DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to communication filed on 12/30/2020.
Status of claims in the instant application:
Claims 1-7 and 9-22 are pending.
*** Note: There is no “claim 8”.
Priority
The instant application claims benefit of 62/955,615 filed on 12/31/2019.
Information Disclosure Statement
Information Disclosure Statements (IDS) filed on 12/30/2020 and 04/30/2021 have been considered, and a signed copies of the IDS forms have been attached to this office action.
Drawings
Drawings filed on 12/30/2020 have been inspected, and it’s in compliance with MPEP 608.02.
Specification
Specification filed on 12/30/2020 has been inspected and it’s in compliance with MPEP 608.01.
Claim Objections
Claims 13 and 19 are objected to because of the following informalities:
	Claim 13 recites, “The system of claim 1, wherein each of the plurality of detectors is realized a software agent executed over a hardware layer of the respective network node”.
	It appears that the above recited limitation has a missing word after “realized”. May be it’s missing the word “as” or “using”
	Claim 19 also recites language similar to claim 13, and hence objected similarly.
Claim 20 is are objected to because of the following informalities:
	Claim 20 recites, “The method of claim 14, wherein the software agent is realized as any one of: a microservice, a software container, a lightweight virtual machine, wherein the software agent is realized as any one of: a microservice, a software container, a lightweight virtual machine”
	Claim 20 appears to recite, “wherein the software agent is realized as any one of: a microservice, a software container, a lightweight virtual machine” twice (duplicate recitation of the same limitation)
Appropriate corrections are required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are:
	Claims 1, 2, 4, 5, 6 and 7 recites, “ … each of the plurality of detectors is configured to …”
Because these claim limitations are being interpreted under 35 U.S.C. 112(f), they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
The specification of the instant application (PGPUB US 20210226988 A1) describes the following:
Para [0035]:  In an embodiment, each detector 230 is realized as a lightweight detector executed over a hardware layer of a node 240 including at least a memory and a processor (not shown in FIG. 2). The hardware layer may be provided by a network node such as, but not limited to, a switch, a hub, a router, a load balancer, an analog-to-digital (ADC) converter, and the like. In yet another configuration, the hardware layer may be provided by a compute node, e.g., a server. An example diagram of such a hardware layer is described further below with respect to FIG. 7. The lightweight detector may be realized as a software container, a microservice, a lightweight virtual machine, and the like.
Para [0053]: FIG. 5 is an example illustration depicting a functional block diagram of the detector  230 according to an embodiment. The detector  230 may be implemented as a software agent realized via a software container, a micro-service, a lightweight virtual machine, and the like. The detector 230, and hence the software agent, is executed over a hardware layer of a compute node or a network node, examples of which are provided above. It should be noted that software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry of a compute node or a network node, cause the processing circuitry to perform the various processes described herein. An example schematic diagram for the hardware layer which may be utilized for executing the detector  (software agent) is shown in FIG. 7.”
Additionally, claims 13 and 19 of the instant application recite, “… wherein each of the plurality of detectors is realized a software agent executed over a hardware layer of the respective network node.”
If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f), applicant may:  (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 14 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 14 recites the limitation, “ Page 19 of 30RADW P1654instantiating a plurality of security functions on each of the plurality of detectors, wherein the plurality of security functions;”
	It’s not clear from the claim language if the above limitation is missing for the “wherein …. functions”. Therefore, the language of the claim makes it ambiguous/indefinite and hence rejected as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Appropriate correction is required.
	**** Note: For Examination purposes the “wherein the plurality of security functions” is not given any patentable weight.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-19 and 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120216282 A1 to Pappu et al. (hereinafter “Pappu”) in view of “NPL: IoT-Based DDoS Attack Detection and Mitigation Using the Edge of SDN” to Yang et al. (hereinafter “Yang”), Presented at “Cyberspace Safety and Security: 11th International Symposium, CSS 2019, Guangzhou, China, December 1–3, 2019”.
