DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
Claim(s) 1 and 11 are amended.
Claim(s) 1-20, are pending.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1 – 20 filed on 04/25/2022 (pages 6- 10) have been considered but are moot because the arguments do not apply to the new ground of rejection. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.

Claim(s) 1-2,6,8-9,11-12,16 and 18-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al. (US 7,823,202 B1), in view of Dzierwinski et al. (US 10,063,452 B1).

Regarding claim 1, Nucci discloses a method of detecting route leakage  (hijacking detection system 201) in a network performed by a processor coupled to the network (Nucci, Col. 6, lines 11-17, discloses a prefix hijacking detection system 201 performing a method of analyzing all newly announced routes in the BGP announcements 202 and detects the ones which are potentially prefix hijacking attacks (detecting route leakage) and communicates the detected anomalous prefix 206 and/or the anomalous prefix related information 205 (e.g., time stamp information) to the data correlation system 205 and the network traffic anomaly detection system 203 respectively) comprising:
receiving, input of one or more expected routes (announcements of a valid set of plurality prefix for routes) for the network (Nucci, Col. 2, lines 43-49, discloses a path-vector routing protocol, where a route in BGP system mainly consists of a prefix, which represents the destination network, and an AS path/route, which is a sequence of ASs that the traffic should traverse from the local AS to the origin AS of the prefix. A valid route must be originated from the legitimate AS, to which the relevant prefixes are legitimately assigned by the relevant ISPs or the RIRs;  Fig. 4, Col. 7, lines 36-43 discloses that first, a valid association set is established based on the plurality of prefix announcements (receiving input of one or more expected routes) in the network (step 401). Then in step 403, a first association of a first prefix announcement received in step 402 is compared to the valid association set. If the first association is not contained in the valid association set; a first prefix of the first prefix announcement is identified as the anomalous prefix (step 404));
storing the received input of one or more expected routes (all the currently routable/legitimate/valid prefix) for the network (Nucci, Col. 6, lines 17-23, discloses the prefix hijacking alert system 200 keeps track of the history of prefixes, it may also maintains a universal set of all the currently routable (i.e., legitimate, or valid) prefixes and a corresponding valid association set (containing association between valid prefix and origin AS owning the valid prefix) in the Internet at a certain time);
receiving a routing table from an IP service provider (Nucci, Col. 2, lines 43-49, discloses a path-vector routing protocol, where a route in BGP system mainly consists of a prefix, which represents the destination network, and an AS path/route, which is a sequence of ASs that the traffic should traverse from the local AS to the origin AS of the prefix (Each prefix contains the routing information of a given route/path). A valid route must be originated from the legitimate AS, to which the relevant prefixes are legitimately assigned by the relevant ISPs or the RIRs; Fig. 1, lines col. 4, line 53 – col. 5, line 23 discloses BGP routers such as BGP routers 111, 112, 115, 116, 117, 118, 119, and 120. The BGP protocol includes prefix announcements such as prefix announcements 165, 164, and 162. The AS5 155 may generate a prefix announcement 165 via BGP router 111, which announces a prefix 170 (e.g., a prefix such as 128.119.0.0/16 (routing information is received through the announcement of a prefix). […] A consistent association of the prefix 128.119.0.0/16 and the origin AS AS5 that owning the prefix are established in the prefix announcements 165, 164, and 162. A routing table (a list/table of routes established based on plurality of prefix announcements) may then be established based on these BGP prefix announcements for each BGP router according to an inter-domain routing protocol);
determining using a processor (correlation system 205) configured to check (filtering out the anomalous routes) whether the routing table contains any routes that vary from the one or more expected routes as an indication of route leakage (hijacked prefix) (Nucci, col. 7, lines 9-20 discloses that the anomaly correlation system 205 filters (determining whether the routing table contains any routes that vary from the one or more expected routes) out the anomalous routes from the legitimate ones by correlating anomalous prefixes with the data plane anomalies. For example, an anomalous prefix announcement should manifest itself into one or more data anomalies that coincide with the life span of the anomalous prefix; Col. 5, 38-56, the network traffic anomaly detection system 203 fetches traffic data such as the network traffic flows 204 from the backbone routers (such as the BGP routers 111, 112, 115, 116, 117, 118, 119, and 120 described in reference to FIG. 1 above) to generate the network traffic anomaly 208. The correlation system 205 correlates the anomalous prefix 206 (indication of route leakage) obtained from the prefix hijacking detection system 201 and the network traffic anomaly 208 fed by the network traffic anomaly detection system 203 to generate a prefix hijacking alert 210 (alert indicating a route leakage)); 
generating, using the processor (correlation system 205), an alert to a monitoring device if is determined that the routing table contains routes that vary from the one or more expected routes (Nucci, Col. 7, lines 21-26, discloses the anomaly correlation system 205 outputs the prefix hijacking alert, with suspicious routes that are associated with a data plane anomaly to the network operators for corrective actions),
whereby the method better ensures against route leakage from expected routes (note: this is merely a desired benefit and not a functional process step that will be directly addressed; Nucci, Col. 7, lines 21-26, Corrective actions taken by network operators are directed to better ensure against route leakage from expected routes network);
Nucci did not explicitly disclose authorized administrator.
Dzierwinski disclose authorized administrator.
In particular, Dzierwinski discloses receiving, from an authorized administrator, input of one or more expected routes for the network (Dzierwinski, fig.5, Col. 9, lines 35-44, discloses a process 500, an administrator terminal (terminal operated by an authorized administrator) configures 502 (providing input for an expected route) a first router with a static route, whereby the static route specifies that data addressed to a destination address is to be routed to a second router. The administrator terminal then configures 504 a second router with a static route, whereby the static route specifies that data addressed to the destination address is to be routed to the first router).
One of ordinary skill would have been motivated to combine Nucci and Dzierwinski because these teachings are from the same field of endeavor with respect to routing information needed to route packets from source to destination.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Dzierwinski into the method by Nucci, thereby one or more performance measures of a communication link to determine whether the communication link is defective,  Dzierwinski, [Abstract]. 

