 15, the phrase “the storage repository” makes the claims indefinite and unclear in that it lacks antecedent basis.
	Dependent claim(s) 16-20 is/are rejected for the reasons presented above with respect to rejected claim(s) 15 in view of their dependence thereon.

Regarding claim(s) 15, 18, and 19, the claim limitations identified above respectively invoke 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is devoid of adequate structure for performing the claimed function.  Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.

Dependent claim(s) 16-20 is/are rejected for the reasons presented above with respect to respective rejected parent claim(s) in view of their dependence thereon. 

	Applicant may:
	(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
	(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

	If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
	(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
	(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 112
	The following is a quotation of 35 U.S.C. 112 (a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
Claims 15, 18, and 19 are rejected under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph, because the claim purports to invoke 35 U.S.C. 112(f) or pre-AIA  35 
	The dependent claims 16-20 inherit the deficiencies of the claims upon which they ultimately depend; the analysis provided above applies to each of these claims, and they are rejected as well. 
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 8-10, and 15-17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kohout et al. (US 2018/0205750 A1), in view of Jain et al. (US 2019/0014084 A1). 

Regarding claims 1 and 15, Kohout teaches:
“A computer method for detecting a Denial of Service (DoS) attack by detecting changes in recent cardinality of a network traffic flow (Kohout, Fig. 3 depicts a monitored ce-2 110 which captures traffic information about the plurality of network devices which ), the method comprising:
	receiving packets in a traffic flow (Kohout, ¶ 40-43 ce-2 receives packets in various flows and captures their information);
	performing cardinality estimation on the received packet traffic flow (Kohout, ¶ 42, 47, 49, 64, and 67-71 teaches analyzing packet flow and determining the cardinality for various message pairs in the flow data for use in machine learning cluster analysis);
	maintaining a series of cardinalities for prior packet traffic flows (Kohout, Fig. 2, ¶ 31 Fig. 3 and ¶ 39-43 depict and disclose edge router capturing and storing traffic flow information.  Kohout, ¶ 36-37 discloses that the information is collected for machine learning algorithms, thus being stored.  Kohout, ¶ 64, and 67-71 teaches that the information being stored includes cardinality information); and
	determining an alert condition for the network traffic flow regarding a suspected DoS attack (Kohout, ¶ 33-34 teaches that the types of conditions which can be determined from the traffic analysis system includes denial of service attacks.  Kohout, ¶ 44 teaches that when a malicious attack is detected an alert is sent to an administrator)”.
Kohout does not, but in related art, Jain teaches:
“detecting changes in cardinalities associated with prior packet traffic flows compared to determined cardinalities of a current packet traffic flow (Jain, ¶ 29 teaches detecting cardinalities to packets including information regarding packet flows.  Jain, Fig. 9 ¶ 58 and Fig. 10 ¶ 59-62 and ¶ 75 teach monitoring cardinality of flows for changes based on hash tables to enable real time analysis of anomalous behavior appearing in traffic flows); and 	based upon the detected changes in cardinalities regarding comparison of the determined cardinalities associated with prior packet traffic flows compared to determined cardinalities of a current packet traffic flow (Jain, Fig. 9 ¶ 58 and Fig. 10 ¶ 59-62 and ¶ 75 teach monitoring cardinality of flows for changes based on hash tables to enable real time analysis of anomalous behavior appearing in traffic flows)”.
	Before applicant’s earliest effective filing date, it would have been obvious to one of ordinary skill in the art, having the teachings of Kohout and Jain, to modify the flow-based denial of service detection system of Kohout to include the real-time HyperLogLog cardinality detection system of Jain.  The motivation to do so constitutes applying a known technique (i.e., real-time HyperLogLog cardinality detection system) to known devices and/or methods (i.e., flow-based denial of service detection system) ready for improvement to yield predictable results. 

Regarding claims 2, 9, and 16 Kohout in view of Jain teaches:
“The method of claim 1 (Kohout in view of Jain teaches the limitations of the parent claims as discussed above and below), wherein the cardinality estimation on the received packets includes utilization of a sliding HyperLogLog (HLL) process (Jain, ¶ 59-63 teaches that the measurement of cardinality can be implemented using a loglog bitmap including the use of the HyperLogLog algorithm.  Further, Jain ¶ 44 discloses that the packet data capture can be accomplished using the well-known sliding window operation)”.

Regarding claims 3, 10, and 17, Kohout in view of Jain teaches:
“The method of claim 2 (Kohout in view of Jain teaches the limitations of the parent claims as discussed above and below), wherein the HLL process includes a sliding window process (Jain, ¶ 59-63 teaches that the measurement of cardinality can be implemented using a loglog bitmap including the use of the HyperLogLog algorithm.  Further, Jain ¶ 44 discloses that the packet data capture can be accomplished using the well-known sliding window operation)”.

Regarding claim 8, Kohout teaches:
“A monitoring system for detecting a Denial of Service (DoS) attack by detecting changes in recent cardinality of a network traffic flow comprising:
	a monitored network comprising a plurality of devices (Kohout, Fig. 3 depicts a monitored ce-2 110 which captures traffic information about the plurality of network devices);
	a storage repository for storing network traffic flow information (Kohout, Fig. 2, ¶ 31 Fig. 3 and ¶ 40-43 depict and disclose edge router capturing and storing at least ephemerally traffic flow information); and
	one or more network monitoring devices communicatively coupled to the monitored network and to the storage repository (Kohout, Fig. 3 depicts a monitored ce-2 110 which captures traffic information about the plurality of network devices which are all networked to each other), wherein the one or more network monitoring devices are configured and operable to:
	receive packets in a traffic flow (Kohout, ¶ 40-43 ce-2 receives packets in various flows and captures their information);
	perform cardinality estimation on the received packet traffic flow (Kohout, ¶ 42, );
	maintain in the storage repository a series of cardinalities for prior packet traffic flows (Kohout, Fig. 2, ¶ 31 Fig. 3 and ¶ 39-43 depict and disclose edge router capturing and storing traffic flow information.  Kohout, ¶ 36-37 discloses that the information is collected for machine learning algorithms, thus being stored.  Kohout, ¶ 64, and 67-71 teaches that the information being stored includes cardinality information); and
	determine an alert condition for the network traffic flow regarding a suspected DoS attack (Kohout, ¶ 33-34 teaches that the types of conditions which can be determined from the traffic analysis system includes denial of service attacks.  Kohout, ¶ 44 teaches that when a malicious attack is detected an alert is sent to an administrator)”.
Kohout does not, but in related art, Jain teaches:
“detect changes in cardinalities associated with prior packet traffic flows compared to determined cardinalities associated with a current packet traffic flow (Jain, ¶ 29 teaches detecting cardinalities to packets including information regarding packet flows.  Jain, Fig. 9 ¶ 58 and Fig. 10 ¶ 59-62 and ¶ 75 teach monitoring cardinality of flows for changes based on hash tables to enable real time analysis of anomalous behavior appearing in traffic flows);
based upon the detected changes in cardinalities regarding comparison of the cardinalities associated with prior packet traffic flows compared to cardinalities of a current packet traffic flow (Jain, Fig. 9 ¶ 58 and Fig. 10 ¶ 59-62 and ¶ 75 teach monitoring cardinality of flows for changes based on hash tables to enable real time analysis of anomalous behavior appearing in traffic flows)”.
constitutes applying a known technique (i.e., real time hyperloglog cardinality detection system) to known devices and/or methods (i.e., flow based denial of service detection system) ready for improvement to yield predictable results. 
 
Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status 
/STEPHEN T GUNDRY/Examiner, Art Unit 2435