DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. Claims 1-20 are presented for examination.
Information Disclosure Statement
The information disclosure statements (IDS) were submitted on 05/02/2022. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1, 3-9, 11-13, and 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Choyi (US Pub. 2010/0071051) in view of Hutchinson et al. (US Pub. 2020/0244699).
Referring to claims 1 and 9, Choyi teaches a method comprising: 
receiving network traffic from a network-based device ([032], mobile client 110 and/or collaborating network device 120 receive network traffic from a network based device 130);
analyzing the network traffic to identify the network-based device as an infected network-based device ([032], when the infected host 130 sends traffic, …towards the collaborating mobile client 110 and/or collaborating network device 120, the collaborating mobile client 110 and/or collaborating network device 120 is able to determine that the received IP packet is a malicious packet based on the source address of the scan or attack IP packet, i.e. 130 is infected network based device); and
Choyi teaches identifying an infected device based on traffic analysis and taking proper action after identifying a device infected with a worm, but does not expressly teach sending a response message to the infected device that triggers a tarpitting effect on the network-based device.
However, Hutchinson teaches generating a tarpitting effect by repeatedly sending ([041], response module repeatedly sending responses), in response to identifying the infected network-based device, a response message to the infected network-based device, each response message triggering an action on the network-based device, the plurality of triggered actions constituting the tarpitting effect (see paragraph [041], Example autonomous responses (i.e. multiple responses ~ repeatedly sending) may include cut off connections, shutdown devices, change the privileges of users, delete and remove malicious links in emails, slow down a transfer rate, and other autonomous actions against the devices and/or users, triggering a tarpitting effect on the network based device).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Choyi’s collaborating network device 120 to be coupled with the cyber security appliance of Hutchinson, which sends autonomous response messages to the infected device that trigger a tarpitting effect on the network-based device, in essence slowing down the spread of the worms and the malware infection rate on the network and automatically devising routes through the network structure for its defense mechanisms without human assistance.
Referring to claim 3, Hutchinson teaches the method of claim 1, wherein the response message is a spoofed SYN/ACK packet that replies to a SYN packet of the infected network-based device (see paragraphs [023], [025] a trigger module generates a spoofed transmission and/or response communication [041], example autonomous responses may include cut off connections, shutdown devices [047]).
Referring to claim 4, Hutchinson teaches the method of claim 1, wherein each response message spoofs a source Internet Protocol (IP) address of the intended destination of the network traffic (see paragraphs [089], [091]).
Referring to claim 5, Hutchinson teaches the method of claim 1, wherein the analysis comprises inspecting a volume of network traffic sent to a specified destination under non-attack conditions to establish a baseline traffic level, and suspecting a malware attack in response to a current volume of traffic substantially exceeding the established baseline traffic level (see paragraphs [029],[033], [034] traffic anomalies).
Referring to claim 6, Hutchinson teaches the method of claim 1, wherein the analysis comprises one or more of evaluating total Transmission Control Protocol (TCP) traffic, evaluating total Domain Name System (DNS) traffic, evaluating one or more protocols utilized for worm propagation, evaluating a particular pattern of traffic, evaluating prescribed threat information, evaluating a static signature, and evaluating a network traffic anomaly (see paragraphs [047], [074], [079]). 
Referring to claim 7, Hutchinson teaches the method of claim 1, further comprising preventing the infected network-based device from communicating with other devices (see paragraph [118], thereby attempt to prevent threats to computing devices within its bound).
Referring to claim 8, Choyi teaches the method of claim 1, further comprising one or more of discarding packets from a flagged source address, rate-limiting the network traffic, diverting traffic flow to a specified network address, and performing deep packet inspection on the network traffic (see paragraphs [026] – [028], baiting traffic involve diverting traffic).
Referring to claim 11, Hutchinson teaches the non-transitory computer readable medium of claim 9, wherein each response message is a spoofed SYN/ACK packet that replies to a SYN packet of the infected network-based device (see paragraphs [023], [025] a trigger module generates a spoofed transmission and/or response communication [041], example autonomous responses may include cut off connections, shutdown devices [047]).
