DETAILED ACTION
This Non Final Office Action is in response to Request for Continued Examination filed on 04/22/2022. Claims 1, 2, 6-12 and 18 have been amended. Claims 3-5 and 13-15 have been cancelled. Claims 1-2, 6-12 and 16-20 filed on 04/22/2022 remain pending in the application.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Drawings
The drawings filed on 12/01/2016 are accepted.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/22/2022 has been entered.

	
	
Response to Arguments 
Applicant's arguments filed 08/15/2019 have been fully considered but they are not persuasive.
Applicant stated “Claim 1 requires "providing, from the control node, a list of instructions which is correlated to a first selection of address translations," and "providing the first network address with the stenographic information responsive to a first domain translation request." Neither Graham nor Holloway, alone or together, teach these elements. The present application teaches a novel method of communicating information in a network address, including communicating functions for a content node to execute. This allows for broad communication possibilities, particularly in connection with transmission of a list of instructions correlated to the address translations. Neither Graham nor Holloway, alone or in combination, teach this method of providing a list of instructions that correlates with the network addresses that are provided by the control node.”
Examiner respectfully disagrees. Examiner submits that Graham in view of Holloway disclose the above argued limitations. Particularly, Graham discloses “providing the first network address with the stenographic information responsive to a first domain translation request”, where Graham discloses in Col.3 line 45-50 “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address of the proxy server(s) 120.”, and further discloses in Col. 6, line 5-10, Figure 2 “The request may be received at the proxy server 120 as a result of DNS for the hostname resolving to an IP address of the proxy server 120. … the proxy server 120 determines whether the IP address in which the request is directed is embedded with information”, Col. 7 line 63-67 and Col. 8 line 1-10 “After receiving an indication that the hostname is experiencing traffic indicative of an attack, flow moves to operation 315 where the hostname is assigned a different IP address that includes a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack. In one embodiment, the assigned IP address also includes another predefined portion that identifies the hostname being assigned that IP address. The control server 125 and/or a proxy server 120 may assign this different IP address to the hostname. After assigning the updated IP address to the hostname, flow moves to operation 320 where DNS is updated with the assigned IP address for the hostname. For example, the control server 125 may transmit a DNS update 180 to the DNS system such that DNS request for the hostname return the updated IP address for the hostname.”, examiner notes that the network address is provided to the end user with embedded information in response to end user request.  Figure 3 (330) shows receiving a request from the client by the proxy server, as further disclosed in Col. 6 line 5-7, where the proxy server analyzes the embedded information. Examiner further notes that “each” client device can make a request, as disclosed in Col. 3, line 45-49, and consequently an address translation is established to translate a domain name into a network address, where one request provided by one client device, and the consequent translation corresponds to the first request, first address translation to translate a first network address from a domain name, useable by the requesting end user device to reach data. With respect to “"providing, from the control node, a list of instructions which is correlated to a first selection of address translations," examiner submits that Holloway discloses the above argued limitation, particularly, Holloway illustrates in Figure 1 the control server 125 installing/providing a list of security rules/instructions to the proxy servers 120, and further discloses in Col. 6, line 16-21 “…the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers”, Col. 14 line 16-30 “After identifying a potential DoS attack, the DoS identification and mitigation module 180 may take one or more mitigation  actions as previously described, which may be dependent on the security rules that are set for domain(s) that are affected by the attack”, where the security rules/instructions provided by the control node 125 to the proxy servers 120 are used to correlate the rules with the particular IP address involved in the translation and the request, and apply the particular mitigation based on the particular translated IP, as disclosed in Col. 10 line 59-67, Col. 12 line 39-42 “The page rules 520 may include other rules in some embodiments. After looking up the page rules 520 for the requested domain, the request module 510 may apply the appropriate rules when processing the incoming request.”
Where a mitigation action that is being performed is based on an identified attack and is based on a rule(s), from the plurality of rules, corresponds to the particular function to be executed, where the mitigation action based on a rule is applied to a particular address translation as illustrated in Figure 1 and disclosed in Col. 3 line 56-58 “The proxy server(s) 120 analyze the incoming traffic 154 and take one or more actions on the incoming traffic.”, and Col. 4 line 8-11 “the incoming traffic 154 is received at a particular proxy server 120 as a result of a DNS request 150 for a domain of one of the domain owners 135A-L resolving 152 to an IP address of the proxy server 120”.
Applicant further stated “the present application teaches that the network addresses and address translations can be created on a per-content request basis, such that each network address with stenographic information can be created for a particular content request. Neither Graham nor Holloway, alone or in combination, teach this element.” 
Examiner respectfully disagrees. Examiner submits that Graham discloses in Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address of the proxy server(s) 120”, where the below explained process disclosed by Graham applies to a request from a client device, translation, based on the request, and the consequent analysis of the embedded information at the proxy server 120 as illustrated in Figure 3 (330), and as described in the above response, “each” client device can make a request, and consequently an address translation is established to translate a domain name into a network address, where one request provided by one client device, and the consequent translation corresponds to the first request, first address translation to translate a first network address from a domain name, useable by the requesting end user device to reach data.
Conclusion: Graham - Holloway disclose the aforementioned limitations of independent and render claims’ limitations obvious before the effective date of the claimed invention. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-8 and 11-18 are rejected under 35 U.S.C. 103 as being unpatentable over Graham-Cumming (US 9584328 B1), hereinafter Graham, in view of Holloway et al. (US 8613089 B1), hereinafter Holloway.

