DETAILED ACTION
This Notice and Reasons for Allowance is in response to applicants’ request for continued examination filed on 04/01/2022.  Claims 1, 4, 8, 11, 15, and 18 have been amended.  Claims 1-20 are currently pending and have been considered as follows.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicants’ submission filed on 04/01/2022 has been entered.
The text of those sections of Title 35 U.S. Code not included in this section can be found in the prior office action.
The prior office actions are incorporated herein by reference, in particular the observations with respect to claim language and the response to previously presented arguments.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/19/2022 has been placed in the application file, and the information referred therein has been considered as to the merits.
Terminal Disclaimer
The terminal disclaimer filed on 08/17/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of U.S. Patent Number 10,587,638 B2 has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Allowable Subject Matter
Claims 1-20 are allowed.
Examiner’s Statement for Reasons of Allowance
The following is an examiner’s statement of reasons for allowance:
In interpreting the currently amended claims in light of the specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of record.
Independent Claims 1, 8, and 15 are allowed in view of applicants’ amendment and remarks filed 02/22/2022 and the terminal disclaimer approved on 08/18/2021.  The 35 U.S.C. 112(b) rejection of Claims 4, 11, and 18 is withdrawn.  Claims 2-7, 9-14, and 16-20 depend upon respective independent claims above and are allowed by virtue of their dependencies.
Although the closest prior art found, Holloway et al. (US 8613089 B1), taught “A method and apparatus for denial-of-service (DoS) detection and mitigation in a cloud-based proxy service is described. In one embodiment, the cloud-based proxy service is available as a service over the Internet and does not require customers (e.g., domain owners and/or personnel working on behalf of domain owners) to install additional hardware or software in order to support the service” [column 2 lines 51-57]; “the service assigns visitors a threat score. The threat score may depend on ratings from different domain owners of the service and/or based on properties or actions of the visitors. For example, the service may detect that an IP address belongs to a client device that appears to be infected with a virus; an IP address belongs to a client device that appears to be an automated crawler that does not appear to follow robots.txt and other rules; an IP address belongs to a client device that appears to be an email harvester that harvests emails from websites; an IP address that has been seen posting comment/blog spam, and/or an IP address that has been seen attempting known exploits” [column 25 lines 44-55],
None of the prior art of record teaches individually or in combination the particular limitations listed below [emphasis added] as recited in applicants’ independent Claims:
[Claim 1] “comparing one or more request metrics for a plurality of requests to one or more previously determined request metrics to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics, wherein the identification is based on a high disparity in computational resources employed to provide responses correlated to one or more of the plurality of requests”;
[Claim 8] “comparing one or more request metrics for a plurality of requests to one or more previously determined request metrics to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics, wherein the identification is based on a high disparity in computational resources employed to provide responses correlated to one or more of the plurality of requests”;
[Claim 15] “comparing one or more request metrics for a plurality of requests to one or more previously determined request metrics to identify each client associated with at least one request metric that is non-equivalent to the one or more previously determined request metrics, wherein the identification is based on a high disparity in computational resources employed to provide responses correlated to one or more of the plurality of requests”.
The closest prior art of record consisted of the following references.
Banerjee et al. (US 20020184362 A1) disclosed a system and method for extending server security based on source IP addresses. When the server receives a packet request, it determines if the request is legitimate or a malicious attempt to cause denial of service. The determination is made by a server background IP packet monitor that looks up the amount of packets previously requested by the same source IP address in a given time interval. If the packet request is legitimate, the server processes the request and sends a response to the client. If the server background IP packet monitor determines that the packet request was from a malicious client, a predetermined action is taken. The action can be notifying the system administrator or denying the packet request and not sending a response.
Fulton et al. (US 20050262237 A1) disclosed a method for a service monitor of a computing environment that includes monitoring application network transactions and behaviors for the computing environment, the computing environment including client subnets accessing servers, the monitoring independent of client site monitors; decomposing the monitored transactions and behaviors into network, server and application quality components; using the components to identify services, servers and client subnets as associated with a quality issue; and implementing an active investigation on the services, servers and client subnets to gather statistical data to assist root cause analysis independent of a network monitoring interruption. The quality issue might be a performance issue, such as excessive response times, excessive loss rates, or small transfer rates. The quality issue might be an availability issue, such as an unreachable network node or a missing web page. The service monitor includes an event detection module configured to decompose the monitored transactions and behaviors into network, server and application quality components and to use the components to identify services, servers and client subnets as being associated with a quality issue. The monitor also includes active investigation modules networked to gather statistical data according to criteria to assist root cause analysis without monitoring interruption.
