DETAILED ACTION
The following claims are pending in this office action: 1-8
The following claims are amended: 1 and 7-8
The following claims are new: -
The following claim is cancelled: 9
Claims 1-8 are rejected. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/26/2022 has been entered.
RESPONSE TO ARGUMENTS
Applicant’s arguments in the amendment filed 03/28/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment. 
Applicant notes: Independent claims 1, 7, and 8 are amended to recite “wherein the transmission source is extracted from a synchronize packet in the communication data.”  This limitation has been mapped to Nagano (US Pub. 2003/0079031) below and rejected accordingly.  
Independent claims 7 and 8 are amended in a similar way to claim 1 and are mapped to Nagano (US Pub. 2003/0079031) below and rejected accordingly.  
Dependent claims 2-6 depend on independent claim 1.  The amended elements in the independent claim have been mapped to Nagano (US Pub. 2003/0079031) below, and so any additional features of the dependent claims are rejected accordingly.

Specification
The title of the invention is not descriptive.  A new title is required that is clearly indicative of the invention to which the claims are directed. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5, and 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Stute (US Patent No. 9,256,735) (hereinafter “Stute”) in view of Mahler et al. (US Pub. 2016/0241578) (hereinafter “Mahler”) and in view of Nagano (US Pub. 2003/0079031) (hereinafter “Nagano”).

As per claim 1, Stute teaches an information processing device comprising:  a memory; and ([Stute, col. 3, ln. 36-47] the techniques in Stute include at least one memory)
at least one processor coupled to the memory, ([Stute, col. 3, ln. 36-47] the techniques in Stute include at least one memory coupled to the processor)
the processor performing operations, the operations comprising: ([Stute, col. 3, ln. 36-47] the operations in Stute may be performed by the processor)
extracting a transmission source from communication data ([Stute, Fig. 5; col. 10, ln. 27-35] raw communication data packets [communication data] are converted [extracted] into a set of data types by decomposing the data fields into all base components.  One component is the source address of the data [a transmission source]) received by a predetermined device, ([Fig. 2; col. 4, ln. 63-65] an enterprise security software application configured to receive data packets in a network environment is implemented as a device [see col. 6, ln. 13-30]) and generating first data that include the transmission source and a time associated with the communication data and included in the communication data; and ([col. 10, ln. 36-43; col. 10, ln. 62-67] the data types of the communication data packets are converted to generated event objects [first data], which include source addresses, and a date/time associated with the data packet)
totaling a first frequency of reception of the communication data for the each transmission source ([Stute, col. 2, ln. 5-11; col. 13, ln. 66-67 to col. 14, ln. 1-5] a count [total] matching the event data [transmission source] is retrieved for a given time period.  [Col. 2, ln. 46-50] the count includes a number of packets entering and leaving the communication network [frequency of reception of communication data]) based on the first data ([col. 12, ln. 8-21] the count includes and is based on the date and time; [col. 16, ln. 20-24] the counts recorded are data/packet values based on a source address that communicates over a period of time), in each of a first period and a second period that includes the first period and is longer than the first period, ([col. 12, ln. 11-21] time periods in which the count is done include one hour per day, every 30 minutes, every 15 minutes, each time period of day, each day of the week, each day of the month, each week of the month, and each day of the year.  [Col. 21, ln. 16-25] a first period includes a day of week [a shorter period], and a second period includes weeks 0-51 of the year [a second period that is longer than the first period and includes the first period])
Stute does not clearly teach wherein the communication data is communication data in normal operation before an intrusion attempted by an intruder. 
However, Mahler teaches wherein the communication data is communication data in a normal operation ([Mahler, para. 0016; para. 0021] activity data [communication data] is collected from data associated with communications and system activity recorded over a period of weeks [in normal operation]. The attack forecasting component can receive the processed activity data and can predict whether or not an anomalous number of events is likely to occur) before an intrusion attempted by an intruder.  ([para. 0028] a future time period [before] is predicted as having an anomalously high level of network activity, such as when the network is predicted to be subject to a DDoS attack [an intrusion attempt by an intruder])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stute with the teachings of Mahler to include wherein the communication data is communication data in normal operation before an intrusion attempted by an intruder.  One of ordinary skill in the art would have been motivated to make this modification because such a system allows a forecast of events that may be provided to network administrators, providing warning and additional capacity to react. (Mahler, para. 0006)
Stute in view of Mahler does not teach wherein the transmission source is extracted from a synchronize packet in the communication data.
However, Nagano teaches wherein the transmission source is extracted from a synchronize packet in the communication data.  ([Nagano, para. 0104] “When a frame header is obtained from the SYN packet, the sender MAC address [transmission source] is extracted from the frame [synchronize packet] data”; [para. 0076] “the communication processing apparatus analyzes the frame of the received traffic data [communication data] to identify the user”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stute in view of Mahler with the teachings of Nagano to include wherein the transmission source is extracted from a synchronize packet in the communication data.  One of ordinary skill in the art would have been motivated to make this modification because such a system allows identification of low-priority users to prevent DoS attacks on TCP connections. (Nagano, para. 0081; para. 0090)

