DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The specification is objected to as failing to provide proper antecedent basis for the claimed subject matter.  See 37 CFR 1.75(d)(1) and MPEP § 608.01(o).  Correction of the following is required:
Regarding claim 3, lines 4-5—“if response to the ping is received it is determined that the client device is not present in the private network,” the specification does not provide proper antecedent basis.  The specification, however, does disclose “if response to the second ping is not received it is determined that the client device is not present in the private network” (emphasis added) at paragraph 25 and similarly at paragraph 40 and Figure 2, el. 214.  
Claims 13 and 19 include similar limitations and are similarly analyzed.
This objection may also be resolved by amending the claims to state --if response to the ping is not received it is determined that the client device is not present in the private network--, for example.
See also MPEP 2164:  “Furthermore, when the limitation is not described in the specification portion of the application as filed but is in the claims, the limitation in and of itself may enable one skilled in the art to make and use the claimed invention. When claimed subject matter is only presented in the claims and not in the specification portion of the application, the specification should be objected to for lacking the requisite support for the claimed subject matter using form paragraph 7.44.” (emphasis added).

Examiner Notes
The following is the examiner’s interpretation and/or suggestions for portions of the claims:
Regarding claim 2, the claim states:  “determining whether one or more private network clients is missing from the private network or was unsuccessfully ARP spoofed by pinging the private network clients from the private network device using the private network device's own IP address” (emphasis added).  It is unclear as to whether the determination of whether the one or more clients is missing is intended to also be performed by the pinging process using the private network device's own IP address.  Accordingly, the examiner interprets the claim to include the determination of whether the one or more clients is missing is not performed by the pinging process using the private network device's own IP address.
Claims 12 and 19 include similar language and are similarly analyzed.

Regarding claims 1 and 3:  claim 1 states:  “identifying the one or more private network clients as successfully spoofed if a ping response is received” (emphasis added) and
claim 3 states:  “wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network” (emphasis added).
In this case, the “if” limitations are contingent limitations.
See MPEP 2111.04 (II): “The broadest reasonable interpretation of a method (or process) claim having contingent limitations requires only those steps that must be performed and does not include steps that are not required to be performed because the condition(s) precedent are not met. For example, assume a method claim requires step A if a first condition happens and step B if a second condition happens. If the claimed invention may be practiced without either the first or second condition happening, then neither step A or B is required by the broadest reasonable interpretation of the claim. If the claimed invention requires the first condition to occur, then the broadest reasonable interpretation of the claim requires step A. If the claimed invention requires both the first and second conditions to occur, then the broadest reasonable interpretation of the claim requires both steps A and B.”
Therefore, in claim 1, if the ping response is not received, then the corresponding step would not be performed and, in claim 3, if the ping response associated with the ping that includes the private network device’s own source IP address or the second recitation of the ping response is not received then the respective steps would not be performed.
Claim 9 includes a similar “if” limitation and is similarly analyzed.
Claim 19 includes similar limitations and is similarly analyzed.

Regarding claim 9, the claim states:  “notifying a user if ARP spoofing for one or more private network client devices is determined to be unsuccessful”.  It is unclear as to whether the claim intends that the ARP spoofing process itself was unsuccessful or if the spoofing was unsuccessful because it failed to prevent malware.  The examiner suggests clarifying the limitation.
Claim 17 includes similar language and is similarly analyzed.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
“a security device configured to protect” in claim 5;
“a malware protection module operable…to detect…and take one or more actions” in claim 11;
“an Address Resolution Protocol (ARP) spoofing module operable to insert” in claim 11;
“the ARP spoofing module…operable to determine” in claim 12; 
“the ARP spoofing module…operable to notify” in claim 17; and
“the ARP spoofing module…operable to increase” in claim 18.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
In this case, the specification provides sufficient corresponding structure for each of the “security device,” “malware protection module,” and “ARP spoofing module”.  See paragraph 28 of the specification:  “network protection module includes a malware protection module 124…as well as ARP spoofing module 126” and paragraph 43 of the specification:  “network security device 300 includes one or more processors 302, memory 304…and one or more storage devices 312…network protection module 322 are also stored on storage device 312, and are executable by network security device 300”.

Claim Objections
Claims 1, 11, and 19 are objected to because of the following informalities:  
Regarding claim 1, line 6—“IP address,” the abbreviation should be written out for at least the first recitation in the respective claim set.
Claims 11 and 19 include similar limitations and are similarly analyzed.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Regarding claim 1, lines 5-6—“one or more of the private network clients,” it is unclear as to whether the clients are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client” to the “one or more private network clients” in lines 3-4.  The examiner suggests amending the limitations to clarify.

