Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
FINAL ACTION
This action is in response to amendment filed on 3/7/2022. Claims 1, 10, 16, 19, 20, 23 are amended. Claims 11 and 22 are cancelled. Claim 24 is new. Claims 1-10, 12-21, 23 and 24 are pending. 
Response to Arguments
Examiner’s Remarks - 35 USC § 103
Applicant’s arguments with respect to claim(s) 1-10, 12-21 and 23 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-10, 12, 13, 15-21, 23 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Akcin (US Patent No. 9,621,577) in view of DILLEY et al. (WO 2014/055337).

As to claim 1, Akcin teaches a system for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system, the system comprising: 
implemented using a first computer system, in operative communication via a network with a central controller (i.e.,  …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”.), 
implemented using a second computer system, in the networked computing system, wherein determine a source address of at least one of the data packets (i.e.,  …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”.), 
and send a network traffic log corresponding to a plurality of data packets to the central controller (i.e., …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”.), 
the network traffic log comprising the source address and additional information for at least a plurality of the data packets (i.e., …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”); 
and the central controller is configured to initiate a mitigation action based on the network traffic log and one or more mitigation rules (i.e., …teaches in col. 5 lines 10-35 the following: “In response to receiving the traffic information 122, the mitigation gateway 106 can aggregate the received traffic information 122 from the detection devices 103a and 103b. In one example, the mitigation gateway 106 can determine if one or more of the IP addresses (or other suitable device identification) reported in the traffic information 122 are associated with the client devices 110 in the remote network 104. If the determination is positive, the mitigation gateway 106 can compile a list of all IP addresses of the client devices 110 involved in the detected attacks on the computing systems 102a and 102b. In another example, the mitigation gateway 106 can also interrogate the local aggregation point 108 to identify the client devices 110 based on, for instance, MAC addresses, local IP addresses, or other suitable signatures of network traffic involved in the detected attacks. As such, the mitigation gateway 106 can determine IP addresses (or other suitable device identification) of the client devices 110 from which the detected attacks were launched based on the aggregated traffic information 122.
(20) The mitigation gateway 106 can then negotiate with the local aggregation point 108 to divert at least a portion of the network traffic originating from the client device 110 and destined to the computing systems 102 to the mitigation gateway 106.”), 
wherein the determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules (i.e., …teaches in col. 11 lines 10-20 the following: “The monitor component 150 can be configured to monitor network traffic through the local aggregation point 108 and/or the network aggregation point 114 for abnormal traffic patterns based on the traffic rules 133. The monitor component 150 can also be configured to indicate an alarm when an abnormal traffic pattern is detected or when a normal traffic pattern is violated. Once the monitor component 150 raises an alarm, in certain embodiments, the monitor component 150 can indicate to one or more of the computing systems 102 the alarm and/or the detected abnormal traffic pattern.”).

