Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the examiner initiated interview of February 28, 2022 and the amendments filed 03/03/2022.  Claims 1-21 and 42-44 have been cancelled.  Claims 22, 37 and 40 have been amended.  Claims 45-47 have been added.  Claims 22-41 and 46-47 are pending and have been considered below.

Priority
16459454, filed 07/01/2019 is a division of 15043361, filed 02/12/2016, now U.S. Patent #10341379 and having 1 RCE-type filing therein.

Drawings
The drawings filed on 07/01/2019 are accepted.

Specification
The amendment to the specification filed on 07/01/2019 is accepted.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/07/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
Applicant’s arguments with respect to double patenting have been fully considered and are persuasive.  The double patenting rejection has been withdrawn in view of the filing and approval of the terminal disclaimer.
Applicant’s arguments with respect to newly amended claims 37 and 40 have been considered but are moot in view of the new ground of rejection below.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 37 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Gerlach et al U.S. 9,141,789 B1 in view of Smith et al U.S. 9,350,706 B1 in further view of Pacella et al U.S. 2009/0288157 A1.
Claim 37: Gerlach et al teaches a network architecture configured to at least mitigate one or more effects of external attacks on one or more users of a managed content distribution network, the network architecture comprising: 
col.4, lines 1-45, when an external user accesses the network 106 via the Internet, the external user will have an associated IP address and possibly a username that the network 106 uses to identify the user. If the external user is a threat to the network 106, the invention takes action to mitigate the threat. All traffic entering the network 106, enters the network 106 through a security device wherein the traffic is broken down into packets with each packet);  
	 one or more processing entities in data communication with the one or more network interfaces and the centralized scrubbing apparatus, the one or more processing entities configured (col.4, lines 20-30, non-limiting example of security devices to include a Managed DDoS Mitigation Device 100, DDoS Management Device 101, Unmanaged DDoS Mitigation Device (also known as a Standalone DDoS Device) 102, Intrusion Protection System (IPS), Intrusion Detection System (IDS) 104, network device or some combination thereof)  to: 
	(i) evaluate the plurality of data packets received by the one or more network interfaces (Fig.3, col.6, lines 11-25, a plurality of IDS may be used to capture, process, and calculate statistics from data in network traffic entering a network 106);  
	(ii) detect identified ones of the plurality of data packets (Fig.3, col.6, lines 11-25, an application and an application rate corresponding to the data may be determined. A filter may be generated that is specific to the application.  A DDoS mitigation may then be activated or modified using the generated filter); and 
	(iii) process the identified ones of the all of the plurality of data packets so as to enable redirection of the identified ones of the plurality of data packets to the centralized scrubbing apparatus (Fig.3, col.6, lines 11-25, A filter may be generated that is specific to the application. A DDoS mitigation may then be activated or modified using the generated filter). 
Gerlach et al fails to teach, however Smith et al in the same field of endeavor teaches
 a centralized scrubbing apparatus configured to receive and remediate data packets forwarded thereto, the scrubbing apparatus comprising a plurality of scrubbing devices (Figs. 1A-1B, Fig. 2, col.5, line 40 to col.6, line 65, for redirecting network traffic (e.g., requests from hosts on the Internet to servers at an Internet service provider ("ISP"), servers at a content provider, etc.) that is originally destined for a series of servers that all respond to the same IP address (using a technique known in the art as "anycasting"). This architecture can route the traffic through a series of data scrubbing devices (also referred to as "data scrubbing appliances") via an anycast IP address. Once the data scrubbers have blocked undesirable traffic (such as traffic that is part of a DDoS attack or otherwise is potentially harmful to the servers or other network elements) and have allowed desirable traffic to pass, the desirable traffic must be sent to the original servers); 
 Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Gerlach et al with the additional features of Smith et al in order to provide the ability for filtering network traffic in an anycasting environment and transmitting the filtered network traffic to the plurality of anycasted servers in a load balanced manner, as suggested by Smith et al, abstract.
The combination fails to teach, however Pacella et al in the same field of endeavor teaches
          wherein the centralized scrubbing apparatus obviates a need for use of any network addressed tunnels in an edge portion of the data network (par.12, 15, 66 The device may advertise a tunnel and tag information for the security platform, may receive valid and attack traffic via the tunnel, and may forward the valid traffic to a destination associated with the valid traffic. Depending on the tag information, the device may forward the attack traffic to the selected security platform via the tunnel, may receive processed (e.g., analyzed, scrubbed,  etc.) traffic back from the security platform, and may forward the processed (or clean) traffic to the victim of the attack traffic using a secondary or non-tunneled topology).
Gerlach et al with the additional features of Pacella et al in order to provide a security overlay network that advertises one or more tunnels directed to a security platform or array of platforms, and directs attack traffic to the security platform via the one or more tunnels, as suggested by Pacella et al par.12.
Claim 39: the combination further teaches:   
		wherein the plurality of scrubbing devices comprises at least a first scrubbing device and a second scrubbing device, the first scrubbing device more capable of remediating data packets than the second scrubbing device (Smith et al, col.8, lines 29-43, col.9, line 39 to col.10, line 9);  and 
		wherein the first scrubbing device is configured to receive first data packets, the second scrubbing device is configured to receive second data packets, the first data packets having higher priority than the second data packets (Smith et al, col.8, lines 29-43, col.9, line 39 to col.10, line 9). 
The same motivation to modify Gerlach et al in view of Smith et al applied to claim 37 above applies here.

