DETAILED ACTION
Amendments submitted on May 9, 2022 for Application No. 16/606847 are presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments filed May 9, 2022 have been considered but they are not persuasive. In the remarks applicant argues:
I)	On pages 6-7, Applicant argues that the claim objections and 35 USC 101 rejection should be removed.
Applicant’s amendments have overcome the previous issues; therefore, the claim objections and 35 USC 101 rejections have been withdrawn.

II)	On pages 7-8, Applicant argues that the cited prior art does not teach “a predetermined threshold profile for the network device”.
The Examiner disagrees and in no way concedes nor subscribes to Applicant’s summarization or distillation of the art of record. It has been held "All of the disclosures in a reference must be evaluated for what they fairly teach one of ordinary skill in the art." In re Lemelson, 397 F.2d 1006, 1009 (CCPA 1968).
Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing incoming traffic, such as address resolution requests, to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists. Elrod, paragraph 15, specifically recites the “switch employs a policy containing policy rules to measure and examine network traffic flows. Traffic flows meeting a certain profile or exceeding a certain threshold are considered threats…”. As this policy/profile on the switch is used for all network traffic it is considered to be “for the network device” as well as all of the other network devices. The Examiner would additionally note that the claim does not require that the profile be specific to the network device or that each network device would have a different profile. Elrod, paragraphs 15 and 18-23, also teaches the use of an access control list (ACL) as well as determining the source/destination of the incoming packets/threat. This further points to the policy/profile of Elrod at least being used “for the network device”.
Therefore, Elrod does teach the claimed “predetermined threshold profile for the network device” as show below. It has been held that a publication is good for all it teaches to persons of ordinary skill in the art. In re Fritch, 972 F.2d 1260, 1264 (Fed. Cir. 1992). A reference is good for all it teaches. In re Meinhardt, 392 F.2d 273, 280 (CCPA 1968). Finally, it is well established that a reference is good for all it fairly teaches a person having ordinary skill in the art, even when the teaching is a cursory mention. E.g., In re Mills, 470 F.2d 649, 651 (CCPA 1972).

III)	On page 8, Applicant argues that the cited prior art does not teach the newly amended limitation of “a local network”.
Applicant is arguing that the rejection of the previous Office Action does not teach the limitations of the amended claims. The claims in the application have been amended in such a way as to allow new art be used in this rejection because of the change in the scope of the claimed invention. Therefore, the applicant’s arguments are considered moot based upon the new grounds of rejection as set forth below.
  
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1-3, 5-7, and 9-15 are rejected under 35 U.S.C. 103 as being unpatentable over Elrod (US 2007/0157306) in view of Segal (US 2015/0020188).

As per claim 1, Elrod discloses A method for address resolution request control in a network device of a … network (Elrod, abstract, paragraphs 18-19 and claims 1-2, teaches address resolution requests for a network device.), the method comprising: 
comparing address resolution requests submitted to network nodes of the … network from the network device against a predetermined threshold profile for the network device (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing incoming traffic, such as address resolution requests, to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists.); and 
regulating a flow of address resolution requests from the network device in response to the comparison (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.)  
However, Elrod does not specifically teach that the address resolution requests are sent from “a network device of a local network”.
Segal discloses a network device of a local network … comparing address resolution requests submitted to network nodes of the local network from the network device against a predetermined threshold profile for the network device (Segal, paragraphs 6 and 32, teaches a gateway host 30 exchanging network packets, such as address resolution protocol (ARP) packets, with controlled host 24. The gateway host 30 inspects the packets in accordance with rules and policies. Segal, Figure 2, shows that the controlled host 24 and the gateway host 30 are a part of the same local network 20. Also see Figure 3 and paragraph 37 that teaches sending ARP packets within the same local network 20.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Segal with the teachings of Elrod. Elrod teaches using a policy to detect threats based on ARP requests from outside the local network. Segal teaches using a policy to detect threats based on ARP requests from inside the local network. Therefore, it would have been obvious to have detected threats based on local ARP requests in order to detect attacks as this would have been a simple substitution of one known type of network for another to yield the predictable results of detecting network attacks based on ARP requests. Additionally, Segal teaches that the same device that transmits the ARP packets (gateway host 30) is also the same device that monitors packets against a profile. Therefore, it would have been obvious to have the sender of the ARP packets monitor the local network for an attack instead of the receiver of the ARP packets as this would have been a simple substitution of one device monitoring the network for another to yield the predictable results of detecting network attacks based on ARP requests.

