DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Examiner Note
This Final office action is being re-mailed as a Letter Restarting Period for Response. This will be mailed as a supplemental Final office action and will reset the response time.
Response to Amendment
This action is in response to the communications and remarks filed on 05/18/2022. Claims 1 and 7-8 have been newly added. Claims 1-8 have been examined and are pending.
Response to Arguments

Acknowledgement to applicant's amendments to claim 8 has been noted. The claim has been reviewed, entered and found obviating to previously raised rejection to previously raised rejection under 35 USC 101. Rejection under 35 USC 101 to claim 8 is hereby withdrawn.
Applicant’s Amendments necessitated a new ground of rejection; accordingly, Applicant’s arguments with respect to amended independent claims 1 and 7-8 (Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of, Capalik et al, hereinafter (“Capalik”), US PG Publication (2011/0321165 A1)) have been considered but are moot in view of the new ground of rejections A Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of, Eto et al, hereinafter (“Eto”), Japanese Patent Publication (JP2017034449A), applied below.
	
Applicants’ arguments in the instant Amendment, filed on 05/18/2022, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant’s arguments: “Claims 1-2 and 6-8 are rejected under 35 U.S.C. § 103 as being unpatentable over Ramachandran et al, hereinafter ("Ramachandran"), US Patent (7,360,245 B1), in view of, Capalik et al, hereinafter ("Capalik"), US PG Publication (2011/0321165 Al). 
Claims 3-5 are rejected under 35 U.S.C. § 103 as being unpatentable over Ramachandran et al, hereinafter ("Ramachandran"), US Patent (7,360,245 B1), in view of, Capalik et al, hereinafter ("Capalik"), US PG Publication (2011/0321165 Al), in view of Hoshino et al, hereinafter ("Hoshino"), Japanese Patent Application (JP3889701 B2). 
		In response, it is respectfully submitted that the present Amendment overcomes the rejection under 35 U.S.C. § 101 by adding a recitation of a non-transitory, computer-readable storage medium. Accordingly, reconsideration and withdrawal of that ground of rejection are respectfully solicited. 
		It is further submitted that the present claimed invention would not have been obvious over the applied art. Present Claim 1 recites, inter alia, collection circuitry that collects at least one of first information, which is information concerning a first packet transmitted to a dark network, and second information, which is information concerning a second packet transmitted to a specific destination set as a decoy.6” 
The Examiner respectfully submits that while the amendments address the proper statutory class overcoming the 35 USC 101 rejection; however the amended language now presents, specifically, “a dark network”, which is a concept known in the arts and not the former broad terminology of “an address not used in an Internet.” As such, this amendment to the claim limitation is taught by Eto, where Eto teaches a network monitoring system that detects cyber attacks through backscatter extractions in early stage darknet observations where attack spoofing and packets to non-existent network where a series of back scatter generate attack event information from an attack event group with high probability of cyber attack. This form of countermeasures is a form of a decoy, as rejected below . See Eto, Abstract and p. 4, ¶6-7. Thus, independent claims 1 and 7-8 are not allowable subject matter and is rejected below.
Applicant’s arguments: “The other independent claims include similar recitations. 
		The Office Action acknowledges that Ramachandran fails to explicitly teach such features but instead relies on Capalik. Capalik appears to describe a generic teaching of unauthorized activity data and also appears to describe a protected network device. However, neither a generic teaching of unauthorized activity data nor a teaching of a protected network device is the same as a recitation concerning a dark network. Thus, Capalik would not have cured the acknowledged deficiency of Ramachandran with regard to the present claimed invention. 
		Hoshino would not have cured the above-noted deficiencies of Ramachandran and Capalik. 
		Thus, no combination of the applied art would have taught, suggested, resulted in, or otherwise rendered obvious the present claimed invention. Accordingly, reconsideration and withdrawal of those grounds of rejection are respectfully solicited.”
The prior art identified of Eto has been identified to teach the amended language of independent claims 1 and 7-8. Thus, the Examiner respectfully submits that by virtue of dependency, dependent claims 3-5 will be maintained.  
	
	Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-2 and 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of, Eto et al, hereinafter (“Eto”), Japanese Patent Publication (JP2017034449A), published 02/09/2017 and translated by ESPACENET. 
Regarding currently amended claims 1 and 7-8, Ramachandran teaches a monitoring system comprising; a monitoring method executed by a monitoring system, the monitoring method comprising and a monitoring program for causing a computer to execute: [Ramachandran et al 7360245 B1, col 2, lines 48-52: an anti-spoofing filter implemented in each interface of every router, where information about the IP addresses and physical addresses of hosts/routers in a computer network segment]
monitoring circuitry that monitors traffic of a network; [Ramachandran, Col 5, lines 25-33: computers in the network 10 use TCP/IP protocol suite for communication with each of the four-layer structure where the data link layer 24 coupled to the network layer 26 (monitoring circuitry), handling the forwarding or routing of packets around the network] and 
determination circuitry that determines, based on information concerning the traffic monitored by the monitoring circuitry and the information collected by collection circuitry, whether an attack occurs. [Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry) for Source IP address to physical address mapping of the received packets. Fig. 5 and Col 11, lines 24-31, 50-56, 60-65: The filter 72 also need to receive and process responses to the router's test messages. Through comparison of source IP addresses and updating neighboring router physical address list; invention for detecting source IP address spoofed packets originating from hosts and preventing such packets (i.e. IP address based: Smurf, SYN, LAND, TFN, and Stacheldraht) from leaving a private network.
While Ramachandran teaches the determination circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, Ramachandran fails to explicitly teach but Eto teaches collection circuitry that collects at least one of first information, which is information concerning a first packet transmitted to a dark network, and second information, which is information concerning a second packet transmitted to a specific destination set as a decoy; [Eto, Abstract and p. 4, ¶7: A network monitoring system detects cyber attacks and performs countermeasures in early state of darknet observation; where a series of back scatter generate attack event information from an attack event group with high probability of cyber attack. Determination of cyber attacks based on the coupled analysis of response packet to darknet region by the information acquisition unit 11 extraction of packets and information analysis part 12. Examiner interprets that the backscatter contained in observed packets is analogous to a first packet as well as a second packet with associated information concerning the destination; where there will be a plurality of packets each with potential backscatter to be ascertained.].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method for filtering spoofed packets in a network of Ramachandran before him or her by including the teachings of a network monitoring system of Eto. The motivation/suggestion would have been obvious to try to modify the system of an anti-spoofing filter taught by Ramachandran by adding countermeasures functions where back scatter is extracted from darknet observation information as taught by Eto [Eto, Abstract, p. 4, ¶7, and p. 6, ¶3].  

Regarding claim 2, the combination of Ramachandran and Eto teach claim 1 as described above.
Ramachandran teaches wherein the collection circuitry collects, as the first information, information concerning a response packet to an attack packet falsifying a source IP address received as the first packet. [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: ARP module 86 (collection circuitry); Col 9, lines 45-50: spoof-proof security of network, “per-interface” physical address list of neighboring routers as a host may send false or “faked” RIP response messages (a response packet to an attack packet falsifying a source IP address) in order to mislead neighboring routers.]

Regarding claim 6, the combination of Ramachandran and Eto teach claim 1 as described above.
While Ramachandran teaches the determination circuitry and the collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, Ramachandran fails to explicitly teach but Eto teaches wherein the collection circuitry local network. The darknet observation information with the information acquisition unit 11 receives has been sent to non-existent destination, and many illegal packets due to cyber attacks. For example, one for transmission and TCP SYN Flood attack is carried out, a large amount of response pack TCP SYN-ACK flag is set (back scatter) is sprinkled on the IP network. If there, in the TCP header of the TCP packet provided by darknet observation network as darknet observation information because it has been set SYN-ACK flag, the result of TCP SYN Flood attacks source is spoofed it can be estimated that.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of method for filtering spoofed packets in a network of Ramachandran before him or her by including the teachings of a network monitoring system of Eto. The motivation/suggestion would have been obvious to try to modify the system of an anti-spoofing filter taught by Ramachandran by adding countermeasures functions where back scatter is extracted from darknet observation information of a local network determines the large amount of response packet transported throughout network as taught by Eto [Eto, Abstract, p. 4, ¶¶4-7].  
	