Claim 38 is rejected under 35 U.S.C. 103 as being unpatentable over Gerlach et al U.S. 9,141,789 B1 in view of Smith et al U.S. 9,350,706 B1 in further view of Pacella et al U.S. 2009/0288157 A1 and Pasko U.S. 2006/0282891 A1.
Claim 38: the combination teaches wherein: 
Smith et al, col.8, lines 29-43, col.9, line 39 to col.10, line 9); and 
The same motivation to modify Gerlach et al in view of Smith et al applied to claim 37 above applies here.
The combination fails to teach, however Pasko in the same field of endeavor teaches:
	the plurality of data packets have routing data associated with at least two different geographic regions (par.50-53, 59); and 
	the at least two different geographic regions comprise at least a first region and a second region (par.50-53, 59);
	the first scrubbing device is configured to only receive data packets associated with the first region, and the second scrubbing device is configured to only receive data packets associated with the second region. (par.50-53, 59). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Gerlach et al with the additional features of Pasko in order to provide the ability to protect a customer network from network attacks, as suggested by Pasko par. 3.

Claims 40 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over Nguyen et al U.S. 2013/0044758 A1 in view of Jain U.S. 9,276,955 B1 Paatela et al U.S. 2002/0163935 A1.
Claim 40: Nguyen et al teaches a network apparatus for use within a data network, the network apparatus comprising: 
	a processing apparatus (Figs.3-8, items 302, 306, par.20, 44, 47);  
a data traffic interface in data communication with the processing apparatus and configured to at least receive a plurality of data packets originated from an internetwork, the plurality of data packets having at least a network destination address, the network destination address specified by a network-layer protocol associated with the data network (par.22-24, For normal traffic flow, the CE router 108 is configured to receive the ingress IP traffic 120 from the PE.sub.C router 102 and provide the ingress IP traffic 120 to the intended destination 110. The intended destination 110 may be, for example, a customer's local area network ("LAN") or any device connected thereto including, but not limited to, one or more LAN routers, wireless LAN routers, or other IP devices such as computers, servers, video game consoles, or mobile devices (e.g., a smartphone, personal digital assistant, tablet computer, camera, or e-reader)); 
	 at least one data storage apparatus in data communication with the processing apparatus, the at least one storage apparatus configured to store at least the plurality of received data packets (par.45);  and 
Figs. 3-8, par.20, 44, 47) to: 
	identify at least a portion of the plurality of data packets for further processing (par.29-30, 33, The DDoS scrubber then determines which packets in the redirected ingress IP traffic 200 are attack packets and which packets are legit packets (i.e., non-attack or normal packets). Although all traffic is diverted to the DDoS scrubber, only legit packets are then re-injected into the traffic flow of the network 100 by the PE.sub.S 106 as the post-processed traffic 202); 
	 insert a switching-layer protocol address into the at least the portion of the plurality of data packets while not altering the network destination address (par.25, The PE.sub.S router 106 is configured to receive the redirected ingress IP traffic 200 from the PE.sub.I router 104 and route the redirected ingress IP traffic 200 to the L2SW 112. The L2SW 112 is configured to receive redirected ingress IP traffic 200 from the PE.sub.I router 104 and provide the redirected ingress IP traffic 200 to the application server 114 for processing (e.g., via DDoS scrubbing or another application service));  and
par.5, 19, 25, The application server 114 processes the redirected ingress IP traffic 200 and sends post-processed traffic 202 to the L2SW 112, which provides the post-processed traffic 202 to the PE.sub.S router 106 for routing to the PE.sub.S router 102. The PE.sub.S router 102 receives the post-processed traffic 202 and then routes the post-processed traffic 202 to the CE router 108 for delivery to the intended destination 110). 
Nguyen et al fails to teach, however Jain in the same field of endeavor teaches 
