DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see Remarks, filed 05/27/2022, with respect to the rejection(s) of independent claims 1, 11 and 20 under 35 USC § 102 have been fully considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
The rejection of claim 20 under 35 USC § 101 has been fully considered and the amendment overcomes the rejection due to the non-statutory subject matter; therefore, the rejection has been withdrawn.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: 
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 5, 7-12, 15 and 17-20 are rejected under 35 USC § 103 as being unpatentable over USPAT No. 10148688 B1 to Shavell et al. (hereinafter “Shavell”), and further in view of US-PGPUB No. 20180176248 A1 to Nikravesh et al. (hereinafter “Nikravesh”).
Regarding claim 1:
Shavell discloses:
An electronic device (col 11, line 23: “Computing system 610 …”, FIG. 6) comprising: 
a communicator (col 11, line 58: “… communication interface 622…”); 
a memory including at least one command (col 11, line 31: “… system memory 616 …”, col 2, lines 31-32: “… a traceroute command …”); and
at least one processor (col 11, line 30: “… at least one processor 614 …”) configured to execute the at least one command to (col 2, lines 56-59: “… at least one physical processor configured to execute the identification module …”, col 6, lines 45-46: “… identification module 104 may use a traceroute command to identify the set of hops.”): 
based on a user command inputting a first domain name (col 2, lines 31-32: “… executing a traceroute command …”), obtain a first Internet protocol (IP) address (FIG. 5, Traceroute Output 502, “158.8.41.196”) corresponding to the first domain name (col 10, lines 5-7: “As illustrated in FIG. 5, traceroute output 502 may include the IP addresses and roundtrip times …” Note: it is obvious to a person of skill in the art that the traceroute command takes the domain and returns the corresponding IP address. For example, tracert google.com would return an IP address of 142.251.16.101, and the number of hops between the client device and the google.com server. Traceroute Output 502 shows that the output is a set of IP addresses, which indicates that the input to the traceroute command was a set of domain names, though the inputs (domain names) are not shown),
based on a user command inputting a second domain name (col 2, lines 33-34: “… repeating the traceroute command at a predetermined interval …”), obtain a second Internet protocol (IP) address corresponding to the second domain name (FIG. 5, Traceroute Output 504, “35.250.42.241”),
However, Shavell failed to explicitly disclose the following limitations taught by Nikravesh:
based on the first IP address being identical to the second IP address (Nikravesh ¶15: “The anycast server instances 110, 120, 130 may each have the same IP address (e.g., 1.1.1.1).”), identify a number of hops included in a network path connecting a server corresponding to the first IP address and the electronic device to each other (Nikravesh, ¶41: “… the computing device 140 may build a hop-count profile for the transmitting device 122A. The hop-count profile may include the hop-counts to the various anycast server instances 110, 120, 130.”),
determine that a man-in-the-middle attack exists in the network path when a communication connection with the server is established based on a smaller number of hops than the identified number of hops (Nikravesh ¶48: “… the computing device 140 may determine or identify which (if any) of the hop counts … fail to match the known/stored hop counts …  by more than the predetermined amount higher or lower … This may indicate that the first … the second … the third spoofed data query, or a combination thereof are, in fact, from a spoofed IP address and/or are part of an attack or other harmful action.”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Shavell to incorporate the functionality of the computing device to detect multiple data queries, analyze IP addresses and trigger a responsive mitigation action as disclosed by Nikravesh. Such modification would provide timely detection and identification of MITM attacks, such as IP spoofing, and take mitigation actions.
Regarding claim 2:
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to identify the number of hops included in the network path connecting the server corresponding to the first IP address and the electronic device to each other based on information on the number of hops stored in the memory (Shavell col 2, lines 12-18: “… the initial set of hops may include only a predetermined number of hops counting outward from the computing device, the new set of hops may include the same predetermined number of hops. … determining that the new set of hops may include the abnormality may include detecting the abnormality within the predetermined number of hops.”). 
