DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application is being examined under the first inventor to file provisions of the AIA.

Applicant(s) Response to Office Action
The response filed on 12/17/2021 has been entered and made of record.

Examiner’s Note – Allowable Subject Matter
As stated previously, Claims 3, 5, 10, and 12 are objected to as being allowable over the prior art, yet remain dependent upon a rejected claim and would otherwise be allowable if incorporated into the independent claim along with any intervening claims.

Response to Amendment/Remarks
Claim 15 has been amended.  Claims 1-15 remain pending in the application.

Applicant's remarks and/or amendments to claims have overcome each and every claim objection and rejection under 35 U.S.C. 101 previously set forth.  Accordingly, said claim rejections as articulated therein are withdrawn.

Applicant's remarks have been fully considered.  The examiner addresses each of the applicant’s remarks below.  The remarks on pg. 7 – pg. 8 ln. 3 have been addressed above.  Remarks pg. 8 ln. 4-10 restate the grounds of rejection under 35 USC 103.  Remarks pg. 8 ln. 10-20 cite various caselaw deemed to be useful in the 
Remarks pg. 9 ln. 1-15 allege that the cited prior art does not teach various limitations.  Remarks pg. 9 ln. 16-17 state that the office action alleges that Kang discloses “monitoring data traffic transmitted from at least one source computer to a host server”.  We observe that the scope of this limitation only encompasses the words contained in the limitation and not any possible features perhaps disclosed by the applicant’s specification.  Kang, ¶ 25 Ln. 1-5 discloses monitoring and thus capturing the 
Remarks pg. 9 ln. 15 – pg. 10 include a discussion about the fact that Kang teaches an inline monitoring of the packet information.  However, the claim broadly encompasses inline monitoring.  The applicant says that Kang is not relevant to claim 1; however, the prior art is specifically devoted to the problem of solving DOS attacks.  The applicant states that Kang is not effective against DOS attacks and then acknowledges that Kang’s teaching provides some relief against attacks, which is in fact useful.  Remarks pg. 10 ln. 8-12 state that the claim relies upon this “modifying” step which was not relied upon in Kang and is irrelevant to rebut the usefulness of the Kang reference.  Kang is relied upon to teach “monitoring”, “detecting” a DOS attack, which it accomplishes, and “generating” some kind of mitigation in response to detecting the attack.
Remarks pg. 10 ln. 13-19 restate part of the 103 rejection.  Remarks pg. 10 ln. make a very important concession, “El-Moussa discloses a solution based on a proxy device arranged inline with the traffic path”.  Here we observe that the teachings of Kang and El-Moussa are quite combinable since Kang teaches an inline DOS detection and mitigation strategy and El-Moussa provides a different inline DOS mitigation strategy.  Remarks pg. 10 ln. 22 – pg. 11 ln. 3 allege that this is different than the given claim 
Remarks pg. 11 ln. 4-22 deal with the primary disagreement between the applicant and the examiner regarding the scope of the limitation “generating at least one data frame by modifying at least one data frame obtained from the data traffic transmitted from the at least one source computer being involved in the Denial of Service attack”.  We observe that the limitation does not simply say “modifying at least one data frame”; it says “generating at least one data frame by modifying at least one data frame”, and the examiner has carefully searched for a reference which accomplishes what the claim actually states.  Merriam-Webster dictionary defines generate as “to bring into existence”.  Here, the claim is stating that a new frame is being created which is a function of the information of a previous frame that has been changed.  As the applicant states in the current section of the remarks being discussed, El-Moussa is using source IP address and destination IP address from an existing frame whose information, using a table as part of the memory structure necessary to create new packets which are NACK messages.  This correctly teaches the first portion of the limitation given the limitation’s plain meaning.  If the applicant intended for the limitation to have a different claim scope, then clarification is required.
Remarks pg. 12 ln. 1-10 next allege that El-Moussa does not teach “a plurality of data fields in the generated at least one data frame representing address information of the host server as a source of the at least one generated data frame are set to correspond to address information of the at least one source computer being involved in the Denial of Service attack”.  Here the claim scope of the limitation first broadly states 
Remarks pg. 12 ln. 11-15 appear to rely heavily on El-Moussa ¶ 63 while ignoring the previously cited paragraphs.  Remarks pg. 12 ln. 19 – pg. 13 ln. 2 make conclusory statements regarding the previous arguments and, as demonstrated above, are not persuasive.
Remarks pg. 13 ln. 3-23 essentially map the remarks made for claim 1 to the remaining claims and are unpersuasive for the same reasons as provided above.  Examiner notes the claims were rejected under AIA 35 USC 103, not pre-AIA 35 USC 103(a).  Remarks pg. 14 presents conclusion and contact information.
	

