DETAILED ACTION
The present office action is responsive to communications received on 03/31/2022.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
Claims 1 and 18 were amended.
Claim 19 is newly added.
Claims 1-19 are pending.

Response to arguments
In light of applicant’s amendments, the prior Claim Objections, 35 USC § 112(b) and 35 USC § 101 rejections are withdrawn.
With respect to the 35 USC § 103 rejection:
Applicant’s arguments against Lewis and Chesla are no longer applicable in light of new grounds of rejection over the prior art Crabtree et al. (US 20180295154 A1) which was cited by the examiner in a prior office action, mailed on 1/15/2021, in view of new prior art Duffield et al. (US 20070283436 A1) and Liu (US 20100082513 A1) based on examiner’s updated search as necessitated by applicant’s amendments. 
With respect to applicant’s arguments regarding claim 4, the examiner’s mapping to Stiansen ¶39 and ¶104 explains using multiple data from multiple sources, illustrated in Stiansen Fig. 23, combined to perform data analytics in order to determine a threat score, which is an attack characteristic. See MPEP 2144.07 Art Recognized Suitability for an Intended Purpose [R-08.2012].
With respect to the newly amended claim limitations, the claims mapping has been updated as necessitated by applicant’s amendments.
In response to applicant’s argument that there is no teaching, suggestion, or motivation to combine the references, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, the prior art that was used all disclose either monitoring traffic or threat mitigation in relationship to traffic or explicitly disclose mitigating DDOS attacks.

Claim Objections
Claim 1 is objected to because of the following informalities: “at least one other one of the attacks”. Appropriate correction is required.
Claim 18 is objected to because of the following informalities: “analyze analyzing the plurality of attack feeds”. Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 8, 10-14, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (US 20180295154 A1) hereinafter referred to as Crabtree in view of Duffield et al. (US 20070283436 A1) hereinafter referred to as Duffield in view of Liu (US 20100082513 A1) hereinafter referred to as Liu.