The system of Akcin does not expressly teach:
at least one DDoS honeypot,
the at least one DDoS honeypot is configured to impersonate a legitimate network- based device, receive one or more data packets from the network,
refrain from performing at least one action expected by a source of the data packet in response to a determination that the one or more received data packets are part of the DDoS attack, 
the refraining from performing the at least one action comprising refraining from sending traffic to the source in response to at least one request. 
In this instance the examiner notes the teachings of prior art reference DILLEY.
With regards to applicant’s claim limitation element of, “at least one DDoS honeypot”, DILLEY teaches in page 11 lines 10-25 the following: “directed to the surrogate application. The surrogate application can be, for example, a user-space application that contains logic to respond to the client's messages as described previously with respect to the packet filter module, but that consumes fewer resources than the original handling application (the HTTP server application 207 in this example) to do so. The surrogate application can provide functionality to provide responses to the client, while ignoring most messages. For example, the surrogate application may contain logic that responds to client messages in order to keep the client engaged but also largely ignores or deletes data sent by the client and available on the socket. In some cases, the surrogate application may log the messages sent by the client or other information about the client. Further, in some cases, the surrogate may have logic that simulates aspects of an HTTP server application.”.  
With regards to applicant’s claim limitation element of, “the at least one DDoS honeypot is configured to impersonate a legitimate network- based device, receive one or more data packets from the network”, DILLEY teaches in page 11 lines 10-25 the following: “directed to the surrogate application. The surrogate application can be, for example, a user-space application that contains logic to respond to the client's messages as described previously with respect to the packet filter module, but that consumes fewer resources than the original handling application (the HTTP server application 207 in this example) to do so. The surrogate application can provide functionality to provide responses to the client, while ignoring most messages. For example, the surrogate application may contain logic that responds to client messages in order to keep the client engaged but also largely ignores or deletes data sent by the client and available on the socket. In some cases, the surrogate application may log the messages sent by the client or other information about the client. Further, in some cases, the surrogate may have logic that simulates aspects of an HTTP server application.”.  
With regards to applicant’s claim limitation element of, “refrain from performing at least one action expected by a source of the data packet in response to a determination that the one or more received data packets are part of the DDoS attack”, teaches on page 12 lines 10-20 the following: “surrogate application close minified connections when they represent a burden on the surrogate or the server generally. For example, there may be too many minified connections (e.g., the number of such connections exceed a threshold) or the server load is high (e.g., resource utilization exceeds a threshold), or resource utilization of surrogate may reach a constraint.”. The examiner notes that that the surrogate’s (i.e., honeypot) closing of the connection is functionally equivalent to applicant’s process of refraining because the trouble client (i.e., source of the attack) is expecting a response. Once the connection is close, no response can be afforded.  
With regards to applicant’s claim limitation element of, “the refraining from performing the at least one action comprising refraining from sending traffic to the source in response to at least one request”, teaches on page 12 lines 10-20 the following: “surrogate application close minified connections when they represent a burden on the surrogate or the server generally. For example, there may be too many minified connections (e.g., the number of such connections exceed a threshold) or the server load is high (e.g., resource utilization exceeds a threshold), or resource utilization of surrogate may reach a constraint.”. The examiner notes that that the surrogate’s (i.e., honeypot) closing of the connection is functionally equivalent to applicant’s process of refraining because the trouble client (i.e., source of the attack) is expecting a response. Once the connection is close, no response can be afforded.  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Akcin with the teachings of DILLEY by having Akcin’s DDoS detection system comprise surrogate/honeypot. One would have been motivated to do so to provide a simple and effective means to further detect DDoS attacks, wherein the surrogate/honeypot distinctly identifies questionable traffic to make it easier to ensure network safety where multiple attacks can occur.

As to claim 2, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein the DDoS honeypot performs the determination of whether the one or more received data packets are part of the DDoS attack (i.e., …teaches in col. 5 lines 5-10 the following: “he detection devices 103a and 103b at the computing systems 102 can detect that one or more of the received service requests 120 is part of a DoS attack on the computing systems 102.”.).

As to claim 3, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein the central controller performs an additional determination of whether the one or more received data packets are part of the DDoS attack (i.e., …teaches in col. 5 lines 10-25 the following: “the mitigation gateway 106 can determine if one or more of the IP addresses (or other suitable device identification) reported in the traffic information 122 are associated with the client devices 110 in the remote network 104.”.).

As to claim 4, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim I, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot is part of the DDoS attack (i.e., …teaches in col. 5 lines 25-35 the following: “can determine IP addresses (or other suitable device identification) of the client devices 110 from which the detected attacks were launched based on the aggregated traffic information 122.”).

As to claim 5, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim I, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack (i.e., …teaches in col. 6 lines 20-30  the following: “monitor network traffic through the local aggregation point 108 for abnormal traffic patterns based on a set of traffic rules 133 (shown in FIG. 5).”.).