As per claim 2, Stute in view of Mahler and Nagano teaches claim 1.  
Stute also teaches wherein a start time of the first period and a start time of the second period are same, or an end time of the first period and an end time of the second period are same.  (Examiner interprets this claim to mean that the first period must have the same start time or the same end time as the second period.  Both limitations have been mapped to expedite prosecution.  [Stute, col. 12, ln. 11-21] time periods in which the count is done include one hour per day, every 30 minutes, every 15 minutes, each time period of day, each day of the week, each day of the month, each week of the month, and each day of the year.  [Col. 21, ln. 16-25] a first period includes a start time of day 0 and an end time of day 364 of a year.  A second period includes a start time of week 0 [a start time that is the same as the first period], and an end time of week 51 [an end time that is the same as the first period])

As per claim 5, Stute in view of Mahler and Nagano teaches claim 1.  
Stute also teaches generating, as the first data, the first data further including a destination related to the transmission source in the communication data, and ([Stute, col. 10, ln. 62-67] An event object [the first data] includes destination address [destination related to the transmission source]) 
totaling the first frequency for each set of the transmission source and the destination. ([Stute, col. 2, ln. 5-11; col. 2, ln. 46-50] the system retrieves counts, a number of packets, quantifying an amount of data corresponding to an event object, which is a frequency of a set of the transmission source and the destination.  [Col. 2, ln. 18-22] the event object is a combination of a source address and a destination address)

As per claim 7, this method has language that is identical or substantially similar to the steps performed by the device of claim 1, and thus is rejected with the same rationale applied against claim 1.  

As per claim 8, Stute teaches a non-transitory computer-readable recording medium embodying a program, the program causing a computer to perform a method.  ([Stute, col. 3, ln. 38-47] a non-transitory computer-readable storage medium may have program instructions stored thereon that, upon execution by one or more computer system, cause execution of the instructions described)
The methods performed by the non-transitory computer readable recording medium have language that is identical or substantially similar to the steps performed by the device of claim 1, and thus are rejected with the same rationale applied against claim 1.  

Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Stute in view of Mahler and Nagano as applied to claim 1 above, and further in view of Peng et al. (US Pub. 2010/0138919) (hereinafter “Peng”)

As per claim 3, Stute in view of Mahler and Nagano teaches claim 1.  
Stute does not clearly teach dividing the first data into a predetermined number of pieces of second data or a plurality of pieces of second data that have predetermined times, totals a second frequency of reception of the communication data for the each transmission source in the second data, and totals the first frequency by integrating the second frequency.  
However, Peng teaches dividing the first data into a predetermined number of pieces of second data or a plurality of pieces of second data that have predetermined times, ([Peng, para. 0063] the collected data [first data] can be divided into subsets of IP addresses, which may be specific IP address of targeted servers [predetermined pieces of second data], over a time period [window time] up to the current time, configurable parameters by the user [predetermined times – see para. 0086], which is associated with when the data was collected) totals a second frequency of reception of the communication data for the each transmission source in the second data, ([para. 0072] a count distribution structure is used to accumulate raw counts [a second frequency] of the source addresses having corresponding values; [para. 0026] the counts are of numbers of received communication data packets having set source addresses, and so the counts are frequencies of reception of communication data and the addresses are of a transmission source) and totals the first frequency by integrating the second frequency.  ([para. 0072] a representation of the matrix of counts for each address, the address distribution data, is updated/integrated [totaled] over each incremental period.  [Para. 0097] the integration is by an incremental learning mode, such as an exponentially weighted moving average, or a simple weighted average [see para. 0100], which both includes a summation, or totaling function applied to the matrix)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stute in view of Mahler and Nagano with the teachings of Peng to include dividing the first data into a predetermined number of pieces of second data or a plurality of pieces of second data that have predetermined times, totals a second frequency of reception of the communication data for the each transmission source in the second data, and totals the first frequency by integrating the second frequency.  One of ordinary skill in the art would have been motivated to make this modification because such a method increases the accuracy.  Specifically, it increases the accuracy of the statistical distribution of values of the corresponding bytes of the bytes of the source IP addresses of packets received. (Peng, para. 0097; para. 0065)