Regarding claim 5:
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to: 
identify the number of hops included in the network path connecting the server corresponding to the first IP address and the electronic device to each other when it is determined that the first IP address corresponding to the first domain name and an IP address corresponding to a domain name different from the first domain name are identical each other (Nikravesh ¶15: “The anycast server instances 110, 120, 130 may each have the same IP address (e.g., 1.1.1.1).”, ¶41: “… the computing device 140 may build a hop-count profile for the transmitting device 122A. The hop-count profile may include the hop-counts to the various anycast server instances 110, 120, 130.”), and
determine that the man-in-the-middle attack exists in the network when the communication connection with the server is established based on the smaller number of hops than the identified number of hops (Nikravesh ¶48: “… the computing device 140 may determine or identify which (if any) of the hop counts … fail to match the known/stored hop counts …  by more than the predetermined amount higher or lower … This may indicate that the first … the second … the third spoofed data query, or a combination thereof are, in fact, from a spoofed IP address and/or are part of an attack or other harmful action.”).  
The same motivation applied to claim 1, applies to claim 5.
Regarding claim 7:
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to: 
obtain the first IP address corresponding to the first domain name of a web page when the user command inputting the first domain name (Shavell, col 2, lines 31-32: “… executing a traceroute command …”) is received (Shavell, col 10, lines 5-7: “As illustrated in FIG. 5, traceroute output 502 may include the IP addresses and roundtrip times …”), and 
determine that the man-in-the-middle attack exists in the network path when the communication connection with the server corresponding to the first IP address is established based on one hop (Shavell, see FIG. 4, the computing device 402 and the illegitimate device 414 both connected at the first hop, i.e. Wireless Access Point 404. See also col 7, lines 17-20: “… the wireless access point may be the first hop from the computing device. As illustrated in FIG. 4, a computing device 402 may send and receive network traffic on a local network 414 via a wireless access point 404”).
Regarding claim 8: 
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to provide a notification for security of the network path through an output when it is determined that the man-in-the-middle attack exists in the network path (Shavell, col 10, lines 23-25: “… the systems described herein may display a notification to the user about the illegitimate device.”).  
Regarding claim 9:
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to end the communication connection with the server when it is determined that the man-in-the-middle attack exists in the network path (Shavell, col 10, lines 36-38: “… the systems described herein may disconnect the computing device from the wireless network in response to detecting the illegitimate device.”).
The same motivation which is applied in claim 1, applies to claim 9.
Regarding claim 10:
The combination of Shavell and Nikravesh discloses:
The electronic device as claimed in claim 1, wherein the at least one processor is further configured to transmit information on security of the network path to an external device connected to the electronic device through the communicator when it is determined that the man-in-the-middle attack exists in the network path (Shavell, col 10, lines 51-53: “… the systems described herein may send information about the wireless network and/or illegitimate device to a security database.”). 
Regarding claims 11-12, 15 and 17-19:
Claims 11-12, 15 and 17-19 recite substantially the same limitations as claims 1-2, 5 and 7-9, respectively, in the form of an electronic device implementing the corresponding method, therefore, they are rejected under the same rationale.
Regarding claim 20:
Claim 20 recites substantially the same limitations as claim 1, in the form of a computer readable recording medium including a program for executing the corresponding method of an electronic device, therefore, it is rejected under the same rationale.
Claims 3-4, 6, 13-14 and 16 are rejected under 35 USC § 103 as being unpatentable over Shavell, Nikravesh and further in view of USPAT No. US 10440053 B2 to Wyatt et al. (hereinafter “Wyatt”).
Regarding claim 3:
The combination of Shavell and Nikravesh discloses the electronic device as claimed in claim 1, but fails to explicitly disclose the following limitation taught by Wyatt:
wherein the at least one processor is further configured to:  
identify the number of hops included in the network path connecting the server corresponding to the first IP address and the electronic device to each other when a hypertext transfer protocol (HTTP) connection with the server is established based on the first IP address (see Wyatt ¶79: “… AMD 304 may request to load a static HTML page from an un-encrypted endpoint ... The ‘static HTML page’ is a document which is part of the content response (which contains the HTTP status code, any optional HTTP headers, and the HTTP content (i.e., the document)). …  AMD 304 parses this document, and counts the number of secure links encountered in the document.”), 
determine that the man-in-the-middle attack exists in the network when the communication connection with the server is established based on the smaller number of hops than the identified number of hops (see Wyatt ¶80: “AMD 304 verifies that received … secure link count match the expected content response.”, and ¶102: “TABLE 2 … ANOMALOUS_LINK_PROFILE An unexpected count of secure links indicates that so-called ‘SSL Stripping’”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Shavell and Nikravesh to incorporate the functionality of the AMD (Active MITM Detection) component to monitor network connections, and perform certain methods, such as counting the number of HTTP(S) links (hops) and comparing a response result to an expected value, to detect MITM attacks on the network connection, as disclosed by Wyatt. Such modification would provide timely detection and identification of anomalous devices when HTTP connection is established.
