DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to amendment
Regarding the rejection of Claim(s) 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The claims have been amended as required, thus, the rejection is withdrawn.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-34 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3,6-7,9,11-15,18-20,26 and 28-32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shapira et al. (US 2017/0366577 A1), in view of St. Pierre (US 2018/0091547 A1), Dukes et al. (US 9,252,972 B1).

 Regarding claim 1, Shapira discloses a method of monitoring network traffic for a protected network (protected server) using a block (IP address from a range) of internet protocol (IP) addresses the method comprising (Shapira, Fig. 2, [0022] discloses protected servers of an organization's network infrastructure 160, includes a DDoS protection module 140 which allocates 202 a dedicated IP address from within that range. The protected server further obtains 204 an IP address from an Internet Service Provider (ISP) that is kept secret between the DDoS protection module 140 and the protected server. Traffic to the protected servers are monitored through the dedicated IP address assigned to the protected servers):
selecting (module 140 allocates) one or more green addresses (a dedicated IP address), wherein each green address is a different IP address from the block of IP addresses (range of IP addresses) (Shapira, Fig. 2, [0022], discloses a DDoS protection module 140 owns a range (block of IP addresses) of IP addresses. For each protected server of an organization's network infrastructure 160, the DDoS protection module 140 allocates 202 (selecting and assigning a green address from a block of different green addresses to a protected server) a dedicated IP address from within that range/block);
associating the one or more green addresses with the IP address of the server (Shapira, Fig. 2, [0022], discloses a DDoS protection module 140 owns a range (block of different green addresses) of IP addresses. For each protected server of an organization's network infrastructure 160, the DDoS protection module 140 allocates 202 (selecting and associating a green address from a block of green addresses to a protected server, while keeping the actual address of the server secret) a dedicated IP address from within that range. The protected server further obtains 204 an IP address from an Internet Service Provider (ISP) that is kept secret between the DDoS protection module 140 and the protected server. The protected server may be one of a plurality of protected servers in the network organization);
receiving a packet of the network traffic from a client directed to an IP address of the block of IP addresses (Shapira [0023], discloses that the protected server advertises 206 the dedicated IP address as its address to the world using domain name system (DNS). Thus, an end user 120 that identifies the protected server by NAME would use the dedicated IP address for communicating with the protected server), 
the packet including a source address for the client and a destination address from the block of IP addresses (Shapira [0023], discloses that the protected server advertises 206 the dedicated IP address as its address to the world using domain name system (DNS). Thus, an end user 120 that identifies the protected server by NAME would use the dedicated IP address for communicating with the protected server; [0025] discloses the end user 120 been provided with address as the public IP address (a dedicated IP address from within that range) of the protected server 170 it is trying to reach. In the example of FIG. 5, this is IP address 1.1.1.2.); FIGS. 1 and 5, [0032] if the end user 120 source IP address is 1.1.1.1, and it's original destination address is 1.1.1.2), 
Shapira did not explicitly disclose wherein the packet is received prior to any performance of deep packet inspection (DPI) on the packet in association with monitoring the network traffic for the protected network; determining whether the destination address matches the one or more green or is a yellow address; when the determination is that the destination address matches the one or more green addresses, sending the packet to the IP address associated with the matching green address, bypassing any deep packet inspection; wherein the yellow address belongs to the block of IP addresses, but is not a green address; when the determination is that the destination address does not match the one or more green addresses, sending the packet along a fixed yellow path from a router to a scrubber for the scrubber  to analyze the packet using deep packet inspection (DPI), determining by the DPI whether to authenticate the packet, sending the packet only if authenticated or unknown along a pre-established authenticated path to the protected packet and, only if the packet is authenticated, a redirection of the client, wherein the redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any deep packet inspection.
St. Pierre disclose wherein the packet is received prior to any performance of deep packet inspection (DPI) on the packet in association with monitoring the network traffic for the protected network (St. Pierre, Fig. 4, discloses step 402 for receiving a request before any Deep Packet Inspection (DPI); In step 404 the source address is compared to a whitelist of addresses (green addresses); If it is determined to be a to whitelisted address, the packet is sent to step 406 where it reinject the diverted request);
determining whether the destination address matches the one or more green addresses (i.e., whitelist address) or is a yellow address (i.e., blacklist address) (i.e., determining whether the IP address is on the whitelist or blacklist; ¶ 0031; 0043-0045), 
wherein the yellow address (blacklist address) belongs to the block of IP addresses (blacklist addresses), but is not a green address (whitelist address) (St. Pierre, Fig. 4, discloses step 402 for receiving a request before any Deep Packet Inspection (DPI); In step 408 the source address is compared to a blacklist of addresses (yellow addresses); If it is determined to be a to blacklist address, the packet is sent to step 410 where it reinject the diverted request); and 
