DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 6/19/2022 and 8/2/2022 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Response to Amendments
The amendment filed 07/11/2022 has been entered. Claims 1, 8, 10-11, 14, 17, 19, 29-30 are currently amended. Claims 1-30 are pending in the application.
The objection of claim 17 due to informalities has been withdrawn in light of applicant’s amendment to the claim.
The rejection of claims 10-11, 19 under 35 USC 112(b) due to lack of antecedent basis has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments regarding the claim rejections under 35 USC 103 (see pages 13-18 of the Remarks filed 7/11/2022) have been fully considered but are moot in view of the newly applied prior art incorporated in the current Office action.
Examiner acknowledges that Applicant has amended independent claim 1 (and similarly claims 29 and 30) to include the underlined limitations reciting “creating a dataset comprising the public IP addresses in the DNS resolutions detected in the information extracted from the data traffic” and “identifying any of the detected transmissions whose respective public IP addresses are not included in the dataset as they were not resolved by the DNS resolutions and are therefore suspicious”, inter alia.
Applicant mainly argued that reference Dandliker does not teach the amended limitation(s) above. Upon review of the previously identified prior art and an updated search, examiner asserts that reference El-Moussa and newly found reference Levin teach all elements of claim 1 (and similarly claims 29 and 30). See the current Office action presented below for details.
It is suggested that Applicant further incorporate innovative features into the independent claims to advance the case.
Claim Objections
Claims 1 and 29-30 are objected to because of the following informalities:
Claim 1, and similarly claims 29 and 30, recites “identifying any of the detected transmissions whose respective public IP addresses are not included in the dataset as they were not resolved by the DNS resolutions and are therefore suspicious”. The underlined portion is the result of the identifying step and is therefore intended use. Applicant may recite “identifying any of the detected transmissions as suspicious transmissions whose respective public IP addresses are not included in the dataset as they (the respective public IP addresses) were (are) not resolved by the DNS resolutions”, or a more appropriate form.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 7, 9, 11, 14, 25, 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa et al (US20110302656A1, hereinafter, “El-Moussa”), in view of Levin et al (US20190190931A1, hereinafter, “Levin”).
Regarding claim 1, El-Moussa teaches:
A method for protecting a computer system (El-Moussa, [Abstract] A malicious behaviour detector (100) for detecting malicious behaviour on a network), comprising: 
collecting, by a processor (El-Moussa, Fig. 2 processor unit), information extracted from data traffic transmitted (El-Moussa, [0028] In overview, the MBD generally operates in a listening mode … such that all traffic travelling over the LAN 20 is received by the MBD100. And referring to Fig.3 steps S10-S20, and [0047] The method commences and thereafter at steps S10 and S20 the MBD 100 monitors all traffic passing on the LAN 20 and awaits receipt of an Ethernet frame  by looping through steps S10 and S20 until such a frame of data is received (i.e. extract) whereupon the method proceeds to step S30) between multiple local nodes on a private data network (El-Moussa, Fig. 1 LAN 20 (i.e. private network), Host A, B, etc. (local nodes)) and public Internet Protocol (IP) addresses corresponding to multiple remote nodes on a public data network (El-Moussa, Fig. 1 internet 40 (i.e. public data network), Attacker device 50 (i.e. remote node), and [0035] For example, it could try to instigate the blocking of all traffic coming from an IP address suspected of sending malicious packets of data (e.g. by sending a message to the gateway/router device 30 connecting the LAN 20 to the Internet 40 to not forward on any traffic coming from a specified external IP address (e.g. from the IP address associated with device 50). Examiner notes, claim recites “multiple remote nodes” and does not recite any specific features that is/are unique with the multiple remote nodes, while El-Moussa’s Attacker Device shown in Fig. 1 can be interpreted as multiple Attacker Devices. Examiner further notes public IP addresses are IP addresses when device(s) are in public network such as internet 40 of El-Moussa (Fig. 1)); 
detecting, in the collected information, Domain Name System (DNS) resolutions, each DNS resolution identifying a local node requesting the resolution with respect to a uniform resource identifier (URI) and a public IP address corresponding to the URI (El-Moussa, [Abstract] a Domain Name Service, DNS, request and/or response detection module (134) to monitor the requests made by hosts connected to the network and/or responses thereto. And [0033] Similarly, the DNS request detection module 134 inspects all Ethernet frames which contain a DNS query … Having identified a DNS request, the DNS module 134 checks to see if the address to be resolved is a known blacklisted name (or, in the case of a DNS response if the response includes a known blacklisted IP address … see for example the list of known malicious IP addresses contained at the following URL http://www.dshield.org/ sources.html) i.e. a domain name (or an IP address). And [0036] the evidence assessment module 138 determines that there is likely to be malicious behaviour occurring if either it detects a signature match in a received Ethernet frame, or if it detects a DNS request or response associated with a black-listed domain name or IP address); 
creating a dataset comprising the public IP addresses in the DNS resolutions detected in the information extracted from the data traffic (El-Moussa, [0033] If so, it alerts the evidence assessment module of this fact directly and then sends details of the DNS message (request or response) to the logging module 136 (i.e. dataset, it is obvious to one ordinary skilled in the art that logging is collecting/extracting data from data traffic) for logging; otherwise, it just sends details of the message to the logging module 136 for logging without directly alerting the evidence assessment module 138. And [0034] Similarly, whenever a DNS message is detected, details of the DNS message (especially the IP addresses of the source and destination...). Additionally, whenever any new details are logged by the logging module, the logging module 136 is responsible for ensuring that the evidence assessment module 138 reconsiders the new evidence in light of the old);
detecting, in the collected information, transmissions from the local nodes to the public IP addresses at respective times (El-Moussa, [0039] detecting a significant change in the number of DNS requests issued by a particular host (this can be monitored by keeping a record of the top n hosts in terms of the number of DNS requests they send and adding a small probability to any hosts which enter the top n list--preferably such evidence should time out if no further corroborative evidence is found within a certain period of time--e.g. within 4 hours) (i.e. respective times)); 
and initiating a protective action with respect to at least some of the identified transmissions (El-Moussa, Fig. 3B step S100, and [0051] the amassed evidence (for the or each device, etc. for which the threshold is exceeded) is sent to the administrator in a warning message so that the administrator can decide what action to take about the suspected malicious behaviour (i.e. protective action)).  
While El-Moussa teaches the main concept of the invention, i.e. detection of malicious behavior of local devices toward a public device (attacker) by using a DNS request detection module to monitor the requests made by hosts connected to the network and/or the responses thereto, El-Moussa does not expressly teach identifying any of the detected transmissions whose respective public IP addresses are not included in the dataset as they were not resolved by the DNS resolutions and are therefore suspicious. However, in the same field of endeavor, Levin teaches:
identifying any of the detected transmissions whose respective public IP addresses are not included in the dataset as they were not resolved by the DNS resolutions and are therefore suspicious (Levin, discloses method for runtime detection of botnets in containerized environments, see [Abstract]. And [0032] malicious traffic to or from malicious entities such as a command and control (C&C) server 350 is to be blocked. And [0037] The previously resolved domain names that were resolved by previous DNS queries made by the APP container 311. Whether each domain name was resolved by previous DNS queries may be determined based on historical data of DNS query resolutions. DNS queries to domain names associated with domain names that were not resolved by previous DNS queries may be determined to be malicious (i.e. suspicious) such that botnets are detected and such DNS queries to unresolved domain names may be blocked. For example, if a request is issued to name “www.example.com” associated with IP address “1.1.1.1” but no DNS query ever resolved to “www.example.com”, it may be determined that the domain name … is an unresolved domain name. Alternatively or collectively, the previously resolved domain names may include a list (i.e. dataset) of domain names that is embedded in a configuration of the APP container 311, which may be retrieved and checked against domain names returned from DNS queries issued by the APP container 311); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Levin in the malicious behavior detection of El-Moussa by determining whether a DNS request is malicious by checking whether the IP address associated with the domain name has been resolved. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine that the DNS request is malicious if the domain name associated with the IP address is an unresolved domain name (i.e. the IP address is not resolved or associated with the domain name) against DNS policy, for botnet detection in containerized environments (Levin, [Abstract]).