As to claim 6, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim I, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack (i.e., …teaches in col. 6 lines 45-60 the following: “…can generate the traffic rules based on machine learning of normal traffic patterns associated with the local aggregation point 108. For example, in one embodiment, the mitigation gateway 106 can monitor and record a volume, a volume change, a temporal pattern of volume or volume change, a destination pattern, and/or other suitable characteristics of network traffic associated with one or more of the client devices 110 or destined for the individual computing systems 102.”. See also col. 7, lines 1-30).

As to claim 7, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be rate limited (i.e., …teaches in col. 6 lines 1-10 the following: “can transmit a command, a request, or other suitable types of message to the individual client devices 110. The messages can indicate that, for instance, the client devices 110 have been identified as sources of the detected attack and/or no more network traffic to the computing systems 102 to be generated. In response to receiving the messages, an application (e.g., an anti-virus or anti-spam application), a portion of an operating system (e.g., a utility), and/or other suitable components of the individual client devices 110 can reduce or stop sending service request 120 or other types of network traffic”.).

As to claim 8, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be blocked, discarded, or both (i.e., …teaches in col. 6 lines 10-20 the following: “can block or filter the received service requests 12”).

As to claim 9, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that network traffic from the determined source address is to be diverted to a specified network address (i.e., …teaches in col. 1 lines 35-50 the following: “negotiate with corresponding network aggregation point gateways to divert at least a portion of the network traffic with the determined characteristics to the mitigation gateways. Upon receiving the diverted network traffic, the mitigation gateways can block, filter, reroute, and/or apply other suitable mitigation techniques to the diverted network traffic.”.).

As to claim 10, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein one of the one or more mitigation rules indicates that deep packet inspection (DPI) is to be performed on the network traffic from the determined source address (i.e., …teaches in col. 10 lines 20-35  the following: “the analysis component 144 can aggregate the traffic information 122 and identify occurrences of source IP addresses from the traffic information 122. For instance, in the example above, the source IP addresses “1.2.0.0/16” can be identified as the source for transmitting multiple service requests 120 (FIG. 1) to multiple destination addresses. As a result, the source IP addresses “1.2.0.0/16” is likely associated with sources of the detected attacks. In other embodiments, the analysis component 144 can also be configured to perform sorting, filtering, pattern recognition, and/or other suitable operations to identify the sources of the detected attacks.”).

11. (Cancelled)

As to claim 12, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim I, wherein the central controller is further configured to send at least one of the mitigation rules to at least one network device (i.e., …teaches in col. 5 lines 30-45 the following: “can then negotiate with the local aggregation point 108 to divert at least a portion of the network traffic originating from the client device 110 and destined to the computing systems 102 to the mitigation gateway 106. In the illustrated embodiment, the mitigation gateway 106 can transmit a request for permission to divert 124 to the local aggregation point 108 following, for instance, the Agent Communication Language (“ACL”) or other suitable types of communications protocols. In response, the local aggregation point 108 can transmit a permission message 126 to the mitigation gateway 106. The local aggregation point 108 can allow diversion of all, a portion of, or none of the requested network traffic to the mitigation gateway 106”.).

As to claim 13, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 12, wherein the at least one network device is part of an internet service provider's infrastructure, a hosting provider's infrastructure, or an enterprise's infrastructure (i.e., …teaches in col. 4 lines 15-25 the following: “The remote network 104 can include a local aggregation point 108 configured to aggregate network traffic from multiple client devices 110 …the local aggregation point 108 can include a local ISP gateway.”).