Regarding Claim 1 (Currently Amended), Graham teaches A method of operating a content delivery network (CDN) (Graham, Col. 4, line 1-7, “content delivery network (CDN)”) comprising 
a plurality of cache nodes that cache content for delivery to end user devices and a control node (Graham, Col. 3, line 22 “set of proxy server(s) 120 (i.e. plurality of cache nodes)”, Col. 4, line 63-67 “the service uses multiple proxy service nodes that are geographically distributed to decrease the distance between requesting client devices (i.e. end user devices) and content”, proxy servers i.e. (caches) deliver content to end user as shown in Figure 1, 120 and 110, Col. Furthermore, Col. 7, line 37-43 discloses  “…an indication that a host name is experiencing traffic indicative of an attack is received…the indication is received at the control server 125 (i.e. part of the control node) based on the hostname receiving an abnormally high amount of traffic as reported by the proxy servers 120 and/or at the proxy servers themselves.”, examiner notes that indication of traffic attack corresponding to contents received at the control server 125 via the proxy, the control node composes of control server and DNS system, where they may be combined into one physical device as disclosed in Col. 4 line 50-55 “the proxy server(s), control server(s), and DNS server(s) may be virtual instances running on the same physical device or may be separate physical devices.”), 
the method comprising:
;
for a domain name system (DNS) translation nodes associated with the CDN, establishing a first address translation[[s]] in the control node to translate a domain name[[s]] into a first network address[[es]] usable by the end user devices for reaching content at the cache nodes (Graham, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 (i.e. domain name system (DNS) translation nodes) for a particular hostname and receive a DNS response 152 that includes an IP address (i.e. translate hostname into network address for the end user to reach content) of the proxy server(s) 120”, examiner asserts that the control node is composed of control server 125 and DNS system 140, where “each” client device can make a request, and consequently an address translation is established to translate a domain name into a network address, where one request provided by one client device, and the consequent translation corresponds to the first request, first address translation to translate a first network address from a domain name, useable by the requesting end user device to reach data), with a portion[[s]] of the network address[[es]] comprising stenographic information (Graham, Col. 2, 50-55  “information embedded in a predefined portion of the IPv6 (i.e. stenographic information)”, Col. 5 line 20-24 “…server 125 and/or the proxy server(s) 120 include an IP address information embedding module 160 that is configured to embed information and/or unique identification in predefined portion(s) of an IPv6 address.”, examiner asserts that the control node is composed of control server 125 and DNS system 140),
comprising information that indicates [a particular] function with the first address translation established for a first content request (Graham, Figure 3, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 (i.e. domain name system (DNS) translation nodes) for a particular hostname and receive a DNS response 152 that includes an IP address (i.e. translate hostname into network address for the end user to reach content) of the proxy server(s) 120”, and Col. 8, Line 15-30 “If the destination IP address does include a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack, then flow moves to operation 335 where the proxy server (i.e. cache nodes) takes one or more security actions (i.e. plurality of functions to be executed).”, where plurality of functions disclosed in Col. 8, line 20-35 and claims 3-4, where “each” client device can make a request, and consequently an address translation is established to translate a domain name into a network address, where one request provided by one client device, and the consequent translation corresponds to the first request, first address translation to translate a first network address from a domain name, useable by the requesting end user device to reach data);
providing first network address[[es]] with the stenographic information  a first domain name translation request[[s]] (Graham, Col.3 line 45-50 “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address of the proxy server(s) 120.”, Col. 6, line 5-10, Figure 2 “The request may be received at the proxy server 120 as a result of DNS for the hostname resolving to an IP address of the proxy server 120. Next, at operation 215, the proxy server 120 determines whether the IP address in which the request is directed is embedded with information”, Col. 7 line 63-67 and Col. 8 line 1-10 “After receiving an indication that the hostname is experiencing traffic indicative of an attack, flow moves to operation 315 where the hostname is assigned a different IP address that includes a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack. In one embodiment, the assigned IP address also includes another predefined portion that identifies the hostname being assigned that IP address. The control server 125 and/or a proxy server 120 may assign this different IP address to the hostname. After assigning the updated IP address to the hostname, flow moves to operation 320 where DNS is updated with the assigned IP address for the hostname. For example, the control server 125 may transmit a DNS update 180 to the DNS system such that DNS request for the hostname return the updated IP address for the hostname.”, examiner notes that the network address is provided to the end user with embedded information in response to end user request.  Figure 2 shows receiving request from the client by the proxy server, as disclosed in Col. 6 line 5-7), 
 (Graham, Col. 3, line 4-7, Col. 7, 33-36, Col 8, 12-15 “information embedded in a portion of the IPv6 address may be used to identify geographic locations of the world”, “a zone or hostname is experiencing traffic indicative of an attack”, “address does include a predefined portion (i.e. stenographic information) that identifies that the hostname is experiencing traffic indicative of an attack”, where network attack is associated with traffic attack).
While Graham teaches IP address with a predefined portion that identifies that a zone or hostname is experiencing traffic indicative of an attack and responding to such an attack with mitigating security functions/actions (Col. 7, 33-36, Col 8, 12-15, Col. 8, line 20-35 and claims 3-4) as indicated in the stenographic information and Graham further discloses that information embedded in a portion of the IPv6 address may be used to identify geographic locations of the world (Col. 3, line 4-7), however, Graham does not explicitly disclose the below limitations. 
Holloway teaches a particular function that should be executed by at least one of the plurality of cache nodes to mitigate the network attack or malicious traffic (Holloway Col. 6, line 16-21 “…the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers and/or the router(s) or switche(s)…the control server(s) 125 each include the DoS identification and mitigation module 126 that identifies DoS and takes steps to mitigate their effectiveness”, Col. 14 line 16-30 “After identifying a potential DoS attack, the DoS identification and mitigation module 180 may take one or more mitigation  actions as previously described, which may be dependent on the security rules that are set for domain(s) that are affected by the attack. Example mitigation actions include rate limiting the traffic for the attacked domain(s), dropping the traffic for the attacked domain(s), routing the traffic for the attacked domain(s) to a particular data center or hardware device that is dedicated to handling attacks (e.g., the dedicated DoS computing device 190), dropping the traffic received from potential attackers, presenting one or more challenges to visitors, increasing the amount of resources  and/or the types of resources being cached for the attacked domain(s), and/or increasing the amount of time a rule or resource is cached.”, examiner asserts that a mitigation action that is being performed based on an identified attack and is based one rule, from the plurality of rules, corresponds to the particular function to be executed).
providing, from the control node, a list of instructions which is correlated to a first selection of address translations, the list of instructions comprising the particular function, and the first selection of address translations comprising the first address translation (Holloway illustrates in Figure 1 the control server 125 installing/providing a list of security rules/instructions to the proxy servers 120, Holloway Col. 6, line 16-21 “…the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers and/or the router(s) or switche(s)”, Col. 14 line 16-30 “After identifying a potential DoS attack, the DoS identification and mitigation module 180 may take one or more mitigation  actions as previously described, which may be dependent on the security rules that are set for domain(s) that are affected by the attack. Example mitigation actions include rate limiting the traffic for the attacked domain(s), dropping the traffic for the attacked domain(s), routing the traffic for the attacked domain(s) to a particular data center or hardware device that is dedicated to handling attacks (e.g., the dedicated DoS computing device 190), dropping the traffic received from potential attackers, presenting one or more challenges to visitors, increasing the amount of resources  and/or the types of resources being cached for the attacked domain(s), and/or increasing the amount of time a rule or resource is cached.”, 
where the security rules/instructions provided by the control node 125 to the proxy servers 120 are used to correlate the rules with the particular IP address involved in the translation and the request, and apply the particular mitigation based on the particular translated IP, as disclosed in Col. 10 line 59-67, Col. 12 line 39-42 “The page rules 520 may include other rules in some embodiments. After looking up the page rules 520 for the requested domain, the request module 510 may apply the appropriate rules when processing the incoming request.”
Where a mitigation action that is being performed based on an identified attack and is based on a rule, from the plurality of rules, corresponds to the particular function to be executed, where the mitigation action based on a rule is applied to a particular address translation as illustrated in Figure 1 and disclosed in Col. 3 line 56-58 “The proxy server(s) 120 analyze the incoming traffic 154 and take one or more actions on the incoming traffic.”, and Col. 4 line 8-11 “the incoming traffic 154 is received at a particular proxy server 120 as a result of a DNS request 150 for a domain of one of the domain owners 135A-L resolving 152 to an IP address of the proxy server 120”); 
receiving, at one of the plurality of cache nodes, the first content request, comprising the first network address; comparing the first network address to the list of instructions; and executing the particular function as indicated in the stenographic information (Holloway Figure 1 and disclosed in Col. 3 line 56-58 “The proxy server(s) 120 analyze the incoming traffic 154 and take one or more actions on the incoming traffic.”, and Col. 4 line 2-11 “The proxy server(s) 120 may analyze the incoming traffic 158 and take one or more actions, including, for example, transmitting the outgoing traffic 159 to the requesting client device. The proxy server(s) 120 may also cache resources for the domains and respond to requests from client devices locally if the requested resource is in cache…the incoming traffic 154 is received at a particular proxy server 120 as a result of a DNS request 150 for a domain of one of the domain owners 135A-L resolving 152 to an IP address of the proxy server 120”, Col. 11 line 1-3 “the incoming downstream traffic module 512 looks up the IP rules 570 for the destination IP address of the packet…in a DoS attack, a particular IP address may receive many packets over a short period of time. In such a case, the IP rules for that IP address may be stored in the caching layers 560 to decrease the time necessary to determine whether to accept or block the packet directed to that IP address.”, as illustrated in Figure 1, where the received requests from a client 110 is received by the proxy server 120, where the proxy server performs analysis pertaining to the translated address and determine based on lookup, i.e. comparison, an appropriate action). 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to perform a particular mitigation action based on rules and include geographical location information as part of the network address corresponding to the attack, with the motivation of dropping the traffic received if it is of an unexpected type, as recognized by (Holloway, Col. 10, 37-40), and reducing effectiveness of Dos attacks by mitigating attacks based on particular function stored according to rules, as recognized by (Holloway, Col. 12, line 55-60).