Regarding claim 2, line 2—“one or more of the private network clients” and line 3—“the private network clients,” it is unclear as to whether the clients are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client” to the “one or more private network clients” in claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 3, line 3—“a private network client device,” line 4—“the ping,” and line 5—“the client device,” it is unclear as to whether the client devices are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  Additionally, it is unclear as to whether the “ping” in line 4 is referring to the ping in claim 1, the “pinging” in claim 2, or the ping in claim 3.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client device”  or “client device” to the “one or more private network clients” in claim 1 and “the ping” to the ping of claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 5, line 3—“the one or more private network client devices,” it is unclear as to whether the client devices are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client device” to the “one or more private network clients” in claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 6, line 3—“the one or more private network client devices,” it is unclear as to whether the client devices are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client device” to the “one or more private network clients” in claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 9, lines 2-3—“one or more private network client devices,” it is unclear as to whether the client devices are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client device” to the “one or more private network clients” in claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 10, lines 3-4—“one or more private network client devices,” it is unclear as to whether the client devices are referring to the previous “one or more private network clients” in claim 1 or are separate clients.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client device” to the “one or more private network clients” in claim 1.  The examiner suggests amending the limitations to clarify.

Regarding claim 11 recites the limitation "the one or more private network clients" in 7.  There is insufficient antecedent basis for this limitation in the claim.  For purposes of examination, the examiner shall equate “the one or more private network clients” with “the one or more private network devices”. The examiner suggests amending the limitations to clarify.

Regarding claim 11, line 8—“the private network device,” lines 8-9—“one or more of the private network clients,” and lines 9-10—“the one or more private network clients,” it is unclear as to whether the private network device is referring to the previous “network security device,” in line 1 of claim 11, “one or more private network devices” in line 4 of claim 11, or “the one or more private network clients” in line 7 of claim 11.  Additionally, it is unclear as to whether the “one or more of the private network clients” and “the one or more private network clients” are referring to the “one or more private network devices”.  For purposes of examination, the examiner shall equate “the private network device” with the “network security device” and “one or more private network clients” and “the one or more private network clients” with “the one or more private network devices”.  The examiner suggests amending the limitations to clarify.

Regarding claim 12, line 2—“one or more private network clients,” and line 3—“the private network clients,” and lines 3-4—“the private network device,” it is unclear as to whether the “one or more private network clients” and “the private network clients” are referring to the “one or more private network devices”.  Additionally, it is unclear as to whether the private network device is referring to the previous “network security device,” in claim 11, “one or more private network devices” in claim 11, or “the one or more private network clients” in claim 11.  For purposes of examination, the examiner shall equate “the private network device” with the “network security device” and “one or more private network clients” and “the private network clients” with “the one or more private network devices” of claim 11.  The examiner suggests amending the limitations to clarify.

Regarding claim 13, lines 1-2—“the private network device,” lines 2-3—“a private network client device,” and line 4—“the client device,” it is unclear as to whether “a private network client device” and “the client device” are referring to the “one or more private network devices”.  Additionally, it is unclear as to whether the private network device is referring to the previous “network security device,” in claim 11, “one or more private network devices” in claim 11, or “the one or more private network clients” in claim 11.  For purposes of examination, the examiner shall equate “the private network device” with the “network security device” and “a private network client device” and “the client device” with “the one or more private network devices” of claim 11.  The examiner suggests amending the limitations to clarify.

Regarding claim 14, line 2—“the one or more private network client devices,” it is unclear as to whether the “the one or more private network client devices” are referring to the “one or more private network devices”.  For purposes of examination, the examiner shall equate “the one or more private network client devices” with “the one or more private network devices” of claim 11.  The examiner suggests amending the limitations to clarify.

Regarding claim 17, line 2—“one or more private network client devices,” it is unclear as to whether the “one or more private network client devices” are referring to the “one or more private network devices”.  For purposes of examination, the examiner shall equate “one or more private network client devices” with “the one or more private network devices” of claim 11.  The examiner suggests amending the limitations to clarify.

Regarding claim 18, lines 3-4—“one or more private network client devices,” it is unclear as to whether the “one or more private network client devices” are referring to the “one or more private network devices”.  For purposes of examination, the examiner shall equate “one or more private network client devices” with “the one or more private network devices” of claim 11.  The examiner suggests amending the limitations to clarify.

