DETAILED ACTION
1.	This office action is in response to the communication filed on 05/15/2020.

Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  

EXAMINER’S AMENDMENT
3.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given based on the telephone interview, on 05/02/2022, with attorney Christopher J. Capelli (Reg. No. 38,405).
The application has been amended as follows: 

1. (Currently Amended)  A computer method for detecting a Denial of Service (DoS) attack in a network by a network monitoring device, the computer method comprising the steps:
intercepting data communications occurring between one or more external computers in a monitored computer network ‎seeking connection with one or more host devices in the monitored computer network, ‎the intercepted data communications associated with a connection request to one or more of the host devices;
determining a number (M) of evaluator elements in the connection request for DoS analysis, wherein each evaluator element is associated with a component of the connection request;
determining a DoS evaluator element score, and starting with a first evaluator element of the M evaluator elements, by analyzing an evaluator element using prescribed criteria to determine the DoS evaluator element score for the analyzed evaluator element;
performing one or more DoS mitigation actions on the connection request if the DoS evaluator element score of the analyzed evaluator element is indicative of a DoS attack and performing no further actions in the network device regarding the connection request;
calculating an evaluator consolidated score consisting of one or more of the respective DoS evaluator element scores associated with respective analyzed evaluator elements not determined indicative of a DoS attack;
determining if each evaluator element of the M evaluator elements has been analyzed to determine a respective DoS evaluator element score;
returning to determining a DoS evaluator element score for a succeeding evaluator element to be analyzed if it is determined each evaluator element of the M evaluator elements has not been analyzed; and
determining if the value of the evaluator consolidated score is indicative of a DoS attack by the connection request if it is determined each evaluator element of the M evaluator elements has been analyzed.

3. (Currently Amended) The computer method as recited in claim 1, wherein performing one or more DoS mitigation actions on the connection ‎request if the ‎DoS evaluator element score of an analyzed evaluator element is indicative of ‎a DoS attack includes comparing a determined DoS evaluator element score ‎against a user predetermined value.

4. (Currently Amended) The computer method as recited in claim 3, wherein performing one or more DoS mitigation actions on the connection ‎request if the ‎DoS evaluator element score of the analyzed evaluator element is indicative of ‎a DoS attack includes dropping the connection request and blacklisting the connection request. 

17.‎ (Currently Amended) A computer system for detecting a Denial of Service (DoS) attack in a network‎, the computer system ‎comprising:‎	
one or ‎more data bases having memory configured to store instructions;‎
a processor disposed in communication with said memory, wherein said ‎‎processor upon ‎‎execution of the instructions is configured to: ‎
intercept data communications occurring between one or more external computers in a monitored computer network ‎seeking connection with one or more host devices, ‎the intercepted data communications being associated with a connection request to one or more of the host devices;
determine a number (M) of evaluator elements in the connection request, wherein each evaluator element is associated with a component of the connection request;
determine an evaluator element score, and starting with a first evaluator element of the M evaluator elements, analyze an evaluator element to determine the evaluator element score for the analyzed evaluator element;
calculate an evaluator consolidated score consisting of one or more of the respective evaluator element scores associated with respective analyzed evaluator elements not determined indicative of a DoS attack;
determine if each evaluator element of the M evaluator elements has been analyzed to determine a respective evaluator element score;
return to determining an evaluator element score for a succeeding evaluator element to be analyzed if it is determined each evaluator element of the M evaluator elements has not been analyzed;
determine if the value of the evaluator consolidated score is indicative of a DoS attack by the connection request if it is determined each evaluator element of the M evaluator elements has been analyzed, wherein no further actions are performed on the connection request if a determined evaluator element score is indicative of a DoS attack; and
perform one or more mitigation actions on the connection request if a determined evaluator element score is determined indicative of a DoS attack.   

18.-19.	(Canceled)  

Allowable Subject Matter
4.	In light of the examiner amendment authorized by the applicant’s representative, claims 1-17 and 20 are allowed.

5.	The following is an examiner’s statement of reasons for allowance: 
The present invention is directed toward a method for detecting a Denial of Service (DoS) attack.  Independent claims 1 and 17 identify the uniquely distinct features for intercepting a connection request from one or more external computers to one or more host devices in a computer network; determining a number (M) of evaluator elements in the connection request, wherein each evaluator element is associated with a component of the connection request; starting with a first evaluator element of the M evaluator elements, analyzing an evaluator element using prescribed criteria to determine an evaluator element score for the analyzed evaluator element; if an evaluator element score is indicative of a DoS attack, performing one or more mitigation actions on the connection request, and performing no further actions on the connection request; calculating an evaluator consolidated score consisting of one or more of the respective evaluator element scores associated with respective analyzed evaluator elements not determined indicative of a DoS attack; determining if each evaluator element of the M evaluator elements has been analyzed to determine a respective evaluator element score; returning to determining an evaluator element score for a succeeding evaluator element to be analyzed if it is determined each evaluator element of the M evaluator elements has not been analyzed; and determining if the value of the evaluator consolidated score is indicative of a DoS attack by the connection request if it is determined each evaluator element of the M evaluator elements has been analyzed; taken in combination with the remaining limitations of the independent claims are not found in and/or are not obvious in view of the closest recorded prior arts.
One of the closest prior art, BAR NOY et al. (US 20190334940 A1), discloses a method to identify and analyze attack indicators in a request message to determine whether the request message is associated with a DoS attack, wherein a composite score for the request message is calculated based on the scores assigned to the attack indicators, and wherein the request message is handled in accordance with the composite score. The other closest prior art, Clemons et al. (US 10666620 B1), discloses a method to analyze a request and determine whether the request is legitimate. However, either singularly or in combination, BAR NOY et al. and/or Clemons et al. do/does not disclose the above uniquely distinct features taken in combination with the remaining limitations of the independent claim(s).
Therefore, claims 1, 17, and the respective dependent claims 2-16, 20 are in condition for allowance.

Conclusion
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2437