DETAILED ACTION
This non-final Office Action is in response to applicant’s original filing on 07/06/2020.  Claims 1-7 are currently pending and have been considered as follows.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Drawings
The drawings filed on 07/06/2020 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 07/06/2020 has been placed in the application file, and the information referred therein has been considered as to the merits.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 2 and 3 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 lines 3-6 recite “the processor selects, from the two or more intermediate routers, an intermediate router whose number of edge routers included in a part of the plurality of edge routers is closest to half of a total number of the plurality of edge routers”, but the limitation is unclear and indefinite as to when encompassing the situations of: 1) two or more intermediate routers that each have an equal number of edge routers whereby there is no closest number to half the total number since there could be equal numbers or 2) two or more intermediate routers that have “half of a total number + N” or “half of a total number - N”, where N is a natural integer, these two values would be equally close to half of a total number.  Therefore Claim 2 is indefinite in scope since the processor cannot select the closest of two or more intermediate routers that have equal numbers of edge routers or equally close number of edge routers to half the total number.
Claim 3 lines 3-5 recite “the processor selects, from the two or more intermediate routers, an intermediate router whose maximum value of distance to a part of the plurality of edge routers is shortest”, but the limitation is unclear and indefinite as to when encompassing the situation of two or more intermediate routers that each have a maximum value of distance that are equal to each other, whereby there is no shortest value of distance among the routers.  Therefore Claim 3 is indefinite in scope since the processor cannot select the shortest of two or more intermediate routers that have equal maximum values of distance.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Talpade et al. (US 20040148520 A1, hereinafter Talpade) in view of Iloglu et al. (US 20060230444 A1, hereinafter Iloglu).
As to Claim 1:
Talpade discloses a network management apparatus that manages a network including a plurality of edge routers and a plurality of intermediate routers connected among the plurality of edge routers (e.g. Talpade “our inventive DDoS detection and mitigation system comprises existing infrastructure within the ISP network 202, including the border routers 220, 222, and 224 and edge routers 226 and 228, and further comprises one or more filter routers 230 (only one filter router is shown in FIG. 2) situated within the ISP network, a plurality of traffic filters 250 located within the filter router 230, pre-provisioned IP-in-IP tunnels 238, 240, 242, 244, and 246 from each border and edge router to each filter router, an analysis engine 232 located within the ISP network, sensors 234/236 associated with each customer network 204/206, and a plurality of sensor filters 248 located in each sensor 234/236. The ISP network 202 may further comprise a plurality of core network routers and connections, which routers and connections interconnect the analysis engine 232, the filter router 230, and the border and edge routers 220, 222, 224, 226, and 228. These core routers and connections are note shown in FIG. 2 for ease of description” [0016]), the network management apparatus comprising:
a memory (e.g. Talpade memory of host platform or intrusion detection system that communicates with analysis engine [0019] within a network operations center [0024]); and
a processor (e.g. Talpade processor of host platform or intrusion detection system that communicates with analysis engine [0019] within a network operations center [0024]) coupled to memory and configured to:
calculate a communication route of traffic that each of the plurality of edge routers transfers to an attack target (e.g. Talpade “Upon receiving an attack notification and based on the customer network being attacked, the analysis engine configures one or more filter routers, which are also located in the ISP network. Specifically, each filter router maintains an IP-in-IP tunnel with all or a subset of the border and edge routers that comprise the ISP network and further maintains through these IP-in-IP tunnels an external border gateway protocol (eBGP) session with each of its connected border and edge routers. The analysis engine configures the filter router(s) to advertise new routing information to the border and edge routers using the eBGP session. The new routing information instructs the border and edge routers to reroute all DDoS and non-DDoS traffic directed at the customer network under attack to the filter router using the IP-in-IP tunnels” [0009]; customer networks that are the subject of the attack [0011]; [0036]) that is attacked from outside the network (e.g. Talpade DDoS attack that originates from the Internet [0017]; “given traffic from any IP address block originating from addresses external to the ISP network 202, it is possible to pre-determine from which peer autonomous system 210, 212, or 208 (i.e., through which border router 220, 222, or 224) that traffic will enter the ISP network 202” [0034]);