With respect to claim 1, Crabtree discloses: A method for reducing a time to mitigate future attacks that are part of an on-going campaign, comprising: (Crabtree ¶68 discloses utilizing predictive change to infrastructure recommendations to “alert an enterprise of ongoing cyberattack early in the attack”).
receiving a plurality of attack feeds on at least one protected object in a secured environment; (Crabtree Fig. 3 illustrates attack feeds including “threat intel feeds” to protect an object in a secure environment from cyber-attacks, see ¶68).
analyzing the plurality of attack feeds to determine characteristics of an on-going attack campaign comprising multiple attacks that take place over time against the secured environment, (Crabtree ¶69 “all available information about the ongoing attack and existing cybersecurity knowledge are analyzed, including through predictive simulation in near real time 402 to develop both the most accurate appraisal of current events and actionable recommendations concerning where the attack may progress and how it may be mitigated.” Wherein the progression is interpreted as occurring over time).
determining a set of optimal mitigation resources assigned to the secured environment; (Crabtree ¶69 “the system's predictive capabilities may be employed to assist in creation of a plan for changes of the IT infrastructural that should be made that are optimal for remediation of cybersecurity risk”).
selecting, based on the set of optimal mitigation resources and the on-going attack campaign characteristics, at least one optimal workflow scheme; (based on the detected on-going attack, Crabtree ¶66 “the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 246.” The system selects the most optimal scheme and presents it to the user wherein Crabtree ¶54 discloses a “pathway simulation” could be done wherein a pathway could be interpreted as workflow also ¶58 Fig. 1A illustrates another example that can be interpreted as an optimal workflow scheme).
and initiating a proactive mitigation action to mitigate a predicted future attack of the on-going campaign (Crabtree ¶64 discloses the administrator then receiving “predictive information on where the attack may progress, what enterprise information is at risk and actionable recommendations on repelling the intrusion and mitigating the damage” wherein the predictive information on attack progress is mapped to the predicting future attack of the on-going campaign).
Crabtree does not explicitly disclose that the cyber-attack could be distributed denial of service (DDoS) and at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign;
However, Duffield in an analogous art discloses: at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign; (Duffield proposes a solution utilizing ¶4 “coarse-grained detection techniques or, alternatively, fine-grained detection techniques to identify anomalies that could indicate a DDoS attack was underway” wherein underway is interpreted as on-going. Additionally, Duffield claim 1 summarizes the invention when reciting “collecting a first set of data associated with a first data flow at a router in a service provider network; detecting whether an anomaly is present in said first data flow, said anomaly comprising at least a first deviation from a predicted model of said first data flow; in response to the detection of an anomaly in said first data flow, receiving a second set of data associated with a second data flow; analyzing at least a portion of said second set of data to determine whether said anomaly represents an attack on a computer network” wherein the second data flow is an ongoing attack starting at a time following the first data flow wherein the anomaly was detected. See Duffield ¶19-21 and Figs. 4 A-C for full details of analyzing time-series collected of a DDoS attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree wherein the cyber-attack could be distributed denial of service (DDoS) and at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign as disclosed by Duffield for load reduction in the process of measuring and performing attack detection; such a load reduction may be significant given the relatively long time over which some DDoS attacks may occur, see Duffield ¶21.
Crabtree does not explicitly disclose initiating a proactive mitigation action to mitigate a predicted future attack of the on-going campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. 
However, Liu in an analogous art discloses: selecting, based on the set of optimal mitigation resources and the on-going attack campaign characteristics, at least one optimal workflow scheme; (Liu ¶27 discloses an ongoing attack campaign when reciting “building attack tree models (e.g., models of the expected or actual progression of an attack from one node to the next in a distributed environment) for use in near-future predictions and adaptive flood control. For example, an attack may begin at a leaf node and move to others (e.g., neighboring nodes)” wherein the attack could be a DDoS attack Liu ¶38 “DDoS attack is underway” wherein ¶144 discloses as part of determining the optimal action value, methods “may be utilized to locate the optimal actions or policies”).
and initiating a proactive mitigation action to mitigate a predicted future attack of the on-going DDoS campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. (in addition to the mapping above of the on-going DDoS attack, Liu ¶41 discloses utilizing attack patterns to predict attack behavior and ¶242 concludes that the selected “Q (s5, 42-5-4) may be shown to be the optimal state action. In other words, this evaluation may conclude that a multi-layer perceptron network with 42 input nodes, 5 hidden nodes and 4 output nodes may be an optimal prevention method.” Wherein the 42 input nodes, 5 hidden nodes and 4 output nodes are mapped to resources in the set of optimal mitigation resources in a selected workflow Q (s5, 42-5-4)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree as disclosed above with selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme as disclosed by Liu in order to obtain the approximate optimal architecture with a given input vector for a specific attack (see Liu ¶156).

With respect to claim 2, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein the DDoS attack also includes a subsequent step in the DDoS attack being part of a DDoS attack campaign. (Liu ¶27 discloses an ongoing attack campaign when reciting “building attack tree models (e.g., models of the expected or actual progression of an attack from one node to the next in a distributed environment) for use in near-future predictions and adaptive flood control. For example, an attack may begin at a leaf node and move to others (e.g., neighboring nodes)” and wherein the attack could be DDoS according to Liu ¶38 “DDoS attack is underway”).

With respect to claim 3, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein the plurality of attack feeds include at least one of: attack detection indications, attack insights, and attack predictions. (Crabtree ¶64 discloses attack prediction when receiving “predictive information on where the attack may progress”).

With respect to claim 8, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein selecting, based on the set of optimal mitigation resources and the attack characteristics, further comprises: updating an existing workflow scheme to optimally meet the attack characteristics and the mitigation resources. (Liu ¶242 discloses the selected “Q (s5, 42-5-4) may be shown to be the optimal state action. In other words, this evaluation may conclude that a multi-layer perceptron network with 42 input nodes, 5 hidden nodes and 4 output nodes may be an optimal prevention method.” Wherein the 42 input nodes, 5 hidden nodes and 4 output nodes are mapped to updated workflow Q (s5, 42-5-4) which optimally utilizes resources in the set of optimal mitigation resources).

With respect to claim 10, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein determining the set of optimal mitigation resources further comprise: checking at least one of: location, type, status and availability of each mitigation resource assigned to the secured environment. (Liu ¶30 discloses training machine learning networks on types of nodes in the system architecture).

With respect to claim 11, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein selecting the at least one optimal workflow scheme defines at least a mitigation action and information for provisioning each mitigation resource in the set of optimal mitigation resources to execute the mitigation action. (Liu ¶243 and 245 discloses an algorithm to provision the needed resources in the selected workflow for optimal path for attack mitigation).