when the determination is that the destination address matches the one or more green addresses (St. Pierre, Fig. 4, discloses step 404 for determining whether the source address of a request exists in a whitelist and when the source address matches/exists in a whitelist, the request is sent to step 406 where the diverted request is reinjected); and
sending the packet to the IP address associated with the matching green address, bypassing any deep packet inspection (St. Pierre, Fig. 4, discloses step 404 for determining if a source address of a request exists in a whitelist (i.e., matches a green address, if there is a match, the method moves to step 406 where the request is reinjected. Therefore, the request bypasses a DPI).
One of ordinary skill would have been motivated to combine Shapira and St. Pierre because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of St. Pierre in Shapira as doing such would enable attack mitigation devices to be configured to parse messages received from the protected device to identify a status flag indicative of malicious characteristic of message requests sent by the external device, St. Pierre, [Abstract].
Shapira and St. Pierre did not explicitly disclose when the determination is that the destination address does not match the one or more green addresses; sending the packet along a fixed yellow path from a router to a scrubber for the scrubber to analyze the packet using deep packet inspection (DPI), determining by the DPI whether to authenticate the packet, sending the packet only if authenticated or unknown along a pre-established authenticated path to the protected packet and, only if the packet is authenticated, a redirection of the client, wherein the redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any deep packet inspection, and wherein the yellow path is based on router instructions to reach a particular device.
Dukes discloses when the determination is that the destination address does not match the one or more green addresses (Packet with green addresses travel along fast path 91) (Dukes, fig. 3, Col. 9, line 57- Col. 10, line 11, discloses fig. 3, flow control unit 57 receives an inbound packet 78 and selectively directs the packet along fast path 91 to forwarding ASICs 70 for immediate forwarding or along slow path 93/Yellow path for additional analysis by service cards 71. That is, flow control unit 57 receives an incoming packet 78 for a packet flow (e.g., IP traffic or VPN-encapsulated traffic) and determines whether to send the packet to deep packet inspection (DPI) module 73 for processing within one or more of service cards 71. Upon receiving a packet that does not match a current packet flow, flow control unit 57 may direct the packet to service cards 71 for processing);
sending the packet along a fixed yellow path (93 – fig. 3) from a router to a scrubber (72 – fig. 3) for the scrubber to analyze the packet using deep packet inspection (DPI) (Dukes, fig. 3, Col. 9, line 57- Col. 10, line 11, Col. 13, lines 52-67, discloses fig. 3, flow control unit 57 receives an inbound packet 78 and selectively directs the packet along slow path 93 for additional analysis by service cards 71. That is, flow control unit 57 receives an incoming packet 78 for a packet flow (e.g., IP traffic or VPN-encapsulated traffic) and determines whether to send the packet to deep packet inspection (DPI) module 73 for processing within one or more of service cards 71).
determining by the DPI whether to authenticate the packet, sending the packet only if authenticated or unknown along a pre-established authenticated path (fast path 91) to the protected network (Dukes, fig. 3, Col. 9, line 57- Col. 10, line 11, Col. 13, lines 52-67, discloses upon determining that a particular packet flow does not require additional processing, such as determining that the packet flow does not pose a threat, DPI module 73 may issue commands 65 to dynamically configure flow control unit 57 of data plane 52 to direct subsequent packets of the packet flow along fast path 91, thereby bypassing DPI module 73); and, 
performing, only if the packet is authenticated, a redirection of the client, wherein the redirection causes subsequent requests from the client to be sent to the IP address associated with the green address, bypassing any deep packet inspection (Dukes, fig. 3, Col. 9, line 57- Col. 10, line 11, Col. 13, lines 52-67, discloses upon determining that a particular packet flow does not require additional processing, such as determining that the packet flow does not pose a threat, DPI module 73 may issue commands 65 to dynamically configure flow control unit 57 of data plane 52 to direct subsequent packets of the packet flow along fast path 91, thereby bypassing DPI module 73); and 
wherein the yellow path is based on router instructions to reach a particular device (Deep packet inspection (DPI) module 73) (Dukes, fig. 3, Col. 10, lines 53-67, discloses flow control unit 57 receives an inbound packet 78 and selectively directs the packet along fast path 91 to forwarding ASICs 70 for immediate forwarding or along slow path 93 for additional analysis by service cards 71. That is, flow control unit 57 receives an incoming packet 78 for a packet flow (e.g., IP traffic or VPN-encapsulated traffic) and determines whether to send the packet to deep packet inspection (DPI) module 73 for processing within one or more of service cards 71, or whether to bypass DPI module 73).
One of ordinary skill would have been motivated to combine Shapira and Dukes because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of Dukes in Shapira and St. Pierre as doing such would enable a network device includes an internal policy engine that makes local policy decisions for packet flows and controls policies applied by service modules and forwarding components of the network device, Dukes, [Abstract].