As to claim 15, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein the at least one DDoS honeypot is configured to further send to the central controller only a portion of at least one of the data packets, the portion being application layer information from a payload of the at least one of the data packets indicating a type of query that is being requested (i.e., …teaches in col. 7 lines 30-45 the following: “can then receive a response from the one or more computing systems 102. If the response confirms that the detected abnormal traffic pattern is expected due to, for instance, a product release, an upgrade release, etc., the mitigation gateway 106 can mark the raised alarm as a false alarm. If the response confirms that the detected abnormal traffic pattern is not expected, the mitigation gateway 106 can then initiate the request to divert and divert at least a portion of the network traffic associated with the detected abnormal traffic pattern, as discussed above. In other embodiments, the mitigation gateway 106 can initiate the request for permission to divert upon detecting the abnormal traffic pattern without indicating to the computing systems 102 regarding the abnormal traffic pattern.”.  ...further teaches in col. 12 lines 45-55 the following: “permission may be granted to divert certain types (e.g., web traffic) of network traffic from a particular source.”.).

As to claims 16 and 20, Akcin teaches a method comprising: 
determining whether the one or more received data packets are a part of a DDoS attack (i.e., …teaches in col. 11 lines 10-20 the following: “The monitor component 150 can be configured to monitor network traffic through the local aggregation point 108 and/or the network aggregation point 114 for abnormal traffic patterns based on the traffic rules 133. The monitor component 150 can also be configured to indicate an alarm when an abnormal traffic pattern is detected or when a normal traffic pattern is violated. Once the monitor component 150 raises an alarm, in certain embodiments, the monitor component 150 can indicate to one or more of the computing systems 102 the alarm and/or the detected abnormal traffic pattern.” The examiner notes that the abnormal traffic pattern is a signature of a DDoS attack); 
determining a source address of at least one of the data packets corresponding to the DDoS attack (i.e., …teaches in col. 5 lines 5-10 the following: “…The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”); 
sending a network traffic log corresponding to a plurality of data packets to a central controller (i.e.,. …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.”), 
the network traffic log comprising the source address and additional information for at least a plurality of the data packets (i.e., …teaches in col. 5 lines 5-10 the following: “The detection devices 103a and 103b can then transmit the traffic information 122 to the mitigation gateway 106. The traffic information 122 can include an indication of the attack as well as information regarding sources of the attack.” …); 
and initiating a mitigation action based on the network traffic log and one or more mitigation rules (i.e., …teaches in col. 5 lines 10-35 the following: “In response to receiving the traffic information 122, the mitigation gateway 106 can aggregate the received traffic information 122 from the detection devices 103a and 103b. In one example, the mitigation gateway 106 can determine if one or more of the IP addresses (or other suitable device identification) reported in the traffic information 122 are associated with the client devices 110 in the remote network 104. If the determination is positive, the mitigation gateway 106 can compile a list of all IP addresses of the client devices 110 involved in the detected attacks on the computing systems 102a and 102b. In another example, the mitigation gateway 106 can also interrogate the local aggregation point 108 to identify the client devices 110 based on, for instance, MAC addresses, local IP addresses, or other suitable signatures of network traffic involved in the detected attacks. As such, the mitigation gateway 106 can determine IP addresses (or other suitable device identification) of the client devices 110 from which the detected attacks were launched based on the aggregated traffic information 122. (20) The mitigation gateway 106 can then negotiate with the local aggregation point 108 to divert at least a portion of the network traffic originating from the client device 110 and destined to the computing systems 102 to the mitigation gateway 106.”), 
wherein the determination of whether the received data packet is part of the DDoS attack is based on one or more detection rules (i.e., …teaches in col. 11 lines 10-20 the following: “The monitor component 150 can be configured to monitor network traffic through the local aggregation point 108 and/or the network aggregation point 114 for abnormal traffic patterns based on the traffic rules 133.”).