With respect to claim 12, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein the optimal workflow scheme further comprises: an operation regimen defining actions to be performed and a set of parameters for the actions, (Liu, as part of the prior art method to establish an optimal workflow Liu ¶55 discloses “to change the relative weighting of parameters used in a membership function computation, or to modify action(s) to be taken in response to known and/or unknown attack patterns to better mitigate or contain them”).
provisioning instructions, (Liu ¶59 “the information layer agent may be configured to detect if the workload is very different from the expected profile and/or if the workload suddenly changes” wherein the configuration is interpreted as provisioning instructions).
triggering criteria for initiating the operation regimen, (Liu ¶59 discloses “events may be triggered” such as when detecting if a workload is very different from expected).
triggering criteria for terminating the operation regimen resources, (Liu ¶59 discloses triggering criteria of sudden change in workload and “suddenly increases to 5000/second” and detecting an attack which involves stopping attributes as explained in Liu ¶60-63 which is mapped to terminating action recited by the claim language).
detecting trigger events, (Liu ¶59 discloses “events may be triggered” such as when detecting if a workload is very different from expected).
classifications of network entities to protect. (Liu ¶37 “agents may be responsible for collecting relevant data at each node (e.g., resource usage, performance, workload, etc.) The data collection agents may in some embodiments also be configured to transform or classify collected data” wherein the “each node” is mapped to the entities).

With respect to claim 13, Crabtree, Duffield and Liu disclose: The method of claim 12, wherein setting the proactive mitigation further comprising: performing at least one proactive mitigation action defined in the operation regimen upon satisfaction of the triggering criteria for initiating the operation regimen. (Liu ¶62 Table 2 and ¶63 disclose performing at least one proactive mitigation action such as “stop” or “remove” based on triggered criteria).

With respect to claim 14, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein the method is performed by a system deployed in a backbone network. (Duffield ¶16 “DDoS detection schemes are typically implemented in the core routers 106 or in the provider peering edge routers 107 of backbone network 105”).

With respect to claim 16, Crabtree, Duffield and Liu disclose: The method of claim 1, wherein selecting at least one optimal workflow scheme defines a plurality of attack signatures utilized to mitigate the DDoS attack against the secured environment. (based on the mapping above, additionally, Liu ¶6 discloses as part of attack mitigation against secure environment a “Misuse-prevention tools are typically based on a set of signatures that describe known attack states”).

With respect to claim 17, Crabtree, Duffield and Liu disclose: A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute the method according to claim 1. (Rejected based on the same rationale as claim 1).