Referring to claim 12, Hutchinson teaches the non-transitory computer readable medium of claim 9, wherein each response message spoofs a source Internet Protocol (IP) address of the intended destination of the network traffic (see paragraphs [089], [091]).
Referring to claim 13, Choyi teaches an apparatus comprising: a memory; and at least one processor, coupled to said memory (see paragraph [045], [046]) and operative to perform operations comprising:
receiving network traffic from a network-based device (see paragraph [032], mobile client 110 and/or collaborating network device 120 receive network traffic from a network based device 130);
analyzing the network traffic to identify the network-based device as an infected network-based device ([032], when the infected host 130 sends traffic, …towards the collaborating mobile client 110 and/or collaborating network device 120, the collaborating mobile client 110 and/or collaborating network device 120 is able to determine that the received IP packet is a malicious packet based on the source address of the scan or attack IP packet, i.e. 130 is infected network based device); and
Choyi teaches identifying an infected device based on traffic analysis and taking proper action after identifying a device infected with a worm, but does not expressly teach sending a response message to the infected device that triggers a tarpitting effect on the network-based device.
However, Hutchinson teaches generating a tarpitting effect by repeatedly sending ([041], response module repeatedly sending responses), in response to identifying the network-based device as an infected network-based device, a response message to the infected network-based device, each response message triggering an action on the network-based device, the plurality of triggered actions constituting the tarpitting effect (see paragraph [041], Example autonomous responses (i.e. multiple responses ~ repeatedly sending) may include cut off connections, shutdown devices, change the privileges of users, delete and remove malicious links in emails, slow down a transfer rate, and other autonomous actions against the devices and/or users, triggering a tarpitting effect on the network based device).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Choyi’s collaborating network device 120 to be coupled with the cyber security appliance of Hutchinson, which sends autonomous response messages to the infected device that trigger a tarpitting effect on the network-based device, in essence slowing down the spread of the worms and the malware infection rate on the network and automatically devising routes through the network structure for its defense mechanisms without human assistance.
Referring to claim 15, Hutchinson teaches the apparatus of claim 13, wherein each response message is a spoofed SYN/ACK packet that replies to a SYN packet of the infected network-based device (see paragraphs [023], [025] a trigger module generates a spoofed transmission and/or response communication [041], example autonomous responses may include cut off connections, shutdown devices [047]).
Referring to claim 16, Hutchinson teaches the apparatus of claim 13, wherein each response message spoofs a source Internet Protocol (IP) address of the intended destination of the network traffic (see paragraphs [089], [091]).
Referring to claim 17, Hutchinson teaches the apparatus of claim 13, wherein the analysis comprises inspecting a volume of network traffic sent to a specified destination under non-attack conditions to establish a baseline traffic level, and suspecting a malware attack in response to a current volume of traffic substantially exceeding the established baseline traffic level (see paragraphs [029], [033], [034] traffic anomalies).
Referring to claim 18, Hutchinson teaches the apparatus of claim 13, wherein the analysis comprises one or more of evaluating total Transmission Control Protocol (TCP) traffic, evaluating total Domain Name System (DNS) traffic, evaluating one or more protocols utilized for worm propagation, evaluating a particular pattern of traffic, evaluating prescribed threat information, evaluating a static signature, and evaluating a network traffic anomaly (see paragraphs [047], [074], [079]).
Referring to claim 19, Hutchinson teaches the apparatus of claim 13, the operations further comprising preventing the infected network-based device from communicating with other devices (see paragraph [118], thereby attempt to prevent threats to computing devices within its bound).
Referring to claim 20, Choyi teaches the apparatus of claim 13, the operations further comprising one or more of discarding packets from a flagged source address, rate-limiting the network traffic, diverting traffic flow to a specified network address, and performing deep packet inspection on the network traffic (see paragraphs [026] – [028], baiting traffic involve diverting traffic). 
Claims 2, 10, and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Choyi in view of Hutchinson in further view of Kuusinen et al. (US Pub. 20010049731).
Referring to claim 2, Choyi teaches identifying an infected device based on traffic analysis and taking proper action after identifying a device infected with a worm.