Regarding claim 2, Nucci and Dzierwinski disclose the method of claim 1, wherein the input of one or more expected routes (routing table – list of expected routes) for the network includes one of a list and a range of IP addresses (Dzierwinski, Col. 3, line 65-Col. 4, line 5, discloses a router may be configured with routing tables that are usable (a range of expected IP addresses) to identify a device to which to forward the data based at least in part on a destination address associated with the data. Fig. 5, Col. 9, lines 35-44, discloses a process 500, an administrator terminal (terminal operated by an authorized administrator) configures 502 (providing input for an expected route) a first router with a static route, whereby the static route specifies that data addressed to a destination address is to be routed to a second router. The administrator terminal then configures 504 a second router with a static route, whereby the static route specifies that data addressed to the destination address is to be routed to the first router). 
The motivation to combine is similar to that of claim 1.

Regarding claim 6, Nucci and Dzierwinski disclose the method of claim 1, further comprising:
at the monitoring device generating a communication (alert) to inform at least one of the IP service provider and a network administrator (network operators) of a route leak received by the network (Nucci, Col. 7, lines 21-26, discloses the anomaly correlation system 205 outputs the prefix hijacking alert, with suspicious routes that are associated with a data plane anomaly to the network operators for corrective actions).
The motivation to combine is similar to that of claim 1.

Regarding claim 8, Nucci and Dzierwinski disclose the method of claim 1, wherein the method is performed by a monitoring system coupled to the network (Nucci, Col. 1, lines 32-35, discloses that it is important for Internet Service Providers (ISPs) to monitor the health of their routing information, and detect prefix hijacking and any anomalous traffic associated with hijacked prefixes in real-time, Col. 1, lines 32-35. Nucci also discloses monitoring and generating a prefix hijacking alert in a network, wherein a plurality of network traffic flows are routed based at least on a plurality of prefix announcements from one or more Border Gateway Protocol (BGP) router. Identifying an anomalous prefix from the plurality of prefix announcements, identifying a network traffic anomaly from the plurality of network traffic flows, and correlating the anomalous prefix and the network traffic anomaly to generate the prefix hijacking alert, [Abstract]).
The motivation to combine is similar to that of claim 1.