As per claim 2, Elrod in view of Segal discloses The method as claimed in claim 1, further comprising: providing a set of identifiers representing network nodes, the set of identifiers generated from one or more of: a local list of network nodes generated using successful address requests by the network device; a list of network nodes that the network device may issue an address request to; a remote list of network nodes generated using successful address requests by the network device; and a last known set of identifiers representing network nodes (Elrod, paragraph 21, teaches identifying devices based on their IP addresses. Elrod, paragraphs 22-23, 29, 34, 37, and 45, also teaches redirecting/blocking the address resolution requests based on various identifiers such as VLAN ID. These identifiers would be for devices that have sent/received address resolution requests. Elrod, paragraphs 18, also teaches using access control lists to allow/block traffic which would include device identifiers.)

As per claim 3, Elrod in view of Segal discloses The method as claimed in claim 1, wherein regulating a flow of address resolution requests further comprises: defining an observation window; and determining a status of an address resolution request throttle within the observation window from one of: non-throttled, in which the flow of address resolution requests from the network device is not regulated; and throttled, in which the flow of address resolution requests from the network device is regulated (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period (observation window) to setup and update the policy. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”.)
 
As per claim 5, Elrod in view of Segal discloses The method as claimed in claim 3, further comprising: in a throttled status, checking connections requested by the network device against the set of identifiers representing network nodes; and blocking a connection to a network node (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy, such as an access control list, at a switch that is performed in real time on incoming traffic. Incoming traffic is compared to a policy in real-time. If the traffic is considered to be a threat then it can be blocked based on the access control list. Elrod, paragraphs 36-37, also teaches blocking all incoming traffic from a specific IP address.)

As per claim 6, Elrod in view of Segal discloses The method as claimed in claim 3, further comprising: evaluating a throttle status at the end of the observation window (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. As this is being performed in real-time it is constantly being re-evaluated. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time.)  

As per claim 7, Elrod in view of Segal discloses The method as claimed in claim 6, further comprising: extending the observation window in the event that the threshold profile for the network device is exceeded (Elrod, paragraphs 15, 18-24, 26-27, 38, 40-43, and 46, teaches storing a policy/ACL at a switch that represents incoming traffic from devices that are considered to be a threat. As this is being performed in real-time it is constantly being re-evaluated for each new time period (observation window). Incoming traffic is compared to the policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time as well as continuing to monitor the suspicious traffic (extending the observation window) after the threat has been determined. Therefore, the policy/ACL is updated over time through multiple time periods.) 

As per claim 9, Elrod in view of Segal discloses The method as claimed in claim 6, further comprising exiting a throttled status (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. As this is being performed in real-time it is constantly being re-evaluated. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Therefore, certain packets are throttled and other packets are not throttled which would be in a non-throttle status.)

As per claim 10, Elrod discloses A non-transitory machine-readable storage medium encoded with instructions executable by a processor of a network … for throttling address resolution requests (Elrod, abstract and paragraphs 7, 15, 18-23, 34, 38, 41-43, and 46, teaches throttling traffic such as address resolution requests.), the machine-readable storage medium comprising instructions to: 
monitor … outgoing address resolution requests to a target device of the … network from the network device (Elrod, paragraphs 15, 18-23, 26-27, and 41, teaches monitoring incoming traffic, such as address resolution requests.); and 
compare data representing a frequency of requests to the target device from the network device against a threshold profile for the network device (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing the number of incoming address resolution requests to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists. Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to stop the threat.)
However, Elrod does not specifically teach that the address resolution requests are sent from “a network device of a local network”.
Segal discloses instructions executable by a processor of a network device of a local network … monitor, by the processor of the network device, outgoing address resolution requests to a target device of the local network from the network device (Segal, paragraphs 6 and 32, teaches a gateway host 30 exchanging network packets, such as address resolution protocol (ARP) packets, with controlled host 24. The gateway host 30 inspects the packets in accordance with rules and policies. Segal, Figure 2, shows that the controlled host 24 and the gateway host 30 are a part of the same local network 20. Also see Figure 3 and paragraph 37 that teaches sending ARP packets within the same local network 20.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Segal with the teachings of Elrod. Elrod teaches using a policy to detect threats based on ARP requests from outside the local network. Segal teaches using a policy to detect threats based on ARP requests from inside the local network. Therefore, it would have been obvious to have detected threats based on local ARP requests in order to detect attacks as this would have been a simple substitution of one known type of network for another to yield the predictable results of detecting network attacks based on ARP requests. Additionally, Segal teaches that the same device that transmits the ARP packets (gateway host 30) is also the same device that monitors packets against a profile. Therefore, it would have been obvious to have the sender of the ARP packets monitor the local network for an attack instead of the receiver of the ARP packets as this would have been a simple substitution of one device monitoring the network for another to yield the predictable results of detecting network attacks based on ARP requests.