Regarding claim 19, line 5—“one or more of the private network clients,” line 9—“one or more of the private network clients,” line 10—“the private network clients,” line 13—“a private network client device,” line 14—“the ping,” and line 14—“client device” it is unclear as to whether the clients and client device are referring to the previous “one or more private network clients” in lines 3-4 or are separate clients.  Additionally, it is unclear as to whether the “ping” in line 14 is referring to the ping in line 5, the “pinging” in line 10, or the ping in line 12.  For purposes of examination, the examiner shall equate all recitations referring to at least one “private network client” or “client device” to the “one or more private network clients” in lines 3-4 and “the ping” to the ping of line 5.  The examiner suggests amending the limitations to clarify.

Claims 2-10 and 12-18 are additionally rejected for being dependent on at least one rejected base claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-12, and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Alpert et al. (US 10,257,295 B1) in view of Cao et al. (US 2013/0100824 A1).
Regarding claim 1, Alpert teaches a method of measuring Address Resolution Protocol (ARP) spoofing success for a private network device, comprising: 
inserting the private network device, i.e. an internet sensor (Fig. 1, el. 120), between a router or gateway, e.g., local network 105 may include a router, wherein the router may be a residential gateway (Col. 4, lines 61-65), and one or more private network clients, e.g., client devices and/or mobile devices (Fig. 1, el. 130, 160, 170), by using Address Resolution Protocol (ARP) spoofing, e.g., the internet sensor may periodically transmit unsolicited ART information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor-ARP spoofing- (Fig. 3, el. 300A; Col. 15, lines 1-21, 50-67); 
sending a ping from the private network device to one or more of the private network clients…, e.g., the internet sensor proactively sends packets such as ICMP pings to client devices (Col. 11, lines 23-53; Col. 20, lines 55-67); and 
identifying the one or more private network clients as successfully ARP spoofed if a ping response is received, e.g., determining that a client device is no longer present on the local network in response to not receiving a response to ICMP ping; continue to monitor for responses to the proactive monitoring from the internet sensor to the client devices using ICMP ping (Col. 11, lines 23-53; Col. 21, lines 4-34).
Alpert does not clearly teach sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway.
Cao teaches sending a ping from the private network device, e.g., an intermediate node that comprises router H and a packet capturing module (Fig. 3, el. 301), to one or more of the private network clients, e.g., Router E (Fig. 3), using the IP address of the router or gateway, e.g., router C (Fig. 3), e.g., a ping packet is created by router H and router H sends the ping packet to router E, wherein the source address of the ping packet is the IP address of router C (Para. 45); and
identifying the one or more private network clients as successfully…spoofed if a ping response is received, e.g. the intermediate node captures the ping reply packet from router E (Para. 47).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert to include sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway, using the known method of creating a ping packet with a source IP address of router C, sending the ping packet to router E, and capturing the ping reply packet from router E, as taught by Cao, in combination with the ARP spoofing system and pinging method of Alpert, for the purpose of locating a fault independently so that maintenance efficiency against a fault is improved and the data transmission quality is ensured (Cao-Para. 7).

Regarding claim 2, Alpert in view of Cao teaches further comprising determining whether one or more private network clients is missing from the private network or was unsuccessfully ARP spoofed by pinging the private network clients from the private network device using the private network device's own IP address, e.g., the internet sensor may determine the presence of client devices 130 and/or mobile devices 160, 170 on the local network 105 by performing proactive monitoring such as using an ICMP ping and if zero packets are observed during a defined threshold for a consecutive period of retries, an alert event is sent, wherein the alert event states that the device is no longer seen on the network (Alpert-Col. 11, lines 23-53).

Regarding claim 4, Alpert in view of Cao teaches wherein the method is repeated periodically to provide updated measurement of ARP spoofing success, e.g., monitoring responses to proactive monitoring such as the ICMP ping and should there be zero packets observed during a defined threshold observed after three 10-minute intervals, communicating an alert event (Alpert-Col. 11, lines 23-53); the internet sensor may periodically transmit unsolicited ARP information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor (Alpert-Col. 15, lines 13-21); the internet sensor may check the continuity and quality of the accessibility over a particular time period and a threshold connectivity level (Alpert-Col. 21, lines 24-27).

Regarding claim 5, Alpert in view of Cao teaches wherein the private network device is a security device configured to protect one or more of the private network client devices, e.g., the internet sensor may be an electronic device configured to monitor Internet activity of the client devices and/or mobile devices over the local network 105 (Alpert-Col. 4, lines 53-60).