Regarding claim 2, Shapira, St. Pierre and Dukes disclose the method of claim 1, wherein sending the packet to the scrubber further includes sending the packet, to be dropped or quarantined based on a determination by the deep packet inspection that the source address or packet is illegitimate (Shapira [0034] discloses the scrubbing center 140 receives and processes the incoming network packet traffic to filter out illegitimate traffic (for example, a DDoS attack type of traffic). The scrubbing center 140 nearest the end user 120 determines 405 whether the incoming network packet is legitimate. Traffic that is considered illegitimate or malicious is dropped 407 by the scrubbing center 140 and thus never reaches the protected network 160).
The motivation to combine is similar to that of claim 1.
	

Regarding claim 3, Shapira, St. Pierre and Dukes disclose the method of claim 1, wherein sending the packet to the scrubber further includes sending the packet to the IP address of the server based on a lack of a determination by the deep packet inspection that the source address is illegitimate or authenticated, without performance of a redirection of the client, so that the subsequent requests from the client will be sent to the scrubber to be analyzed using deep packet inspection (St. Pierre, Fig. 4 discloses step 408 where the method is unable to determine if a request has a whitelist or blacklist address; in step 412 the method determines that the request is not directed to a first URL and at step 416 it is determined that the request is directed to a second URL and the address is added to the whitelist so it can be sent to the desired destination).
The motivation to combine is similar to that of claim 1.

Regarding claim 6, Shapira, St. Pierre and Dukes disclose the method of claim 1, disclose wherein after a second interval or in response to a second trigger event, the method further comprises instead of sending the packet to the IP address associated with the green address, sending the packet to the scrubber even when the determination is that the destination address matches the one or more green addresses. (Dukes, Col. 10, line 53 to Col. 11, line 29, Col. 13, lines 52-67, Fig. 4, discloses DPI module 73 identifies packet flows in the monitored traffic, and transparently reassembles application-layer communications from the packet flows. A set of protocol-specific decoders within the DPI module 73 analyzes the application-layer communications and identifies application-layer transactions. During this process, DPI module 73 discovers new packet flows associated with subscriber sessions and determines subscriber information for the data packets by, for example, determining an IP address or subscriber identifier from the packets. In some cases, DPI module 73 may determine that incoming packet 78 represents a request for a new subscriber session. In addition, DPI module 73 may apply DPI to the data packets to identify a type of software application, i.e., an application identity, for the subscriber packet flow).
The motivation to combine is similar to that of claim 1.

