DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
   			   Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 03/14/2022 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 5-8, 11-13 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 20210105250 A1 to Grinius et al. (hereinafter “Grinius”) and further in view of US-PGPUB No. 20180375685 A1 to Zhuang et al. (hereinafter “Zhuang”)
Regarding claim 1:
Grinius discloses:
A method comprising: 
publishing a valid route origin authorization (ROA) for a specified IP address (see Grinius ¶37-41: “… recording, in response to confirmation that the registrant corresponds to an authorized autonomous system and that the subnet is an available subnet, the at least one IP address subnet information as a subnet record in a database along with state metadata … creating at least one route object corresponding to the at least one subnet and recording the route objects as RADb records … confirming that the information in the route objects has been propagated to transit provider routers … in response to the confirming, changing the state metadata to indicate that the at least one IP address subnet is in a valid state that is available for assignment to client devices … A decision as to the type of pre-validations, such as ROA … can be made.” See also Fig. 2); 
performing a modified Resource Public Key Infrastructure (RPKI) validation using the published valid route origin authorization (ROA) in response to the advertisement of the flowspec rule (see Grinius ¶41-42: “A registrant of IP addresses provides information about its available IP resources … using various data control mechanisms, such as a UI, a RESTful API, and/or other mechanisms for providing data. … The RPKI Validator can collect all ROA information from all RIRs at regular time intervals.”);
However, Grinius failed to explicitly disclose the following limitations taught by Zhuang:
detecting a distributed denial-of-service (DDoS) attack to a given IP address (see Zhuang ¶123: “The traffic analysis server on the private network D1 may detect … that the destination IP 20.1.1.1 is under the DDoS attack.”); 
             advertising a flowspec rule from a given autonomous system network to one or more neighboring autonomous system networks in response to the detection of the distributed denial-of- service (DDoS) attack (see Zhuang ¶123: “The traffic analysis server on the private network D1 may detect … that the destination IP 20.1.1.1 is under the DDoS attack. In this case, the traffic analysis server may generate a FlowSpec route according to an attack feature and advertise the FlowSpec route to the connected edge device RTD.”, and 
¶137: “After the edge device RTD receives the FlowSpec route advertised by the traffic analysis server, the edge device RTD may advertise the FlowSpec route to other edge devices RTA and RTB on the AS200.”);  
           implementing the flowspec rule to mitigate the distributed denial-of-service (DDoS) attack in response to the validation of the flowspec rule (see Zhuang ¶87: “… four types of commonly used traffic processing behaviors (traffic discarding, rate limiting, packet DSCP value modification, redirect to a VPN) are defined. The four types of processing behaviors as extended community attributes are carried in a BGP FlowSpec route. “, and 
¶90-91: “The target data stream is a data stream to be processed by the to-be-advertised FlowSpec route … the target data stream may be an attack data stream… the first network device may detect an IP address of a device attacked by a distributed denial of service (DDoS) attack.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Grinius to incorporate the functionality of the traffic analysis server to generate a FlowSpec route according to an attack feature and advertise the FlowSpec route to the connected edge device, as disclosed by Zhuang, such modification would allow the system to uniquely identify the destination IP that is under a DDoS attack, thus enabling to implement timely mitigation procedures. 

Regarding claim 2:
The combination of Grinius and Zhuang disclose: 
The method of claim, wherein a first entity performs the publication of the valid route origin authorization, the detection of the distributed denial-of-service (DDoS) attack, and the advertisement of the flowspec rule to the one or more neighboring entities (see Zhuang ¶07: … a first network device is provided configured to advertise a Flow Specification (FlowSpec) route. The first network device includes an analysis unit configured to analyze a data stream entering a network on which the first network device is located, to obtain a traffic characteristic of a target data stream, and a route advertisement unit configured to advertise a FlowSpec route … “, and 
¶89-90: “The first network device analyzes a data stream entering a network on which the first network device is located to obtain a traffic characteristic of a target data stream, where the first network device is configured to advertise a FlowSpec route … the first network device may detect an IP address of a device attacked by a distributed denial of service (DDoS) attack.”). 