Regarding claim 4:
The combination of Shavell and Nikravesh discloses the electronic device as claimed in claim 1, but fails to explicitly disclose the following limitation taught by Wyatt:
wherein the at least one processor is further configured to: 
identify the number of hops included in the network path connecting the server corresponding to the first IP address and the electronic device to each other when a hypertext transfer protocol secure (HTTPS) connection with the server is established based on the first IP address (see Wyatt ¶41: “… AMD 304 counts the number of HTTPS href links embedded in the document received as a response to its probe, and compares that count to an expected count.”), and
determine that the man-in-the-middle attack exists in the network when the communication connection with the server is established based on the smaller number of hops than the identified number of hops (see Wyatt ¶09: “… an attacker subverts un-encrypted connections made by the victim, rewriting URLs in plain text documents that would normally be specified as HTTPS … to use plaintext HTTP (Hyper Text Transfer Protocol).”, and ¶80: “AMD 304 verifies that received … secure link count match the expected content response.”, and ¶102: “TABLE 2 … ANOMALOUS_LINK_PROFILE An unexpected count of secure links indicates that so-called ‘SSL Stripping’”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Shavell and Nikravesh to incorporate the functionality of the AMD (Active MITM Detection) component to monitor network connections, and perform certain methods, such as counting the number of HTTP(S) links (hops) and comparing a response result to an expected value, to detect MITM attacks on the network connection, as disclosed by Wyatt. Such modification would provide timely detection and identification of anomalous devices when HTTPS connection is established.
Regarding claim 6:
The combination of Shavell and Nikravesh discloses the electronic device as claimed in claim 1, but fails to explicitly disclose the following limitation taught by Wyatt:
wherein the at least one processor is further configured to: 
identify the number of hops included in the network path connecting the server corresponding to the first IP address and the electronic device to each other when the first IP address is a public IP address (see Wyatt ¶79: “… AMD 304 … counts the number of secure links encountered …”, ¶21: “Computer network 100 includes … one or more server systems 120 coupled to a communication network 125 via a plurality of communication links 130.”, and ¶22: “… communication network 125 may be any suitable communication network including a local area network (LAN), a wide area network (WAN … an intranet, a private network … a public network …”), and
determine that the man-in-the-middle attack exists in the network when the communication connection with the server is established based on the smaller number of hops than the identified number of hops (see Wyatt ¶80: “AMD 304 verifies that received … secure link count match the expected content response.”, and ¶102: “TABLE 2 … ANOMALOUS_LINK_PROFILE An unexpected count of secure links indicates that so-called ‘SSL Stripping’”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Shavell and Nikravesh to incorporate the functionality of the communication network to provide a mechanism for allowing the various components to communicate and exchange information with each other, which is suitable for networks such as a private network and a public network as disclosed by Wyatt. Such modification would enable detecting and mitigating anomalous devices in various types of networks, including public networks.
Regarding claims 13-14 and 16: 
Claims 13-14 and 16 recite substantially the same limitations as claims 3-4 and 6, respectively, in the form of an electronic device implementing the corresponding method, therefore, they are rejected under the same rationale. 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Marzorati et al. (US-PGPUB No. 2019/0222588 A1) - disclosed various methods for detecting a man-in-the-middle (MITM) attack during HTTP(S) communications.
Singhal et al. (US-PGPUB No. 2017/0070419 A1) - disclosed systems and methods for associating multiple transport layer hops between a client and a server.
Hayward et al. (US-PGPUB No. 20190044974 A1) - disclosed apparatuses, methods, systems and program products for detecting man-in-the-middle attacks on a local area network.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491