Regarding claim 7, Shapira, St. Pierre and Dukes did not explicitly disclose the method of claim 6, further comprising, for each selected green address, associating a green path with each selected green address and the yellow path with each yellow address (St. Pierre, Fig. 4, discloses steps of 404 and 406 (green path associated with green addresses) are performed when it is determined that the request includes a whitelisted address);
the green path providing a route from the router to the IP address associated with the green address (St. Pierre, Fig. 4, discloses steps 404 and 406 (green path associated with green addresses) are performed when it is determined that the request includes a whitelisted address);
the yellow path providing a route from the router to the scrubber (St. Pierre, Fig. 4, disclose steps 408 and 410 (yellow path associated with yellow addresses) are performed when it is determined that the request includes a whitelisted address); and 
wherein sending the packet to the scrubber instead of the IP address associated with the green address includes sending the packet via the yellow path instead of via the green path provided to the green address (St. Pierre, Fig. 4, discloses where a packet is determined not to be directed to a first URL; In step 416, the method determines that the request is not directed to a second URL and sends the packet to step 420 to perform DPI processing (yellow path to the DPI).
The motivation to combine is similar to that of claim 1.

Regarding claim 9, Shapira, St. Pierre and Dukes disclose the method of claim 1, disclose further including  causing the selected green address to be treated as a yellow address so that a packet using the selected green address is transmitted to the scrubber (Shapira [0022-0023] discloses the DDoS protection module 140 owns a range of IP addresses. The DDoS protection module 140 allocates 202 a dedicated IP address from within that range. The protected server advertises 206 the dedicated IP address as its address to the world using domain name system (DNS). Thus, an end user 120 that identifies the protected server by NAME would use the dedicated IP address for communicating with the protected server.).
 The motivation to combine is similar to that of claim 1.

Regarding clam 11, Shapira discloses a router for routing received packets (Shapira [0044] A GRE tunnel can serve more than one protected IP address in some embodiments, for example in case the customer router is serving two different IP addresses, which are protected by two unique private IP addresses, a single GRE tunnel for these two different IP addresses can be used).
The rest of the limitations of claim 11 are rejected with the same rational as claim 1. 
Regarding claim 12, Shapira, St. Pierre and Dukes disclose the method of claim 11, wherein when the determination as the function of the DPI is that the packet is authenticated, the method further comprises redirecting the client identified by a source address in the packet to a green address of the one or more green addresses (Dukes, fig. 3, Col. 9, line 57- Col. 10, line 11, discloses upon determining that a particular packet flow does not require additional processing, such as determining that the packet flow does not pose a threat, DPI module 73 may issue commands 65 to dynamically configure flow control unit 57 of data plane 52 to direct subsequent packets of the packet flow along fast path 91, thereby bypassing DPI module 73).
The motivation to combine is similar to that of claim 1.

Regarding claim 13, Shapira, St. Pierre and Dukes disclose the method of claim 12, wherein when the determination as the function of the DPI is that the packet is illegitimate, the method further comprises dropping or quarantining the packet (Shapira [0034] discloses that the scrubbing center 140 receives and processes the incoming network packet traffic (incoming network packet includes source and destination address) to filter out illegitimate traffic (for example, a DDoS attack type of traffic – filtering out non green addresses/filtering out destination addresses that do not match the allocated green addresses). The scrubbing center 140 nearest the end user 120 determines 405 whether the incoming network packet is legitimate. Traffic that is considered illegitimate or malicious is dropped 407 by the scrubbing center 140 and thus never reaches the protected network 160. St. Pierre, Fig. 4 also discloses dropping a packet in step 410 after if it is determined in step 408 that the source address is a blacklist address).
The motivation to combine is similar to that of claim 1.

As to claim 14, the claim is rejected under the same rational as the rejection of claim 3. 

Regarding claim 15, Shapira, St. Pierre and Dukes disclose the method of claim 11, further comprising receiving the one or more green addresses from the router (Shapira  [0044] discloses a GRE tunnel can serve more than one protected IP address in some embodiments, for example in case the customer router is serving two different IP addresses, which are protected by two unique private IP addresses, a single GRE (single green address from the router is provided for routing and communication) tunnel for these two different IP addresses can be used).
The motivation to combine is similar to that of claim 1.