Peracha (US 20090271511 A1) disclosed calculating baseline deviation for one or more transactions based on past data having the same context as current data being examined. The performance data is generated in response to monitoring one or more applications that perform transactions during a time period. The performance data may include transaction metric data and the context data describing conditions under which one or more transactions were performed. A baseline is determined by predicting current or recent transaction performance data values using past transaction performance data associated with the same context. Based on the comparison of the actual and predicted data with the same or similar context, a deviation from the baseline value is determined for the transaction and reported, for example to a user through an interface.
Burns et al. (US 20100281539 A1) disclosed determining whether a network session originates from an automated software agent. In one example, a network device, such as a router, includes a network interface to receive packets of a network session, a bot detection module to calculate a plurality of scores for network session data based on a plurality of metrics, wherein each of the metrics corresponds to a characteristic of a network session originated by an automated software agent, to produce an aggregate score from an aggregate of the plurality of scores, and to determine that the network session is originated by an automated software agent when the aggregate score exceeds a threshold, and an attack detection module to perform a programmed response when the network session is determined to be originated by an automated software agent. Each score represents a likelihood that the network session is originated by an automated software agent.
Gyorffy (US 20120159267 A1) disclosed a distributed system including a timer for timing a request time duration substantially including a period of time that the client device is waiting for results to be received via a network from a server in response to a request sent by the client device. A network interface may receive a value of a service time duration from the server. The service time duration may correspond to time that the server spent servicing the request. A processor may subtract the service time duration from the request time duration to thereby calculate a difference time duration, and automatically control the network interface to issue one or more alert messages to a network operation center (NOC) via the network when the difference time duration is greater than a difference time threshold. The difference time threshold may be determined according to a type of the request.
Backholm et al. (US 20140177497 A1) disclosed a method, which can be implemented on a system, allows a network component (e.g., the policy and charging rules function in a UMTS network) to determine whether a mobile device is idle or active. Based on this determination, the network component may modify the behavior of a network element (e.g., a base station, eNode B or Node B) in relation to promotion or demotion of the mobile device's radio state. In some embodiments, the disclosed system can include a client side component on the mobile device which can determine criteria to be used by the network component to govern and optimize changes in mobile device radio state in a manner that conserves device and network resources.
Kwan et al. (US 20150039749 A1) disclosed a method of detecting anomalies in network traffic. The method includes: receiving a plurality of accounting reports from an application assurance device, the accounting reports indicating a metric of network performance; aggregating the metric from a plurality of accounting reports to determine a plurality of aggregated metrics corresponding to a plurality of intervals; storing the aggregated metrics in a database in association with the corresponding plurality of intervals; determining a rolling baseline for a current time period based on metrics of intervals corresponding to a primary partition and a sub-partition; comparing a metric for a current time period to the rolling baseline; and determining that an anomaly is occurring if the metric for the current time period differs from the rolling baseline by more than a pre-defined threshold.
BEN SIMHON et al. (US 20160147583 A1) disclosed a normal behavior characterization module configured to receive values for a first metric of a plurality of metrics and generate a baseline profile indicating normal behavior of the first metric based on the received values. The system also includes an anomaly identification module configured to identify an anomaly in response to present values of the metric deviating outside the baseline profile. The system also includes an anomaly behavior characterization module configured to analyze a plurality of prior anomalies identified by the anomaly identification module and develop a model of the anomalies of the first metric. The system also includes an anomaly scoring module configured to determine a first score for a present anomaly detected by the anomaly identification module for the first metric. The first score is based on characteristics of the present anomaly and the model of the anomalies of the first metric.
However, the prior art of record, taken by itself or in any combination, does not anticipate or make obvious the invention of the present application and in particular the claim features listed above.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Beckett et al., (“New sensing technique for detecting application layer DDoS attacks targeting back-end database resources”, May 2017, IEEE International Conference on Communication, pp. 1-7).
Martin et al. (US 20080225740 A1) 
DUFFIELD et al. (US 20110122792 A1)
Marck et al. (US 20130291107 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/Primary Examiner, Art Unit 2438

05.06.2022