Regarding Claim 1. Pappu discloses A system for disaggregated detection denial-of-service (DDoS) attacks (Pappu; Abstract, FIG.1: Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities), comprising:
a plurality of detectors deployed on a plurality of network nodes (Pappu, Para [0026, 0029]: … FIG. 1 depicts an example environment 100 comprising one or more DDoS attackers 110A-N and one or more legitimate users 130A-N coupled via a network (e.g., Internet) 120, a DDoS solution 150 having one or more local-tier mechanisms 140A-N and an additional global-tier mechanism 160, one or more security appliance 170 [e.g., Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Anti-DDoS System], a switch 180, and plurality of servers 190. While an embodiment of the local-tier mechanism 140 is shown as a router in FIG. 1, the local-tier mechanism may be implemented in other systems as well (e.g., security appliance, legacy routers) …), [wherein each network node is connected to an edge network], wherein one detector of the plurality of detectors is deployed in each of the plurality of network nodes, wherein each of the plurality of detectors is configured to detect and characterize at least a DDoS attack by analyzing telemetries received by the respective network node in which the detector is deployed (Pappu, Para [0029-0031]: … The example environment shown in FIG. 1 illustrates an example DDoS solution 150 whereby the plurality of servers 190 are monitored for attacks. The DDoS solution 150 can be implemented via a two-tier approach, whereby each tier includes a detection phase and a mitigation phase. The first tier 140 of this embodiment comprises of the local detection and local mitigation phases. In other words, the local-tier is based on a local view of traffic to the servers on an individual basis. The second tier 160 of this embodiment also performs detection and mitigation functions, but performed on a more holistic (e.g., global) basis that accounts for system and network level requirements. That is, the global tier is based on aggregating data from multiple local tiers to give a more comprehensive view of traffic to a server. The detection phase of the second tier includes periodically receiving data from one or more local tier entities. The mitigation phase of the global tier includes applying a more comprehensive policy that can address a particular anomaly as it allows unaffected activity to resume …  the DDoS solution 150 solely comprises of one or more local mechanisms 140A-N performing local detection and mitigation of a high-rate DDoS attack. The detection phase of a local-tier mechanism 140 identifies a high-rate DDoS attack by proactively looking for anomalous traffic patterns localized to the server(s) 190. The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers …).
However, Pappu does not explicitly teach, but Yang from same or similar field of endeavor teaches, “wherein each network node is connected to an edge network (Yang; Abstract, FIG. 1-2, Pages 7-8: … we use Software Defined Networking (SDN), a promising network architecture, for dropping malicious traffic in propagation path to avoid avalanche effect on the victim server in the traditional network. For the existing works, a lot of time and resources are wasted in using the controller of SDN to detect attacks. Unlike them, we take the features of IoT traffic into consideration and utilize the edge computing to provide local services by putting detection and mitigation method into the OpenFlow (OF) switches of IoT. This achieves a distributed anomaly detection to detect and respond IoT-based DDoS attacks in real time, and avoids the overload of the controller. Machine learning is used in the OF switches with around 99% precision … OF switches. The SDN-compatible OF switches are the end-point of the service provider’s network and they are responsible for forwarding packets. Each OF switch has at least one flow table of flow statistics. The SDNIGs are a subset of OF switches and they are the platform of edge computing, to which we apply DDoS attack detection and mitigation mechanism. The flow statistics in SDNIGs are analyzed to detect the
IoT-based attacks. When the attacks are detected, the policies and rules will be issued in the OF switches for security purpose. SDN Controller. A cluster of controllers provides high reliability and availability services. They are aware of the complete topology of the network to issue forwarding rules to the OF switches …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yang into the teachings of Pappu, because it discloses that “Unlike the existing works, we put IoT-based DDoS attack detection and mitigation mechanism in the SDNIGs. By analyzing the flow statistics and making decisions while a DDoS attack occurs in the edge switches, it is detected and responded in real time and the overload of the controller is avoided (Yang, Page 5)”.