Regarding claim 18, Shapira discloses a router for monitoring network traffic for a protected network using a block of internet protocol (IP) addresses the router comprising (Shapira, [0007] discloses a DDoS protection module provides network layer DDoS protection for a single IP address using a simple yet completely redundant infrastructure. The DDoS protection module establishes traffic absorption and classification scrubbing centers (containing a number of components such as routing servers, scrubbing servers, proxy servers, switches, routers, and more). A single, virtual GRE tunnel is established between the DDoS protection module and the target network using a dedicated IP address of the target network that is kept secret between the DDoS protection module and the protected network):
a memory configured to store instructions (Shapira [0046] discloses any of the devices or systems described herein can be implemented by one or more computing devices. A computing device can include a processor, a memory, a storage device, an I/O interface, and a communication interface, which may be communicatively coupled by way of communication infrastructure),
a processor disposed in communication with the memory, wherein the processor, upon execution of the instructions is configured to (Shapira [0046] discloses any of the devices or systems described herein can be implemented by one or more computing devices. A computing device can include a processor, a memory, a storage device, an I/O interface, and a communication interface, which may be communicatively coupled by way of communication infrastructure):
The rest of the limitations of claim 18 are rejected with the same rational as the rejection of claim 1.

Regarding claim 19, Shapira,  St. Pierre and Dukes disclose the router of claim 18, wherein sending the packet to the scrubber further includes sending the packet to be dropped or quarantined based on a determination by the deep packet inspection that the source address or packet is illegitimate (Shapira [0034] The scrubbing center 140 receives and processes the incoming network packet traffic to filter out illegitimate traffic (for example, a DDoS attack type of traffic). The scrubbing center 140 nearest the end user 120 determines 405 whether the incoming network packet is legitimate. Traffic that is considered illegitimate or malicious is dropped 407 by the scrubbing center 140 and thus never reaches the protected network 160).
The motivation to combine is similar to that of claim 18.

As to claim 20, the claim is rejected with the same rational as the rejection of claim 3.

As to claim 26, the claim is rejected with the same rational as the rejection of claim 9. 

Regarding claim 28, Shapira discloses a scrubber for monitoring network traffic for a protected network using a block of internet protocol (IP) addresses, that includes an IP address for the server (Shapira, Fig. 2, [0022] discloses protected servers of an organization's network infrastructure 160, includes a DDoS protection module 140 which allocates 202 a dedicated IP address from within that range. The protected server further obtains 204 an IP address from an Internet Service Provider (ISP) that is kept secret between the DDoS protection module 140 and the protected server):
a memory configured to store instructions (Shapira [0046] discloses any of the devices or systems described herein can be implemented by one or more computing devices. A computing device can include a processor, a memory, a storage device, an I/O interface, and a communication interface, which may be communicatively coupled by way of communication infrastructure);
a processor disposed in communication with the memory, wherein the processor, upon execution of the instructions is configured to (Shapira [0046] discloses any of the devices or systems described herein can be implemented by one or more computing devices. A computing device can include a processor, a memory, a storage device, an I/O interface, and a communication interface, which may be communicatively coupled by way of communication infrastructure).
As to the rest of the limitations, the limitations are rejected with the same rational as the rejection of claim 1. 

As to claim 29, the claim is rejected with the same rational as the rejection of claim 3.

As to claim 30, the claim is rejected with the same rational as the rejection of claim 2.

As to claim 31, the claim is rejected with the same rational as the rejection of claim 3.

As to claim 32, the claim is rejected with the same rational as the rejection of claim 15.


Claim(s) 10,17,27 and 34 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shapira et al. (US 2017/0366577 A1), in view of St. Pierre (US 2018/0091547 A1), Dukes et al. (US 9,252,972 B1), further in view Hajduczenia (US 2019/0288984 A1). 