With respect to claim 18, Crabtree discloses: A system for reducing a time to mitigate future attacks that are part of an on-going campaign, comprising: (Crabtree ¶68 discloses utilizing predictive change to infrastructure recommendations to “alert an enterprise of ongoing cyberattack early in the attack”).
a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: (Crabtree ¶104 discloses the recited components).
receive a plurality of attack feeds on at least one protected object in a secured environment; (Crabtree Fig. 3 illustrates attack feeds including “threat intel feeds” to protect an object in a secure environment from cyber-attacks, see ¶68).
analyze analyzing the plurality of attack feeds to determine characteristics of an on-going attack campaign comprising multiple attacks that take place over time against the secured environment, (Crabtree ¶69 “all available information about the ongoing attack and existing cybersecurity knowledge are analyzed, including through predictive simulation in near real time 402 to develop both the most accurate appraisal of current events and actionable recommendations concerning where the attack may progress and how it may be mitigated.” Wherein the progression is interpreted as occurring over time).
determine a set of optimal mitigation resources assigned to the secured environment; (Crabtree ¶69 “the system's predictive capabilities may be employed to assist in creation of a plan for changes of the IT infrastructural that should be made that are optimal for remediation of cybersecurity risk”).
select, based on the set of optimal mitigation resources and the on-going attack campaign characteristics, at least one optimal workflow scheme; (based on the detected on-going attack, Crabtree ¶66 “the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 246.” The system selects the most optimal scheme and presents it to the user wherein Crabtree ¶54 discloses a “pathway simulation” could be done wherein a pathway could be interpreted as workflow also ¶58 Fig. 1A illustrates another example that can be interpreted as an optimal workflow scheme).
and initiate a proactive mitigation action to mitigate a predicted future attack of the on-going campaign (Crabtree ¶64 discloses the administrator then receiving “predictive information on where the attack may progress, what enterprise information is at risk and actionable recommendations on repelling the intrusion and mitigating the damage” wherein the predictive information on attack progress is mapped to the predicting future attack of the on-going campaign).
Crabtree does not explicitly disclose that the cyber-attack could be distributed denial of service (DDoS) and at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign;
However, Duffield in an analogous art discloses: at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign; (Duffield proposes a solution utilizing ¶4 “coarse-grained detection techniques or, alternatively, fine-grained detection techniques to identify anomalies that could indicate a DDoS attack was underway” wherein underway is interpreted as on-going. Additionally, Duffield claim 1 summarizes the invention when reciting “collecting a first set of data associated with a first data flow at a router in a service provider network; detecting whether an anomaly is present in said first data flow, said anomaly comprising at least a first deviation from a predicted model of said first data flow; in response to the detection of an anomaly in said first data flow, receiving a second set of data associated with a second data flow; analyzing at least a portion of said second set of data to determine whether said anomaly represents an attack on a computer network” wherein the second data flow is an ongoing attack starting at a time following the first data flow wherein the anomaly was detected. See Duffield ¶19-21 and Figs. 4 A-C for full details of analyzing time-series collected of a DDoS attack).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree wherein the cyber-attack could be distributed denial of service (DDoS) and at least one of the attacks of the on-going DDoS attack campaign starting at a time in the future relative to at least one other one of the attacks of the on-going DDoS attack campaign as disclosed by Duffield for load reduction in the process of measuring and performing attack detection; such a load reduction may be significant given the relatively long time over which some DDoS attacks may occur, see Duffield ¶21.
Crabtree does not explicitly disclose and initiate a proactive mitigation action to mitigate a predicted future attack of the on-going campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. 
However, Liu in an analogous art discloses: select, based on the set of optimal mitigation resources and the on-going attack campaign characteristics, at least one optimal workflow scheme; (Liu ¶27 discloses an ongoing attack campaign when reciting “building attack tree models (e.g., models of the expected or actual progression of an attack from one node to the next in a distributed environment) for use in near-future predictions and adaptive flood control. For example, an attack may begin at a leaf node and move to others (e.g., neighboring nodes)” wherein the attack could be a DDoS attack Liu ¶38 “DDoS attack is underway” wherein ¶144 discloses as part of determining the optimal action value, methods “may be utilized to locate the optimal actions or policies”).
and initiate a proactive mitigation action to mitigate a predicted future attack of the on-going campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme.  (in addition to the mapping above of the on-going DDoS attack, Liu ¶41 discloses utilizing attack patterns to predict attack behavior and ¶242 concludes that the selected “Q (s5, 42-5-4) may be shown to be the optimal state action. In other words, this evaluation may conclude that a multi-layer perceptron network with 42 input nodes, 5 hidden nodes and 4 output nodes may be an optimal prevention method.” Wherein the 42 input nodes, 5 hidden nodes and 4 output nodes are mapped to resources in the set of optimal mitigation resources in a selected workflow Q (s5, 42-5-4)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree as disclosed above with selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme as disclosed by Liu in order to obtain the approximate optimal architecture with a given input vector for a specific attack (see Liu ¶156).


Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Crabtree et al. (US 20180295154 A1) hereinafter referred to as Crabtree in view of Liu (US 20100082513 A1) hereinafter referred to as Liu.