The system of Akcin does not expressly teach:
impersonating a legitimate network-based device; 
receiving one or more data packets at a DDoS honeypot from a network; 
refraining from performing at least one action expected by a source of the data packet in response to the determination that the one or more received data packets are part of the DDoS attack, 
the refraining from performing the at least one action comprising refraining from sending traffic to the source in response to at least one request. 
In this instance the examiner notes the teachings of prior art reference DILLEY.
With regards to applicant’s claim limitation element of, “impersonating a legitimate network-based device”, DILLEY teaches in page 11 lines 10-25 the following: “directed to the surrogate application. The surrogate application can be, for example, a user-space application that contains logic to respond to the client's messages as described previously with respect to the packet filter module, but that consumes fewer resources than the original handling application (the HTTP server application 207 in this example) to do so. The surrogate application can provide functionality to provide responses to the client, while ignoring most messages. For example, the surrogate application may contain logic that responds to client messages in order to keep the client engaged but also largely ignores or deletes data sent by the client and available on the socket. In some cases, the surrogate application may log the messages sent by the client or other information about the client. Further, in some cases, the surrogate may have logic that simulates aspects of an HTTP server application.”.  
With regards to applicant’s claim limitation element of, “receiving one or more data packets at a DDoS honeypot from a network”, DILLEY teaches in page 11 lines 10-25 the following: “directed to the surrogate application. The surrogate application can be, for example, a user-space application that contains logic to respond to the client's messages as described previously with respect to the packet filter module, but that consumes fewer resources than the original handling application (the HTTP server application 207 in this example) to do so. The surrogate application can provide functionality to provide responses to the client, while ignoring most messages. For example, the surrogate application may contain logic that responds to client messages in order to keep the client engaged but also largely ignores or deletes data sent by the client and available on the socket. In some cases, the surrogate application may log the messages sent by the client or other information about the client. Further, in some cases, the surrogate may have logic that simulates aspects of an HTTP server application.”.  
With regards to applicant’s claim limitation element of, “refraining from performing at least one action expected by a source of the data packet in response to the determination that the one or more received data packets are part of the DDoS attack”, teaches on page 12 lines 10-20 the following: “surrogate application close minified connections when they represent a burden on the surrogate or the server generally. For example, there may be too many minified connections (e.g., the number of such connections exceed a threshold) or the server load is high (e.g., resource utilization exceeds a threshold), or resource utilization of surrogate may reach a constraint.”. The examiner notes that that the surrogate’s (i.e., honeypot) closing of the connection is functionally equivalent to applicant’s process of refraining because the trouble client (i.e., source of the attack) is expecting a response. Once the connection is close, no response can be afforded.  
With regards to applicant’s claim limitation element of, “the refraining from performing the at least one action comprising refraining from sending traffic to the source in response to at least one request”, teaches on page 12 lines 10-20 the following: “surrogate application close minified connections when they represent a burden on the surrogate or the server generally. For example, there may be too many minified connections (e.g., the number of such connections exceed a threshold) or the server load is high (e.g., resource utilization exceeds a threshold), or resource utilization of surrogate may reach a constraint.”. The examiner notes that that the surrogate’s (i.e., honeypot) closing of the connection is functionally equivalent to applicant’s process of refraining because the trouble client (i.e., source of the attack) is expecting a response. Once the connection is close, no response can be afforded.  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Akcin with the teachings of DILLEY by having Akcin’s DDoS detection system comprise surrogate/honeypot. One would have been motivated to do so to provide a simple and effective means to further detect DDoS attacks, wherein the surrogate/honeypot distinctly identifies questionable traffic to make it easier to ensure network safety where multiple attacks can occur.

As to claim 17, the system of Akcin and DILLEY as applied to claim 16 above teaches DDoS attack detection, specifically Akcin teaches a method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that satisfies a specified data pattern is part of the DDoS attack (i.e., …teaches in col. 11 lines 10-20 the following: “The monitor component 150 can be configured to monitor network traffic through the local aggregation point 108 and/or the network aggregation point 114 for abnormal traffic patterns based on the traffic rules 133.”).

