DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 09/18/2019, 04/14/2021 and 10/04/2021 were filed before the mailing date of this office action. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-6 and 10 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US-PGPUB No. 2020/0059452 A1 to Ravichandran et al. (hereinafter “Ravichandran”).
Regarding claim 1: 
	Ravichandran discloses:
A method of detecting and filtering illegitimate communication streams in a satellite communication network (see FIG. 1, ¶30: “… a satellite network 100 (sometimes referred to as a “communication network 100”) …”), the method being executed by a gateway satellite station (¶33: “ … a gateway 115A, 115B …”) able to establish a communication link (¶16: “… uplink …downlink”) between a satellite (¶33: “… a satellite 105.”, see FIG. 1) and an access network (¶33: “… a network 150 …”, see FIG. 1) and comprising the steps of: 
 receiving a communication stream originating from the satellite (see Ravichandran ¶20: “The method … sniffing, at the gateway, at least one of uplink and downlink data, identifying, at the gateway, the signature of the rogue device, broadcasting, at the gateway, the identified signature, and blocking, at the gateway, at least one of the downlink and uplink of the rogue data.”, 
¶33: “… a gateway 115A, 115B may connect a network 150 to a satellite 105.
The gateways 115A, 115B are computer-based communication devices … Each gateway 115A, 115B may be programmed to use different uplink and downlink methods to transmit data to and receive data from satellites 105.”, and  
¶35: “Each system gateway 115A, 115B may be programmed to transmit control and configuration data to satellites 105 as well as receive data, such as telemetry data, from satellites 105.”, See FIG. 1), 
determining a set of characteristics of the communication stream forming a signature of the stream (see Ravichandran ¶19-22: “The method may further include sniffing, at the terminal, at least one of uplink and downlink data, and identifying the signature of the rogue data based on clustering the sniffed data. [0020] The method may further include sniffing, at the gateway, at least one of uplink and downlink data, identifying, at the gateway, the signature of the rogue device, broadcasting, at the gateway, the identified signature, and blocking, at the gateway, at least one of the downlink and uplink of the rogue data. [0021] The signature may further include a data pattern, a type of attack, a frequency of attack, and a status. [0022] The type of attack may be at least one of SYN Flood, UDP Flood, SMBLoris, ICMP Flood, and HTTP Get Flood.”, and see also Table 1), 
applying at least one classification algorithm (¶44: “… clustering algorithms …”) so as to class the signature into a set of legitimate signatures or into a set of illegitimate signatures, if the signature is classed into the set of illegitimate signatures, filtering the communication stream, otherwise transmitting the communication stream to the access network (see Ravichandran ¶19: “The method may further include sniffing, at the terminal, at least one of uplink and downlink data, and identifying the signature of the rogue data based on clustering the sniffed data.”, 
¶44: “The computer(s) … may be programmed to cluster the data using clustering algorithms such as K-means. Data clustering may include identifying data patterns and grouping the data patterns.”, and  
¶75-76: “… the computer 170 determines whether rogue data matching one or more stored signatures was detected. The computer 170 may be programmed to detect rogue data by sniffing data that is communicated via the gateway 115A, clustering the sniffed data, and detecting rogue data based on stored signatures and clustering of the sniffed data. If the computer 170 determines that rogue data was detected, then the process 300 proceeds to a block 360; otherwise the process 300 ends, or alternatively, returns to the decision block 310 … [0076] In the block 360, the computer 170 block the detected rogue data. … the computer 170 may be programmed to block the data from the application that generates the rogue data …, whereas allowing rest of data from the device (i.e., data from other application on the rogue device) to pass through.”). 
Regarding claim 2:
Ravichandran discloses:
The method of detecting and filtering illegitimate communication streams according to Claim 1 comprising, for each new received data packet, the association of the packet with a stream signature (see Ravichandran ¶75: “… the computer 170 determines whether rogue data matching one or more stored signatures was detected.”).  
Regarding claim 3:
Ravichandran discloses:
The method of detecting and filtering illegitimate communication streams according to claim 1, wherein the set of legitimate signatures and the set of illegitimate signatures are predetermined on the basis of a priori observations (see Ravichandran ¶29: “Each terminal in a satellite network may act as a sniffer by logging traffic behavior(s) from all sources into a local memory. Periodically, data from terminal logs are input to a clustering algorithm to group the traffic patterns and to determine the rogue anomalies dynamically.”).  
Regarding claim 4:
Ravichandran discloses: 
The method of detecting and filtering illegitimate communication streams according to claim 1, wherein an illegitimate signature corresponds to a communication stream which exhibits a first given profile of variation of at least one of its characteristics during a first given period and then a second profile of variation different from the first profile of variation, of the at least one characteristic during a second given period (see Ravichandran ¶81: “The computer 160, 170 may be programmed to determine the data pattern, device identifier, application identifier, route of data, etc., and store the signature data in a memory 130, 140. The computer 160, 170 may be programmed to update a change in stored signature of data. For example, upon determining a change of data pattern communicated by a specific device (identified based on the respective device identifier) changed, the computer 160, 170 may be programmed to update the stored data pattern in the signature including the respective device identifier.”).  