Regarding claim 6, Alpert in view of Cao teaches wherein the method is repeated periodically to provide ongoing protection to the one or more private network client devices, e.g., monitoring responses to proactive monitoring such as the ICMP ping and should there be zero packets observed during a defined threshold observed after three 10-minute intervals, communicating an alert event (Alpert-Col. 11, lines 23-53); the internet sensor may periodically transmit unsolicited ARP information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor (Alpert-Col. 15, lines 13-21); the internet sensor may check the continuity and quality of the accessibility over a particular time period and a threshold connectivity level (Alpert-Col. 21, lines 24-27).

Regarding claim 7, Alpert in view of Cao teaches wherein the security device comprises one or more of a firewall, an anti-malware module, an Intrusion Detection System (IDS), and an Intrusion Protection System (IPS), e.g., the network abnormality detector may also identify an abnormality associated with the local network by determining that the Internet activity associated with the client device may be the result of malware (Alpert-Col. 22, line 57-Col. 23, line 4), wherein the abnormality detection techniques may be performed on the internet sensor (Alpert-Col. 23, line 65-Col. 24, line 6).

Regarding claim 8, Alpert in view of Cao teaches wherein the ping is an Internet Control Message Protocol (ICMP) ping, e.g., an ICMP ping (Alpert-Col. 11, lines 23-53).

Regarding claim 9, Alpert in view of Cao teaches further comprising notifying a user if ARP spoofing for one or more private network client devices is determined to be unsuccessful, e.g., if zero packets are observed during a defined threshold for a consecutive period of retries, an alert event is sent-notifying-, wherein the alert event states that the device is no longer seen on the network (Alpert-Col. 11, lines 23-53); the internet sensor may communicate an alert-notifying- to the cloud server 180 which may then notify the customer via e-mail, SMS, text messages, or push notification (Alpert-Col. 11, lines 38-53); sending a notification, such as an alert,-notifying- to a mobile device wherein the alert indicates that the internet security within the system has been breached-ARP spoofing is unsuccessful- in response to the internet sensor detecting abnormal activity over the local network (Alpert-Col. 13, line 65-Col. 14, line 12); the network abnormality detector may also identify an abnormality-ARP spoofing is unsuccessful- associated with the local network by determining that the Internet activity associated with the client device may be the result of malware (Alpert-Col. 22, line 57-Col. 23, line 4).

Regarding claim 10, Alpert in view of Cao teaches further comprising increasing a frequency of ARP packets sent as part of using Address Resolution Protocol (ARP) spoofing in response to determining that ARP spoofing for one or more private network client devices is unsuccessful, e.g., the default gateway MAC address for a new client device may be spoofed after initial discovery-ARP spoofing is unsuccessful- observing traffic from a new client device 308 for ARP packets and the internet sensor 304 may transmit a spoofed ARP packet identifying itself as the router-increasing the frequency of ARP packets sent- (Alpert-Col. 16, lines 11-35), wherein the internet sensor 304 may periodically transmit unsolicited ARP information to the discovered client devices (Alpert-Col. 15, lines 13-21).