As per claim 11, Elrod in view of Segal discloses The non-transitory machine-readable storage medium as claimed in claim 10, further encoded with instructions to:WO 2019/147270PCT/US2018/015532 18regulate the number of outgoing address resolution requests to the target device from the network device (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.)

As per claim 12, Elrod in view of Segal discloses The non-transitory machine-readable storage medium as claimed in claim 10, further encoded with instructions to: block outgoing address resolution requests from the network device to a previously unvisited target device (Elrod, paragraphs 23, and 36-37, teaches blocking all traffic from an attacking IP address. This would block all requests including requests to previously visited or unvisited target devices.)  

As per claim 13, Elrod in view of Segal discloses The non-transitory machine-readable storage medium as claimed in claim 10, further encoded with instructions to: generate a set of identifiers representing network nodes, the set of identifiers generated from one or more of: a local list of network nodes generated using successful address requests by the network device; a list of network nodes that the network device may issue an address request to; a remote list of network nodes generated using successful address requests by the network device; and a last known set of identifiers representing network nodes (Elrod, paragraph 21, teaches identifying devices based on their IP addresses. Elrod, paragraphs 22-23, 29, 34, 37, and 45, also teaches redirecting/blocking the address resolution requests based on various identifiers such as VLAN ID. These identifiers would be for devices that have sent/received address resolution requests. Elrod, paragraphs 18, also teaches using access control lists to allow/block traffic which would include device identifiers.)

As per claim 14, Elrod discloses A non-transitory computer-readable storage medium encoded with instructions executable by a processor of a network … for throttling address resolution requests, the computer-readable storage medium comprising instructions to: (Elrod, abstract, paragraphs 7 and 15 and claim 16, teaches a device with processor.) to: 
determine a frequency of address resolution requests from the network device to a target device of the … network (Elrod, paragraphs 15, 18-19, 26-27, and 41, teaches comparing the number of incoming address resolution requests to a threshold. If the ratio is above a certain threshold then it is determined that a threat exists.); and 
regulate a flow of outgoing address resolution requests to the target device in response to a comparison of the frequency against a threshold profile of the network device (Elrod, paragraphs 20-23 and 42-43, teaches if a threat exists that the traffic is redirected to a security management device for further analysis to determine the source and target of the attack and then redirecting/blocking the traffic based on the source and target of the attack. This can be performed by redirecting/blocking the unsolicited address resolution requests.) 
Segal discloses instructions executable by a processor of a network device of a local network … [monitoring] address resolution requests from the network device to a target device of the local network (Segal, paragraphs 6 and 32, teaches a gateway host 30 exchanging network packets, such as address resolution protocol (ARP) packets, with controlled host 24. The gateway host 30 inspects the packets in accordance with rules and policies. Segal, Figure 2, shows that the controlled host 24 and the gateway host 30 are a part of the same local network 20. Also see Figure 3 and paragraph 37 that teaches sending ARP packets within the same local network 20.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Segal with the teachings of Elrod. Elrod teaches using a policy to detect threats based on ARP requests from outside the local network. Segal teaches using a policy to detect threats based on ARP requests from inside the local network. Therefore, it would have been obvious to have detected threats based on local ARP requests in order to detect attacks as this would have been a simple substitution of one known type of network for another to yield the predictable results of detecting network attacks based on ARP requests. Additionally, Segal teaches that the same device that transmits the ARP packets (gateway host 30) is also the same device that monitors packets against a profile. Therefore, it would have been obvious to have the sender of the ARP packets monitor the local network for an attack instead of the receiver of the ARP packets as this would have been a simple substitution of one device monitoring the network for another to yield the predictable results of detecting network attacks based on ARP requests.