Regarding Claim 2 (Currently Amended), Graham as modified by Holloway teaches The method of claim 1, further comprising:
determining, in the control node, that a network attack or malicious traffic should be mitigated (Graham teaches in Col. 5 line 20-24 and Figure 1 (125) a control server, i.e. control node, where the control server includes an IP address info. embedding module 160, where such module embeds the IP address with information that identifies whether the domain is experiencing attacks as shown in Figure 3 (315), which needs be addressed/mitigated by the proxy servers 120 in Figure 1, such that when the proxy server receives  a packet and checks the embedded portion, performs a security action if the information indicates attack, where the mere action of identification and embedding such information at the control server reads on the above determining, where the control server determine that there is an attack. Graham discloses in Col. 2 line 50-65 the embedded information includes configuration settings for security reasons such that it would allow the proxy to perform mitigation/security actions as illustrated in Figure 3 (335) e.g. filter packets block packets of unsecured sessions.); 
mitigating the network attack or malicious traffic by dropping the first content request[[s]] associated with first content request[[s]] based, at least in part, on the stenographic information (Graham, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 (i.e. domain name system (DNS) translation nodes) for a particular hostname and receive a DNS response 152 that includes an IP address”, where “each” client device can make a request, and consequently an address translation is established to translate a domain name into a network address, where one request provided by one client device, and the consequent translation corresponds to the first request, first address translation to translate a first network address from a domain name, useable by the requesting end user device to reach data, to initiate a traffic request to proxy server 120, Figure 3 (335), Col. 2 line 50-67 and Col. 3 line 1-3, Col. 4 line 60-63 pre-defined portion, which is embedded by the control server 125 (i.e. part of the control node), where the pre-defined portion is associated with a plurality of functions/actions in order to apply security measures by the proxy server(i.e. cache nodes), number of actions, where the list of actions include “rate limiting the traffic for that destination IP address; dropping the packet; routing the packet to a particular data center or hardware device that is dedicated to handling attacks (which may have a relatively large network connection (a large amount of bandwidth) and/or be particularly robust to handle the attack Such as including network card(s) with a relatively large buffer (typically larger than conventional network devices) to store a relatively large amount of packets, extra processing units, larger memory, etc., to handle the attack); dropping the traffic received from potential attackers…etc.” as disclosed in Col. 8, line 20-35 and claims 3-4))