Regarding claim 11, Alpert teaches a network security device, i.e. an internet sensor (Fig. 1, el. 120), comprising: 
a processor, e.g., a computer processor (Col. 25, line 41-Col. 26, line 9), and 
a memory, e.g., a machine-readable storage device (Col. 25, line 41-Col. 26, line 9); 
a malware protection module, e.g., a network abnormality detector (Fig. 10, el. 1040), wherein the abnormality detection techniques may be performed on the internet sensor (Col. 23, line 65-Col. 24, line 6), operable when executed on the processor to detect a threat to one or more private network devices and take one or more actions in response to detecting the threat, e.g., the internet sensor may communicate an alert-one or more actions- to the cloud server 180 which may then notify the customer via e-mail, SMS, text messages, or push notification (Col. 11, lines 38-53); sending a notification, such as an alert,-one or more actions- to a mobile device wherein the alert indicates that the internet security within the system has been breached-detecting a threat- in response to the internet sensor detecting abnormal activity over the local network (Col. 13, line 65-Col. 14, line 12); the network abnormality detector-malware protection module- may also identify an abnormality-detecting a threat- associated with the local network by determining that the Internet activity associated with the client device may be the result of malware (Col. 22, line 57-Col. 23, line 4); and 
an Address Resolution Protocol (ARP) spoofing module operable to insert the network security device between a router or gateway, e.g., local network 105 may include a router, wherein the router may be a residential gateway (Col. 4, lines 61-65), and the one or more private network clients by using ARP spoofing, e.g., the internet sensor may periodically transmit unsolicited ART information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor-ARP spoofing- (Fig. 3, el. 300A; Col. 15, lines 1-21, 50-67), wherein the systems, methods, and techniques may be implemented in digital electronic circuitry, such that the techniques may be implemented in one or more computer programs that are executable on a programmable system including at least one programmable processor (Col. 25, lines 41-57), including 
sending a ping from the private network device to one or more of the private network clients…, e.g., the internet sensor proactively sends packets such as ICMP pings to client devices (Col. 11, lines 23-53; Col. 20, lines 55-67), and 
identifying the one or more private network clients as successfully ARP spoofed if a ping response is received, e.g., determining that a client device is no longer present on the local network in response to not receiving a response to ICMP ping; continue to monitor for responses to the proactive monitoring from the internet sensor to the client devices using ICMP ping (Col. 11, lines 23-53; Col. 21, lines 4-34).
Alpert does not clearly teach sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway.
Cao teaches an Address…spoofing module operable, i.e. a creating unit (Fig. 7, el. 701), to insert the network security device, e.g., an intermediate node that comprises router H and a packet capturing module (Fig. 3, el. 301; Fig. 7), between a router or gateway, e.g., router C (Fig. 3), and the one or more private network clients, e.g., router E (Fig. 3), by using…spoofing, e.g., a ping packet is created by router H and router H sends the ping packet to router E, wherein the source address of the ping packet is the IP address of router C (Para. 45), including
sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway, e.g., a ping packet is created by router H and router H sends the ping packet to router E, wherein the source address of the ping packet is the IP address of router C (Para. 45); and
identifying the one or more private network clients as successfully…spoofed if a ping response is received, e.g. the intermediate node captures the ping reply packet from router E (Para. 47).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert to include an Address Resolution Protocol (ARP) spoofing module operable to insert the network security device between a router or gateway and the one or more private network clients by using ARP spoofing including sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway, using the known method of creating a ping packet with a source IP address of router C, sending the ping packet to router E, and capturing the ping reply packet from router E, as taught by Cao, in combination with the ARP spoofing system and pinging method of Alpert, for the purpose of locating a fault independently so that maintenance efficiency against a fault is improved and the data transmission quality is ensured, (Cao-Para. 7).

Regarding claim 12, Alpert in view of Cao teaches wherein the ARP spoofing module is further operable to determine whether one or more private network clients is missing from the private network or was unsuccessfully ARP spoofed by pinging the private network clients from the private network device using the private network device's own IP address, e.g., the internet sensor may determine the presence of client devices 130 and/or mobile devices 160, 170 on the local network 105 by performing proactive monitoring such as using an ICMP ping and if zero packets are observed during a defined threshold for a consecutive period of retries, an alert event is sent, wherein the alert event states that the device is no longer seen on the network (Alpert-Col. 11, lines 23-53).

Regarding claim 14, Alpert in view of Cao teaches wherein the ARP spoofing module operates periodically to provide ongoing protection to the one or more private network client devices, e.g., monitoring responses to proactive monitoring such as the ICMP ping and should there be zero packets observed during a defined threshold observed after three 10-minute intervals, communicating an alert event (Alpert-Col. 11, lines 23-53); the internet sensor may periodically transmit unsolicited ARP information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor (Alpert-Col. 15, lines 13-21); the internet sensor may check the continuity and quality of the accessibility over a particular time period and a threshold connectivity level (Alpert-Col. 21, lines 24-27).

Regarding claim 15, Alpert in view of Cao teaches wherein the network security device comprises one or more of a firewall, an anti-malware module, an Intrusion Detection System (IDS), and an Intrusion Protection System (IPS), e.g., the network abnormality detector may also identify an abnormality associated with the local network by determining that the Internet activity associated with the client device may be the result of malware (Alpert-Col. 22, line 57-Col. 23, line 4), wherein the abnormality detection techniques may be performed on the internet sensor (Alpert-Col. 23, line 65-Col. 24, line 6).

Regarding claim 16, Alpert in view of Cao teaches wherein the ping is an Internet Control Message Protocol (ICMP) ping, e.g., an ICMP ping (Alpert-Col. 11, lines 23-53).

Regarding claim 17, Alpert in view of Cao teaches wherein the ARP spoofing module is further operable to notify a user if ARP spoofing for one or more private network client devices is determined to be unsuccessful, e.g., if zero packets are observed during a defined threshold for a consecutive period of retries, an alert event is sent-notifying-, wherein the alert event states that the device is no longer seen on the network (Alpert-Col. 11, lines 23-53); the internet sensor may communicate an alert-notifying- to the cloud server 180 which may then notify the customer via e-mail, SMS, text messages, or push notification (Alpert-Col. 11, lines 38-53); sending a notification, such as an alert,-notifying- to a mobile device wherein the alert indicates that the internet security within the system has been breached-ARP spoofing is unsuccessful- in response to the internet sensor detecting abnormal activity over the local network (Alpert-Col. 13, line 65-Col. 14, line 12); the network abnormality detector may also identify an abnormality-ARP spoofing is unsuccessful- associated with the local network by determining that the Internet activity associated with the client device may be the result of malware (Alpert-Col. 22, line 57-Col. 23, line 4).