select, from the plurality of intermediate routers, a first router where the communication routes of a plurality of flows of traffic that a part of the plurality of edge routers transfer to the attack target device merge (e.g. Talpade “Upon receiving an indication of such an attack, the analysis engine 232 configures one or more filter routers 230 to advertise new routing information to each border router 220, 222, and 224 and each edge router 228 (or a subset of the border routers and edge routers if more than one filter router is being used). The filter router 230 advertises this new routing information to the border and edge routers through the IP-in-IP tunnels 238, 240, 244, and 246. The new routing information instructs the border and edge routers to reroute all DDoS and non-DDoS traffic destined for customer network 204 to the filter router 230 using the IP-in-IP tunnels 238, 240, 244, and 246” [0017]; “if multiple filter routers are installed in the ISP network, each filter router may be assigned to only a subset of the border and edge routers in which case IP-in-IP tunnels are only maintained between a filter router and its assigned border/edge routers. Through each IP-in-IP tunnel, the filter router 230 maintains an eBGP session with its corresponding border/edge routers. In addition, the border and edge routers use the IP-in-IP tunnels to redirect DDoS and non-DDoS traffic to the filter router during a DDoS attack” [0031]);
instruct the first router to restrict transfer of the traffic of the attack (e.g. Talpade “When the analysis engine receives a DDoS attack-based notification, it automatically mitigates the attack by configuring one or more filter routers 230” [0024]; “the analysis engine can automatically modulate the severity of filtering at the filter router 230 and sensors 234/236 by disabling certain traffic filters 250 and sensor filters 248, thereby creating multi-level filtering” [0025]; [0033]; [0034]);
detect a change in traffic of the attack in response to a restriction on transfer of the traffic of the attack (e.g. Talpade periodically polling packet-drop-counters maintained by the filter router at each of the tunnels and knowing which filters are dropping packets [0027]; “the analysis engine 232 can determine when the DDoS attack has completed and can restore the network back to its original state. Specifically, by periodically polling the packet-drop-counters maintained by the filter router 230, the analysis engine 232 can determine when the counters are no longer incrementing” [0028]); and
identify an edge router of an inflow source from the part of the plurality of edge routers when a change in the traffic of the attack is detected (e.g. Talpade “the analysis engine 232 also assists in shutting-down DDoS attacks at the edge of the ISP network. Specifically, the analysis engine can periodically poll packet-drop-counters maintained by the filter router 230 at each of the IP-in-IP tunnels 238, 240, 242, 244, and 246 as the traffic filters 250 drop packets. By knowing which filters are dropping packets, the analysis engine can determine which border and/or edge routers 220, 222, 224, 226, and 230, and hence which peer autonomous systems 208, 210, 212, 204, and 206, are being used to produce the DDoS flood. This has the advantage that in-service network routers, such as the border and edge routers, do not need to be accessed when trying to determine and shut-down the source of an attack” [0027]), or identify an edge router of the inflow source of the traffic of the attack from rest of the plurality of edge routers when no change in the traffic of the attack is detected;
But Talpade does not specifically disclose:
an attack target device (although Talpade does refer to target customer networks [0004]; [0009]; [0013]).
However, the analogous art Iloglu does disclose an attack target device (e.g. Iloglu attack a particular server [0006]; target attacked server [0010]; target server [0012]; [0014]).  Talpade and Iloglu are analogous art because they are from the same field of endeavor in management against denial of service attacks on networks.
(e.g. see Iloglu, “monitors network traffic to identify traffic that is designed to attack a particular server within the network and deny service to that traffic: [0006]; “Also attached to the network through edge router 122 is NR 124 and a source of attack data 126. Such a source will target a server that is connected to the network 102 and "flood" the network with communications traffic that is addressed to the attacked server. For example, an attacked server is identified as server 108 that is connected to edge router” [0010] “When such an attack is detected the IRSCP will protect the network by rerouting traffic in accordance with the present invention. The IRSCP 104 sends commands via IBGP or BGP to specific edge routers (e.g., router 122) and possibly other routers handling traffic to the target server 114. These commands cause the traffic from router 122 to be either removed from the network (i.e., black holed by routing the traffic to a null address) or routed to a cleaning center 120” [0012]; “Legitimate traffic is then routed through edge router 116 and edge router 114 for delivery to the attacked server 108. Consequently, only the communications traffic from the attacker that is being sent to attacked server 108 will be removed by the cleaning center 120. All other traffic is routed to the attacked server 108. At step 210, the cleansed traffic is routed to the customers, in this case, attacked server 108. In this manner, the invention provides a dynamic and granular DDOS traffic management technique that limits the impact of an attacker upon the network” [0014]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Talpade and Iloglu before him or her, to modify the disclosure of Talpade with the teachings of Iloglu to include an attack target device as claimed because Talpade provides a method and system for mitigating denial of service attacks that are directed to target customer networks (Talpade [Abstract]-[0037]) which could include particular attack target servers (Iloglu [0006]; [0010]; [0012]; [0014]).  The suggestion/motivation for doing so would have been to provide a dynamic and granular DDOS traffic management technique that limits the impact of an attacker upon the network with precision (Iloglu [0006]; [0012]; [0014]).  Therefore, it would have been obvious to combine Talpade and Iloglu to obtain the invention as specified in the instant claim(s).