Regarding claim 9, Nucci and Dzierwinski disclose the method of claim 1, disclose further comprising communicating the generated alert so as to trigger a security feature (corrective measures to intercept and prevent future attacks) employed in the network (Nucci, Col. 7, lines 21-26, discloses a prefix announcement which doesn't have any attack pattern associated with it is considered legitimate, while the rest are considered anomalous. Finally, the anomaly correlation system 205 outputs the prefix hijacking alert, with suspicious routes that are associated with a data plane anomaly to the network operators for corrective actions).
The motivation to combine is similar to that of claim 1.

Regarding claim 11, the claim is rejected with a rational similar to the rejection of claim 1.
Regarding claim 12, the claim is rejected with a rational similar to the rejection of claim 2.
Regarding claim 16, the claim is rejected with a rational similar to the rejection of claim 6.
Regarding claim 18, the claim is rejected with a rational similar to the rejection of claim 8.
Regarding claim 19, the claim is rejected with a rational similar to the rejection of claim 9.

Claim(s) 3-4 and 13-14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al. (US 7,823,202 B1), in view of Dzierwinski et al. (US 10,063,453 B1), further view of Schlamp (US 2019/0098046 A1).

Regarding claim 3, Nucci and Dzierwinski disclose the method of claim 1, wherein the input of one or more expected routes for the network includes one of a list of autonomous systems (AS), a complete AS path (Nucci, Col. 2, lines 43-49, and Fig. 4, Col. 7, lines 36-43 discloses a path-vector routing protocol, where a route in BGP system mainly consists of a prefix, which represents the destination network, and an AS path, which is a sequence of ASs that the traffic should traverse from the local AS to the origin AS of the prefix. A valid route must be originated from the legitimate AS, to which the relevant prefixes are legitimately assigned by the relevant ISPs or the RIRs, Col. 2, lines 43-49).
Nucci and Dzierwinski did not explicitly disclose AS path described as a regular expression, used in border gate protocol (BGP) messaging.
Schlamp discloses wherein the input of one or more expect routes for the network includes an AS path described as a regular expression, used in border gate protocol (BGP) messaging (Schlamp [0232] discloses a plurality of data items (input one or more routes) is retrieved by a computer system (step 1110). Each data item indicates a respective/expected network route on the network. For example, each data item can identify a particular route of network traffic through one or more ASes (List of Autonomous Systems). Therefore, the system receives one or more input route information and each data item identify a particular route of network (plurality of data items identify a list of complete routing paths for a list of autonomous systems) (ASes); In [0153-0154] Schlamp discloses the implementation of the Constructible Automata for Internet Routes (CAIR) framework which is used to identify one or more routing policies of a network (e.g., to identify the routing policies of one or more ASes or routers on the network) and/or to detect potential problems on the network (e.g., to detect the occurrence of malicious activities on the network, such as interception attacks). CAIR can be operated as a stand-alone system, but it lends itself well to the integration with existing Border Gateway Protocol (BGP) monitoring techniques, [0139]. Autonomous Systems (AS) employ Path query languages used to search queries are implement measurement of data based on regular expressions with primary focus on the analysis of path-vector routing protocols such as BGP).
One of ordinary skill would have been motivated to combine are analogous Nucci, Dzierwinski and Schlamp because these teachings are from the same field of endeavor with respect to monitoring and identifying leaks in network routes.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Schlamp into the method by Nucci and Dzierwinski, thereby determine one or more routing policies on the network based on the route automaton, Schlamp, [Abstract]. 