Hutchinson teaches sending the response message triggering a tarpitting effect on the network-based device. Hutchinson teaches that the network-based device repeatedly temporarily ceases sending malicious network traffic in response to receiving the plurality of response messages (see paragraph [074], response-orchestrator engine to select a possible action when a device is exhibiting malicious behavior … to end a potentially malicious communication originating from or being received by a device in the network).
Neither Choyi nor Hutchinson expressly teaches a message setting a TCP window size to zero.
However, Kuusinen teaches wherein the response message sets a Transmission Control Protocol (TCP) window size to zero (see paragraph [044], the terminal MS sets zero as the value of the advertised window field in the TCP acknowledgement messages it sends just before switching to the suspend state).
It would have been obvious to an ordinary person skilled in the art at the time the invention was made to modify Choyi’s collaborating network device 120 to be coupled with the cyber security appliance of Hutchinson, which sends autonomous response messages to the infected device that trigger a tarpitting effect on the network-based device by cutting off connections, thereby suspending the transmission state as taught by Kuusinen and pausing the infection on the network in order to automatically devise routes through the network structure for its defense mechanisms without human assistance.
Referring to claim 10, Choyi and Hutchinson teach the non-transitory computer readable medium of claim 9, and Kuusinen teaches wherein the response message sets a Transmission Control Protocol (TCP) window size to zero (see paragraph [044], the terminal MS sets zero as the value of the advertised window field in the TCP acknowledgement messages it sends just before switching to the suspend state).
Referring to claim 14, Choyi and Hutchinson teach the apparatus of claim 13, and Kuusinen teaches wherein the response message sets a Transmission Control Protocol (TCP) window size to zero (see paragraph [044], the terminal MS sets zero as the value of the advertised window field in the TCP acknowledgement messages it sends just before switching to the suspend state).
Response to Arguments
Applicant's arguments with respect to the claims above, filed on 05/02/2022, have been considered but they are not persuasive. After further search and thorough examination of the present application, claims 1-20 remain rejected.
In the remarks, applicant argues in substance:
	That- “Hutchison does not however, disclose or suggest generating a tarpitting effect by repeatedly sending in response to identifying the infected network based device, a response message to the infected network based device, each response message triggering an action on the network based device, the plurality of triggered actions constituting a tarpitting effect”.
	In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
	In this case, the examiner respectfully disagrees with applicant's interpretation of the secondary reference as it relates to the broadly recited claim language of independent claim 1. Upon careful review, the combination of references teaches the repeated sending of responses, where each response triggers an action and the plurality of such actions constitutes a tarpitting or slow-down effect on the network device, so that the infection does not continue to infect a large number of network devices. For example, Hutchinson does not send a response message to take an action and then stop, as portrayed by applicant's assertion; it continues to send response messages autonomously to control or limit the infection. An ordinary artisan would agree that the description in paras [041]-[074] of Hutchinson would teach the current broad recitation of the independent claims.
	Therefore, Choyi and Hutchinson, alone or in combination, properly support “generating a tarpitting effect by repeatedly sending, in response to identifying the infected network-based device, a response message to the infected network-based device, each response message triggering an action on the network-based device, the plurality of triggered actions constituting the tarpitting effect,” as recited by updated independent Claim 1. In view of the examiner's response above, the examiner respectfully submits that Claims 9 and 13 are not patentable in their current form.
	Dependent Claims each depend from one of claims 1, 9 and 13 described above. Accordingly, the examiner respectfully submits that claims 2-8, 10-12, 14-20 are not patentable at least for depending from rejected independent claims 1, 8 and 15. In conclusion, the applicant's arguments are not persuasive and no patentable subject matter has been identified given the breadth of the claims being recited herein. It is further concluded that the distinguishing features in question have been addressed, and applicant is invited to schedule an interview to discuss how to further clarify the claims over the cited prior art.
Correspondence Information
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The examiner also requests, when responding to this office action, that support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line no(s) in the specification and/or drawing figure(s). This will assist the examiner in prosecuting the application. Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections. See 37 CFR 1.111(c).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFTAB N. KHAN whose telephone number is (571)270-5172.  The examiner can normally be reached on Monday-Friday 8AM-5PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AFTAB N. KHAN/
Primary Examiner, Art Unit 2454