Regarding claim 10, Shapira, St. Pierre and Dukes did not explicitly disclose the method of claim 1, wherein the packets received use IPv6.
 Hajduczenia discloses where the packets are received use IPv6 (Hajduczenia, Fig. 2, [0034], discloses customer networks, which may comprise various types of enterprise networks 202, are often connected to a public Internet 204 across an IP interface 206, such as, for example, Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6), depending on customer needs and capabilities of their Internet service provider (ISP). This IP interface 206 is exposed to the whole public Internet 204, announced typically through IP block aggregation via the ISP, and accessible to various types of services in a bidirectional fashion).
One of ordinary skill in the art would have been motivated to combine Shapira, St. Pierre, Dukes and Hajduczenia because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of Hajduczenia in Shapira, St. Pierre and Dukes as doing such would enable a controller to synchronize state information among data centers and to control ingress and egress data traffic for each of the data centers, Hajduczenia, [Abstract].

As to claim 17, the claim is rejected with the same rational as the rejection of claim 10.

As to claim 27, the claim is rejected with the same rational as the rejection of claim 10. 

As to claim 34, the claim is rejected with the same rational as the rejection of claim 10.

Claim(s) 4-5, 8, 16, 21-25 and 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shapira et al. (US 2017/0366577 A1), in view of St. Pierre (US 2018/0091547 A1), Dukes et al. (US 9,252,972 B1), further in view of De Lutiis et al. (US 2011/0019547 A1).

Regarding claim 4, Shapira, St. Pierre and Dukes disclose the method of claim 1, but did not explicitly disclose further comprising selecting a new green address, including: selecting a new random IP address from the block of IP addresses to be a new green address of the one or more green addresses and associating the new green address with the IP addresses of the server.
De Lutiis discloses selecting a new green address, including: 
selecting a new random IP address from the block of IP addresses to be a new green address of the one or more green addresses (De Lutiis [0039] discloses the creation of a new mapping between the public network address and the real network address of the server is dynamic in the sense that it is triggered by an event that generates an alert condition; [0110] The first association pair (IPold--IPreal) is either cancelled or blocked in the intermediate unit and a new association pair is created (second public IP address, IPnew--IPreal). This new mapping is used by NAT: NAT re-writes the destination address of the IP packets as they pass through the intermediate unit 20''. The intermediate unit 20'' thus perform an IP dynamic hiding (randomly selecting new one or more green addresses), in which the real server IP address is always hidden and associated with different public IP addresses, in dependence on the presence of a traffic anomaly, i.e., of an event); and 
associating the new green address with the IP addresses of the server (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected, a new association between a second (new) public network address and the private network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence (associating the new green address with the IP addresses of the server) between it and the private network address is formed).
One of ordinary skill would have been motivated to combine Shapira, St. Pierre, Dukes and De Lutiis because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of De Lutiis in the combination of Shapira, St. Pierre and Dukes as doing such would enable the association between a second (new) public network address and the private network address (which remains unchanged) of the server, where the new public network address is used by an intermediate unit and a new correspondence between it and the private network address is formed protecting the actual address of the protected server when a malicious attack is suspected, De Lutiis, [0033].

Regarding claim 5, Shapira, St. Pierre, Dukes and De Lutiis disclose the method of claim 4, wherein selecting the new green address is performed periodically after a first time interval or in response to a first trigger event (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected (first trigger event), a new association between a second (new) public network address and the private network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence (associating the new green address with the IP addresses of the server) between it and the private network address is formed).
The motivation to combine is similar to that of claim 4.

Regarding claim 8, Shapira, St. Pierre and Dukes disclose the method of claim 1, but did not explicitly disclose wherein selecting the one or more green addresses includes randomly selecting the one or more green addresses.
De Lutiis discloses wherein selecting the one or more green addresses includes randomly selecting the one or more green addresses (De Lutiis [0039] discloses the creation of a new mapping between the public network address and the real network address of the server is dynamic in the sense that it is triggered by an event that generates an alert condition; [0110] The first association pair (IPold--IPreal) is either cancelled or blocked in the intermediate unit and a new association pair is created (second public IP address, IPnew--IPreal). This new mapping is used by NAT: NAT re-writes the destination address of the IP packets as they pass through the intermediate unit 20''. The intermediate unit 20'' thus perform an IP dynamic hiding (randomly selecting new one or more green addresses), in which the real server IP address is always hidden and associated with different public IP addresses, in dependence on the presence of a traffic anomaly, i.e., of an event).
The motivation to combine is similar to that of claim 4.