Regarding Claims 3-5 (Cancelled). 

Regarding Claim 6 (Currently Amended), Graham as modified by Holloway teaches The method of claim [[5]] 1, 
While Graham teaches IP address with a predefined portion that identifies that a zone or hostname is experiencing traffic indicative of an attack and responding to such an attack with mitigating security functions (Col. 7, 33-36, Col 8, 12-15, Col. 8, line 20-35 and claims 3-4) and Graham further discloses that information embedded in a portion of the IPv6 address may be used to identify geographic locations of the world (Col. 3, line 4-7, Col.8, line 15-30), however, Graham does not explicitly disclose the remaining limitation of claim 6. 
Holloway teaches wherein the particular function indicated by the stenographic information comprises at least logging of properties associated with the content requests (Holloway teaches in Col.13, line 48-55 “The incoming downstream traffic module 512 may log properties of the incoming traffic 154 in the logs 540 (e.g., time of arrival, source IP address of the packet, destination IP address of the packet, resource requested, etc.). The logs 540 may be used to generate statistics for the domain owners 135A-L. For example, the logs 540 may be used by the DoS identification and mitigation module 180 to determine whether there is an abnormal amount of traffic”, where the logging is associated with the identification of type of attack which is based on the attacks rule one or more mitigation actions is performed, therefore, a particular mitigation action may comprise the identification of type of attack based on logging and acting/mitigating accordingly). 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to perform a particular mitigation action based on rules and include geographical location information as part of the network address corresponding to the attack, with the motivation of dropping the traffic received if it is of an unexpected type, as recognized by (Holloway, Col. 10, 37-40), and reducing effectiveness of Dos attacks by mitigating attacks based on particular function stored according to rules, as recognized by (Holloway, Col. 12, line 55-60).

Regarding Claim 7 (Currently Amended), Graham as modified by Holloway teaches The method of claim 1, Graham further teaches further comprising:
responsive to first domain name translation requests (Graham, Col. 3, line 45-49, Figure 1, DNS request 150 (i.e. domain name translation requests)), Col. 3, line 45-49, Figure 1, client devices 110A (i.e. end user devices), Figure 3, corresponding to attack), logging properties associated with the first domain name translation requests (Graham, Col. 7, line 32-62 “IP address with a predefined portion that identifies that a zone is experiencing traffic indicative of an attack”…” indication that a hostname is experiencing traffic indicative of an attack”… “the proxy service node may determine that the number of packets being received to that IP address is abnormally high”, examiner notes that determining high volume of traffic for the same host name implies logging information pertains to the host name to determine high volume traffic).