Regarding claim 4, Nucci and Dzierwinski disclose the method of claim 1, wherein the input of one or more expected routes for the network includes both a) one of a list and a range of IP addresses, and b) one of a list of autonomous systems (AS), a complete AS path (Nucci, Col. 2, lines 43-49 discloses a path-vector routing protocol, where a route in BGP system mainly consists of a prefix, which represents the destination network, and an AS path, which is a sequence of ASs that the traffic should traverse from the local AS to the origin AS of the prefix. A valid route must be originated from the legitimate AS, to which the relevant prefixes are legitimately assigned by the relevant ISPs or the RIRs).
Nucci and Dzierwinski did not explicitly disclose an AS path described as a regular expression, used in border gate protocol (BGP) messaging.
 Schlamp discloses wherein the input of one or more expected routes for the network includes an AS path described as a regular expression, used in border gate protocol (BGP) messaging (Schlamp [0232] discloses a plurality of data items (input one or more routes) is retrieved by a computer system (step 1110). Each data item indicates a respective/expected network route on the network. For example, each data item can identify a particular route of network traffic through one or more ASes (List of Autonomous Systems). Therefore, the system receives one or more input route information and each data item identify a particular route of network (plurality of data items identify a list of complete routing paths for a list of autonomous systems) (ASes); In [0153-0154] Schlamp discloses the implementation of the Constructible Automata for Internet Routes (CAIR) framework which is used to identify one or more routing policies of a network (e.g., to identify the routing policies of one or more ASes or routers on the network) and/or to detect potential problems on the network (e.g., to detect the occurrence of malicious activities on the network, such as interception attacks). CAIR can be operated as a stand-alone system, but it lends itself well to the integration with existing Border Gateway Protocol (BGP) monitoring techniques, [0139]. Autonomous Systems (AS) employ Path query languages used to search queries are implement measurement of data based on regular expressions with primary focus on the analysis of path-vector routing protocols such as BGP).
One of ordinary skill in the art would have been motivated to combine Nucci, Dzierwinski and Schlamp because these teachings are from the same field of endeavor with respect to monitoring and identifying leaks in network routes.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Schlamp into the method by Nucci and Dzierwinski thereby determine one or more routing policies on the network based on the route automaton, [Abstract]. 

Regarding claim 13, the claim is rejected with a rational similar to the rejection of claim 3.
Regarding claim 14, the claim is rejected with a rational similar to the rejection of claim 4.

Claim(s) 5,7,15 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al. (US 7,823,202 B1), in view of Dzierwinski et al. (US 10,063,453 B1), further in view of Ballantyne et al. (US 2008/0144627 A1).

Regarding claim 5, Nucci and Dzierwinski disclose the method of claim 1, but did not explicitly disclose wherein the network is a virtual private network.
Ballantyne discloses wherein the network is a virtual private network (Ballantyne Fig. 1, [0042-0043], discloses route monitoring in a service provider network 150 which may comprise any number of provider edge routers such as router 160, 162, 164 of FIG. 1. Each of the provider edge routers 160, 162, 164 is coupled to a respective customer edge router, such as routers 142, 144, 146. In an embodiment, each of the customer edge routers 142, 144, 146 is associated with a different virtual private network (VPN) 140A, 140B, 140C).
One of ordinary skill in the art would have been motivated to combine Nucci, Dzierwinski and Ballantyne because these teachings are from the same field of endeavor with respect to monitoring network traffic to identify route leakage based on expected/anticipated network routes.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Ballantyne into the method by Nucci and Dzierwinski thereby enabling synchronization of route database associated with the apparatus for a particular router using the particular GRE tunnel, to determine whether the synchronized route database is missing one or more particular routes, and to generate a notification message when the synchronized route database is missing the one or more particular routes, Ballantyne, [Abstract].