As to claim 16, the claim is rejected with the same rational as the rejection of claim 8.

Regarding claim 21, Shapira, St. Pierre and Dukes disclose the router of claim 18, but did not explicitly disclose wherein the processor upon execution of the instructions is further configured to select a new green address, selecting the new green address comprising; selecting a new random IP address from the block of IP addresses to be a new green address of the one or more green addresses; and associating the new green address with the IP address of the server. 
De Lutiis discloses wherein the processor upon execution of the instructions is further configured to select a new green address, selecting the new green address comprising (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected, a new association between a second (new) public network address (New green address/path) and the private (real/actual address of the server) network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence between it and the private network address is formed):
selecting a new random IP address from the block of IP addresses to be a new green address of the one or more green addresses (De Lutiis [0039] discloses the creation of a new mapping between the public network address and the real network address of the server is dynamic in the sense that it is triggered by an event that generates an alert condition; [0110] The first association pair (IPold--IPreal) is either cancelled or blocked in the intermediate unit and a new association pair is created (second public IP address, IPnew--IPreal). This new mapping is used by NAT: NAT re-writes the destination address of the IP packets as they pass through the intermediate unit 20''. The intermediate unit 20'' thus perform an IP dynamic hiding (randomly selecting new one or more green addresses), in which the real server IP address is always hidden and associated with different public IP addresses, in dependence on the presence of a traffic anomaly, i.e., of an event); and 
associating the new green address with the IP address of the server (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected, a new association between a second (new) public network address and the private network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence (associating the new green address with the IP addresses of the server) between it and the private network address is formed).
One of ordinary skill would have been motivated to combine Shapira, St. Pierre, Dukes and De Lutiis because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of De Lutiis in the combination of Shapira, St. Pierre  and Dukes as doing such would enable the association between a second (new) public network address and the private network address (which remains unchanged) of the server, where the new public network address is used by an intermediate unit and a new correspondence between it and the private network address is formed protecting the actual address of the protected server when a malicious attack is suspected, De Lutiis, [0033].
 
Regarding claim 22, Shapira, St. Pierre, Dukes and De Lutiis disclose router of claim 21, wherein selecting the new green address is performed periodically after a first time interval or in response to a first trigger event (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected (first trigger event), a new association between a second (new) public network address and the private network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence (associating the new green address with the IP addresses of the server) between it and the private network address is formed).
The motivation to combine is similar to that of claim 21.

Regarding claim 23, Shapira, St. Pierre, Dukes and De Lutiis disclose router of claim 22, disclose wherein after a second time interval or in response to a second trigger event, the processor upon execution of the instructions is further configured to, instead of sending the packet to the IP address associated with the green address, send the packet to the scrubber (De Lutiis [0033] discloses that in case of alert, in which a malicious attack Is suspected (first trigger event), a new association between a second (new) public network address and the private network address (which remains unchanged) of the server is created. In other words, a new public network address is used by the intermediate unit and a new correspondence (associating the new green address with the IP addresses of the server) between it and the private network address is formed).
The motivation to combine is similar to that of claim 22.

Regarding claim 24, Shapira, St. Pierre, Dukes and De Lutiis disclose router of claim 23, wherein the processor upon execution of the Instructions is further configured to, associate a green path with each selected green address and a yellow path with each yellow address (St. Pierre, Fig. 4, discloses the steps (green path associated with green addresses) of 404 and 406 are performed when it is determined that the request includes a whitelisted address);
the green path providing a route from the router to the IP address associated with the green address (St. Pierre, Fig. 4, discloses the steps 404 and 406 (green path associated with green addresses) are performed when it is determined that the request includes a whitelisted address);
the yellow path providing a route from the router to the scrubber (St. Pierre, Fig. 4, discloses the steps 408 and 410 (yellow path associated with yellow addresses) are performed when it is determined that the request includes a whitelisted address); and 
wherein sending the packet to the scrubber instead of the IP address associated with the green address includes sending the packet via the yellow path instead of via the green path provided to the green address (St. Pierre, Fig. 4, discloses where a packet is determined not to be directed to a first URL; In step 416, the method determines that the request is not directed to a second URL and sends the packet to step 420 to perform DPI processing (yellow path to the DPI).
The motivation to combine is similar to that of claim 23.