Regarding claim 5:
	The combination of Grinius and Zhuang disclose: 
The method of claim 1, wherein the performance of the Resource Public Key Infrastructure (RPKI) validation further comprises determining if the flowspec rule has a specified destination prefix (see Zhuang ¶09: “… a BGP update message to which the FlowSpec route belongs includes a destination RD field, and a value of the destination RD field is the identification information”).  

Regarding claim 6:
The combination of Grinius and Zhuang disclose:
The method of claim 1, wherein the performance of the modified Resource Public Key Infrastructure (RPKI) validation further comprises determining whether the valid route origin authorization (ROA) specifies a prefix that contains a destination prefix of the flowspec rule (see Zhuang ¶210: “According to a control policy deployed on the controller, the controller generates a VPNv4 route 2 for vpn1 of PE1 based on the route 1. The route 2 may carry identification information, such as an RD or a name, that can uniquely identify vpn 1. … a field name of the RD that uniquely identifies vpn1 may be referred to as a destination RD.”, 
¶212: “… the foregoing destination RD (that is, the VPN RD) may be mapped to a “destination RD extended community attribute” of a BGP update message to which the FlowSpec route belongs.”).  

Regarding claim 7:
The combination of Grinius and Zhuang disclose:
The method of claim 1, wherein the performance of the modified Resource Public Key Infrastructure (RPKI) validation further comprises determining if an autonomous system that originated the flowspec rule matches an autonomous system number (ASN) specified in the route origin authorization (ROA) (see Grinius ¶17-21: “A Route Origin Authorization (ROA) is a cryptographically signed object that states which Autonomous System is authorized to originate a certain prefix. A ROA can contain three informational elements: …  The AS Number that is authorized … The prefix that may be originated from the AS … The Maximum Length of the prefix … Maximum Length specifies the length of the most specific IP prefix that the AS is authorized to advertise … querying a route origin authorization database may include validation of ROA cryptographically signed objects against a regional internet registry resource public key infrastructure.”).  

Regarding claim 8:
The combination of Grinius and Zhuang disclose:
The method of claim 1, wherein the implementation of the flowspec rule further comprises sending the flowspec rule to one or more routers (see Zhuang ¶85: “A BGP FlowSpec peer relationship is established between a device that establishes BGP FlowSpec routes and a network ingress device, and is used to transmit the BGP FlowSpec routes. After receiving the BGP FlowSpec routes, a BGP FlowSpec peer converts a preferred route into a traffic control policy on a forwarding plane, thereby controlling attack traffic.”).  

Regarding claim 11: 
Claim 11 recites substantially the same limitations as claim 1, in the form of a non-transitory computer readable medium for storing computer executable instructions, therefore it is rejected by the same rationale. 

Regarding claims 12-13 and 16-19: 
Claims 12-13 and 16-19 recite substantially the same limitations as claims 1-2 and 5-8, respectively, in the form of a networked computing system to realize the corresponding method, therefore they are rejected by the same rationale. 

Claims 3-4 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Grinius, Zhuang and further in view of US-PGPUB No.to 20150207818 A1 Gagliano et al. (hereinafter “Gagliano”)
Regarding claim 3: 
The combination of Grinius and Zhuang disclose the method of claim 1, but failed to explicitly disclose the following limitation taught by Gagliano: 
 wherein the one or more neighboring entities perform the modified Resource Public Key Infrastructure (RPKI) validation (see Gagliano ¶42: “… the RPKI validation server can also signal the specific address of interest to the edge routers. The routers themselves could then introduce data plane policy. As an example, if the DNS server of interest has IP address 10.1.1.1 and the prefix announced by neighbors is 10.0.0.0/8, the routers may allow (white-list) the route 10.0.0.0/8 in the routing table, but could allow only DNS traffic to and from the host 10.1.1.1, such as based on deep packet inspection (DPI) techniques (packet type, class, source/destination pair, etc.).”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Grinius and Zhuang to incorporate the functionality of the validation server to create dynamic white-listing to allow access to particular IP addresses beyond the edge router in question., as disclosed by Gagliano, such modification would allow the system to enable neighboring entities to implement policies to detect and mitigate flooding DDoS attacks.