Claim 3-5 is rejected under 35 U.S.C. 103 as being unpatentable over Ramachandran et al, hereinafter (“Ramachandran”), US Patent (7,360,245 B1), in view of, Eto et al, hereinafter (“Eto”), Japanese Patent Publication (JP2017034449A), published 02/09/2017 and translated by ESPACENET, in view of Hoshino et al, hereinafter (“Hoshino”), Japanese Patent Application (JP3889701 B2).
Regarding claim 3, the combination of Ramachandran and Eto teach claim 1 as described above.
While Ramachandran teaches the collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: ARP module 86 (collection circuitry); however, the combination of Ramachandran and Eto fail to explicitly teach but Hoshino teaches wherein the collection circuitry collects, as the second information, information concerning a reflection attack packet received as the second packet. [Hochino, ¶¶0058 and 0073: configuration of a reflection attack packet as illustrated in Fig. 6; an example of reply packet is the PC91 in Fig. 6 using Internet Control Message Protocol (ICMP) echo command]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Eto before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to an anti-spoofing filter taught by Ramachandran by adding an attacking terminal of Hochino [Hochino, ¶¶0056-0059].

Regarding claim 4, the combination of Ramachandran and Eto teach claim 1 as described above.
While Ramachandran teaches the determination circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, the combination of Ramachandran and Eto fail to explicitly teach but Hoshino teaches wherein the determination circuitry compares the first information collected by the collection circuitry and the traffic information monitored by the monitoring circuitry and, when reception times of the first information and the traffic information are in a same time period [Hochino, ¶0014: Then, the illegal packet received by the server 2 subjected to the DoS attack or the like is compared with the packets recorded in the packet log recording devices 9, 10, and 11, respectively, and the path through which the illegal packet propagated is specified. ¶0088] and a source IP address of the first information is same as a destination IP address of the traffic information, determines that an attack falsifying the source IP address is detected. [Hochino, ¶0034: The attacking terminal 14 replaces its source address (source IP address) with the IP address of the target terminal 16 (forged) as shown in “PC 41” in FIG]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Eto before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to an anti-spoofing filter taught by Ramachandran by adding falsifying techniques of Hochino [Hochino, ¶0034].

Regarding claim 5, the combination of Ramachandran and Eto teach claim 1 as described above.
While Ramachandran teaches the determination circuitry and collection circuitry [See Ramachandran et al 7360245 B1, See Col 2, lines 54-59 and Col 11, lines 38-41: The filter 72 (determination circuitry) should also be able to use ARP-mapping-interface 84 to request ARP module 86 (collection circuitry)]; however, the combination of Ramachandran and Eto fail to explicitly teach but Hoshino teaches wherein the determination circuitry compares the second information collected by the collection circuitry and the traffic information monitored by the monitoring circuitry and, when reception times of the second information and the traffic information 3Docket No. 14737US01 Preliminary Amendment are in a same time period and a source IP address of the second information is same as a destination IP address of the traffic information, determines that a reflection attack is detected. [Hochino, ¶0092-0093: ICMP has dependent information part (i.e. Time Exceeded Message) is assumed to be the same as the original packet, by masking. By using the new packet, the original packet dependent portion is extracted from the replay attack packet]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings of Ramachandran and Eto before him or her by including the teachings of a packet path tracking system of Hoshino. The motivation/suggestion would have been obvious to try to an anti-spoofing filter taught by Ramachandran by adding estimating of dependent information to determine reflection attack [Hochino, ¶0092-0093].

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/Primary Examiner, Art Unit 2497