Regarding claim 18, Alpert in view of Cao teaches wherein the ARP spoofing module is further operable to increase a frequency of ARP packets sent as part of using Address Resolution Protocol (ARP) spoofing in response to determining that ARP spoofing for one or more private network client devices is unsuccessful, e.g., the default gateway MAC address for a new client device may be spoofed after initial discovery-ARP spoofing is unsuccessful- observing traffic from a new client device 308 for ARP packets and the internet sensor 304 may transmit a spoofed ARP packet identifying itself as the router-increasing the frequency of ARP packets sent- (Alpert-Col. 16, lines 11-35), wherein the internet sensor 304 may periodically transmit unsolicited ARP information to the discovered client devices (Alpert-Col. 15, lines 13-21).

Claims 3, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Alpert in view of Cao in view of Garg et al. (US 2019/0058731 A1) in view of Matsukawa (US 2017/0222972 A1) and further in view of Hasegawa et al. (US 2011/0216673 A1).
Regarding claim 3, Alpert in view of Cao teaches all elements of claim 2.
Alpert in view of Cao further discloses observing traffic from a new client device 308 for ARP packets and transmitting a spoofed ARP packet identifying itself as the router (Alpert-Col. 16, lines 11-27).
Alpert in view of Cao does not clearly teach wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Garg teaches wherein if a response to a ping from the private network device, e.g., a user device (Fig. 1, el. 120),…to a private network client device, e.g., a gateway device (Fig. 1, el. 110), is received it is determined that the ARP spoofing was unsuccessful, e.g., sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack (Para. 37).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao to include wherein if a response to a ping from the private network device to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack, as taught by Garg, in combination with the ARP spoofing system of Alpert in view of Cao, for the purpose of detecting an incorrect or correct IP address to MAC address mapping indicative of whether ARP spoofing has taken place.
Alpert in view of Cao in view of Garg does not clearly teach wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Matsukawa teaches wherein if a response to a ping from the private network device, i.e. a setting unit (Fig. 2, el. 12), using the private network device's own source IP address to a private network client device, i.e. an IP device (Fig. 2, el. 20), is received it is determined that the…spoofing was unsuccessful, e.g., sending, from the setting unit, a ping confirmation data (echo request) to the IP device 20 (Para. 79), wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit (Para. 81); the ping confirmation data is used to confirm whether or not communications can be performed with the IP device 20 and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device 20 is correctly connected to a port (Para. 80).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg to include wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending, from the setting unit, a ping confirmation data (echo request) to the IP device, wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit and wherein the ping confirmation data is used to confirm whether or not communications can be performed with the IP device and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device is correctly connected to a port, as taught by Matsukawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg, for the purpose of aiding in the determination of whether spoofing has been performed by matching the IP addresses in a correspondence table by determining whether the source device is able to communicate and receive replies from a destination device.
Alpert in view of Cao in view of Garg in view of Matsukawa does not clearly teach if response to the ping is received it is determined that the client device is not present in the private network.
Hasegawa teaches if response to the ping is received it is determined that the client device is not present in the private network, e.g., transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap (Para. 102), wherein the routes are judged to overlap if the ping reply is received (Para. 98); if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K (Fig. 19B; Para. 105).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg in view of Matsukawa to include if response to the ping is received it is determined that the client device is not present in the private network, using the known method of transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap, wherein the routes are judged to overlap if the ping reply is received, and wherein if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K, as taught by Hasegawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg in view of Matsukawa, for the purpose of reducing the number of times whether or not the routes between terminals passes through a same switch is investigated (Hasegawa-Para. 84).  Another benefit of the combination would be to more accurately determine the presence of the devices connected to a particular network.

