FINAL ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Amendment A, received on 14 March 2022, has been entered into record. In this amendment, claims 1, 4, 16, and 22 have been amended, claim 6 has been canceled, and claims 24 and 25 have been added.
Supplemental amendment, received 8 April 2022, has been entered into record. In this amendment, claims 1, 4, 11, 12, 15, 19, 22, and 24 have been amended.
Claims 1-5 and 7-25 are presented for examination.

Response to Arguments
With regards to the objection to the claims, the applicant has submitted amendments, and the examiner hereby withdraws the objection.
Applicant's arguments filed 14 March 2022 and 8 April 2022 have been fully considered but they are not persuasive. 
It is argued by the applicant that Hamadeh does not disclose a central controller that is characterized by an ability to process the records from a plurality of the network devices. The examiner respectfully disagrees.
Hamadeh discloses that the system will recognize packets to be processed for traceback that are parts of a DDoS attack and that arrive from a number of different border routers (0106, lines 1-4), therefore teaching the processing of records from a plurality of network devices.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 21 March 2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 2, 4, 8, and 22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hamadeh et al. (WO 2004/008700 A2 and Hamadeh hereinafter).
As to claim 1, Hamadeh discloses a system and method for real-time packet traceback and associated packet marking strategies, the system and method having:
a plurality of network devices, each network device configured to provide records associated with one or more data packets of network traffic, the records including meta-data about the network traffic (0035, lines 1-4; 0106, lines 1-4; 0107, lines 1-10); 
at least one central controller configured to receive one or more of the records (0035, lines 1-4), identify anomalous network traffic, determine a source address of the anomalous network traffic, and initiate a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether one of the data packets is part of the DDoS attack is based on one or more detection rules and wherein each central controller is characterized by an ability to process the records from a plurality of the network devices (0070, lines 2-14; 0106, lines 1-4; 0107, lines 1-10).

As to claim 2, Hamadeh discloses:
an intrusion detection system for generating an alert, and wherein the central controller is configured to receive the alert and to use the alert to determine whether the received data packet is part of the DDoS attack (0143, lines 2-8; 0145, lines 1-3).

As to claim 4, Hamadeh discloses:
receiving one or more records associated with one or more data packets of network traffic, the records including meta-data about the network traffic (0035, lines 1-4; 0106, lines 1-4; 0107, lines 1-10); 
identifying anomalous network traffic (0070, lines 2-14); 
determining a source address of the anomalous network traffic (0070, lines 2-14); 
initiating a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether one of the data packets is part of the DDoS attack is based on one or more detection rules and wherein a central controller is characterized by an ability to process the records from a plurality of network devices (0070, lines 2-14; 0106, lines 1-4; 0107, lines 1-10).

As to claim 8, Hamadeh discloses:
wherein at least one of the one or more mitigation rules indicates that network traffic from the determined source address is to be blocked, discarded, or both (0070, lines 10-12).

As to claim 22, Hamadeh discloses:
a memory (0087, line 3); 
at least one processor, coupled to said memory, and operative to perform operations comprising (0087, lines 3-4): 
receiving one or more records associated with one or more data packets of network traffic, the records including meta-data about network traffic, wherein the central controller is characterized by an ability to process the records from a plurality of network devices (0035, lines 1-4; 0106, lines 1-4; 0107, lines 1-10); 
identifying anomalous network traffic (0070, lines 2-14); 
determining a source address of the anomalous network traffic (0070, lines 2-14); 
initiating a mitigation action based on the source address and one or more mitigation rules, wherein a determination of whether one of the data packets is part of the DDoS attack is based on one or more detection rules (0070, lines 2-14).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh.
As to claim 13, Hamadeh fails to specifically disclose: 
initiating a cancellation of the mitigation action in response to a cessation of the DDoS attack.
However, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to cancel the mitigation action in response to a cessation of a DDoS attack since Hamadeh discloses that mitigation actions are only taken when attacks are detected (0070, lines 2-14).

Claims 3, 9, 10, 14, 21, and 23 are rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh as applied to claims 1, 4, and 22 above, and further in view of George et al. (US 2017/0237767 A1 and George hereinafter).
As to claims 3, 21, and 23, Hamadeh fails to specifically disclose:
wherein the identification of the anomalous network traffic further comprises identifying a UDP reflection DDoS attack and wherein the mitigation action mitigates the UDP reflection DDoS attacks.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by George.
George discloses a system and method for mitigation of network attacks via dynamic re-routing, the system and method having:
wherein the identification of the anomalous network traffic further comprises identifying a UDP reflection DDoS attack and wherein the mitigation action mitigates the UDP reflection DDoS attacks (0006, lines 4-8, 16-18; 0017, lines 1-5).
Given the teaching of George, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of George by identifying a UDP reflection DDoS attack. George recites motivation by disclosing that identifying and mitigating UDP reflection attacks provides protection against larger and stronger DDoS attacks, thus providing better security (0006). It is obvious that the teachings of George would have improved the teachings of Hamadeh by identifying and mitigating UDP reflection attacks in order to provide better security.

As to claim 9, Hamadeh fails to specifically disclose:
wherein at least one of the one or more mitigation rules indicates that network traffic from the determined source address is to be diverted to a specified network address.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by George.
George discloses:
wherein at least one of the one or more mitigation rules indicates that network traffic from the determined source address is to be diverted to a specified network address (0104, lines 1-8).
Given the teaching of George, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of George by indicating that traffic is to be diverted. Please refer to the motivation recited above with respect to claim 3 as to why it is obvious to apply the teachings of George to the teachings of Hamadeh.

As to claim 10, Hamadeh fails to specifically disclose:
wherein at least one of the one or more mitigation rules indicates that deep packet inspection (DPI) is to be performed on the network traffic from the determined source address.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by George.
George discloses:
wherein at least one of the one or more mitigation rules indicates that deep packet inspection (DPI) is to be performed on the network traffic from the determined source address (0104, lines 8-12).
Given the teaching of George, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of George by indicating that DPI is to be performed. Please refer to the motivation recited above with respect to claim 3 as to why it is obvious to apply the teachings of George to the teachings of Hamadeh.

As to claim 14, Hamadeh fails to specifically disclose:
receiving an alert from an intrusion detection system, the alert comprising application layer information from a payload of the data packet indicating a type of query that is being requested.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by George.
George discloses:
receiving an alert from an intrusion detection system, the alert comprising application layer information from a payload of the data packet indicating a type of query that is being requested (0121, lines 11-19).
Given the teaching of George, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of George by receiving an alert of application layer information. Please refer to the motivation recited above with respect to claim 3 as to why it is obvious to apply the teachings of George to the teachings of Hamadeh.
Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh as applied to claim 4 above, and further in view of Yoon et al. (US 2012/0117646 A1 and Yoon hereinafter).
As to claim 5, Hamadeh fails to specifically disclose:
wherein one of the one or more detection rules indicates that any data packet that satisfies a specified data pattern is part of the DDoS attack.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Yoon.
Yoon discloses a system and method for protecting against transmission control protocol flooding attacks, the system and method having:
wherein one of the one or more detection rules indicates that any data packet that satisfies a specified data pattern is part of the DDoS attack (0007, lines 5-10).
Given the teaching of Yoon, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Yoon by indicating a data packet satisfies a pattern. Yoon recites motivation by disclosing that indicating a packet that satisfies a pattern as part of a DDoS attack allows for mitigation techniques to be applied, thus providing security (0007). It is obvious that the teachings of Yoon would have improved the teachings of Hamadeh by indicating a packet that satisfies a pattern as part of a DDoS attack in order to provide security.

As to claim 7, Hamadeh fails to specifically disclose:
wherein at least one of the one or more mitigation rules indicates that network traffic from the determined source address is to be rate limited.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Yoon.
Yoon discloses:
wherein at least one of the one or more mitigation rules indicates that network traffic from the determined source address is to be rate limited (0070, lines 10-12).
Given the teaching of Yoon, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Yoon by indicating traffic from a source is to be rate limited. Please refer to the motivation recited above with respect to claim 5 as to why it is obvious to apply the teachings of Yoon to the teachings of Hamadeh.

Claims 11 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh as applied to claim 4 above, and further in view of Jain (US 2017/0264646 A1).
As to claim 11, Hamadeh fails to specifically disclose:
comprising sending at least one of the mitigation rules to at least one of the network devices.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Jain.
Jain discloses a system and method for software defined behavioral DDoS attack mitigation, the system and method having:
comprising sending at least one of the mitigation rules to at least one of the network devices (Abstract, lines 7-10).
Given the teaching of Jain, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Jain by sending mitigation rules to a device. Jain recites motivation by disclosing that mitigation rules are sent to a device to configure a device in a network to implement attack mitigation and provide security (Abstract). It is obvious that the teachings of Jain would have improved the teachings of Hamadeh by sending mitigation rules to a device in order to implement mitigation and provide security.

As to claim 12, Hamadeh discloses:
wherein at least one of the network devices is part of an internet service provider's infrastructure, a hosting provider's infrastructure, or an enterprise's infrastructure (Figure 1).

Claims 15 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh as applied to claim 4 above, and further in view of Marck et al. (US 2018/0054458 A1 and Marck hereinafter).
As to claim 15, Hamadeh discloses:
inspecting the network traffic in search of packets that correspond to the obtained address information (0070, lines 7-10); 
performing a check to determine if a given one of the searched packets corresponds to an address associated with the address information (0070, lines 7-10); 
responsive to the check indicating that the given one of the searched packets corresponds to the address associated with the address information, configuring a device to mitigate the malicious network traffic (0070, lines 10-14).
Hamadeh fails to specifically disclose:
obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Marck.
Marck discloses a system and method for mitigating distributed denial of service attacks in a cloud environment, the system and method having:
obtaining address information from a third-party threat intelligence provider, the address information corresponding to network traffic that has been identified as malicious network traffic (0008, lines 16-24).
Given the teaching of Marck, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Marck by obtaining address information corresponding to malicious traffic. Marck recites motivation by disclosing that receiving addresses corresponding to malicious traffic allows for mitigation to be performed, therefore providing security (0008, lines 16-24). It is obvious that the teachings of Marck would have improved the teachings of Hamadeh by obtaining address information corresponding to malicious traffic in order to provide security.

As to claim 16, Hamadeh discloses:
wherein the address information comprises one or more of an address, a source or destination port, a protocol, a payload type, a payload size, contents of a payload, identification of a network traffic pattern, a match of the network traffic pattern with known threat signatures, headers or header metadata, a protocol type, a file analysis, frequency of beaconing, and a hash value (0070, lines 2-10).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh in view of Marck as applied to claim 15 above, and further in view of Yoon.
As to claim 17, Hamadeh in view of Marck fails to specifically disclose:
wherein the threat information is a blacklist of IP addresses known or suspected to correspond to malicious network traffic.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh in view of Marck, as taught by Yoon.
Yoon discloses a system and method having:
wherein the threat information is a blacklist of IP addresses known or suspected to correspond to malicious network traffic (0070, lines 12-16).
Given the teaching of Yoon, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh in view of Marck with the teachings of Yoon by using a blacklist of known or suspected IP addresses. Please refer to the motivation recited above with respect to claim 5 as to why it is obvious to apply the teachings of Yoon to the teachings of Hamadeh in view of Marck.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh in view of Marck, and further in view of Lotia et al. (US 2020/0366689 A1 and Lotia hereinafter).
The applied reference has a common applicant with the instant application. Based upon the earlier effectively filed date of the reference, it constitutes prior art under 35 U.S.C. 102(a)(2). 
As to claim 18, Hamadeh in view of Marck fails to specifically disclose:
comparing the threat information and a white list, and removing addresses that are on the white list from the threat information.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh in view of Marck, as taught by Lotia.
Lotia discloses a system and method for botnet detection and mitigation, the system and method having:
comparing the threat information and a white list, and removing addresses that are on the white list from the threat information (0117, lines 1-4).
Given the teaching of Lotia, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh in view of Marck with the teachings of Lotia by removing addresses in a white list from threat information. Lotia recites motivation by disclosing that threat information identifies malicious traffic and is used to provide protection (0116, 0117). It is obvious that the teachings of Lotia would have improved the teachings of Hamadeh in view of Marck by removing addresses in a white list from threat information in order to identify malicious traffic and provide protection.
This rejection under 35 U.S.C. 103 might be overcome by: (1) a showing under 37 CFR 1.130(a) that the subject matter disclosed in the reference was obtained directly or indirectly from the inventor or a joint inventor of this application and is thus not prior art in accordance with 35 U.S.C.102(b)(2)(A); (2) a showing under 37 CFR 1.130(b) of a prior public disclosure under 35 U.S.C. 102(b)(2)(B); or (3) a statement pursuant to 35 U.S.C. 102(b)(2)(C) establishing that, not later than the effective filing date of the claimed invention, the subject matter disclosed and the claimed invention were either owned by the same person or subject to an obligation of assignment to the same person or subject to a joint research agreement. See generally MPEP § 717.02.
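The controller that the rejected claims describe, as an added example that is not part of this Office action or of any cited reference: records from a plurality of network devices pooled at one controller (claims 1, 4, 22), detection rules including a UDP reflection check (claims 3, 5), mitigation rules that divert or rate-limit by source address (claims 7, 9), removal of white-listed addresses from the threat information (claim 18), and cancellation of the action once the attack ceases (claim 13). The rules, thresholds, device names and addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

DST = "203.0.113.10"   # constructed: every packet in the demo targets this host


@dataclass(frozen=True)
class Record:
    """Meta-data about one packet, as reported by a network device."""
    device: str        # reporting device (border router, sensor, ...)
    src: str           # source address
    dst: str           # destination address
    proto: str         # "udp" or "tcp"
    src_port: int
    payload_len: int


def udp_reflection_rule(src, recs):
    """Detection rule: large UDP packets from a reflector port (DNS/NTP) to one target."""
    refl = [r for r in recs if r.proto == "udp"
            and r.src_port in (53, 123) and r.payload_len >= 400]
    if len(refl) >= 5 and len({r.dst for r in refl}) == 1:
        return "udp_reflection"
    return None


def volume_rule(src, recs, threshold=20):
    """Detection rule: packet count from one source, pooled over all devices."""
    return "volume" if len(recs) >= threshold else None


class CentralController:
    def __init__(self, detection_rules, mitigation_rules, whitelist=()):
        self.detection_rules = detection_rules
        self.mitigation_rules = mitigation_rules  # [(reason or "*", action)]
        self.whitelist = set(whitelist)
        self.records = defaultdict(list)          # src -> records, all devices
        self.active = {}                          # src -> current action

    def receive(self, records):
        """Accept records from any number of network devices."""
        for r in records:
            self.records[r.src].append(r)

    def new_window(self):
        """Start a fresh observation window; active mitigations persist."""
        self.records = defaultdict(list)

    def identify_anomalous(self):
        """{src: reason} for flagged sources; white-listed addresses are left out."""
        found = {}
        for src, recs in self.records.items():
            if src in self.whitelist:
                continue
            for rule in self.detection_rules:
                reason = rule(src, recs)
                if reason:
                    found[src] = reason
                    break
        return found

    def reporting_devices(self, src):
        return sorted({r.device for r in self.records[src]})

    def initiate_mitigation(self, src, reason):
        """Apply the first mitigation rule whose reason matches."""
        for rule_reason, action in self.mitigation_rules:
            if rule_reason in (reason, "*"):
                self.active[src] = action
                return action
        return None

    def cancel_ceased(self, still_anomalous):
        """Cancel the action for every source no longer flagged."""
        ceased = [s for s in self.active if s not in still_anomalous]
        for s in ceased:
            del self.active[s]
        return ceased


def demo():
    """Two routers report one reflection source; another source floods via one router."""
    ctl = CentralController(
        [udp_reflection_rule, volume_rule],
        [("udp_reflection", "divert:scrubbing-center"), ("*", "rate_limit")],
        whitelist={"192.0.2.99"})
    ctl.receive([Record("router-1", "198.51.100.7", DST, "udp", 53, 512)] * 3)
    ctl.receive([Record("router-2", "198.51.100.7", DST, "udp", 53, 512)] * 3)
    ctl.receive([Record("router-2", "192.0.2.50", DST, "tcp", 40000, 60)] * 25)
    ctl.receive([Record("router-1", "192.0.2.99", DST, "tcp", 443, 60)] * 30)
    flagged = ctl.identify_anomalous()
    actions = {s: ctl.initiate_mitigation(s, why) for s, why in flagged.items()}
    devices = {s: ctl.reporting_devices(s) for s in flagged}
    ctl.new_window()       # next window: reflection has stopped, flood goes on
    ctl.receive([Record("router-2", "192.0.2.50", DST, "tcp", 40000, 60)] * 25)
    cancelled = ctl.cancel_ceased(ctl.identify_anomalous())
    return flagged, actions, devices, cancelled
```

The reflection source is flagged only because records from both routers are pooled at the controller; the white-listed 192.0.2.99 never enters the threat information even though it sends the most packets.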

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh in view of Marck as applied to claim 15 above, and further in view of George.
As to claim 19, Hamadeh in view of Marck fails to specifically disclose:
wherein at least one of the network devices is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh in view of Marck, as taught by George.
George discloses:
wherein at least one of the network devices is configured to block or reroute the given one of the searched packets corresponding to the address associated with the address information (0104, lines 1-8).
Given the teaching of George, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh in view of Marck with the teachings of George by blocking or rerouting packets. Please refer to the motivation recited above with respect to claim 3 as to why it is obvious to apply the teachings of George to the teachings of Hamadeh.

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh in view of Marck as applied to claim 15 above, and further in view of Bhargav-Spantzel et al. (WO 2015/076790 A1 and Bhargav hereinafter).
As to claim 20, Hamadeh in view of Marck fails to specifically disclose:
soliciting a user to review and approve the mitigation action before the mitigation action is initiated.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh in view of Marck, as taught by Bhargav.
Bhargav discloses a system and method for context-aware proactive threat management, the system and method having:
soliciting a user to review and approve the mitigation action before the mitigation action is initiated (Abstract, lines 6-8).
Given the teaching of Bhargav, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh in view of Marck with the teachings of Bhargav by soliciting a user to review and approve mitigation action. Bhargav recites motivation by disclosing that a user confirmation for mitigation operations is performed, improving accuracy in protection (Abstract). It is obvious that the teachings of Bhargav would have improved the teachings of Hamadeh in view of Marck by soliciting a user to review and approve mitigation action in order to improve protection accuracy.

Claims 24 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Hamadeh as applied to claim 4 above, and further in view of Chen et al. (US 2017/0048263 A1 and Chen hereinafter).
As to claim 24, Hamadeh fails to specifically disclose:
wherein the receiving of the one or more records is repeated for a second network device of the network devices and wherein the identification of the anomalous network traffic is based on the originally received records and the records received from the second network device, and the identification is performed using supervised machine learning.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Chen.
Chen discloses a system and method for anomaly prediction, the system and method having:
wherein the receiving of the one or more records is repeated for a second network device of the network devices and wherein the identification of the anomalous network traffic is based on the originally received records and the records received from the second network device, and the identification is performed using supervised machine learning (0031, lines 3-7; 0033, lines 1-7).
Given the teaching of Chen, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Chen by using supervised machine learning to identify anomalies in network traffic based on records. Chen recites motivation by disclosing that analyzing records collected from multiple apparatuses using a KNN algorithm allows misuse and anomaly groups to be detected and stored in the pattern database to enable anomaly detection (0031-0034). It is obvious that the teachings of Chen would have improved the teachings of Hamadeh by using supervised machine learning to identify anomalies in order to store patterns for anomaly detection.

As to claim 25, Hamadeh fails to specifically disclose:
wherein the supervised machine learning is performed using a K nearest neighbor (KNN) technique.
Nonetheless, this feature is well known in the art and would have been an obvious modification of the teachings disclosed by Hamadeh, as taught by Chen.
Chen discloses:
wherein the supervised machine learning is performed using a K nearest neighbor (KNN) technique (0033, lines 1-7).
Given the teaching of Chen, a person having ordinary skill in the art before the effective filing date of the claimed invention would have readily recognized the desirability and advantages of modifying the teachings of Hamadeh with the teachings of Chen by using a KNN technique. Please refer to the motivation recited above with respect to claim 24 as to why it is obvious to apply the teachings of Chen to the teachings of Hamadeh.

Prior Art Made of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Maher et al. (US 2008/0162679 A1) discloses a system and method for alerting as to denial of service attacks.
Wei et al. (WO 2019/148576 A1) discloses a system and method for DDoS attack detection and mitigation.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SARAH SU whose telephone number is (571)270-3835. The examiner can normally be reached 7:30 AM - 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SARAH SU/Primary Examiner, Art Unit 2431