As to Claim 7:
Talpade discloses a network management method (e.g. Talpade “it is desirable to have methods and apparatus that overcome the disadvantages of prior systems and detect and mitigate service attacks, including DDoS attacks, against customer networks” [0008]) that manages a network including a plurality of edge routers and a plurality of intermediate routers connected among the plurality of edge routers (e.g. Talpade “our inventive DDoS detection and mitigation system comprises existing infrastructure within the ISP network 202, including the border routers 220, 222, and 224 and edge routers 226 and 228, and further comprises one or more filter routers 230 (only one filter router is shown in FIG. 2) situated within the ISP network, a plurality of traffic filters 250 located within the filter router 230, pre-provisioned IP-in-IP tunnels 238, 240, 242, 244, and 246 from each border and edge router to each filter router, an analysis engine 232 located within the ISP network, sensors 234/236 associated with each customer network 204/206, and a plurality of sensor filters 248 located in each sensor 234/236. The ISP network 202 may further comprise a plurality of core network routers and connections, which routers and connections interconnect the analysis engine 232, the filter router 230, and the border and edge routers 220, 222, 224, 226, and 228. These core routers and connections are note shown in FIG. 2 for ease of description” [0016]), the network management method comprising, by a computer: 
calculating a communication route of traffic that each of the plurality of edge routers transfers to an attack target (e.g. Talpade “Upon receiving an attack notification and based on the customer network being attacked, the analysis engine configures one or more filter routers, which are also located in the ISP network. Specifically, each filter router maintains an IP-in-IP tunnel with all or a subset of the border and edge routers that comprise the ISP network and further maintains through these IP-in-IP tunnels an external border gateway protocol (eBGP) session with each of its connected border and edge routers. The analysis engine configures the filter router(s) to advertise new routing information to the border and edge routers using the eBGP session. The new routing information instructs the border and edge routers to reroute all DDoS and non-DDoS traffic directed at the customer network under attack to the filter router using the IP-in-IP tunnels” [0009]; customer networks that are the subject of the attack [0011]; [0036]) that is attacked from outside the network (e.g. Talpade DDoS attack that originates from the Internet [0017]; “given traffic from any IP address block originating from addresses external to the ISP network 202, it is possible to pre-determine from which peer autonomous system 210, 212, or 208 (i.e., through which border router 220, 222, or 224) that traffic will enter the ISP network 202” [0034]);
selecting, from the plurality of intermediate routers, a first router where the communication routes of a plurality of flows of traffic that a part of the plurality of edge routers transfer to the attack target device merge (e.g. Talpade “Upon receiving an indication of such an attack, the analysis engine 232 configures one or more filter routers 230 to advertise new routing information to each border router 220, 222, and 224 and each edge router 228 (or a subset of the border routers and edge routers if more than one filter router is being used). The filter router 230 advertises this new routing information to the border and edge routers through the IP-in-IP tunnels 238, 240, 244, and 246. The new routing information instructs the border and edge routers to reroute all DDoS and non-DDoS traffic destined for customer network 204 to the filter router 230 using the IP-in-IP tunnels 238, 240, 244, and 246” [0017]; “if multiple filter routers are installed in the ISP network, each filter router may be assigned to only a subset of the border and edge routers in which case IP-in-IP tunnels are only maintained between a filter router and its assigned border/edge routers. Through each IP-in-IP tunnel, the filter router 230 maintains an eBGP session with its corresponding border/edge routers. In addition, the border and edge routers use the IP-in-IP tunnels to redirect DDoS and non-DDoS traffic to the filter router during a DDoS attack” [0031]);
instructing the first router to restrict transfer of the traffic of the attack (e.g. Talpade “When the analysis engine receives a DDoS attack-based notification, it automatically mitigates the attack by configuring one or more filter routers 230” [0024]; “the analysis engine can automatically modulate the severity of filtering at the filter router 230 and sensors 234/236 by disabling certain traffic filters 250 and sensor filters 248, thereby creating multi-level filtering” [0025]; [0033]; [0034]);
detecting a change in traffic of the attack in response to a restriction on transfer of the traffic of the attack (e.g. Talpade periodically polling packet-drop-counters maintained by the filter router at each of the tunnels and knowing which filters are dropping packets [0027]; “the analysis engine 232 can determine when the DDoS attack has completed and can restore the network back to its original state. Specifically, by periodically polling the packet-drop-counters maintained by the filter router 230, the analysis engine 232 can determine when the counters are no longer incrementing” [0028]); and