Regarding Claim 8 (Currently Amended), Graham as modified by Holloway teaches The method of claim [[7]] 1, further comprising:
transferring information related to the properties associated with the first domain name translation requests the control node (Graham, Col. 7, line 35-45, Figure 1, Control server 125 (i.e. a control node of the CDN, examiner notes that the control server 125 and proxy server 120 and DNS system 140 correspond to the control node) receive information related to the hostname and accordingly determine if the hostname experience traffic due to end user requests); and
in the control node (Graham, Col. 7, line 12-15, 35-45 “The proxy server 120 determines whether the destination IP address includes a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack”, “the indication is received at the control server 125 based on the hostname receiving an abnormally high amount of traffic as reported by the proxy servers 120”, Holloway, Col. 9, line 38-65, Figure 4, launched DoS attack on a proxy server (i.e. caches) identifies the client device geographic location associated with the proxy server).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to include geographical location information as part of the network address corresponding to the attack, with the motivation of dropping the traffic received if it is of an unexpected type, as recognized by (Holloway, Col. 10, 37-40).

Regarding Claim 11 (Currently Amended), Graham teaches A content delivery network (CDN) (Graham, Col. 4, line 1-10, “content delivery network (CDN)”)  having a plurality of cache nodes that cache content for delivery to end user devices (Graham, Col. 3, line 22, Col. 4, line 63-67 “set of proxy server(s) 120”, i.e. plurality of cache nodes), the service uses multiple proxy service nodes that are geographically distributed to decrease the distance between requesting client devices (i.e. end user devices) and content”, proxy servers deliver content to end user as shown in Figure 1, 120 and 110), the CDN comprising: a control node configured to: 
; 
 usable by the end user devices for reaching content at the cache nodes (Graham, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address (i.e. translate hostname into network address for the end user to reach content) of the proxy server(s) 120”, examiner notes that the control server is referred to as the control node which provides IP address updates and information to the  DNS system 140 (i.e. (DNS) translation nodes), examiner asserts that the control node is composed of control server 125 and DNS system 140), with portions of the network addresses comprising stenographic information (Graham, Col. 2, 50-55  “information embedded in a predefined portion of the IPv6 (i.e. stenographic information)”, Col. 5 line 20-24 “…server 125 and/or the proxy server(s) 120 include an IP address information embedding module 160 that is configured to embed information and/or unique identification in predefined portion(s) of an IPv6 address.”, examiner asserts that the control node is composed of control server 125 and DNS system 140),
comprising information that indicates [a particular] function (Graham, Figure 3 and Col. 8, Line 15-30 “If the destination IP address does include a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack, then flow moves to operation 335 where the proxy server (i.e. cache nodes) takes one or more security actions (i.e. particular function to be executed).”);
the DNS translation nodes configured to provide ones of the network addresses issued by the end user devices (Graham, Col. 6, line 5-10, Figure 2 “The request may be received at the proxy server 120 as a result of DNS for the hostname resolving to an IP address of the proxy server 120. Next, at operation 215, the proxy server 120 determines whether the IP address in which the request is directed is embedded with information” (i.e. network address is provided to the end user with embedded information in response to end user request), 
[responsive to content requests issued by the end user devices, the control node configured to compare the first network address to the list of instructions and execute the particular function as indicated in the stenographic information]  
While Graham teaches IP address with a predefined portion that identifies that a zone or hostname is experiencing traffic indicative of an attack and responding to such an attack with mitigating security functions/actions (Col. 7, 33-36, Col 8, 12-15, Col. 8, line 20-35 and claims 3-4) as indicated in the stenographic information and Graham further discloses that information embedded in a portion of the IPv6 address may be used to identify geographic locations of the world (Col. 3, line 4-7), however, Graham does not explicitly disclose the below limitations.
Holloway teaches determining a particular function that should be executed by at least one of the plurality of cache nodes to mitigate the network attack or malicious traffic (Holloway Col. 6, line 16-21 “…the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers and/or the router(s) or switche(s)”, Col. 14 line 16-30 “After identifying a potential DoS attack, the DoS identification and mitigation module 180 may take one or more mitigation  actions as previously described, which may be dependent on the security rules that are set for domain(s) that are affected by the attack. Example mitigation actions include rate limiting the traffic for the attacked domain(s), dropping the traffic for the attacked domain(s), routing the traffic for the attacked domain(s) to a particular data center or hardware device that is dedicated to handling attacks (e.g., the dedicated DoS computing device 190), dropping the traffic received from potential attackers, presenting one or more challenges to visitors, increasing the amount of resources  and/or the types of resources being cached for the attacked domain(s), and/or increasing the amount of time a rule or resource is cached.”, examiner asserts that a mitigation action that is being performed based on an identified attack and is based on rules, corresponds to the particular function to be executed).
provide the network addresses responsive to domain name translation requests; and provide a list of instructions which is correlated to a selection of address translations comprising the address translations (Holloway illustrates in Figure 1 the providing of an DNS update 185, which would change the translation as disclosed in Col. 5 line 20-23 and Col. 15 line 50-56, and the control server 125 further installing/providing a list of security rules/instructions to the proxy servers 120, Holloway Col. 6, line 16-21 “…the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers and/or the router(s) or switche(s)”, Col. 14 line 16-30 “After identifying a potential DoS attack, the DoS identification and mitigation module 180 may take one or more mitigation  actions as previously described, which may be dependent on the security rules that are set for domain(s) that are affected by the attack. Example mitigation actions include rate limiting the traffic for the attacked domain(s), dropping the traffic for the attacked domain(s), routing the traffic for the attacked domain(s) to a particular data center or hardware device that is dedicated to handling attacks (e.g., the dedicated DoS computing device 190), dropping the traffic received from potential attackers, presenting one or more challenges to visitors, increasing the amount of resources  and/or the types of resources being cached for the attacked domain(s), and/or increasing the amount of time a rule or resource is cached.”, 
where the security rules/instructions provided by the control node 125 to the proxy servers 120 are used to correlate the rules with the particular IP address involved in the translation and the request, and apply the particular mitigation based on the particular translated IP, as disclosed in Col. 10 line 59-67, Col. 12 line 39-42 “The page rules 520 may include other rules in some embodiments. After looking up the page rules 520 for the requested domain, the request module 510 may apply the appropriate rules when processing the incoming request.”
Where a mitigation action that is being performed based on an identified attack and is based on a rule, from the plurality of rules, corresponds to the particular function to be executed, where the mitigation action based on a rule is applied to a particular address translation as illustrated in Figure 1 and disclosed in Col. 3 line 56-58 “The proxy server(s) 120 analyze the incoming traffic 154 and take one or more actions on the incoming traffic.”, and Col. 4 line 8-11 “the incoming traffic 154 is received at a particular proxy server 120 as a result of a DNS request 150 for a domain of one of the domain owners 135A-L resolving 152 to an IP address of the proxy server 120”);
responsive to content requests issued by the end user devices, the control node configured to compare the first network address to the list of instructions and execute the particular function (Holloway Figure 1 and disclosed in Col. 3 line 56-58 “The proxy server(s) 120 analyze the incoming traffic 154 and take one or more actions on the incoming traffic.”, and Col. 4 line 2-11 “The proxy server(s) 120 may analyze the incoming traffic 158 and take one or more actions, including, for example, transmitting the outgoing traffic 159 to the requesting client device. The proxy server(s) 120 may also cache resources for the domains and respond to requests from client devices locally if the requested resource is in cache…the incoming traffic 154 is received at a particular proxy server 120 as a result of a DNS request 150 for a domain of one of the domain owners 135A-L resolving 152 to an IP address of the proxy server 120”, Col. 11 line 1-3 “the incoming downstream traffic module 512 looks up the IP rules 570 for the destination IP address of the packet…in a DoS attack, a particular IP address may receive many packets over a short period of time. In such a case, the IP rules for that IP address may be stored in the caching layers 560 to decrease the time necessary to determine whether to accept or block the packet directed to that IP address.”, as illustrated in Figure 1, where the received requests from a client 110 is received by the proxy server 120, where the proxy server performs analysis pertaining to the translated address and determine based on lookup, i.e. comparison, an appropriate action, where the identification and mitigation may be performed by the control server, control node, as disclosed in Col. 6 line 11-30). 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to perform a particular mitigation action based on rules and include geographical location information as part of the network address corresponding to the attack, with the motivation of dropping the traffic received if it is of an unexpected type, as recognized by (Holloway, Col. 10, 37-40), and reducing effectiveness of Dos attacks by mitigating attacks based on particular function stored according to rules, as recognized by (Holloway, Col. 12, line 55-60).


