DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
   
   Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 12/17/2019 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 12-16 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT No. 10,038,715 B1 to Majkowski et al. (hereinafter Majkowski) and further in view of US-PGPUB No. 2012/0079592 A1 to Pandrangi.

Regarding claim 1:
Majkowski discloses:
A method by one or more network devices implementing a scrubbing center for mitigating distributed denial of service attacks, wherein the scrubbing center is communicatively coupled to a plurality of clients and one or more servers, the method comprising: 
determining a set of packet fingerprints seen in a set of packets sent between the plurality of clients and the one or more servers (see Majkowski ¶10: “A method and apparatus for identifying and mitigating denial of service attacks …”,  
¶42: “The DoS attack may be a distributed DoS (DDoS) attack where multiple clients transmit a large amount of traffic directed at a target.”, 
¶33: “The system illustrated in FIG. 1 includes a set of edge server(s) … that are situated between the client devices … and the origin servers …” 
¶10: “… analysis is performed on incoming SYN packets to determine whether they are malicious SYN packets (e.g., part of an attack) or legitimate traffic.”, and
¶27: “… each different aggregate signature generated for the SYN packet is input into a different fingerprint table …”); 
assigning a risk value to each packet fingerprint in the set of packet fingerprints based on analyzing previous security decisions made for packets having that packet fingerprint (see Majkowski ¶27: “A fingerprint table includes fingerprints and corresponding counters … An attack fingerprint … is a fingerprint whose corresponding counter exceeds a threshold.”, 
¶89: “… the iterator … determines if there is a match of that aggregate signature to the corresponding fingerprint table. If there is a match … the iterator … causes the counter to be incremented.”, and  
¶90: “… if the aggregate signature does not match a fingerprint in the corresponding fingerprint table … the iterator … causes that aggregate signature to be added into that corresponding fingerprint table and the corresponding counter is set to an initial value.”); 
However, Majkowski failed to explicitly disclose the following limitation taught by Pandrangi: 
responsive to detecting an occurrence of a potential distributed denial of service attack, activating a security measure for each of one or more packet fingerprints in the set of packet fingerprints based on the risk value assigned to that packet fingerprint (see Pandrangi ¶22: “… during a DDoS attack, packets that are known to be good … are accepted and other traffic is rate limited … packets that are known to be bad … are dropped.”, and 
¶07: “… assigning confidence scores to the client IP addresses based on a plurality of sources, and utilizing a structured approach to sequentially block higher levels of traffic based on the confidence scores”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Majkowski to incorporate the mitigation device and dynamic analyzer that assign confidence scores to IP addresses based on a plurality of sources, as disclosed by Pandrangi. Such a modification would allow suspicious and malicious packets to be identified, and thus DDoS attacks to be detected and mitigated.
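The fingerprint-table mechanism quoted from Majkowski above (an aggregate signature per SYN packet, a counter incremented on a match, a new entry set to an initial value on a miss, and an attack fingerprint once a counter exceeds a threshold), combined with the risk-based activation of measures that the rejection attributes to Pandrangi, can be illustrated with the following added example. It is not code from either reference or from the application under examination. The header fields folded into the signature, the five-decision cutoff below which a fingerprint is "unknown", the risk formula, the 0.7/0.1 cut points and the sample packets are all assumptions made for the illustration.

```python
"""Fingerprint-table counters with risk values derived from previous security decisions.

Added illustrative example; not the code of Majkowski, Pandrangi or the applicant.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Header fields folded into one aggregate signature (assumed selection).
SIGNATURE_FIELDS = ("ttl", "win", "mss", "df", "opts")

# Constructed SYN packets, not captured traffic: two ordinary clients and one
# TCP stack that sends identically-shaped SYNs from forty source addresses.
SAMPLE_SYNS = [
    {"src": "198.51.100.7", "ttl": 64, "win": 65535, "mss": 1460, "df": 1, "opts": "MSS,SACK,TS,NOP,WS"},
    {"src": "198.51.100.8", "ttl": 64, "win": 65535, "mss": 1460, "df": 1, "opts": "MSS,SACK,TS,NOP,WS"},
] + [
    {"src": f"203.0.113.{i}", "ttl": 251, "win": 1024, "mss": 536, "df": 0, "opts": "MSS"}
    for i in range(1, 41)
]


def fingerprint(pkt: dict) -> str:
    """Hash the selected header fields into a stable, source-independent fingerprint."""
    raw = "|".join(f"{k}={pkt[k]}" for k in SIGNATURE_FIELDS)
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


@dataclass
class FingerprintTable:
    threshold: int
    counters: dict[str, int] = field(default_factory=dict)

    def observe(self, fp: str) -> int:
        # Match: increment the counter. No match: insert with initial value 1.
        self.counters[fp] = self.counters.get(fp, 0) + 1
        return self.counters[fp]

    def attack_fingerprints(self) -> set[str]:
        # An attack fingerprint is one whose counter exceeds the threshold.
        return {fp for fp, n in self.counters.items() if n > self.threshold}


@dataclass
class DecisionHistory:
    """Blacklist, rate-limit and whitelist statistics previously recorded for one fingerprint."""
    blocked: int = 0
    rate_limited: int = 0
    allowed: int = 0

    @property
    def total(self) -> int:
        return self.blocked + self.rate_limited + self.allowed


MIN_DECISIONS = 5  # assumed cutoff: fewer past decisions than this means "unknown"


def risk_value(h: DecisionHistory) -> float | None:
    """Risk in [0, 1] from past decisions; None when the fingerprint was not seen enough."""
    if h.total < MIN_DECISIONS:
        return None
    return (h.blocked + 0.5 * h.rate_limited) / h.total


def choose_measure(risk: float | None) -> str:
    """Map a risk value to the measure activated during an attack (assumed cut points)."""
    if risk is None:
        return "rate_limit"   # unknown fingerprint
    if risk >= 0.7:
        return "blacklist"    # considered malicious
    if risk <= 0.1:
        return "whitelist"    # considered legitimate
    return "rate_limit"


def mitigate(packets, history: dict[str, DecisionHistory], threshold: int = 20) -> dict[str, str]:
    """Feed packets through the table; once an attack fingerprint appears, pick a measure per fingerprint."""
    table = FingerprintTable(threshold)
    seen: set[str] = set()
    for p in packets:
        fp = fingerprint(p)
        seen.add(fp)
        table.observe(fp)
    if not table.attack_fingerprints():
        return {}  # no potential attack detected, nothing is activated
    return {fp: choose_measure(risk_value(history.get(fp, DecisionHistory()))) for fp in seen}
```

Fingerprints are keyed on header shape rather than source address, which is why forty spoofed sources collapse into one counter; the risk value is then looked up per fingerprint, so a fingerprint that was mostly blocked in earlier windows is blacklisted immediately, while one with no recorded history falls into the "unknown" bucket and is only rate limited.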


Regarding claim 2:
The combination of Majkowski and Pandrangi discloses:
The method of claim 1, wherein the previous security decisions made for packets having a given packet fingerprint in the set of packet fingerprints includes blacklist statistics, whitelist statistics, or rate limiting statistics for the given packet fingerprint (see Pandrangi ¶03: “Most DDoS mitigation systems use whitelists and blacklists and a combination of packet inspection to mitigate malicious traffic … “, and 
¶28: “… during an attack, packets that were initially inspected can be rate limited”).  

Regarding claim 3:
The combination of Majkowski and Pandrangi discloses:
The method of claim 1, wherein the activating includes activating a security measure for a given packet fingerprint from the one or more packet fingerprints that blacklists or rate limits the given packet fingerprint in response to a determination that the risk value assigned to the given packet fingerprint indicates that the given packet fingerprint is considered to be malicious or unknown (see Pandrangi ¶22: “… packets that are known to be good (e.g., private network packets) are accepted and other traffic is rate limited … packets that are known to be bad (e.g., present on a blacklist) are dropped.”).   

Regarding claim 4:
The combination of Majkowski and Pandrangi discloses:
The method of claim 1, wherein the activating includes activating a security measure for a given packet fingerprint from the one or more packet fingerprints that whitelists the given packet fingerprint in response to a determination that the risk value assigned to the given packet fingerprint indicates that the given packet fingerprint is considered to be legitimate (see Pandrangi ¶22: “… during a DDoS attack, packets that are known to be good (e.g., private network packets) are accepted …”).   

Regarding claim 5:
The combination of Majkowski and Pandrangi discloses:
The method of claim 1, further comprising: determining a historical traffic characteristic distribution of the set of packet fingerprints (see Pandrangi ¶06: “The data analyzed can include … historical data about the IP address, current data related to the network traffic associated with the IP address, a comparison between as current services being obtained by the IP address with historically obtained services …”).   

Regarding claim 12:
The combination of Majkowski and Pandrangi discloses:
The method of claim 1, wherein the set of packet fingerprints includes a packet fingerprint that represents unknown packet fingerprints, wherein unknown fingerprints are packet fingerprints that were not seen enough to establish a valid risk value (see Pandrangi ¶38: “… if a whitelist has not included an IP address, and a new client begins communication during a DDoS attack, the network traffic can be analyzed to determine that the client is malicious and the client can be blocked.”).

Regarding claims 13-16: 
Claims 13-16 recite substantially the same limitations as claims 1-4, respectively, in the form of a non-transitory machine-readable storage media storing instructions to execute the corresponding method, therefore, they are rejected under the same rationale. 

Regarding claim 17: 
The combination of Majkowski and Pandrangi discloses:
A network device configured to implement a scrubbing center that is to be communicatively coupled to a plurality of clients and one or more servers, wherein the scrubbing center is configured to mitigate distributed denial of service attacks, the network device comprising:
 one or more processors (see Majkowski ¶45: “The edge server … includes the incoming downstream traffic processor … the outgoing upstream traffic processor … the outgoing downstream traffic processor …, the incoming upstream traffic processor …”);

In addition to the above limitation, claim 17 recites substantially the same limitations as claim 1 in the form of a network device implementing the corresponding method, therefore, it is rejected under the same rationale. 

Regarding claim 18:
Claim 18 recites substantially the same limitations as claim 5 in the form of a network device implementing the corresponding method, therefore, it is rejected under the same rationale.


Claims 6-10 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Majkowski, Pandrangi and further in view of US-PGPUB No. 2020/0045131 A1 to Nigam et al. (hereinafter Nigam).
Regarding claim 6:
The combination of Majkowski and Pandrangi disclose the method of claim 5, but failed to explicitly disclose the following limitation taught by Nigam: 
responsive to detecting the occurrence of the potential distributed denial of service attack, assigning a fixed quota to each of one or more packet fingerprint in the set of packet fingerprints based on the historical traffic characteristic distribution of the set of packet fingerprints and activating a security measure for a given packet fingerprint when a volume of traffic or packet count associated with the given packet fingerprint exceeds the fixed quota assigned to the given packet fingerprint (see Nigam ¶103: “… upon an inquiry with the quota service … it may be determined that there may not be available capacity and resources to fulfill the client request using an endpoint because …  the amount of traffic that has been routed through that endpoint have exceeded available capacity and quota for the time being. Rejections with prescribed corrective actions are sent back to the clients.”).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Majkowski and Pandrangi to incorporate the quota services module that determines the amount of packet traffic routed through an endpoint, as disclosed by Nigam. Such a modification would allow the packet traffic to be limited to the assigned fixed quota and packets exceeding the allowed quota to be blocked, thus preventing denial of service attacks.

Regarding claim 7:
The combination of Majkowski and Pandrangi discloses the method of claim 5, but failed to explicitly disclose the following limitation taught by Nigam:
The method of claim 5, wherein the occurrence of the potential distributed denial of service attack is detected based on determining that a current traffic characteristic distribution of the set of packet fingerprints significantly deviates from the historical traffic characteristic distribution of the set of packet fingerprints (see Nigam ¶102: “… DDOS detection … analyzes the current request in relation to historical requests made in the recent past to detect any possible DDOS attack patterns.”, and 
¶106: “… an unusually high number of requests reported by historical usage service using the specified path may lead to rejection and retry request being sent to the client …”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Majkowski and Pandrangi to incorporate the determination that current traffic deviates from the historical traffic characteristic distribution, as disclosed by Nigam. Such a modification would further the detection of DDoS attack patterns.

Regarding claim 8:
The combination of Majkowski, Pandrangi and Nigam discloses:
The method of claim 7, further comprising: responsive to detecting the occurrence of the potential distributed denial of service attack, activating a security measure for a given packet fingerprint in response to a determination that a change in traffic characteristic of the given packet fingerprint is responsible or partially responsible for the significant deviation (see Nigam ¶103: “… the Platform may find that a perfectly correct and genuine request … However, upon an inquiry with the quota service … it may be determined that there may not be available capacity and resources to fulfill the client request using an endpoint because …  the amount of traffic that has been routed through that endpoint have exceeded available capacity and quota for the time being.”).   

Regarding claim 9:
The combination of Majkowski, Pandrangi and Nigam discloses:
The method of claim 8, wherein the security measure for the given packet fingerprint rate limits the given packet fingerprint more aggressively compared to a packet fingerprint that is determined not to have a change in traffic characteristic that is responsible for the significant deviation (see Nigam ¶159: “The traffic shaper … may rate limit the request and pass along the request. For example, Clients may only be allowed to send traffic at a certain baseline TPS (Transactions per second). Incoming requests may be checked to see if a baseline is breached.”).   

Regarding claim 10:
The combination of Majkowski, Pandrangi and Nigam discloses:
The method of claim 8, further comprising: subsequent to activating the security measure for the given packet fingerprint, deactivating the security measure for the given packet fingerprint in response to a determination that the current traffic characteristic distribution of the set of packet fingerprints conforms to the historical traffic characteristic distribution of the set of packet fingerprints (see Nigam ¶102: “The rate limiter … checks each request … to see if a baseline is breached. In case of a breach, DDOS detection … analyzes the current request in relation to historical requests made in the recent past to detect any possible DDOS attack patterns. Rejection with prescribed request rates are sent back to the clients for review and adjusting their request rate accordingly. Assuming the request … successfully passes through the rate limiter … the request moves on to the throttler …”).   
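Claims 5 through 10 together describe one procedure: a historical distribution of traffic across packet fingerprints, a fixed per-fingerprint quota derived from it, detection of an attack when the current distribution deviates significantly, more aggressive rate limiting of the fingerprints responsible for the deviation, and deactivation once the distribution conforms again. The following added example walks through that procedure end to end. It is not code from the references or from the application; the total-variation distance as the deviation metric, the 0.2 deviation threshold, the quota formula (historical share times expected volume times 1.5 headroom), the quarter-quota "aggressive" limit, the 0.1 share-increase attribution rule and the per-window counts are all assumptions made for the illustration.

```python
"""Historical-distribution baseline, fixed quotas, deviation detection and deactivation.

Added illustrative example; not the code of Majkowski, Pandrangi, Nigam or the applicant.
"""
from __future__ import annotations

# Constructed per-window packet counts per fingerprint (not captured data).
HISTORY = [
    {"fpA": 800, "fpB": 150, "fpC": 50},
    {"fpA": 820, "fpB": 140, "fpC": 40},
    {"fpA": 780, "fpB": 160, "fpC": 60},
]
ATTACK_WINDOW = {"fpA": 810, "fpB": 150, "fpC": 4000}  # fpC surges
CALM_WINDOW = {"fpA": 790, "fpB": 155, "fpC": 55}      # back to baseline


def distribution(counts: dict[str, int]) -> dict[str, float]:
    """Share of the window's packets carried by each fingerprint."""
    total = sum(counts.values())
    return {fp: n / total for fp, n in counts.items()} if total else {}


def historical_distribution(windows) -> dict[str, float]:
    """Aggregate several baseline windows into one historical share vector."""
    agg: dict[str, int] = {}
    for w in windows:
        for fp, n in w.items():
            agg[fp] = agg.get(fp, 0) + n
    return distribution(agg)


def deviation(current: dict[str, float], historical: dict[str, float]) -> float:
    """Total variation distance between two share vectors (assumed metric, range 0..1)."""
    keys = set(current) | set(historical)
    return 0.5 * sum(abs(current.get(k, 0.0) - historical.get(k, 0.0)) for k in keys)


def fixed_quotas(historical: dict[str, float], expected_total: int, headroom: float = 1.5) -> dict[str, int]:
    """Fixed packet quota per fingerprint: historical share x expected volume x headroom (assumed formula)."""
    return {fp: int(round(share * expected_total * headroom)) for fp, share in historical.items()}


def responsible_fingerprints(current, historical, min_share_increase: float = 0.1) -> set[str]:
    """Fingerprints whose share grew enough to be (partly) responsible for the deviation."""
    return {fp for fp in current if current.get(fp, 0.0) - historical.get(fp, 0.0) >= min_share_increase}


class Mitigator:
    DEVIATION_THRESHOLD = 0.2  # assumed: above this the window is a potential attack

    def __init__(self, history):
        self.hist = historical_distribution(history)
        self.expected_total = int(sum(sum(w.values()) for w in history) / len(history))
        self.quotas = fixed_quotas(self.hist, self.expected_total)
        self.active: dict[str, tuple[str, int]] = {}  # fp -> (measure, packets allowed per window)

    def process_window(self, counts: dict[str, int]) -> dict[str, tuple[str, int]]:
        """Update active measures for one traffic window and return them."""
        cur = distribution(counts)
        if deviation(cur, self.hist) <= self.DEVIATION_THRESHOLD:
            self.active.clear()  # distribution conforms again: deactivate everything
            return dict(self.active)
        guilty = responsible_fingerprints(cur, self.hist)
        for fp, n in counts.items():
            quota = self.quotas.get(fp, 0)
            if fp in guilty:
                # Responsible for the deviation: rate limit more aggressively than the plain quota.
                self.active[fp] = ("rate_limit_aggressive", quota // 4)
            elif n > quota:
                # Over its fixed quota but not driving the deviation: ordinary quota enforcement.
                self.active[fp] = ("rate_limit", quota)
        return dict(self.active)
```

With the constructed data the baseline is 80/15/5 percent across fpA/fpB/fpC at about 1,000 packets per window, so fpC's quota is 75 packets. In the attack window fpC jumps to roughly 81 percent of traffic, the deviation is about 0.76, fpC alone is attributed the change and is cut to a quarter of its quota, while fpA and fpB, still inside their quotas, are left alone; the next conforming window clears the measure.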

Regarding claims 19-20: 
Claims 19-20 recite substantially the same limitations as claims 7-8, respectively, in the form of a network device implementing the corresponding method, therefore, they are rejected under the same rationale.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Majkowski, Pandrangi and further in view of US-PGPUB No. 2016/0006749 A1 to Cohen et al. (hereinafter Cohen).
Regarding claim 11:
The combination of Majkowski and Pandrangi discloses the method of claim 1, but failed to explicitly disclose the following limitation taught by Cohen:
wherein at least one packet fingerprint in the set of packet fingerprints represents a cluster of packet fingerprints that are determined to be associated with the same source, client, or operating system (see Cohen ¶10: “… the data analysis system … automatically creates clusters of related data items …”, and  
¶418: “… the system clusters any data items that are related to the seed including … internal IP addresses and/or domain addresses … hosts associated with the network addresses, users associated with the hosts, and/or the like. Additionally, other network traffic information clustered may include information gathered from firewall devices and/or routers of the network …  fingerprints, signatures, and/or hashes associated with malware items and/or particular communications …”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Majkowski and Pandrangi to incorporate the data analysis system that generates memory-efficient clustered data, as disclosed by Cohen. Such a modification would increase memory efficiency and provide automatic analysis of network traffic data, making the fingerprinting more flexible and dynamic.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Ezell et al. (US-PGPUB No. 2015/0341312 A1) discloses Web Real-Time Communication (WebRTC), designed to allow secure real-time communications between two web browsers.
Kapoor et al. (US-PGPUB No. 2016/0366160 A1) discloses methods providing network switching and security services for computer systems which address many aspects of networking, internetworking, access control, security, and other such services.
Alperovitch et al. (US-PGPUB No. 2012/0331556 A1) discloses a method that includes generating a fingerprint based on properties extracted from data packets received over a network connection and requesting a reputation value based on the fingerprint.
Compton (USPAT No. 11,032,315 B2) discloses an apparatus for mitigating a DDoS attack in a networked computing system that includes at least one detector coupled with a corresponding router in the networked computing system.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491