Regarding claim 7, Nucci and Dzierwinski disclose the method of claim 1, but did not explicitly disclose wherein the method is performed at a customer edge (CE) router of the network coupled directly to a provider edge (PE) router of the IP service provider.
Ballantyne discloses wherein the method is performed at a customer edge (CE) router of the network coupled directly to a provider edge (PE) router of the IP service provider (Ballantyne [0042] discloses a service provider network 150 which may comprise any number of provider edge routers such as router 160, 162, 164 of FIG. 1. Each of the provider edge routers 160, 162, 164 is coupled to a respective customer edge router, such as routers 142, 144, 146. In an embodiment, each of the customer edge routers 142, 144, 146 is associated with a different virtual private network (VPN) 140A, 140B, 140C).
One of ordinary skill would have been motivated to combine Nucci, Dzierwinski and Ballantyne because both teachings are from the same field of endeavor with respect to monitoring network traffic to identify route leakage based on expected/anticipated network routes.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Ballantyne into the method by Nucci and Dzierwinski thereby enabling synchronization of route database associated with the apparatus for a particular router using the particular GRE tunnel, to determine whether the synchronized route database is missing one or more particular routes, and to generate a notification message when the synchronized route database is missing the one or more particular routes, Ballantyne, [Abstract].

Regarding claim 15, the claim is rejected with a rational similar to the rejection of claim 5.
Regarding claim 17, the claim is rejected with a rational similar to the rejection of claim 7.



Claim(s) 10 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nucci et al. (US 7,823,202 B1), in view of Dzierwinski et al. (US 10,063,453 B1), further in view of Bartos et al. (US 9,985,982 B2).

Regarding claim 10, Nucci and Dzierwinski disclose, the method of claim 9, but did not explicitly disclose wherein the security feature includes an artifact analysis system that analyzes the routes that vary from the one or more expected routes and stores the routes in a centralized database. 
Bartos discloses wherein the security feature includes an artifact analysis system that analyzes the routes that vary from the one or more expected routes and stores the routes in a centralized database (Bartos, Col. 4, lines 4-33, discloses a security system 13 or devices 14a-14c monitoring data traffic and determine whether any malicious activities or policy violations (routes that vary from the one or more expected routes) occurred in the network in order to identify Indicators of compromise (IOCs). The IOCs may be based, for example, on system events (e.g., updates, logins, usage), network traffic classifications (e.g., DGA (Domain Generation Algorithm), tunneling data, video streaming), or malware artifacts (e.g., static analysis, registry activity, file activity). The IOCs analyzed may include, virus signatures and IP (Internet Protocol) addresses (verifying if received IP address is different from expected IP address) hashes of malware files, URLs or domain names of command and control servers, any other artifact. If received IP address is different from expected IP address may be considered a leak in a route or action that may indicate a threat, attack, computer intrusion, or other malicious behavior. IOCs associated with an entity are aggregated for use in malware classification to provide early detection of future attack attempts (security features) using intrusion detection systems and antivirus software. The IOCs may be stored in one or more IOC central databases 12).
One of ordinary skill in the art would have been motivated to combine Nucci, Dzierwinski and Bartos because these teachings are from the same field of endeavor with respect to monitoring network traffic to identify route leakage based on expected/anticipated network routes.
Therefore, before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art to incorporate the strategies by Bartos into the method by Nucci and Dzierwinski, thereby enabling the analysis of Indicators of compromise (ICOs), creating a representation of transitions between the IOCs at a security analysis device, and generating at the security analysis device, a feature vector based on the representation of transitions. The feature vector is configured for use by a classifier in identifying malicious entities, Bartos [Abstract].

Regarding claim 20, the claim is rejected with a rational similar to the rejection of claim 10.





Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following publications show the state of the art related to monitoring and identifying route leakage in a computer network.
Tahan 	(US 7,296,291 A1 B2)
Fernandes et al. (US 2006/0168267 A1)
Raj et al. (US 2019/0342258 A1)
Furukawa et al. (US 2016/0182292 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DIXON F DABIPI whose telephone number is (571)270-3673. The examiner can normally be reached 8:30 -5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher L Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.



Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/D.F.D/ Examiner, Art Unit 2451                                                                                                                                                                                             

/Chris Parry/Supervisory Patent Examiner, Art Unit 2451