DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 7 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent eligible subject matter because claim 7 recites "A computer program causing a computer to function" which is directed towards software per se.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not 
Because these limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof, see specification [para. 0016, 0027, 0031, 0047].
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over KUBOTA (US-20060288413-A1) in view of ST. PIERRE (US-20180091547-A1), hereinafter KUBOTA-ST. PIERRE.

Regarding claim 1, KUBOTA teaches “A control device comprising: a controller configured to instruct a mitigation device executing a defending process against an attack on a network to execute the defending process in response to reception of a defending request indicating a request for executing the defending process” ([KUBOTA, Paragraph 0042] “In this instruction detection and prevention system SYS, when the attack detection unit 13 of the primary detection node 10 detects the determination of the attack, the screening request unit 15 requests the screening nodes 30 (30 a, 30B, 30C) corresponding to the primary detection node 10 and the secondary nodes 20 (20A, 20B) to screen from the flow via a network communication line. Further, when the attack detection unit 13 of the primary detection node 10 detects the suspicion of the attack, the suspicion notifying unit 14 notifies the secondary detection nodes 20 together with the flow information that there is the suspicion of the attack via a communication line of a network NW1 etc.”) ([KUBOTA, Paragraph 0045] “The secondary detection nodes (20A, 20B) receiving the notification refers to the terminal information database 21, and judges whether the flow is set as the screening target or not by use of the screening judging unit 22 thereof. If set as the screening target, the corresponding screening nodes 30 (30 a, 30B) are requested to screen from the flow. The screening nodes 30 receiving the screening request executes screening from the flow so that the flow is not relayed across within the network NW1 from this onward.”).
However, KUBOTA does not teach “wherein, when predetermined specific data included in the received defending request is valid, the controller instructs the mitigation device to execute the defending process at an earlier timing after the reception of the defending request than when the specific data is not valid or the specific data is not included in the defending request.”
In analogous teaching ST. PIERRE teaches “wherein, when predetermined specific data included in the received defending request is valid, the controller instructs the mitigation device to execute the defending process at an earlier timing after the reception of the defending request than when the specific data is not valid or the specific data is not included in the defending request.” ([ST. PIERRE, Paragraph 0007] “The attack mitigation devices are further configured to parse messages received from the protected device to identify a status flag indicative of malicious characteristic of message requests sent by the external device.”) ([ST. PIERRE, Paragraph 0026] “When deployed inline, the mitigation device 110 decides on a per-packet basis for all packets entering or leaving the protected network 101 whether to block (drop the packet) or forward (pass to the next-hop device).”) ([ST. PIERRE, Paragraph 0035] “More specifically, in step 302, the attack mitigation device 110 is configured to monitor responses, such as HTTP responses, from the protected devices, such as host 106 c, to the one or more external devices 125 a, 125 b. In some embodiments, all of the devices internal to the protected network 101 are configured to send, responsive to incoming requests, enhanced protocol messages with an agreed-upon flag (referred to hereinafter as the “status flag indicative of malicious characteristic of corresponding message requests” or simply “status flag”) to signal malicious characteristic of given source traffic (i.e., the received incoming requests). For example, if a web server, such as host 106 c, is the protected element and the host 106 c detects through its own internal logic that a source of an incoming request is malicious, the host 106 c could reply with an enhanced protocol response message which includes special HTTP status code that indicates to the mitigation device 110 that the source address should be blacklisted. 
Some special status codes can include, for example, 401—Unauthorized, 403—Forbidden, or 406—Not Acceptable …… This way the attack mitigation device 110 does not need to perform expensive DPI processing if the request is from the source that is monitored and that has been flagged by protected devices as good/bad.”) ([ST. PIERRE, Paragraph 0027] “DPI techniques used for DDoS attack mitigation can prove to be expensive in terms of CPU cycles and memory usage and can create communication bottlenecks. These communication bottlenecks significantly reduce the effective performance of the mitigation device 110, and thus, its usefulness.”)
Thus, given the teaching of ST. PIERRE, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of validating specific data in order to speed up network attack mitigation as taught by ST. PIERRE into the teaching of a defending process to defend against network attacks as taught by KUBOTA. One of ordinary skill in the art would have been motivated to do so because ST. PIERRE recognizes the need to improve performance and security of network devices. ([ST. PIERRE, Paragraph 2] “the present invention disclose a novel approach of performing packet analysis to identify a potential attack that can reduce the amount of costly DPI analysis performed per-packet by utilizing feedback provided by the protected devices. The disclosed approach provides a number of advantages. In one aspect, software programming code embodying the present invention provides an ability to detect an attack by using various detection methods implemented by the variety of protected devices, which are highly likely to be reliable.”)