Regarding Claim 2. The combination of Pappu-Yang discloses the system of claim 1, Pappu further discloses, “further comprising:
a controller communicatively connected to the plurality of detectors, wherein the controller is configured to at least provision the plurality of detectors (Pappu, Para [0029]: … The example environment shown in FIG. 1 illustrates an example DDoS solution 150 whereby the plurality of servers 190 are monitored for attacks. The DDoS solution 150 can be implemented via a two-tier approach, whereby each tier includes a detection phase and a mitigation phase. The first tier 140 of this embodiment comprises of the local detection and local mitigation phases. In other words, the local-tier is based on a local view of traffic to the servers on an individual basis. The second tier 160 of this embodiment also performs detection and mitigation functions, but performed on a more holistic (e.g., global) basis that accounts for system and network level requirements. That is, the global tier is based on aggregating data from multiple local tiers to give a more comprehensive view of traffic to a server. The detection phase of the second tier includes periodically receiving data from one or more local tier entities. The mitigation phase of the global tier includes applying a more comprehensive policy that can address a particular anomaly as it allows unaffected activity to resume …).”
Regarding Claim 3. The combination of Pappu-Yang discloses the system of claim 1, Pappu further discloses, “wherein each of the plurality of detectors is further configured to:
generate a mitigation policy; and set the respective network node in which the detector is deployed with the mitigation policy (Pappu, Para [0030]: …  the DDoS solution 150 solely comprises of one or more local mechanisms 140A-N performing local detection and mitigation of a high-rate DDoS attack. The detection phase of a local-tier mechanism 140 identifies a high-rate DDoS attack by proactively looking for anomalous traffic patterns localized to the server(s) 190. The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers) …).”
Regarding Claim 4. The combination of Pappu-Yang discloses the system of claim 1, Pappu further discloses, “wherein each of the plurality of detectors is further configured to perform a first security function to detect anomalies in the telemetries received by the respective network node, wherein the detected anomalies are indicative of a potential DDoS attack (Pappu, Para [0030]: … In one embodiment, the DDoS solution 150 solely comprises of one or more local mechanisms 140A-N performing local detection and mitigation of a high-rate DDoS attack. The detection phase of a local-tier mechanism 140 identifies a high-rate DDoS attack by proactively looking for anomalous traffic patterns localized to the server(s) 190. The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers) …).”
Regarding Claim 5. The combination of Pappu-Yang discloses the system of claim 4, Pappu further discloses, “wherein each of the plurality of detectors is further configured to perform a second security function to generate attack signatures based on the detected anomalies (Pappu, Para [0036-0037]: … the DDoS solution 150 includes local tier 140 detection and mitigation. The detection phase monitors and updates flow data in a system by monitoring real-time statistics. The detection phase also includes identifying anomalous traffic patterns in which more than one anomaly algorithms are implemented to detect deviations in traffic. As an example, an algorithm may define "normal" traffic conditions to be a predetermined proportion of sent packets/flows to number of bytes in a given observation period on a specific incoming/outgoing interface or destination address [DA] (server). As such, an "attack" can be considered to be any deviation from "normal" by a certain factor … the local tier 140 detection is performed by one or more linecards 210A-N that are integrated into a device (e.g., flow router 140) in the system (termed "inline"). Given the linecard's 210 position in the system, it can act as a first line of defense and quickly identify anomalous traffic patterns within a short time (e.g., tens of seconds) …).”
Regarding Claim 6. The combination of Pappu-Yang discloses the system of claim 5, Pappu further discloses, “wherein each of the plurality of detectors is further configured to perform a third security function to generate at least one mitigation policy based on the generated attack signatures (Pappu, Para [0093]: … This is an example of an operator-configured mitigation policy that lists a set of DAs that need to be monitored for attacks. If the attack probability (P.sub.attack) is greater than 0.8, up to the maximum value of 1.0, then the configured action to be enforced on traffic from the attacker SAs include CACing (connection admission control of new flows, reducing bandwidth) by an amount determined in proportion to the traffic deviation factor td and logging the attacker (SA) details …)”.