With respect to claim 19, Crabtree discloses: A method for reducing a time to mitigate future stages of a campaign, comprising: (Crabtree ¶68 discloses utilizing predictive change to infrastructure recommendations to “alert an enterprise of ongoing cyberattack early in the attack”).
receiving a plurality of attack feeds on at least one protected object in a secured environment; (Crabtree Fig. 3 illustrates attack feeds including “threat intel feeds” to protect an object in a secure environment from cyber-attacks, see ¶68).
analyzing the plurality of attack feeds to determine characteristics of a attack campaign comprising multiple stages against the secured environment; (Crabtree ¶69 “all available information about the ongoing attack and existing cybersecurity knowledge are analyzed, including through predictive simulation in near real time 402 to develop both the most accurate appraisal of current events and actionable recommendations concerning where the attack may progress and how it may be mitigated.” Wherein the progression is interpreted as occurring over time).
determining a set of optimal mitigation resources assigned to the secured environment; (Crabtree ¶69 “the system's predictive capabilities may be employed to assist in creation of a plan for changes of the IT infrastructural that should be made that are optimal for remediation of cybersecurity risk”).
selecting, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; (based on the detected on-going attack, Crabtree ¶66 “the system administrator is notified of the potential threat, along with contextually-based, tactical recommendations for optimal response based on potential impact 246.” The system selects the most optimal scheme and presents it to the user wherein Crabtree ¶54 discloses a “pathway simulation” could be done wherein a pathway could be interpreted as workflow also ¶58 Fig. 1A illustrates another example that can be interpreted as an optimal workflow scheme).
and initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS campaign (Crabtree ¶64 discloses the administrator then receiving “predictive information on where the attack may progress, what enterprise information is at risk and actionable recommendations on repelling the intrusion and mitigating the damage” wherein the predictive information on attack progress is mapped to the predicting future attack of the on-going campaign).
Crabtree does not explicitly disclose that the cyber-attack could be distributed denial of service (DDoS) and initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme.
However, Liu in an analogous art discloses: selecting, based on the set of optimal mitigation resources and the attack campaign characteristics, at least one optimal workflow scheme; (Liu ¶27 discloses an ongoing attack campaign when reciting “building attack tree models (e.g., models of the expected or actual progression of an attack from one node to the next in a distributed environment) for use in near-future predictions and adaptive flood control. For example, an attack may begin at a leaf node and move to others (e.g., neighboring nodes)” wherein the attack could be a DDoS attack Liu ¶38 “DDoS attack is underway” wherein ¶144 discloses as part of determining the optimal action value, methods “may be utilized to locate the optimal actions or policies”).
initiating a proactive mitigation action to mitigate a predicted future stage of the DDoS campaign by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme. (in addition to the mapping above of the on-going DDoS attack, Liu ¶41 discloses utilizing attack patterns to predict attack behavior and ¶242 concludes that the selected “Q (s5, 42-5-4) may be shown to be the optimal state action. In other words, this evaluation may conclude that a multi-layer perceptron network with 42 input nodes, 5 hidden nodes and 4 output nodes may be an optimal prevention method.” Wherein the 42 input nodes, 5 hidden nodes and 4 output nodes are mapped to resources in the set of optimal mitigation resources in a selected workflow Q (s5, 42-5-4)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree as disclosed above with selecting, based on the set of optimal mitigation resources and the attack characteristics, at least one optimal workflow scheme; and initiating a proactive mitigation action by setting each mitigation resource in the set of optimal mitigation resources according to the selected optimal workflow scheme as disclosed by Liu in order to obtain the approximate optimal architecture with a given input vector for a specific attack (see Liu ¶156).

Claims 4-7 are rejected under 35 U.S.C. 103 as being unpatentable over Crabtree, Duffield and Liu as applied to claims 1-3, 8, 10-14, and 16-17 above, and further in view of Stiansen et al. (US 20160044054 A1) hereinafter referred to as Stiansen.

With respect to claim 4, Crabtree, Duffield and Liu disclose: The method of claim 1, 
They do not explicitly disclose: wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the attack feeds to determine attack characteristics. 
However, Stiansen in an analogous art discloses: wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the plurality of attack feeds to determine attack characteristics. (Stiansen [0039] discloses “the analyzing the one or more data packets comprising analyzing simultaneously two or more data packets, the data packets being sent under a single communication protocol or different communication protocols. In some embodiments, the analyzing the one or more data packets comprising one or more of the following: identifying a source address of the packets; identifying or track a location of the packets; exploring a history of past analyses; associating a risk category with the packets; and computing a risk score of the packets” which is interpreted that two or more received packets mapped to the plurality of attack feeds and supplementary data feed are analyzed in parallel to history of past analysis, mapped to data analyzed from obtained attack data/feeds, to determine the attack characteristics and assign a risk score).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree, Duffield and Liu as combined above  wherein receiving the plurality of attack feeds further comprises: receiving supplementary data feeds; and analyzing the supplementary data feeds together with the attack feeds to determine attack characteristics disclosed by Stiansen in order to “continuously collect and analyze vast amounts of live high-risk Internet traffic to identify cyber-attacks in a high-speed delivery platform” (see Stiansen [0018]).