Regarding claim 25, Shapira, St. Pierre and Dukes disclose the router of claim 18, but did not explicitly disclose wherein selecting the one or more green addresses includes randomly selecting the one or more green addresses.
De Lutiis discloses wherein selecting the one or more green addresses includes randomly selecting the one or more green addresses (De Lutiis [0039] discloses the creation of a new mapping between the public network address and the real network address of the server is dynamic in the sense that it is triggered by an event that generates an alert condition; [0110] The first association pair (IPold--IPreal) is either cancelled or blocked in the intermediate unit and a new association pair is created (second public IP address, IPnew--IPreal). This new mapping is used by NAT: NAT re-writes the destination address of the IP packets as they pass through the intermediate unit 20''. The intermediate unit 20'' thus perform an IP dynamic hiding (randomly selecting new one or more green addresses), in which the real server IP address is always hidden and associated with different public IP addresses, in dependence on the presence of a traffic anomaly, i.e., of an event).
Shapira, St. Pierre, Dukes and De Lutiis are analogous because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of De Lutiis in the combination of Shapira, St. Pierre and Dukes as doing such would enable the association between a second (new) public network address and the private network address (which remains unchanged) of the server, where the new public network address is used by an intermediate unit and a new correspondence between it and the private network address is formed protecting the actual address of the protected server when a malicious attack is suspected, De Lutiis, [0033].

Regarding claim 33, Shapira,  St. Pierre and Dukes disclose scrubber of claim 28, but did not explicitly disclose wherein the green addresses are randomly selected. 
De Lutiis discloses wherein the green addresses are randomly selected (De Lutiis [0039] discloses the creation of a new mapping between the public network address and the real network address of the server is dynamic in the sense that it is triggered by an event that generates an alert condition; [0110] The first association pair (IPold--IPreal) is either cancelled or blocked in the intermediate unit and a new association pair is created (second public IP address, IPnew--IPreal). This new mapping is used by NAT: NAT re-writes the destination address of the IP packets as they pass through the intermediate unit 20''. The intermediate unit 20'' thus perform an IP dynamic hiding (randomly selecting new one or more green addresses), in which the real server IP address is always hidden and associated with different public IP addresses, in dependence on the presence of a traffic anomaly, i.e., of an event).
Shapira, Dukes and De Lutiis are analogous because these teachings are from the same field of endeavor with respect to identifying and preventing unauthorized access to protected resources.
Therefore before the effective filing date of the invention, it would have been obvious to a person of ordinary skill to incorporate the teachings of De Lutiis in the combination of Shapira, St. Pierre and Dukes as doing such would enable the association between a second (new) public network address and the private network address (which remains unchanged) of the server, where the new public network address is used by an intermediate unit and a new correspondence between it and the private network address is formed protecting the actual address of the protected server when a malicious attack is suspected, De Lutiis, [0033].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following publications show the state of the art related to the use of a public address to obscure the actual IP address of a secured device to control access and prevent attacking from reaching the secured device.
Ishikawa (US 2001/0039623 A1).
Gray, II et al. (US 2010/0218254 A1)
Baldonado et al. (US 2016/0164896 A1)
Gurvich et al. al. (US 2017/0339186 A1)
Hu et al. (US 2018/0020016 A1)
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIXON F DABIPI whose telephone number is (571)270-3673. The examiner can normally be reached 8:30 -5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher L Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D.F.D/Examiner, Art Unit 2451                                                                                                                                                                                                        
/Chris Parry/Supervisory Patent Examiner, Art Unit 2451