Regarding Claim 7. The combination of Pappu-Yang discloses the system of claim 6, Pappu further discloses, “wherein the first security function, the second security function, and the third security function are instantiated on-demand, wherein each of the plurality of detectors is configured to execute a plurality of instances of each of the first security function, the second security function, and the third security function (Pappu, Abstract, Para [0050-0061], FIG. 3: … The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis … FIG. 3 depicts a flow diagram illustrating an example process 300 of local-tier detection and mitigation, according to one embodiment … During local-tier detection, more than one algorithm is applied to monitor and detect a traffic anomaly, and ultimately a DDoS attack. Among the many detection algorithms proposed in literature, all detection algorithms are based on several assumptions and have specific constraints. Each algorithm is plagued with a certain false positive and false negative rate. As such, multiple algorithms are employed so that a DDoS attack can be identified with a high level of certainty …  If a traffic anomaly is not observed (block 330--No), the system returns to block 310 where it continues to run anomaly detection algorithms. If a traffic anomaly is observed (block 320--Yes), the system proceeds to perform local-tier mitigation. Upon the determination that a traffic anomaly has been observed (see FIG. 4), the system enters a threat-detected mode 330; whereupon operator-configured mitigation actions can be initiated. In addition, a proactive alert can be issued via activity updates/logs and an operator can be notified at the first sign of any unusual activity. Further details regarding the processes of this threat-detected mode is described below relating to FIG. 5 …)”.
Regarding Claim 9. The combination of Pappu-Yang discloses the system of claim 2, Pappu further discloses, “wherein the controller is further configured to generate a forensic report based on attacks detected by the plurality of detectors  (Pappu, Para [0044]: … The BSR module 230 can run anomaly algorithm(s) at different levels of granularity to detect any traffic deviations from "normal." Additional features peripheral to this main function can be performed by the BSR module 230, such as providing periodic reports of flow or aggregate records to other modules … )”.
Regarding Claim 10. The combination of Pappu-Yang discloses the system of claim 2, Pappu further discloses, “wherein the controller is further configured to: instantiate a new detector on one of the plurality of network nodes (Pappu, Para [000076-0077]: … FIG. 6 depicts a flow diagram illustrating an example process 600 of local-tier mitigation, according to one embodiment. After local-tier detection, any observed traffic anomalies on a certain level (e.g., DA) cause the system to enter a threat-detected mode and perform local-tier mitigation …  if the DA is not perceived to be under attack (decision block 605--No), this may indicate "no attack" and the anomaly algorithms can continue to be executed (block 610). Note that additional heuristic measurements such as low average packet size, large percentage of TCP or UDP packets, or a high number of flows, etc. may be considered as part of anomaly algorithms being run as well, in order to detect traffic deviations …)”.
Regarding Claim 11. The combination of Pappu-Yang discloses the system of claim 2, Pappu further discloses, “wherein the controller is further configured to: cause setting of a first detector with a mitigation policy determined by a second detector (Pappu, Para [0080]: … After all SAs have been checked (decision block 645--Yes), the system returns to running anomaly algorithms at block 610 and determines whether a noticeable deviation in traffic can still be observed (e.g., is the DA still under attack). The process can repeat again and a new list of SAs (which may be different each time depending on which SA is sending traffic to the server) is created again (block 615) for which to apply local-tier mitigation policies  …)”.
Regarding Claim 12. The combination of Pappu-Yang discloses the system of claim 1, Pappu further discloses, “wherein each detector of the plurality of detectors is deployed is activated, upon receiving a layer-1 anomaly (Pappu, Para [0037]: …  the local tier 140 detection is performed by one or more linecards 210A-N that are integrated into a device (e.g., flow router 140) in the system (termed "inline"). Given the linecard's 210 position in the system, it can act as a first line of defense and quickly identify anomalous traffic patterns within a short time (e.g., tens of seconds) …)”.
Regarding Claim 13. The combination of Pappu-Yang discloses the system of claim 1, Pappu further discloses, “wherein each of the plurality of detectors is realized a software agent executed over a hardware layer of the respective network node (Pappu, Para [0037]: … the local tier 140 detection is performed by one or more linecards 210A-N that are integrated into a device (e.g., flow router 140) in the system (termed "inline"). Given the linecard's 210 position in the system, it can act as a first line of defense and quickly identify anomalous traffic patterns within a short time (e.g., tens of seconds) …)”.