With respect to claim 5, Crabtree, Duffield, Liu and Stiansen disclose: The method of claim 4, wherein the supplementary data feeds include relevant data gathered from at least one of: Border Gateway Patrol (BGP), Simple Network Management Protocol (SNMP), Remote Authentication Dial-In User Services (RADIUS), Policy and Charging Rules Function (PCRF), active domain name service (DNS) queries, DNSFlow, logs, FarSight DNSDB, MaxMind, GeoIP, Shodan, Threat Intelligence and IP reputation feeds and Layer 7 entities (FW, LB, SWG and such) data, SOC/NOC BI systems logs and data. (Stiansen Fig. 23 paragraph [0229] disclose the Border Gateway Patrol (BGP) as a source to obtain data feeds that includes data for analytics).

With respect to claim 6, Crabtree, Duffield, Liu and Stiansen disclose: The method of claim 4, further comprising: analyzing the supplementary data feeds and the plurality of attack feeds using a machine learning engine. (Stiansen [0135-0136] disclose assessment of threat using one or more algorithms wherein the “one or more algorithms include an AI or machine learning algorithm”).

With respect to claim 7, Crabtree, Duffield, Liu and Stiansen disclose: The method of claim 5, further comprising: creating an optimal workflow scheme to optimally meet the attack characteristics using the set of optimal mitigation resources. (Liu ¶27 discloses an ongoing attack campaign when reciting “building attack tree models (e.g., models of the expected or actual progression of an attack from one node to the next in a distributed environment) for use in near-future predictions and adaptive flood control. For example, an attack may begin at a leaf node and move to others (e.g., neighboring nodes)” wherein the attack could be a DDoS attack Liu ¶38 “DDoS attack is underway” wherein ¶144 discloses as part of determining the optimal action value, methods “may be utilized to locate the optimal actions or policies” wherein Liu ¶242 discloses an example of optimal mitigation resources to use).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Crabtree, Duffield and Liu as applied to claims 1-3, 8, 10-14, and 16-17 above, and further in view of Ehle (US 10686811 B1) hereinafter referred to as Ehle.

With respect to claim 9, Crabtree, Duffield and Liu disclose: The method of claim 1, 
They do not explicitly disclose: further comprising: checking if the DDoS attack have been mitigated; and updating the at least one optimal workload scheme with new provisions, when the DDoS attack have not been mitigated.
However, Ehle in an analogous art discloses: further comprising: checking if the DDoS attack have been mitigated; and updating the at least one optimal workload scheme with new provisions, when the DDoS attack have not been mitigated. (Ehle Fig. 7 step 710 “was malicious traffic handled properly” and if no then step 712 “initiate detection improvement workflow” and then step 714 “update security model with training data” wherein column 2 lines 64-67 disclose “For example, one such attack may be a distributed denial of service attack (DDoS).”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree, Duffield and Liu as combined above with checking if the DDoS attack have been mitigated; and updating the optimal workload scheme with new provisions, when the DDoS attack have not been mitigated disclosed by Ehle to improve assessment of live data which may be considered less predictable by utilizing machine learning (see Ehle column 1 lines 5-25 and column 2 lines 1-20).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Crabtree, Duffield and Liu as applied to claims 1-3, 8, 10-14, and 16-17 above, and further in view of Xaypanya et al. (US 20140215621 A1) hereinafter referred to as Xaypanya.

With respect to claim 15, Crabtree, Duffield and Liu disclose: The method of claim 1, 
They do not explicitly disclose: wherein the proactive mitigation action is performed by a cloud service. 
However, Xaypanya in an analogous art discloses: wherein the proactive mitigation action is performed by a cloud service. (Xaypanya [0140] discloses “proactive security mechanism 108 may be deployed on one or more local enterprise servers, via a web-based architecture (e.g., as Software as a Service (SaaS), as a cloud-based service”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Crabtree, Duffield and Liu as combined above wherein the proactive mitigation action is performed by a cloud service as disclosed by Xaypanya for providing a continuous secure solution that is in a sandboxed environment and thus immune to remote clients’ systems attacks (see Xaypanya paragraphs [0014 and 0098]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Lam (US 20200028874 A1) ¶50 discloses using machine learning to mitigate “future DDOS attacks”.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANY S GADALLA whose telephone number is (571)272-2322. The examiner can normally be reached Mon to Fri 8:30AM - 5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/H.S.G./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493