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 4, 6-8, 11, and 13-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kang et al. (US 2012/0151583 A1), in view of El-Moussa et al. (US 2010/0122342 A1). 
Regarding claims 1, 8, and 15, Kang teaches:
“A method for defending against a Denial of Service attack (Kang, ¶ 46, teaches a processor, memory and computer readable medium configured to execute a DDOS detection and mitigation system), the method comprises:
monitoring data traffic transmitted from at least one source computer to a host server (Kang, ¶ 20-25 monitoring traffic to a protected device from one or more transmitting devices),
detecting that the at least one source computer transmitting data is involved in a Denial of Service attack (Kang, ¶ 30-31 and 35, for a given flow to a target protected computer a DDOS attack is detected),
in response to the detection that the at least one source computer is involved in the Denial of Service attack generating (Kang, ¶ 31-34, based on the detection of a DDOS attack, mitigation strategies are generated to thwart the attack)”.
Kang does not, but in related art, El-Moussa teaches:
“generating at least one data frame by modifying at least one data frame obtained from the data traffic transmitted from the at least one source computer being involved in the Denial of Service attack so that a plurality of data fields in the generated at least one data frame representing address information of the host server as a source of the at least one generated data frame are set to correspond to address information of the at least one source computer being involved in the Denial of Service attack (El-Moussa, ¶ 60-63, a NACK message is generated by modifying a TCP message into a NACK message using the destination address of a protected computer, the source address of the attacking computer, and one of the received TCP sequence numbers of the TCP messages),
transmitting the generated data frame to the source computer (El-Moussa, ¶ 62-63, the NACK message is sent to the attacker)”.
	Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Kang and El-Moussa, to modify the distributed denial of service detection and mitigation system of Kang to include the method to send test messages to an attacker causing a denial of service attack.  The motivation to do so as stated by El-Moussa ¶ 61 Ln. 14-18 would be to provide a confirmation that a suspected attacker in a denial of service attack is in fact an attacker rather than an overzealous sender of information. 
 
Regarding claims 4 and 11, Kang in view of El-Moussa teaches:
“The method of claim 1 (Kang in view of El-Moussa teaches the limitations of the parent claims as discussed above), wherein the generation of the at least one data frame further comprises a modification  of a sequence number of a source sequence number to correspond to a received sequence number obtained from the data frame obtained from the data traffic (El-Moussa, ¶ 60-63, a NACK message is generated by modifying a TCP message into a NACK message using the destination address of a protected computer, the source address of the attacking computer, and one of the received TCP sequence numbers of the TCP messages)”.

Regarding claims 6 and 13, Kang in view of El-Moussa teaches:
“The method of claim 1 (Kang in view of El-Moussa teaches the limitations of the parent claims as discussed above), wherein the detection that the at least one source computer transmitting data is involved in a Denial of Service attack is based on at least one predetermined rule (Kang, ¶ 22-25 and 34-35 discusses flows being defined based on their source/destination addresses, protocols and detection of a DDOS attack based on the packet per second rates of the defined flows)”.

Regarding claims 7 and 14, Kang in view of El-Moussa teaches:
“The method of claim 6 (Kang in view of El-Moussa teaches the limitations of the parent claims as discussed above), wherein the at least one predetermined rule is based on at least one of the following:
utilization rate of a data connection, and detection of used protocols (Kang, ¶ 22-25 and 34-35 discusses flows being defined based on their source/destination addresses, protocols and detection of a DDOS attack based on the packet per second rates of the defined flows)”.

Claim(s) 2 and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kang in view of El-Moussa in view of Pang et al. (US 2016/0357424 A1).
Regarding claims 2 and 9, Kang in view of El-Moussa teaches:
“The method of claim 1 (Kang in view of El-Moussa teaches the limitations of the parent claims as discussed above), wherein the plurality of the data fields comprise at least the following:
a source network address (El-Moussa, ¶ 60-63, a NACK message is generated by modifying a TCP message into a NACK message using the destination address of a protected computer, the source address of the attacking computer, and one of the received TCP sequence numbers of the TCP messages)”.
Kang in view of El-Moussa does not, but in related art, Pang teaches:
“local end point specific identifier of the source (Pang, ¶ 23 and 37 teach that the flow information in the process of detecting a denial of service attack includes the MAC address of the source read from the header field)”.
Before applicant’s earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Kang, Pang, and El-Moussa, to modify the distributed denial of service detection and mitigation system of Kang and El-Moussa to include the method to read the MAC address of the source attacker of a denial of service attack as taught in Pang.  The motivation to do so constitutes applying a known technique (i.e., the method to read the MAC address of the source attacker of a denial of service attack) to known devices and/or methods (i.e., distributed denial of service detection and mitigation system) ready for improvement to yield predictable results.

Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
 	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO 




/STEPHEN T GUNDRY/Examiner, Art Unit 2435 

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435