Regarding Claim 14. Pappu discloses A method for disaggregated detection denial-of-service (DDoS) attacks (Pappu; Abstract, FIG.1: Methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks are herein described. The present invention contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local- and a global-basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore, the attack probabilities), comprising:
deploying a plurality of detectors on a plurality of network nodes (Pappu, Para [0026, 0029]: … FIG. 1 depicts an example environment 100 comprising one or more DDoS attackers 110A-N and one or more legitimate users 130A-N coupled via a network (e.g., Internet) 120, a DDoS solution 150 having one or more local-tier mechanisms 140A-N and an additional global-tier mechanism 160, one or more security appliance 170 [e.g., Intrusion Prevention System (IPS), Intrusion Detection System (IDS), Anti-DDoS System], a switch 180, and plurality of servers 190. While an embodiment of the local-tier mechanism 140 is shown as a router in FIG. 1, the local-tier mechanism may be implemented in other systems as well (e.g., security appliance, legacy routers) …), [wherein each network node is connected to an edge network]; and
Page 19 of 30RADW P1654instantiating a plurality of security functions on each of the plurality of detectors (Pappu; Abstract, Para [0052]: The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack … During local-tier detection, more than one algorithm is applied to monitor and detect a traffic anomaly, and ultimately a DDoS attack. Among the many detection algorithms proposed in literature, all detection algorithms are based on several assumptions and have specific constraints. Each algorithm is plagued with a certain false positive and false negative rate. As such, multiple algorithms are employed so that a DDoS attack can be identified with a high level of certainty …), wherein the plurality of security functions;
activating a first security function to detect anomalies in the telemetries received by the respective network node, wherein the detected anomalies are indicative of a potential DDoS attack (Pappu; Abstract, Para [0052-0054]: …  simple algorithms requiring minimal processing overhead are used to quickly perform a first pass detection. In another embodiment, several complex algorithms are deployed in parallel at the same time. In such an embodiment, if a majority of algorithms deem the traffic deviation to be an attack, this is often a strong indication of an attack. On the other hand, if the number of algorithms that deem the traffic deviation as an attack is a minority, this often signifies a lower risk of a real attack and/or indicates a false positive … A deviation in the traffic ratios is often indicative of a potential threat …);
activating a second security function to generate attack signatures based on the detected anomalies (Pappu, Para [0030-0037, 0063]: … the DDoS solution 150 solely comprises of one or more local mechanisms 140A-N performing local detection and mitigation of a high-rate DDoS attack. The detection phase of a local-tier mechanism 140 identifies a high-rate DDoS attack by proactively looking for anomalous traffic patterns localized to the server(s) 190. The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers)…); and
activating a third security function to generate at least one mitigation policy based on the generated attack signatures (Pappu, Para [0030, 0032, 0093]: … The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers) … an operator-configured mitigation policy that lists a set of DAs that need to be monitored for attacks. If the attack probability (P.sub.attack) is greater than 0.8, up to the maximum value of 1.0, then the configured action to be enforced on traffic from the attacker SAs include CACing (connection admission control of new flows, reducing bandwidth) by an amount determined in proportion to the traffic deviation factor td and logging the attacker (SA) details …).
However, Pappu does not explicitly teach, but Yang from same or similar field of endeavor teaches, “wherein each network node is connected to an edge network (Yang; Abstract, FIG. 1-2, Pages 7-8: … we use Software Defined Networking (SDN), a promising network architecture, for dropping malicious traffic in propagation path to avoid avalanche effect on the victim server in the traditional network. For the existing works, a lot of time and resources are wasted in using the controller of SDN to detect attacks. Unlike them, we take the features of IoT traffic into consideration and utilize the edge computing to provide local services by putting detection and mitigation method into the OpenFlow (OF) switches of IoT. This achieves a distributed anomaly detection to detect and respond IoT-based DDoS attacks in real time, and avoids the overload of the controller. Machine learning is used in the OF switches with around 99% precision … OF switches. The SDN-compatible OF switches are the end-point of the service provider’s network and they are responsible for forwarding packets. Each OF switch has at least one flow table of flow statistics. The SDNIGs are a subset of OF switches and they are the platform of edge computing, to which we apply DDoS attack detection and mitigation mechanism. The flow statistics in SDNIGs are analyzed to detect the
IoT-based attacks. When the attacks are detected, the policies and rules will be issued in the OF switches for security purpose. SDN Controller. A cluster of controllers provides high reliability and availability services. They are aware of the complete topology of the network to issue forwarding rules to the OF switches …).”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yang into the teachings of Pappu, because it discloses that “Unlike the existing works, we put IoT-based DDoS attack detection and mitigation mechanism in the SDNIGs. By analyzing the flow statistics and making decisions while a DDoS attack occurs in the edge switches, it is detected and responded in real time and the overload of the controller is avoided (Yang, Page 5)”.