Regarding claim 4:
The combination of Grinius and Zhuang disclose the method of claim 1, but failed to explicitly disclose the following limitation taught by Gagliano: 
 wherein the modified Resource Public Key Infrastructure (RPKI) validation is initiated by a BGP speaker (see Gagliano ¶26: “BGPSEC extends the RPKI by adding an additional type of certificate, referred to as a BGPSEC router certificate, that binds an AS number to a public signature verification key, the corresponding private key of which is held by one or more BGP speakers within this AS. Private keys corresponding to public keys in such certificates can then be used within BGPSEC to enable BGP speakers to sign on behalf of their AS. The certificates may allow a relying party to verify that a BGPSEC signature was produced by a BGP speaker belonging to a given AS … a goal of BGPSEC is to use signatures to protect the AS Path attribute of BGP update messages so that a BGP speaker can assess the validity of the AS Path in update messages that it receives.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Grinius and Zhuang to incorporate the functionality of the security extension to the BGP, referred to as BGPSEC, to provide improved security for BGP routing, as disclosed by Gagliano, such modification would allow the system to verify the legitimacy and authenticity of BGP route advertisements.

Regarding claims 14-15: 
Claims 14-15 recite substantially the same limitations as claims 3-4, respectively, in the form of a networked computing system to realize the corresponding method, therefore they are rejected by the same rationale.

Claims 9-10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Grinius, Zhuang and further in view of US-PGPUB No.to 20050135428 A1 to Hellgren
Regarding claim 9:
The combination of Grinius and Zhuang disclose the method of claim 1, but failed to explicitly disclose the following limitation taught by Hellgren: 
dropping the flowspec rule in response to an invalidation of the flowspec rule (see Hellgren ¶10-11: “… each flow specification is linked to one service. … The GGSN is responsible for determining whether the mobile subscriber is permitted to use a certain service. … If the mobile subscriber is not allowed to use the service, the access to this service is denied. … The GGSN simply discards all the packets which match the denied flow specification.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Grinius and Zhuang to incorporate the functionality of the ICD system to allow or deny access to services (flow specifications), as disclosed by Hellgren, such modification would allow the system to verify the legitimacy of packets, to get access to services.

Regarding claim 10:
The combination of Grinius and Zhuang disclose the method of claim 1, but failed to explicitly disclose the following limitation taught by Hellgren: 
 validating the flowspec rule using an auxiliary validation method (see Hellgren ¶32-33: “… the GGSN performs traffic analysis. The packet will match with a certain flow specification F. The flow specification F is part of service S. … If the user is a prepaid user, then the GGSN 4 will need to get information from the OCS 16 indicating whether or not there are sufficient funds for the particular service. … This can be done in a number of ways. The GGSN can request information from the OCS 16 as to whether or not there are sufficient funds for the requested service with the OCS making the decision. Alternatively, the GGSN may be provided with information from the OCS as to the funds available to the user and will make the determination as to whether or not the user does have sufficient funds.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Grinius and Zhuang to incorporate the functionality of GGSN to perform traffic analysis and to request information and service from the OCS (auxiliary validator), with the OCS making the decision, as disclosed by Hellgren, such modification would allow the system to distribute validation to auxiliary methods, thus decreasing packet latency.

Regarding claim 20: 
Claim 20 recites substantially the same limitation as claim 9, in the form of a networked computing system to realize the corresponding method, therefore it is rejected by the same rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Liang et al. (US-PPGPUB No 20190140960-A1)- disclosed a FlowSpec message processing method and system, and an apparatus, to implement fine-grained control over a service flow of a forwarding device based on a forwarding device interface. 
Eastlake et al. (US-PPGPUB No 20210258251-A1)- disclosed a method and a network node for identifying packet flows. The method includes receiving, by the network node, a packet and determining by the network node whether data contained in the packet matches all segments of a multi-segment flow specification.
Hari et al. (US-PGPUB No. 20170324738-A1)- disclosed an Internet security mechanism configured to provide security for Internet resources of the Internet using an Internet blockchain.
Mortensen et al. (US-PGPUB No. 20210203688-A1)- disclosed the processing of network packets, and specifically to correlating discarded network traffic with network policy events through augmented flow. 
Ghule et al. (US-PGPUB No. 20180176139-A1)- disclosed techniques for triggering security actions for network tunnels against spoofing. Techniques are described for extending Flow Specification (FlowSpec) to include outer header type and inner header type components of an encapsulated packet to match to trigger one or more security actions.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491


/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491