Regarding Claim 12 (Currently Amended), Graham as modified by Holloway teaches The CDN of claim 11, comprising:
Graham does not explicitly disclose the below limitations.
Holloway discloses the cache nodes configured to determine that a network attack or malicious traffic should be mitigated and mitigate the network attack or malicious traffic by dropping content requests associated with ones of the content requests issued at locations indicated by the locality information (Holloway, Col. 10, line 35-40, “proxy server 120 analyzes incoming traffic and may determine to drop traffic if it is of an unexpected type”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to drop contents associated with content request, with the motivation of eliminating potential attackers, as recognized by (Holloway, Col. 14, 25-26).

Regarding Claims 13-15 (Cancelled). 

Regarding Claim 16 (previously presented), Graham as modified by Holloway teaches The CDN of claim 15, wherein the [particular] function indicated by the stenographic information comprises at least one of logging of properties associated with the content requests and dropping traffic associated with the content requests (Graham teaches in Col.8, line 15-30 the predefined portion that enable the proxy server to perform a security function/action).
Graham does not explicitly disclose the below limitation.
Holloway discloses particular function as described in claims 1 and 11, and Col. 10, line 35-40, “proxy server 120 analyzes incoming traffic and may determine to drop traffic if it is of an unexpected type”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to drop contents associated with content request, with the motivation of eliminating potential attackers, as recognized by (Holloway, Col. 14, 25-26).