As per claim 4, Stute in view of Mahler and Nagano teaches claim 1.  
Stute in view of Mahler and Nagano does not clearly teach generating, as the transmission source, the first data including at least one of a location of the transmission source and a function of the transmission source, and totaling the first frequency for the each location and/or function.  
However, Peng teaches generating, as the transmission source, the first data including at least one of a location of the transmission source and a function of the transmission source, and ([Peng, para. 0073] a source IP address [the transmission source generated] can be mapped to a geographical location [a location of the transmission source].  [Para. 0063] the IP address can be mapped to normal traffic or a DoS attack)
totaling the first frequency for the each location and/or function.  ([Peng, para. 0072] a count distribution structure is used to accumulate raw counts [a second frequency] of the source IP addresses [mapped to a geographic location or function] that are to be measured)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stute in view of Mahler and Nagano with the teachings of Peng to include generating, as the transmission source, the first data including at least one of a location of the transmission source and a function of the transmission source, and totaling the first frequency for the each location and/or function.  One of ordinary skill in the art would have been motivated to make this modification because such a modification allows the discovery and identification of organizations or entities that are conducting a DoS attack. (Peng, para. 0003; para. 0073)

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Stute in view of Mahler and in view of Nagano and further in view of Pereira et al. (US Pub. 2014/0143869) (hereinafter “Pereira”).  

As per claim 6, Stute in view of Mahler and Nagano teaches claim 1.  
Stute also teaches wherein the operations further comprises including, as the second period, at least any one of one month, [three months, half a year], and one year.  (Examiner interprets this limitation to mean that the second period is one of one month, three months, half a year, or one year.  All three limitations are mapped to expedite prosecution. [Stute, col. 12, ln. 39-45] the period for recording data includes each day of the month 1-31 [one month] and each day in a year 1-365 [one year]. [Col. 17, ln. 19-22] implicitly, any suitable period may be used, including a three month and a six month period, but a three month and six month period for detecting intruders is clearly disclosed by Pereira below)
Stute in view of Mahler and Nagano does not clearly teach a three month and six month period. 
However, Pereira teaches a three month and six month period.  ([Pereira, para. 0055-0056] a time period of six months, and three months is disclosed for an analysis module)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Stute in view of Mahler and Nagano with the teachings of Pereira to include a three month and six month period.  One of ordinary skill in the art would have been motivated to make this modification because such a modification would allow for potentially suitable periods of time to determine malware, or possible further security breaches, on the system that is actively spreading. (Pereira, para. 0030; para. 0056)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Fukunaga et al. (US Pub. 2008/0095153) discloses a pattern extracting unit that extracts a transmission source address from a received packet, where the packet is implied to be a SYN packet.  
Huston III et al. (US Pub. 2013/0031605) discloses receiving a TCP SYN packet from an external host device and extracting the sender’s internet protocol address from the SYN packet.  
Foulger et al. (US Pub. 2003/0018769) discloses identifying SYN packets for extracting source addresses.  
Aishwarya et al., Intrusion Detection System – An Efficient way to Thwart against Dos/DDos Attack in the Cloud Environment; 2014 International Conference on Recent Trends in Information Technology; December 29, 2014; discloses extracting the source IP address of a SYN packet from the IP header of a SYN packet in order to prevent DoS/DDoS attacks.  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/Z.L./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493