		collect data relating to one or more metrics characterizing the network attack, wherein the collected data is configured to enable anticipation of future malicious internetwork originated attacks (col.2, lines 39-65, a flow collector is capable of receiving a variety of flow statistics in industry standards from routers and switches. These flow statistics may be in the form of packets in protocols, including, but not limited to, NetFlow, JFlow, SFlow, CFlow and the like. The hardware-based apparatus collects this data and converts them to granular rate statistics in a round robin database for varying periods such as past hour, past day, past week, past month, past year etc. Based on the past granular traffic statistics, the apparatus can determine corresponding rate-thresholds through continuous and adaptive learning. Once these granular rate thresholds are breached for any traffic parameter, the apparatus can determine the networks being attacked or protocols or transmission control protocol (TCP) or user datagram protocol (UDP) ports under attack once the corresponding adaptive thresholds are violated. In an exemplary embodiment of this invention, the router closer to the edge can then be requested to divert the affected traffic to a scrubbing center potentially including multiple scrubbing appliances. The techniques for such diversion and scrubbing are described well in the literature and are thus not elaborated upon further herein); and
		process the collected data relating to the one or more metrics to generate data relating to the future malicious internetwork-originated attacks, the one or more metrics comprising one or more of: (i) degree of contamination, (ii) scrubbing time, or (iii) indeterminate traffic (col.2, line 63 to col.3, line 6, col.3, lines 51-56, col.6, lines 25-30, a single hardware-logic based appliance collects traffic statistics data from multiple routers and switches in a service provider network. It then integrates multiple mechanisms to determine the current granular traffic rate to multiple destinations and determines if any of the protected destinations are having a rate anomaly based on behavioral threshold estimation).
 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Nguyen et al with Jain in order to provide the ability to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network, as suggested by Jain, abstract.
Claim 41: the combination further teaches 
		collect data relating to one or more metrics, the one or more metrics characterizing the network attack (Jain col.2, lines 39-65);  and 
		cause distribution of the data relating to one or more metrics to one or more network entities, the distribution enabling at least mitigation of one or more subsequent network attacks (Nguyen et al par. 33-35, 38-39, Jain col.4, lines 4-30). 
The same motivation to modify Nguyen et al in view of Jain as applied to claim 40 above applies here.

Claims 45 and 46 are rejected under 35 U.S.C. 103 as being unpatentable over Gerlach et al U.S. 9,141,789 B1 in view of Smith et al U.S. 9,350,706 B1 in further view of Pacella et al U.S. 2009/0288157 A1 and Kaashock et al U.S. 2002/0035683 A1.
Claim 45: the combination fails to teach, however Kaashock et al in the same field of endeavor teaches wherein the detection comprises:
an identification of prospectively spoofed data traffic received by a network entity within the managed content distribution network (par.37-39); and
par.39-42).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Gerlach et al with the additional features of Kaashock et al in order to provide the ability to thwart denial of service attacks on a victim data center coupled to a network, including monitoring network traffic through monitors disposed at a plurality of points in the network and communicating data from the monitors, over a hardened, redundant network, to a central controller, as suggested by Kaashock et al par. 4.
Claim 46: the combination teaches
 wherein the processing comprising computerized logic configured to, based at least on the determination, ignore at least portions of the identified prospectively spoofed data traffic (par.39-42).
The same motivation to modify Gerlach et al in view of Kaashock et al as applied to claim 45 above applies here.

Allowable Subject Matter
Claim 47 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 22-36 are allowed.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Saturday, March 26, 2022
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436