Regarding claim 13, Alpert in view of Cao teaches all elements of claim 12.
Alpert in view of Cao further discloses observing traffic from a new client device 308 for ARP packets and transmitting a spoofed ARP packet identifying itself as the router (Alpert-Col. 16, lines 11-27).
Alpert in view of Cao does not clearly teach wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Garg teaches wherein if a response to a ping from the private network device, e.g., a user device (Fig. 1, el. 120),…to a private network client device, e.g., a gateway device (Fig. 1, el. 110), is received it is determined that the ARP spoofing was unsuccessful, e.g., sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack (Para. 37).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao to include wherein if a response to a ping from the private network device to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack, as taught by Garg, in combination with the ARP spoofing system of Alpert in view of Cao, for the purpose of detecting an incorrect or correct IP address to MAC address mapping indicative of whether ARP spoofing has taken place.
Alpert in view of Cao in view of Garg does not clearly teach wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Matsukawa teaches wherein if a response to a ping from the private network device, i.e. a setting unit (Fig. 2, el. 12), using the private network device's own source IP address to a private network client device, i.e. an IP device (Fig. 2, el. 20), is received it is determined that the…spoofing was unsuccessful, e.g., sending, from the setting unit, a ping confirmation data (echo request) to the IP device 20 (Para. 79), wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit (Para. 81); the ping confirmation data is used to confirm whether or not communications can be performed with the IP device 20 and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device 20 is correctly connected to a port (Para. 80).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg to include wherein if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending, from the setting unit, a ping confirmation data (echo request) to the IP device, wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit and wherein the ping confirmation data is used to confirm whether or not communications can be performed with the IP device and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device is correctly connected to a port, as taught by Matsukawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg, for the purpose of aiding in the determination of whether spoofing has been performed by matching the IP addresses in a correspondence table by determining whether the source device is able to communicate and receive replies from a destination device.
Alpert in view of Cao in view of Garg in view of Matsukawa does not clearly teach if response to the ping is received it is determined that the client device is not present in the private network.
Hasegawa teaches if response to the ping is received it is determined that the client device is not present in the private network, e.g., transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap (Para. 102), wherein the routes are judged to overlap if the ping reply is received (Para. 98); if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K (Fig. 19B; Para. 105).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg in view of Matsukawa to include if response to the ping is received it is determined that the client device is not present in the private network, using the known method of transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap, wherein the routes are judged to overlap if the ping reply is received, and wherein if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K, as taught by Hasegawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg in view of Matsukawa, for the purpose of reducing the number of times whether or not the routes between terminals passes through a same switch is investigated (Hasegawa-Para. 84).  Another benefit of the combination would be to more accurately determine the presence of the devices connected to a particular network.