As to claim 18, the system of Akcin and DILLEY as applied to claim 16 above teaches DDoS attack detection, specifically Akcin teaches a method of claim 16, wherein one of the one or more detection rules indicates that any data packet received by the DDoS honeypot that is a part of network traffic having a volume that exceeds a specified threshold rate is part of the DDoS attack (i.e., …teaches in col. 6 lines 45-60 the following: “can generate the traffic rules based on machine learning of normal traffic patterns associated with the local aggregation point 108. For example, in one embodiment, the mitigation gateway 106 can monitor and record a volume, a volume change, a temporal pattern of volume or volume change, a destination pattern, and/or other suitable characteristics of network traffic associated with one or more of the client devices 110 or destined for the individual computing systems 102. The mitigation gateway 106 can then apply various statistical analysis techniques to the recorded information. For instance, the mitigation gateway 106 can calculate an average, a standard deviation, or other suitable values based on the recorded data. In further embodiments, the traffic rules can also be provided by other suitable entities.”.).

As to claim 19, the system of Akcin and DILLEY as applied to claim 16 above teaches DDoS attack detection, specifically Akcin teaches a method of claim 16, wherein one of the one or more mitigation rules indicates that network traffic from the determined flagged source address is to be blocked, discarded, or both (i.e., …teaches in col. 6 lines 10-20 the following: “can block or filter the received service requests 12”).

As to claim 21, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein the central controller is further configured to extract the source address from the network traffic log and generate one or more rules to mitigate the DDoS attack (i.e., …teaches in col. 5 lines 10-30 the following: “In response to receiving the traffic information 122, the mitigation gateway 106 can aggregate the received traffic information 122 from the detection devices 103a and 103b. In one example, the mitigation gateway 106 can determine if one or more of the IP addresses (or other suitable device identification) reported in the traffic information 122 are associated with the client devices 110 in the remote network 104. If the determination is positive, the mitigation gateway 106 can compile a list of all IP addresses of the client devices 110 involved in the detected attacks on the computing systems 102a and 102b. In another example, the mitigation gateway 106 can also interrogate the local aggregation point 108 to identify the client devices 110 based on, for instance, MAC addresses, local IP addresses, or other suitable signatures of network traffic involved in the detected attacks. As such, the mitigation gateway 106 can determine IP addresses (or other suitable device identification) of the client devices 110 from which the detected attacks were launched based on the aggregated traffic information 122.”.).

22. (Cancelled)

As to claim 23, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, wherein an additional network traffic log (i.e., …teaches in col. 4 lines 10-20 the following: “the provided traffic information 122 can include an indication that the computing systems 102 are under attack. In other embodiments, the provided traffic information 122 can also include information regarding sources of the detected attacks, such as, for instance, IP addresses of sources associated with the detected attacks”.).