Regarding claim 2, KUBOTA-ST. PIERRE teach all limitations of claim 1. ST. PIERRE further teaches “wherein, when the specific data is valid, the controller instructs the mitigation device to execute the defending process without executing some or all of processes executed when the specific data is not valid or the specific data is not included.” ([ST. PIERRE, Paragraph 0036] “Accordingly, in step 304, the attack mitigation device 110 may parse the response messages transmitted by the protected devices to identify a status flag indicative of malicious characteristic of message requests being sent by the external devices 125 a, 125 b. In an embodiment, in this step, the received response message(s) may be parsed by the attack mitigation device 110 to determine whether a status flag is set. It should be noted that an unset status flag reflects undetermined malicious characteristic of the external device.”) ([ST. PIERRE, Paragraph 0037] “In response to determining that the status flag is set (decision block 304, “Yes” branch), the attack mitigation device 110 may determine next whether the set status flag identifies traffic that is recognizably malicious (step 306). In one example, the status flag may be set to “true” when the original request message source is determined as being malicious by one of the protected devices and may be set to “false” when the original request message source is determined as being safe by one of the protected devices. In one embodiment, a firewall of the protected network 101 may make the determination in conjunction with an access control list.”) ([ST. PIERRE, Paragraph 0039] “According to an embodiment of the present invention, if the status flag is not set at all (decision block 304, “No” branch), in step 312, the attack mitigation device 110 may perform DPI processing on individual packets to identify malicious characteristics of the monitored requests from the external devices 125 a, 125 b.”)
The same motivation to modify KUBOTA with ST. PIERRE as in the rejection of claim 1, applies. 

Regarding claim 3, KUBOTA-ST. PIERRE teach all limitations of claim 2. Furthermore, this claim recites features similar to those in claim 2. Therefore, claim 3 is rejected with a similar rationale as in the rejection of claim 2. ST. PIERRE further teaches “a determination process which is a process of determining whether there is an actual attack on a network which is an execution target of the defending process” ([ST. PIERRE, Paragraph 0039] “the attack mitigation device 110 may perform DPI processing on individual packets to identify malicious characteristics of the monitored requests from the external devices 125 a, 125 b. As a non-limiting example, the individual packets can be analyzed by the attack mitigation device 110 to find keywords which appear in the packets carrying layer-7 protocols data. The analysis may be performed on the header and/or payload portions of the packets. For instance, TCP packets can be analyzed to detect signatures or patterns of DDoS attacks intended to harm devices internal to the protected network 101. Other examples for performing DPI on the monitored packets will be apparent to one of ordinary skill.”).
The same motivation to modify KUBOTA with ST. PIERRE as in the rejection of claim 1, applies. 


Regarding claim 4, this claim recites a communication system that corresponds to the control device of claim 1. Therefore, claim 4 is rejected with a similar rationale as in the rejection of claim 1. KUBOTA further teaches “a detection device configured to detect an attack on a network and transmit a defending request indicating a request for executing a defending process for the network;” ([KUBOTA, Paragraph 0046] “Thus, in this instruction detection and prevention system SYS, the plurality of threshold values for the attack suspicion level and the attack determination level are introduced as the threshold values, and, at a point of time when suspicious of the attack, the instruction detection and prevention device that accommodates the attacker terminal (or in close proximity to the attacker terminal) judges based on the self-retained terminal information whether the screening should be done or not, thereby making it possible to prevent an influx of massive attacking traffic into the relay network”).


Regarding claim 5, KUBOTA-ST. PIERRE teach all limitations of claim 4. ST. PIERRE further teaches “wherein the detection device validates the specific data of the defending request in accordance with a predetermined condition related to the detected attack.” ([ST. PIERRE, Paragraph 0045] “In response to determining that the diverted request contain the source IP that has not been whitelisted (decision block 404, “No” branch), in step 408, the attack mitigation device 110 determines if the source address of the external device contained in the diverted request already exists in the blacklist maintained by the attack mitigation device 110. In response to determining that protected resources are requested by one of the blacklisted external devices (decision block 408, “Yes” branch), such request is dropped by the attack mitigation device 110 in step 410 to mitigate the attack, according to an embodiment of the present invention.”)
The same motivation to modify KUBOTA with ST. PIERRE as in the rejection of claim 1, applies. 


Regarding claim 6, this claim recites a method claim that corresponds to the control device of claim 1. Therefore, claim 6 is rejected with a similar rationale as in the rejection of claim 1.


Regarding claim 7, this claim recites a computer program to perform functions that correspond to the control device of claim 1. Therefore, claim 7 is rejected with a similar rationale as in the rejection of claim 1.


The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
HUSTON (US-8990938-B2) discloses a system and method to receive incoming transmission and determine whether or not it is malicious through the use of a sensor/analyzing module. 







Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AFAQ ALI/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434