identifying an edge router of an inflow source of the attack from the part of the plurality of edge routers when a change in the traffic of the attack is detected (e.g. Talpade “the analysis engine 232 also assists in shutting-down DDoS attacks at the edge of the ISP network. Specifically, the analysis engine can periodically poll packet-drop-counters maintained by the filter router 230 at each of the IP-in-IP tunnels 238, 240, 242, 244, and 246 as the traffic filters 250 drop packets. By knowing which filters are dropping packets, the analysis engine can determine which border and/or edge routers 220, 222, 224, 226, and 230, and hence which peer autonomous systems 208, 210, 212, 204, and 206, are being used to produce the DDoS flood. This has the advantage that in-service network routers, such as the border and edge routers, do not need to be accessed when trying to determine and shut-down the source of an attack” [0027]), or identify an edge router of the inflow source of the attack from rest of the plurality of edge routers when no change in the traffic of the attack is detected;
But Talpade does not specifically disclose:
an attack target device (although Talpade does refer to target customer networks [0004]; [0009]; [0013]).
However, the analogous art Iloglu does disclose an attack target device (e.g. Iloglu attack a particular server [0006]; target attacked server [0010]; target server [0012]; [0014]).  Talpade and Iloglu are analogous art because they are from the same field of endeavor in management against denial of service attacks on networks.
(e.g. see Iloglu, “monitors network traffic to identify traffic that is designed to attack a particular server within the network and deny service to that traffic: [0006]; “Also attached to the network through edge router 122 is NR 124 and a source of attack data 126. Such a source will target a server that is connected to the network 102 and "flood" the network with communications traffic that is addressed to the attacked server. For example, an attacked server is identified as server 108 that is connected to edge router” [0010] “When such an attack is detected the IRSCP will protect the network by rerouting traffic in accordance with the present invention. The IRSCP 104 sends commands via IBGP or BGP to specific edge routers (e.g., router 122) and possibly other routers handling traffic to the target server 114. These commands cause the traffic from router 122 to be either removed from the network (i.e., black holed by routing the traffic to a null address) or routed to a cleaning center 120” [0012]; “Legitimate traffic is then routed through edge router 116 and edge router 114 for delivery to the attacked server 108. Consequently, only the communications traffic from the attacker that is being sent to attacked server 108 will be removed by the cleaning center 120. All other traffic is routed to the attacked server 108. At step 210, the cleansed traffic is routed to the customers, in this case, attacked server 108. In this manner, the invention provides a dynamic and granular DDOS traffic management technique that limits the impact of an attacker upon the network” [0014]).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art, having the teachings of Talpade and Iloglu before him or her, to modify the disclosure of Talpade with the teachings of Iloglu to include an attack target device as claimed because Talpade provides a method and system for mitigating denial of service attacks that are directed to target customer networks (Talpade [Abstract]-[0037]) which could include particular attack target servers (Iloglu [0006]; [0010]; [0012]; [0014]).  The suggestion/motivation for doing so would have been to provide a dynamic and granular DDOS traffic management technique that limits the impact of an attacker upon the network with precision (Iloglu [0006]; [0012]; [0014]).  Therefore, it would have been obvious to combine Talpade and Iloglu to obtain the invention as specified in the instant claim(s).
Allowable Subject Matter
Claims 4-6 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure.
Brustoloni (US 20030236999 A1) is cited for methodology for preventing denial of service congestive attacks that spoof source addresses in packets.
D'Souza (US 20050060573 A1) is cited for mitigating DOS attacks by analyzing traffic flow by upstream routers based on attack patterns.
Stone et al. (US 7062782 B1) is cited for tracking DoS attacks using an overlay tracking network to identify ingress edge routers that are the source. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kenneth W Chang whose telephone number is (571)270-7530. The examiner can normally be reached Monday - Friday 9-5pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH W CHANG/Primary Examiner, Art Unit 2438                                                                                                                                                                                                        
    PNG
    media_image1.png
    35
    280
    media_image1.png
    Greyscale

06.04.2022