As to claim 24, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically Akcin teaches a system of claim 1, further comprising at least one network router (i.e., …teaches in col. 4 lines 54-65 a local aggregation point (i.e. router);
and wherein the at least one DDoS honeypot is further configured to determine an intended victim IP address and type of attack and to send the intended victim IP address and the type of attack corresponding to the received one or more data packets to the central controller (i.e., …teaches in col. 4 lines 10-20 the following: “The detection devices 103 can also be configured to provide traffic information 122 to a mitigation gateway 106 associated with a local aggregation point 108 of the remote network 104. In certain embodiments, the provided traffic information 122 can include an indication that the computing systems 102 are under attack.”.) and 
wherein the central controller is further configured to identify the one or more mitigation rules to mitigate the attack traffic directed to the intended victim IP address and to send the one or more mitigation rules to a network router of the at least one network router that handles the traffic directed to the intended victim IP address (i.e., …teaches in col. 5 lines 15-25 the following: “In response to receiving the traffic information 122, the mitigation gateway 106 can aggregate the received traffic information 122 from the detection devices 103a and 103b. In one example, the mitigation gateway 106 can determine if one or more of the IP addresses (or other suitable device identification) reported in the traffic information 122 are associated with the client devices 110 in the remote network 104. If the determination is positive, the mitigation gateway 106 can compile a list of all IP addresses of the client devices 110 involved in the detected attacks on the computing systems 102a and 102b.”.), 
wherein the network router that handles the traffic implements the one or more mitigation rules to mitigate the attack against the intended victim IP address (i.e., …teachers in col. 5 lines 30-45 the following: “The mitigation gateway 106 can then negotiate with the local aggregation point 108 to divert at least a portion of the network traffic originating from the client device 110 and destined to the computing systems 102 to the mitigation gateway 106. In the illustrated embodiment, the mitigation gateway 106 can transmit a request for permission to divert 124 to the local aggregation point 108 following, for instance, the Agent Communication Language (“ACL”) or other suitable types of communications protocols. In response, the local aggregation point 108 can transmit a permission message 126 to the mitigation gateway 106. The local aggregation point 108 can allow diversion of all, a portion of, or none of the requested network traffic to the mitigation gateway 106.” … In response to receiving the permission message 126 allowing diversion of at least a portion of the requested network traffic, in certain embodiments, the mitigation gateway 106 can announce to the local aggregation point 108 one or more preferred Border Gateway Protocol (“BGP”) routes. In response, the local aggregation point 108 can modify routing tables to forward at least a portion of the network traffic to the mitigation gateway 106. In other embodiments, the mitigation gateway 106 can achieve diversion of the requested network traffic in other suitable manners.).
The system of Akcin does not expressly teach: a Honeypot.
In this instance the examiner notes the teachings of prior art reference DILLEY.
With regards to applicant’s claim limitation element of, “Honeypot”, DILLEY teaches in page 11 lines 10-25 the following: “directed to the surrogate application. The surrogate application can be, for example, a user-space application that contains logic to respond to the client's messages as described previously with respect to the packet filter module, but that consumes fewer resources than the original handling application (the HTTP server application 207 in this example) to do so. The surrogate application can provide functionality to provide responses to the client, while ignoring most messages. For example, the surrogate application may contain logic that responds to client messages in order to keep the client engaged but also largely ignores or deletes data sent by the client and available on the socket. In some cases, the surrogate application may log the messages sent by the client or other information about the client. Further, in some cases, the surrogate may have logic that simulates aspects of an HTTP server application.”.  
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teaching of Akcin with the teachings of DILLEY by having Akcin’s DDoS detection system comprise surrogate/honeypot. One would have been motivated to do so to provide a simple and effective means to further detect DDoS attacks, wherein the surrogate/honeypot distinctly identifies questionable traffic to make it easier to ensure network safety where multiple attacks can occur.



Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Akcin in view of DILLEY as applied to claim 1 above and further in view of Dousti et al. (US Patent Publication No. 2018/0084005 and Dousti hereinafter).

As to claim 14, the system of Akcin and DILLEY as applied to claim 1 above teaches DDoS attack detection, specifically neither reference expressly teaches a system of claim 1, wherein the central controller is further configured to initiate a cancellation of the mitigation action in response to a cessation of the DDoS attack.
In this instance the examiner notes the teachings of prior art reference Dousti.
Dousti teaches in par. 0041 the following: “After the DDoS attack is over, the router associated
with the DDoS attack mitigation platform receives a BGP message that includes an indicator indicating
that the targeted computer system no longer undergoing the DDoS attack. In response, the DDoS attack
mitigation platform withdraws the advertised new route and stops receiving network traffic intended
for the targeted computer system.”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the of the claimed invention was made to implement the teachings of Akcin and DILLEY with the teachings of Dousti by having their DDoS detection system comprise a rule termination scheme. One would have been motivated to do so to provide a simple and effective means to allocate network resources, wherein terminating unneeded rules saves network resources performance and makes it easier for a network to recover back to normal after an attack has occurred.




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRYAN F WRIGHT/Examiner, Art Unit 2497