Regarding claim 19, Alpert teaches a method of measuring Address Resolution Protocol (ARP) spoofing success for a private network device, comprising: 
inserting the private network device, i.e. an internet sensor (Fig. 1, el. 120), between a router or gateway, e.g., local network 105 may include a router, wherein the router may be a residential gateway (Col. 4, lines 61-65), and one or more private network clients, e.g., client devices and/or mobile devices (Fig. 1, el. 130, 160, 170), by using Address Resolution Protocol (ARP) spoofing, e.g., the internet sensor may periodically transmit unsolicited ART information to the discovered client devices stating that the existing local network 105 default gateway IPv4 address actually corresponds with the MAC address of the internet sensor-ARP spoofing- (Fig. 3, el. 300A; Col. 15, lines 1-21, 50-67); 
sending a ping from the private network device to one or more of the private network clients…, e.g., the internet sensor proactively sends packets such as ICMP pings to client devices (Col. 11, lines 23-53; Col. 20, lines 55-67); 
identifying the one or more private network clients as successfully ARP spoofed if a ping response is received, e.g., determining that a client device is no longer present on the local network in response to not receiving a response to ICMP ping; continue to monitor for responses to the proactive monitoring from the internet sensor to the client devices using ICMP ping (Col. 11, lines 23-53; Col. 21, lines 4-34); and
determining whether one or more private network clients is missing from the private network or was unsuccessfully ARP spoofed by pinging the private network clients from the private network device using the private network device's own IP address, e.g., the internet sensor may determine the presence of client devices 130 and/or mobile devices 160, 170 on the local network 105 by performing proactive monitoring such as using an ICMP ping and if zero packets are observed during a defined threshold for a consecutive period of retries, an alert event is sent, wherein the alert event states that the device is no longer seen on the network (Col. 11, lines 23-53).
Alpert does not clearly teach sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway; such that if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Cao teaches sending a ping from the private network device, e.g., an intermediate node that comprises router H and a packet capturing module (Fig. 3, el. 301), to one or more of the private network clients, e.g., Router E (Fig. 3), using the IP address of the router or gateway, e.g., router C (Fig. 3), e.g., a ping packet is created by router H and router H sends the ping packet to router E, wherein the source address of the ping packet is the IP address of router C (Para. 45); and
identifying the one or more private network clients as successfully…spoofed if a ping response is received, e.g. the intermediate node captures the ping reply packet from router E (Para. 47).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert to include sending a ping from the private network device to one or more of the private network clients using the IP address of the router or gateway, using the known method of creating a ping packet with a source IP address of router C, sending the ping packet to router E, and capturing the ping reply packet from router E, as taught by Cao, in combination with the ARP spoofing system and pinging method of Alpert, for the purpose of locating a fault independently so that maintenance efficiency against a fault is improved and the data transmission quality is ensured (Cao-Para. 7).
Alpert in view of Cao does not clearly teach such that if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Garg teaches such that if a response to a ping from the private network device, e.g., a user device (Fig. 1, el. 120),…to a private network client device, e.g., a gateway device (Fig. 1, el. 110), is received it is determined that the ARP spoofing was unsuccessful, e.g., sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack (Para. 37).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao to include such that if a response to a ping from the private network device to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending a ping packet to the IP address of the gateway device and observing the ping reply packet, wherein if the user device receives the ping reply packet directly from the gateway device, the MAC address of the last sender should match the MAC address of the gateway device and if the MAC address of the last sender is different than the expected MAC address of the gateway or router device then the incorrect mapping is due to an ARP spoofing attack, as taught by Garg, in combination with the ARP spoofing system of Alpert in view of Cao, for the purpose of detecting an incorrect or correct IP address to MAC address mapping indicative of whether ARP spoofing has taken place.
Alpert in view of Cao in view of Garg does not clearly teach such that if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, and if response to the ping is received it is determined that the client device is not present in the private network.
Matsukawa teaches such that if a response to a ping from the private network device, i.e. a setting unit (Fig. 2, el. 12), using the private network device's own source IP address to a private network client device, i.e. an IP device (Fig. 2, el. 20), is received it is determined that the…spoofing was unsuccessful, e.g., sending, from the setting unit, a ping confirmation data (echo request) to the IP device 20 (Para. 79), wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit (Para. 81); the ping confirmation data is used to confirm whether or not communications can be performed with the IP device 20 and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device 20 is correctly connected to a port (Para. 80).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg to include such that if a response to a ping from the private network device using the private network device's own source IP address to a private network client device is received it is determined that the ARP spoofing was unsuccessful, using the known method of sending, from the setting unit, a ping confirmation data (echo request) to the IP device, wherein the ping confirmation data includes a transmission source IP address that is the IP address of the setting unit and wherein the ping confirmation data is used to confirm whether or not communications can be performed with the IP device and if the setting unit receives the response from the IP device and the source IP address data of the ping response matches the IP address of port number 14 of the correspondence table, then it is confirmed that the IP device is correctly connected to a port, as taught by Matsukawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg, for the purpose of aiding in the determination of whether spoofing has been performed by matching the IP addresses in a correspondence table by determining whether the source device is able to communicate and receive replies from a destination device.
Alpert in view of Cao in view of Garg in view of Matsukawa does not clearly teach if response to the ping is received it is determined that the client device is not present in the private network.
Hasegawa teaches if response to the ping is received it is determined that the client device is not present in the private network, e.g., transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap (Para. 102), wherein the routes are judged to overlap if the ping reply is received (Para. 98); if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K (Fig. 19B; Para. 105).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Alpert in view of Cao in view of Garg in view of Matsukawa to include if response to the ping is received it is determined that the client device is not present in the private network, using the known method of transmitting, by the investigation terminal, a ping request to the unknown terminal 90/D and judges whether routes KD and TL overlap, wherein the routes are judged to overlap if the ping reply is received, and wherein if route KD and route TL are judged to overlap, the terminal D can be judged not to exist in the same direction as the terminal K (it is not connected to the same network K, as taught by Hasegawa, in combination with the ARP spoofing system of Alpert in view of Cao in view of Garg in view of Matsukawa, for the purpose of reducing the number of times whether or not the routes between terminals passes through a same switch is investigated (Hasegawa-Para. 84).  Another benefit of the combination would be to more accurately determine the presence of the devices connected to a particular network.

Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Chaskar et al. (US 2005/0195753 A1)—Chaskar discloses a sniffer device that performs ARP poisoning directed to one or more devices detected on the network segment (Para. 74).

Zhang et al. (US 2012/0213094 A1)—Zhang discloses a filter device appliance that performs ARP spoofing by issuing an ARP packet with the gateway’s IP address and its own MAC address (Para. 39, 46).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMY DUFFIELD whose telephone number is (571)270-1643. The examiner can normally be reached Monday - Friday, 7:00 AM - 3:00 PM (ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on (571) 272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




12 May 2022
/Jeremy S Duffield/           Primary Examiner, Art Unit 2498