DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
No information disclosure statement(s) (IDS) was filed before the mailing date of this office action.  Accordingly, no information disclosure statement is being considered by the examiner.
Claim Objections
The following claims are objected to because of the indicated minor discrepancies:
Claim 17: “The method of” should read “The network monitor system of”
Claim 18: “The method of” should read “The network monitor system of”
Claim Rejections - 35 USC § 112
Claim 20 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 20 is a non-transitory computer readable storage medium, but is dependent on claim 17 which further limits a network monitoring system, claim 10. Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements. 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-13 and 16 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US-PGPUB No. 2021/0144161 A1 to Mittal et al. (hereinafter “Mittal”).
Regarding claim 1:
Mittal discloses: 
A method of monitoring a network (see ¶38: “… a method for protecting a computing system coupled to a computer network …”), the method comprising:   
receiving a packet of network traffic (see ¶23: “… receiving incoming data packets,”); 
determining a source IP address of the packet (see ¶38: “… extracting the SrcIP … values from the header of each received data packet.”);
consulting a database of source IP addresses, each source IP address stored in the database having an associated probability of threat indicator (PTI) (see ¶39: “… reputation score in a SrcIP address …”), wherein the PTI indicates a probability of threat posed by the source IP address (see ¶39: “… the analyzing step of such method uses the SrcIP value to look up a corresponding reputation score in a SrcIP address reputation database. The reputation score is used when determining the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system.”); 
assigning the packet's source IP address' PTI to the packet as the packet's PTI (see ¶39: “The reputation score is used when determining the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system.”); 
selecting one or more inspection checks to perform on the packet, wherein the selection of the one or more inspection checks is a function of the packet's source IP address' PTI (see ¶41-43: “… monitoring the frequency of data packets received which have a particular SrcIP value. … looking up a geo-location from which the received data packet was purportedly sent as based upon the extracted SrcIP value.”, and  
¶39: “The reputation score is used when determining the probability that a received data packet was initiated by an attacker …”); 
performing the selected one or more inspection checks (see ¶41-43: “… the analyzing step of such method includes the step of monitoring the frequency of data packets received which have a particular SrcIP value. … the analyzing step of such method includes the step of looking up a geo-location from which the received data packet was purportedly sent as based upon the extracted SrcIP value. …”); 
assigning treatment of the packet based on a result of the one or more inspection checks performed (see ¶41-42: “… The analyzing step increases the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system as the frequency of received data packets having the particular SrcIP value increases. … The analyzing step may increase the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system when the corresponding geo-location is a country or region from which resource attacks are frequently mounted.”, 
¶38: “The method also includes the step of either: a) allocating resources of the computing system to process the data packet when the probability that the data packet was initiated by an attacker mounting a resource attack against the computing system does not exceed a predetermined threshold; or b) denying the allocation of resources of the computing system to process the data packet when the probability that the data packet was initiated by an attacker mounting a resource attack against the computing system exceeds the predetermined threshold.”); and 
adjusting the packet's source IP address' PTI and/or the packet's PTI based on the result of the one or more inspection checks performed (see ¶41: “… the analyzing step … includes the step of monitoring the frequency of data packets received which have a particular SrcIP value … increases the probability that a received data packet was initiated by an attacker … as the frequency of received data packets having the particular SrcIP value increases.”).  
Regarding claim 4:
Mittal discloses:
The method of claim 1, further comprising accessing a collection of inspection checks, each inspection check having an associated check threshold, wherein selecting the one or more inspection checks comprises:
 comparing the packet's source IP address PTI with the check threshold associated with one of the inspection checks (see ¶72-73: “… a decision is made whether or not to provide, or deny, the allocation of resources to a data packet based upon consideration of packet metadata, connection tracking statistics, and system state. Packet metadata … may include variables such as the packet size; the state of packet header flags; the TTL value within the packet header; the geo-location of the source IP address; the reputation score of the source IP address; and/or the results of a reverse path forwarding (RPF) check.”, and 
¶74-75: “… most network devices use a large default TTL value (e.g., 128 or 255) when originating packets. … Thus, the presence of low TTL values in data packet headers may indicate that the data packet is not legitimate. … many source IP addresses have a reputation for serving as a base for distribution of malware and/or “spam”. It can therefore be helpful to consider the reputation score of the source IP address when analyzing whether a data packet is a legitimate request or part of a DoS attack.”); and
 deciding whether or not to select the inspection check based on a result of the comparison (see ¶74: “… the presence of low TTL values in data packet headers may indicate that the data packet is not legitimate.”).  
Regarding claim 5:
Mittal discloses:
The method of claim 1, wherein selecting the one or more inspection checks further comprises continuing to compare the packet's source IP address' PTI with the check threshold associated with a next inspection check of the collection of inspection checks and deciding whether or not select the next inspection check, until the packet's source address' PTI has been compared to all of the inspection checks in the collection or the treatment assigned to the packet causes the packet to be dropped after which no further inspection checks are performed on the packet (see ¶75: “… consider the reputation score of the source IP address when analyzing whether a data packet is a legitimate request or part of a DoS attack.”,  
¶92: “The flowcharts of FIGS. 5 and 6 illustrate the steps of a method performed … to process incoming data packets. These are the steps taken by the resource manager to determine whether resources will be allocated or not, based upon various suspicion scores.”, and  
¶93: “… total packet length, may also be considered to determine the extent of resources that will be required to process the current data packet, assuming that it is not dropped. Flow then passes to step 504 where a resource allocation request is formulated, along with the SrcIP and TTL values.”).
Regarding claim 6:
Mittal discloses:
The method of claim 1, wherein if the packet's source IP address is not included in the database of source IP addresses, the method further includes storing the packet's source IP address in the database of source IP addresses with an associated PTI that is set to a neutral value (see ¶38: “If the IP address was not previously present, it could be added to a database maintained as part of the system.”).  
Regarding claim 7:
Mittal discloses:
The method of claim 1, wherein adjusting the packet's PTI is performed before selecting another of the one or more inspection checks to perform on the packet (see ¶41: “… the analyzing step of such method includes the step of monitoring the frequency of data packets received which have a particular SrcIP value. …  increases the probability that a received data packet was initiated by an attacker …  as the frequency of received data packets having the particular SrcIP value increases. …  the analyzing step of such method includes the step of looking up a geo-location from which the received data packet was purportedly sent as based upon the extracted SrcIP value.”).  
Regarding claim 8:
Mittal discloses:
The method of claim 1, wherein adjusting the packet's PTI is a function of a number of times that at least one of the one or more inspection checks was passed or failed (see ¶41: “The analyzing step increases the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system as the frequency of received data packets having the particular SrcIP value increases.”).  
Regarding claim 9:
Mittal discloses:
The method of claim 1, wherein adjusting the packet's source IP address' PTI is a function of a number of times at least one of the one or more inspection checks was passed or failed (see ¶88: “If a particular source IP address has a reputation for being malevolent, then block 416 provides a score having a higher value.” See FIG. 4, block 416). 
Regarding claim 10:
Mittal discloses:
A network monitor system comprising (see ¶38: “… a computing system coupled to a computer network …”): 
a memory configured to store instructions (see ¶113: “… memories and storage … comprise volatile and/or non-volatile memory …”); 
a processor (see ¶113: “Processors …”)
In addition to the above limitations, claim 10 substantially recites the same limitations as claim 1, in the form of a system implementing the corresponding method, therefore it is rejected by the same rationale.
Regarding claims 13-18:
Claims 13-18 substantially recite the same limitations as claims 4-9, respectively, in the form of a system implementing the corresponding method, therefore they are rejected by the same rationale.
Regarding claims 19-20:
Claims 19-20 substantially recite the same limitations as claims 1 and 4, respectively, in the form of a non-transitory computer readable storage medium to store computer programs, therefore they are rejected by the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 and 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Mittal and further in view of US-PGPUB No. 2013/0139245 A1 to Thomas.
Regarding claim 2:
Mittal discloses the method of claim 1, but failed to explicitly disclose the following limitation taught by Thomas: 
dropping the packet if the packet's source IP address' PTI is below a block list threshold, and only selecting the one or more inspection checks if the packet's source IP address' PTI is not below the block list threshold (see Thomas, ¶29: “… classifier 212 can determine if the reputation score for the packet is greater than or less than the bottom threshold. If so, the "YES" branch of decision block 410 is taken, and the packet is dropped from the protected network in block 412. Thus classifier 212 can drop 216 the packet when the reputation score is less than the bottom threshold.” 
See FIG. 4, block 410 and block 412). 
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to modify the teachings of Mittal to incorporate the functionality of the classifier to determine the reputation score with respect to the bottom threshold and top threshold values, as disclosed by Thomas. Such modification would allow the system to drop packets with a reputation score less than the bottom threshold and allow packets that have a reputation score greater than the top threshold, thus avoiding computationally expensive analysis.
Regarding claim 3:
Mittal discloses the method of claim 1, but failed to explicitly disclose the following limitation taught by Thomas: 
forwarding the packet if the packet's source IP address PTI is above an allow list threshold, and only selecting the one or more inspection checks if the packet's source IP address' PTI is not above the allow list threshold (see Thomas, ¶29: “… classifier … can determine if the reputation score for the packet is greater than or less than … the top threshold. If so, the "YES" branch of decision block 414 is taken, and the packet is admitted to the protected network in block 426.” 
See FIG. 4, block 414 and block 426).  
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the invention, to modify the teachings of Mittal to incorporate the functionality of the classifier to determine the reputation score with respect to the bottom threshold and top threshold values, as disclosed by Thomas. Such modification would allow the system to drop packets with a reputation score less than the bottom threshold and allow packets that have a reputation score greater than the top threshold, thus avoiding computationally expensive analysis.
Regarding claims 11-12:
Claims 11-12 substantially recite the same limitations as claims 1-2, respectively, in the form of a system implementing the corresponding method, therefore they are rejected by the same rationale.
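The packet-handling flow recited in claims 1-7 above, as an added illustration in Python; it is not code from the application, from Mittal, or from Thomas. The 0-100 PTI scale, the threshold values, the adjustment step, the selection direction (a check runs while the PTI is below its check threshold), the drop on a failed check, and the three sample checks are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# All numeric values are assumptions; the claims do not fix a scale.
NEUTRAL_PTI = 50       # stored for a source seen for the first time (claim 6)
BLOCK_THRESHOLD = 10   # PTI below this: drop without inspection (claim 2)
ALLOW_THRESHOLD = 90   # PTI above this: forward without inspection (claim 3)
STEP = 5               # PTI change per passed or failed check

@dataclass
class Check:
    name: str
    threshold: int                  # check threshold (claim 4)
    passes: Callable[[dict], bool]  # True when the packet passes

# Constructed checks; the TTL test mirrors the low-TTL heuristic quoted from Mittal.
CHECKS: List[Check] = [
    Check("ttl", 80, lambda p: p["ttl"] >= 32),
    Check("size", 60, lambda p: p["length"] <= 1500),
    Check("flags", 40, lambda p: p["flags"] != "SYN+FIN"),
]

def inspect(packet: dict, db: Dict[str, int]) -> Tuple[str, List[str]]:
    """Return (treatment, names of checks run) and update db in place."""
    src = packet["src"]
    pti = db.setdefault(src, NEUTRAL_PTI)  # packet PTI seeded from source PTI
    ran: List[str] = []
    if pti < BLOCK_THRESHOLD:
        return "drop", ran
    if pti > ALLOW_THRESHOLD:
        return "forward", ran
    treatment = "forward"
    for check in CHECKS:
        # Assumption: a check is selected only while the PTI is below its threshold.
        if pti >= check.threshold:
            continue
        ran.append(check.name)
        ok = check.passes(packet)
        # Adjust before the next selection (claim 7), clamped to 0..100.
        pti = max(0, min(100, pti + (STEP if ok else -STEP)))
        if not ok:
            treatment = "drop"  # assumption: a failed check drops the packet
            break               # no further checks after a drop (claim 5)
    db[src] = pti               # write the adjusted PTI back to the source entry
    return treatment, ran

if __name__ == "__main__":
    db = {"203.0.113.7": 5, "198.51.100.2": 95}  # constructed sample entries
    pkt = {"src": "192.0.2.9", "ttl": 64, "length": 100, "flags": "SYN"}
    print(inspect(pkt, db), db["192.0.2.9"])
```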
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Pandrangik (US-PGPUB No. 2012/0079592-A1) disclosed a method and system to mitigate an attack over the Internet which includes collecting information related to a plurality of client IP addresses from a plurality of sources and analyzing the collected information.
Subramanian (US-PGPUB No 20140259140-A) disclosed a network appliance which can adjust the amount of deep packet inspection performed by the network appliance as a function of load. Reputation of data flows can be determined based on historical information regarding a particular flow in combination with a reputation service determining reputation scores based on properties of the data flow.
Mondaeev et al. (US-PGPUB No. 20080201772-A1) disclosed a method of determining whether a data stream includes unauthorized data, wherein the data stream is analyzed using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream.
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491