Regarding Claim 17 (previously presented), Graham as modified by Holloway teaches The CDN of claim 11, Graham further teaches comprising:
responsive to ones of the domain name translation requests issued by the end user devices corresponding to content of the CDN experiencing the network attack or malicious traffic (Graham, Col. 3, line 45-49, Figure 1, DNS request 150 (i.e. domain name translation requests)), Col. 3, line 45-49, Figure 1, client devices 110A (i.e. end user devices), Figure 3, corresponding to attack), the DNS translation nodes configured to log properties associated with the domain name translation requests issued by the end user devices (Graham, Col. 7, line 32-62 “IP address with a predefined portion that identifies that a zone is experiencing traffic indicative of an attack”…” indication that a hostname is experiencing traffic indicative of an attack”… “the proxy service node may determine that the number of packets being received to that IP address is abnormally high”, examiner notes that determining high volume of traffic for the same host name implies logging information pertains to the host name to determine high volume traffic, logging of properties on the DNS is updated by the control server 125 through 180 in Figure 1).

Regarding Claim 18 (Currently Amended), Graham as modified by Holloway teaches The CDN of claim [[17]] 11, comprising:
the DNS translation nodes configured to transfer information related to the properties associated with the domain name translation requests issued by the end user devices to the control node (Graham, Col. 7, line 35-45, Figure 1, Control server 125 (i.e. a control node of the CDN) “At operation 310, an indication that a host name is experiencing traffic indicative of an attack is received…., the indication is received at the control server 125 based on the hostname receiving an abnormally high amount of traffic  as reported by the proxy servers 120”, examiner notes that information associated to traffic is transferred to the control serve through the proxy server); and
the control node configured to identify at least one [locality] associated with the network attack or malicious traffic based at least on the information (Graham, Col. 8, line 12-15 “The proxy server 120 determines whether the destination IP address includes a predefined portion that identifies that the hostname is experiencing traffic indicative of an attack”).
Graham  does not disclose the below. 
Holloway, Col. 9, line 38-65, Figure 4, the proxy servers 120A-C, launched DoS attack on a proxy server (i.e. caches) identifies the client device geographic location associated with the proxy server.
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham by incorporating the teaching of Holloway to include geographical location information as part of the network address corresponding to the attack, with the motivation of dropping the traffic received if it is of an unexpected type, as recognized by (Holloway, Col. 10, 37-40).

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Graham in view of Holloway as applied above, further in view of Radlein et al.(US 9774619 B1), hereinafter Radlein.

Regarding Claim 9 (Currently Amended), Graham as modified by Holloway teaches The method and content delivery network (CDN) of claim 1, Holloway further teaches further comprising: 
Graham does not explicitly disclose the below limitations.
Holloway discloses responsive to first domain name translation request[[s]] corresponding to content of the CDN that is experiencing the network attack or malicious traffic (Holloway, Col. 7, line 6-12, “upon detecting a potential attack directed to an IP address…the proxy server and/or control server may cause the DNS records for at least some of those domains to be changed such that they will point to different IP addresses), motivation to claim 1 applies. 
While Graham as modified by Holloway discloses changing DNS mitigating response when an attack is detected (Holloway, Col. 7, line 6-12, Figure 2), however, Graham as modified by Holloway does not disclose ignoring the ones of the domain name translation requests.
Radlein from the same field of invention teaches ignoring the first the domain name translation request[[s]]. (Radlein, Col. 3, line 33-40 “a content delivery system may halt advertisement of an attacked network address within domain name system (DNS) queries”, Col. 5, line 42-46 “access to the previously attacked network addresses has been limited (e.g., by removing the previously attacked network addresses from DNS responses (i.e. ignoring the network address associated with the attack)”)
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham in view of Holloway by incorporating the teaching of Radlein to remove the network address under attack according to the DNS response, with the motivation to mitigate the attack as recognized by (Radlein, Col. 3, line 35-40).

Regarding Claim 19 (Previously Presented) Graham as modified by Holloway teaches The CDN of claim 11, comprising:
Graham does not explicitly disclose the below limitations.
Holloway discloses responsive to ones of the domain name translation requests corresponding to content of the CDN that is experiencing the network attack or malicious traffic (Holloway, Col. 7, line 6-12, “upon detecting a potential attack directed to an IP address…the proxy server and/or control server may cause the DNS records for at least some of those domains to be changed such that they will point to different IP addresses), motivation to claim 1 applies. 
While Graham as modified by Holloway discloses changing DNS mitigating response when an attack is detected (Holloway, Col. 7, line 6-12, Figure 2), however, Graham as modified by Holloway does not disclose ignoring the ones of the domain name translation requests.
 Radlein from the same field of invention teaches the DNS translation nodes configured to ignore the ones of the domain name translation requests (Radlein, Col. 3, line 33-40 “a content delivery system may halt advertisement of an attacked network address within domain name system (DNS) queries”, Col. 5, line 42-46 “access to the previously attacked network addresses has been limited (e.g., by removing the previously attacked network addresses from DNS responses (i.e. ignoring the network address associated with the attack)”)
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham in view of Holloway by incorporating the teaching of Radlein to remove the network address under attack according to the DNS response, with the motivation to mitigate the attack as recognized by (Radlein, Col. 3, line 35-40).

Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Graham in view of Holloway as applied above, further in view of Laurence et al. (US 9641434 B1), hereinafter Laurence.