As per claim 15, Elrod in view of Segal discloses The non-transitory computer-readable storage medium as claimed in claim 14, further encoded with instructions to: define an observation window within which outgoing address resolution requests are monitored (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period (observation window) to setup and update the policy. As the threshold is compared to the ratio of incoming/outgoing address resolution requests there must be a time period for monitoring the number of incoming/outgoing requests. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”.)

Claims 4 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Elrod in view of Segal and further in view of Kim (US 2015/0067764).

As per claim 4, Elrod in view of Segal discloses The method as claimed in claim 3, further comprising: … recording connection parameters of the network device to the set of identifiers representing network nodes (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches having a policy at a switch that is performed in real time. Incoming traffic is compared to a policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. Elrod, paragraph 27, recites “traffic that does not violate policy rules … passes through the switch normally”. Elrod, paragraphs 18, 21-23, 29, 34, 37, and 45, teaches identifying devices based on various identifiers such as IP addresses, MAC addresses, and VLAN IDs. The system can use access control lists to allow/block traffic based on the identifiers.) 
However, Elrod in view of Segal only specifically teaches recording connection parameters for threats (in a throttled status) and does not specifically recite in a non-throttled status, recording connection parameters of the network device to the set of identifiers representing network nodes.
Kim discloses in a non-throttled status, recording connection parameters of the network device to the set of identifiers representing network nodes (Kim, paragraphs 15-16 and 60, teaches updating a whitelist with known good IP addresses. As these are addresses that are known to be good, these are considered to be in a non-throttled/non-threatening status.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Elrod in view of Segal. Elrod in view of Segal teaches using and updating an ACL with identifiers of known attacker devices. Kim teaches using and updating an ACL with identifiers of known good devices. Therefore, it would have been obvious to have used and updated an ACL with both identifiers of known attacker devices and known good devices using a whitelist and blacklist in order to prevent unauthorized access by known attackers while also allowing access by known good users.

As per claim 8, Elrod in view of Segal discloses The method as claimed in claim 6, further comprising: storing a copy of the set of identifiers representing network nodes in the event that the threshold profile for the network device is … exceeded; and restarting an observation window (Elrod, paragraphs 15, 18-24, 26-27, 38, 41-43, and 46, teaches storing a policy/ACL at a switch that represents incoming traffic from devices that are considered to be a threat. As this is being performed in real-time it is constantly being re-evaluated for each new time period (observation window). Incoming traffic is compared to the policy in real-time. If the traffic is not a threat it is processed as normal i.e. non-throttled. If the traffic is considered to be a threat then it is forwarded to a security management device for further analysis and redirecting, blocking, or throttling. Elrod, paragraph 26, also specifically teaches monitoring traffic over a time period. Elrod, paragraphs 30-31 and 36, also teaches updating the policy dynamically in real-time. Therefore, the policy/ACL is updated over time through multiple time periods.)
 However, Elrod in view of Segal teaches storing the identifier when the threshold has been exceeded (during a threat) and does not specifically teach storing the identifiers when the “threshold profile … is not exceeded” (not during a threat).
Kim discloses storing a copy of the set of identifiers representing network nodes in the event that the threshold profile for the network device is not exceeded (Kim, paragraphs 15-16 and 60, teaches updating a whitelist with known good IP addresses. As these are addresses that are known to be good, these are considered to be in a non-throttled/non-threatening status which is when the threshold is not exceeded as shown by Elrod.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kim with the teachings of Elrod in view of Segal. Elrod in view of Segal teaches using and updating an ACL with identifiers of known attacker devices. Kim teaches using and updating an ACL with identifiers of known good devices. Therefore, it would have been obvious to have used and updated an ACL with both identifiers of known attacker devices and known good devices using a whitelist and blacklist in order to prevent unauthorized access by known attackers while also allowing access by known good users.

Related Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Liljenstolpe (US 2019/0081818) – teaches address resolution request messages and an access control list with a whitelist.
Coggeshall (US 2003/0198219) – teaches timing out after a threshold time period of not receiving a response to the address resolution request.
Wakumoto (US 2007/0101429) – teaches that a device may be malicious if the rate of address resolution requests is above a threshold.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498