Regarding Claim 15. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “further comprising:
setting the respective network node with the at least one generated mitigation policy (Pappu, Para [0030, 0032, 0093]: … The mitigation phase of the local-tier mechanism 140 includes controlling a high-rate DDoS attack to particular server(s) by, dynamically applying a policy suited for the type of attack (such as enforcing a punitive action on traffic coming from the attackers) … an operator-configured mitigation policy that lists a set of DAs that need to be monitored for attacks. If the attack probability (P.sub.attack) is greater than 0.8, up to the maximum value of 1.0, then the configured action to be enforced on traffic from the attacker SAs include CACing (connection admission control of new flows, reducing bandwidth) by an amount determined in proportion to the traffic deviation factor td and logging the attacker (SA) details …).”
Regarding Claim 16. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “further comprising:
reporting, in real-time, all detected DDoS attacks to a controller (Pappu, Para [0107]: … After the local and global-tier mitigation policies begin to take effect, the traffic patterns (e.g., computed ratios/thresholds) monitored by the local and global tier detection phases should begin to return to a "normal" state as the DDoS attack subsides. With the traffic patterns returning to normal (as indicated by the computed ratios and traffic deviation parameters returning to normal baseline values), any mitigation policies implemented in the local and global tier of the DDoS solution 150 can be terminated. In one embodiment, the DDoS solution 150 can automatically suspend any mitigation policies that were applied. In another embodiment, control of the mitigation policies can be transferred to an operator for manual or real-time handling. In a case where indicators of an attack remain, mitigation policies can continue to be implemented until traffic patterns return to normal …).”
Regarding Claim 17. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “further comprising:
receiving at least a first detector of the plurality of detectors a mitigation policy generated by a second detector (Pappu, Para [0080]: … After all SAs have been checked (decision block 645--Yes), the system returns to running anomaly algorithms at block 610 and determines whether a noticeable deviation in traffic can still be observed (e.g., is the DA still under attack). The process can repeat again and a new list of SAs (which may be different each time depending on which SA is sending traffic to the server) is created again (block 615) for which to apply local-tier mitigation policies  …)”.
Regarding Claim 18. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “wherein the telemetries are layer 3-4 telemetries (Pappu, Para [0077-0078]: … Alternatively, if the DA is not perceived to be under attack (decision block 605--No), this may indicate "no attack" and the anomaly algorithms can continue to be executed (block 610). Note that additional heuristic measurements such as low average packet size, large percentage of TCP or UDP packets, or a high number of flows, etc. may be considered as part of anomaly algorithms being run as well, in order to detect traffic deviations …)”.
Regarding Claim 19. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “wherein each of the plurality of detectors is realized a software agent executed over a hardware layer of the respective network node (Pappu, Para [0026, 0037]: … the local tier 140 detection is performed by one or more linecards 210A-N that are integrated into a device (e.g., flow router 140) in the system (termed "inline"). Given the linecard's 210 position in the system, it can act as a first line of defense and quickly identify anomalous traffic patterns within a short time (e.g., tens of seconds) …)”.
Regarding Claim 21. The combination of Pappu-Yang discloses the method of claim 14, Pappu further discloses, “wherein each detector of the plurality of detectors is deployed is activated, upon receiving a layer-1 anomaly (Pappu, Para [0037]: …  the local tier 140 detection is performed by one or more linecards 210A-N that are integrated into a device (e.g., flow router 140) in the system (termed "inline"). Given the linecard's 210 position in the system, it can act as a first line of defense and quickly identify anomalous traffic patterns within a short time (e.g., tens of seconds) …)”.
Regarding Claim 22. This claim contains all the same or similar limitations as claim 14, and hence similarly rejected as claim 14.
**** Note: Pappu also discloses “non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process (Pappu, Para [0035])”
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Pub. No.: US 20120216282 A1 to Pappu et al. (hereinafter “Pappu”) in view of “NPL: IoT-Based DDoS Attack Detection and Mitigation Using the Edge of SDN” to Yang et al. (hereinafter “Yang”), Presented at “Cyberspace Safety and Security: 11th International Symposium, CSS 2019, Guangzhou, China, December 1–3, 2019”, as applied to claim 14 above, and further in view of PAT US 10200384 B1 to Mushtaq et al. (hereinafter “Mushtaq”). 