Regarding Claim 10 (Currently Amended), Graham as modified by Holloway teaches The method and CDN of claims 1 and 11, respectively, Graham further teaches wherein the first network addresses comprise[[s]]
an Internet Protocol version 6 (IPv6) network addresses wherein a portion[[s]] of the first network address[[es]] comprising stenographic information is included in at least a [lower] 64 bits of the first network address[[es]] (Graham, Col. 2, line 23-26, “IPv6 address”, Col. 2, line 32-35 “second portion may be 64 bits used for other information or information identifiers.”), and 
wherein the first network address[[es]] comprise routing information in at least an [upper] 64 bits of the first network addresses (Graham, Col. 2, line 31-35 “the first portion may be 32 bits and could be used for the customer”, Col.3, line 31-34 “domain owners are customers of the cloud-based proxy service”), 
the routing information configured to direct the first content request[[s]] to at least one cache node that caches the content (Graham, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address (i.e. network addresses) of the proxy server(s) 120”, Col. 4, line 63-65 “the service uses multiple proxy service nodes that are geographically distributed to decrease the distance between requesting client devices and content”).
While Graham as modified by Holloway teaches network addresses containing routing information corresponding to domain owners and proxy services; and identifier information (Graham, Col. 2, line 30-35), however, Graham as modified by Holloway does not explicitly disclose 
stenographic information are included in at least a lower 64 bits of the network addresses, network addresses comprise routing information in at least an upper 64 bits of the network addresses.
Laurence from the same field of invention teaches stenographic information are included in at least a lower 64 bits of the network addresses (Laurence, Col. 3, line 34-42, Figure 2A “leaving the rest of the 128-bit addresses (128-N bits) free to be used for other purposes (i.e. lower portion as shown in Figure 2A”, Col. 5, line 15-28)… “unused bits (e.g., 32 bits) can be utilized to obfuscate and expand the attack”…” to render DoS and other malicious attacks impractical”, examiner notes that obfuscating the lower bits corresponding to stenographic information),
network addresses comprise routing information in at least an upper 64 bits of the network addresses (Laurence, Col. 3, line 34-42, Figure 2A “While IPv6 source and destination addresses are 128-bit addresses, the IPv6 subnet address space published by the border device 120 may only occupy a portion of the address space (N bits) (i.e. upper portion as shown in Figure 2A”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham in view of Holloway by incorporating the teaching of Laurence to include routing information in the upper portion of the network address and obfuscate in formation in the lower portion of the network address, with the motivation to render DoS and other malicious attacks impractical as recognized by (Laurence, Col. 5, line 26-28).

Regarding Claim 20 (Original), Graham as modified by Holloway teaches The CDN of claim 11, wherein the network addresses comprise Internet Protocol version 6 (IPv6) network addresses, wherein the portions of the network addresses comprising stenographic information are included in at least a [lower] 64 bits of the network addresses (Graham, Col. 2, line 31-35 “the first portion may be 32 bits and could be used for the customer”, Col.3, line 31-34 “domain owners are customers of the cloud-based proxy service”), and wherein the network addresses comprise routing information in at least an [upper] 64 bits of the network addresses (Graham, Col. 2, line 31-35 “the first portion may be 32 bits and could be used for the customer”, Col.3, line 31-34 “domain owners are customers of the cloud-based proxy service”), the routing information configured to direct the content requests to at least one cache node that caches the content.
(Graham, Col. 3, line 45-49, Figure 1, “The client devices 110A-I may each make a DNS request 150 to the DNS system 140 for a particular hostname and receive a DNS response 152 that includes an IP address (i.e. network addresses) of the proxy server(s) 120”, Col. 4, line 63-65 “the service uses multiple proxy service nodes that are geographically distributed to decrease the distance between requesting client devices and content”). 

While Graham as modified by Holloway teaches network addresses containing routing information corresponding to domain owners and proxy services; and identifier information (Graham, Col. 2, line 30-35), however, Graham as modified by Holloway does not explicitly disclose 
stenographic information are included in at least a lower 64 bits of the network addresses, network addresses comprise routing information in at least an upper 64 bits of the network addresses.
Laurence from the same field of invention teaches stenographic information are included in at least a lower 64 bits of the network addresses (Laurence, Col. 3, line 34-42, Figure 2A “leaving the rest of the 128-bit addresses (128-N bits) free to be used for other purposes (i.e. lower portion as shown in Figure 2A”, Col. 5, line 15-28)… “unused bits (e.g., 32 bits) can be utilized to obfuscate and expand the attack”…” to render DoS and other malicious attacks impractical”, examiner notes that obfuscating the lower bits corresponding to stenographic information),
network addresses comprise routing information in at least an upper 64 bits of the network addresses (Laurence, Col. 3, line 34-42, Figure 2A “While IPv6 source and destination addresses are 128-bit addresses, the IPv6 subnet address space published by the border device 120 may only occupy a portion of the address space (N bits) (i.e. upper portion as shown in Figure 2A”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Graham in view of Holloway by incorporating the teaching of Laurence to include routing information in the upper portion of the network address and obfuscate in formation in the lower portion of the network address, with the motivation to render DoS and other malicious attacks impractical as recognized by (Laurence, Col. 5, line 26-28).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Burns (US 10469362 B1) discloses services interact with Network Address Translators (“NATs”) based on the set of rules and the API routing information.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BASSAM A NOAMAN whose telephone number is (571)272-2705. The examiner can normally be reached Monday-Friday 8:30 AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BASSAM A NOAMAN/Examiner, Art Unit 2497