Regarding claim 5:
	Ravichandran discloses: 
The method of detecting and filtering illegitimate communication streams according to claim 1, wherein the determined characteristics are primary characteristics extracted from the communication stream from among the source address of the communication stream, the destination address of the communication stream, the protocol version of the communication stream, the port number of the communication stream (see Ravichandran ¶47: “The computer 160, 170 may be programmed to identify an attack based at least in part on source port and/or destination port during UDP-based communication … a type of data during an ICMP-based communication … source port, destination port, flag, sequence number, acknowledge Number, and/or window Size during a TC-based communication … routing path. The computer(s) 160 may be programmed to categorize a type of an attack and a frequency of the attack.”).
Regarding claim 6:
	Ravichandran discloses: 
The method of detecting and filtering illegitimate communication streams according to Claim 5, wherein the primary characteristics are extracted from at least one header field of the received data packets (see Ravichandran ¶47: “… the computer 160, 170 may be programmed to identify an attack based at least in part on source port, destination port, flag, sequence number, acknowledge Number, and/or window Size …”).  
Regarding claim 10:
	Claim 10 substantially recites the same limitation as claim 1, in the form of a device implementing the steps of the method, therefore, it is rejected by the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2016/0020923 A1 to McLeod.
Regarding claim 7:
Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but fails to explicitly disclose the following limitation, which is taught by McLeod:
wherein the determined characteristics are secondary characteristics measured on the data packets of a communication stream, from among the number of data packets transmitted by the communication stream, the duration of the communication stream, the maximum size of a packet of the communication stream, the minimum size of a packet of the communication stream, the average duration between two successive packets transmitted by the communication stream (see McLeod ¶39: “Hybrid flow data is a combination of network flow data and statistics, packet data and metadata (e.g., packet statistics), and an adjustable amount of packet payload data. Examples of flow statistics may include … the start time, end time, and duration of a flow. Examples of packet statistics may include … mean time between packets that were used to generate the flow.”, 
¶81-86: “… … the buildflows program can retrieve and analyze the flow data previously stored in the data store … the buildflow program can determine and store, in the data store, several statistical measures of the flow being analyzed. These statistical measures include but are not limited to: …  a list of the packet inter-arrival times for all packets that make up the flow… a list of the packet sizes (in bytes) of each packet that make up the flow; … the minimum, maximum, mean, variance and standard deviation of the packet inter-arrival; … times for all packets that make up the flow; and the minimum, maximum, mean, variance and standard deviation of the packet size for all packets that make up the flow.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Ravichandran to incorporate the functionality of the buildflows program to retrieve and analyze flow data, as disclosed by McLeod. Such a modification would allow the system to determine flow statistical measures that are important for the system to employ correct mitigation measures, but would result in larger packet latency if these characteristics were incorporated in the header of the packet.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2016/0323166 A1 to Pandey et al. (hereinafter “Pandey”).
Regarding claim 8:
Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but fails to explicitly disclose the following limitation, which is taught by Pandey:
comprising the step of applying several distinct classification algorithms and of classing the signature into a set of legitimate signatures if at least one of the said classification algorithms classes the signature into a set of legitimate signatures (see Pandey ¶40: “The classification engines … can extract data from a set of desired fields within each packet and can then apply one or more classification algorithms to this set of data to generate classification data for packet identification purposes.”,  
¶45: “The hash generators … can be configured to generate hash values based upon one or more hash algorithms that are applied to data within each packet. The resulting hash values or keys are used to provide the packet signatures …, and these hash values or keys effectively reduce the size of the packets (e.g., 128 bytes) to smaller data values (e.g., 32 bits) that can still be used to identify different packets. Any desired hash algorithm could be used …”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Ravichandran to incorporate the functionality of the classification engines to apply one or more classification algorithms to a set of data to generate classification data for packet identification purposes, as disclosed by Pandey. Such a modification would allow the system to classify various types of data, and generate a table of signatures for future comparison and classification matching.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2019/0147670 A1 to Chopra et al. (hereinafter “Chopra”).
Regarding claim 9:
Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but fails to explicitly disclose the following limitation, which is taught by Chopra:
wherein the classification algorithm is chosen from among a k-neighbours algorithm, a Bayesian naive classification algorithm, a least squares algorithm (see Chopra ¶83: “… classification algorithms may include Linear classifiers (e.g., Fisher's linear discriminant, logistic regression, naive Bayes, and perceptron), Support vector machines (e.g., least squares support vector machines), quadratic classifiers, kernel estimation (e.g., k-nearest neighbor) …”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Ravichandran to incorporate the functionality of the streaming analytics module to implement various classification algorithms, as disclosed by Chopra. Such a modification would allow the system to use different models (linear or non-linear) to properly identify (classify) flow packets.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Daines et al. (USPAT No. 7760723-B1) - disclosed a method and techniques to relay a data stream from a data device to a network tunnel.
Guo et al. (US-PGPUB No. 20190230010-A1) - disclosed a monitoring station deployed in a network that monitors packets over one or more interfaces in the network.
Wang et al. (US-PGPUB No. 20170329783-A1) - disclosed a method of analyzing encrypted streaming media traffic which is applicable to various data stream types, including Real Time Protocol data streams such as VoIP traffic and video (e.g., MPEG) over IP traffic.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel, can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491