Regarding Claim 20. The combination of Pappu-Yang discloses the method of claim 14, however it does not explicitly teach, but Mushtaq from same or similar field of endeavor teaches, “wherein the software agent is realized as any one of: a microservice, a software container, a lightweight virtual machine (Mushtaq, col.18,ln.52-65:  FIG. 7 is a block diagram of an illustrative computer network system 700 having a malicious content detection system 750, a server device 710 and a client device 730, each coupled for communication via a communication network 720. The malicious network content detection system 750 may monitor exchanges of network content (e.g., Web content) in real-time rather than intercepting and holding the network content until such time as it can determine whether the network content includes malicious network content. The malicious network content detection system 725 may be configured to inspect exchanges of network content over the communication network 720, identify suspicious network content, and analyze the suspicious network content using a virtual machine to detect malicious network content …), wherein the software agent is realized as any one of: a microservice, a software container, a lightweight virtual machine.”
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mushtaq into the combined teachings of Pappu-Yang, because it discloses that “a two-phase malware detection approach to detect malware contained in network traffic monitored in real-time. In a first or “static” phase, a heuristic is applied to network traffic to identify and filter packets that appear suspicious in that they exhibit characteristics associated with malware. In a second or “dynamic” phase, the suspicious packets (and typically only the suspicious packets) are replayed within one or more virtual machines. For example, if a user is trying to download a file over a network, the file is extracted from the network traffic and analyzed in the virtual machine using an instance of a browser to load the suspicious packets. The results of the analysis constitute monitored behaviors of the suspicious packets, which may indicate that the file should be declared malicious. The two-phase malware detection solution may detect numerous types of malware and, even malware missed by other commercially available approaches. Through its verification technique, the two-phase malware detection solution may also achieve a significant reduction of false positives relative to such other commercially available approaches (Mushtaq, col.2,ln.11-44)”.

Pertinent Prior Arts
The following prior arts made of record and not relied upon are considered pertinent to applicant's disclosure.
	US 20090013404 A1; Chow et al.: Chow discloses that when  the processing resources of a host system are occupied beyond a trigger point by incoming requests, that host system issues a cool-it message that is broadcast throughout the network, eventually reaching edge routers that, in response to the message, throttle the traffic that they pass into the network. The throttling is applied in increasing amounts with increasing traffic volumes received at the edge routers. The cool-it messages are authenticated to ensure that they are not being used as instruments of a DoS attack. This mechanism also works to control legitimate network congestion, and it does not block users from a host system that is under attack.
	The invention is directed to secure transmissions over communication networks and in particular to an overload protection mechanism against distributed Denial of Service (DDOS) attacks and a method of implementing the defense.
NPL: Towards IoT-DDoS Prevention Using Edge Computing; Bhardwaj et al: Bhardwaj discloses that Application-level DDoS attacks mounted using compromised IoT devices are emerging as a critical problem. The application-level and seemingly legitimate nature of traffic in such attacks renders most existing solutions ineffective, and the sheer amount and distribution of the generated traffic make mitigation extremely costly. This paper proposes a new approach which leverages edge computing to deploy edge functions that gather information about incoming traffic and communicate that information via a fast-path with a nearby detection service. This accelerates the detection and the arrest of such attacks, limiting their damaging impact. Preliminary investigation shows promise for up to 10x faster detection that reduces up to 82% of the Internet traffic due to IoT-DDoS. 
Bhardwaj also discloses detection of a DDoS is best done close to the victim, whereas its mitigation and prevention are most effective close to the attack source. Second, the emergence of a new infrastructure tier at the edge of the network, including mobile edge computing (MEC) access points [33], fog computing gateways [26], and similar elements, presents opportunities to dynamically provision edge functions [25, 48, 44] to handle the vast amounts of Internet traffic created by IoT devices.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAHABUB S AHMED whose telephone number is (571)272-0364.  The examiner can normally be reached on 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MAHABUB S AHMED/Examiner, Art Unit 2434

/DANT B SHAIFER HARRIMAN/Primary Examiner, Art Unit 2434