Regarding claim 29, El-Moussa/Levin combination teaches:
An apparatus (El-Moussa, Fig. 1 Malicious behaviour detector 100) for protecting a computer system, comprising: a network interface controller (NIC); and at least one hardware processor (El-Moussa, Fig. 2 Interface 110, Processor unit 120) configured: to collect, via the NIC from data traffic transmitted over a private data network (El-Moussa, [0057] The MBD 1100 comprises an interface 1110 for communicating with the LAN 20), information from data traffic transmitted between multiple local nodes on the private data network (El-Moussa, Fig. 1 LAN 20) and public Internet Protocol (IP) addresses corresponding to [multiple remote nodes] on a public data network (El-Moussa, Fig. 1 Internet 40), and to perform steps substantially similar to the method steps of claim 1; the claim is therefore rejected on the same rationale set forth for the rejection of claim 1 above.

Regarding claim 30, El-Moussa/Levin combination teaches:
A computer software product for protecting a computing system, the product comprising a non-transitory computer-readable medium, storing program instructions (El-Moussa, [0027] The processor unit 120 co-operates with the memory 130 to perform processing functions based on computer program instructions stored in the memory), which, when read by a computer, cause the computer to perform steps substantially similar to the method steps of claim 1; the claim is therefore rejected on the same rationale set forth for the rejection of claim 1 above.

Regarding claim 7, El-Moussa/Levin teaches:
The method according to claim 1, 
El-Moussa further teaches: and further comprising computing, for a given public IP address, a count of distinct local nodes that transmitted at least one given detected transmission to the given public IP address, comparing the computed count to a specified range, and refraining from the protective action with respect to any of the identified transmissions to the given public IP addresses upon detecting that the computed count is greater than a specified threshold (El-Moussa, [0038] This in itself can be indicative of malicious behaviour because command and control servers for malicious computer worms and zombie botnets, etc. tend to frequently change their IP address to avoid having their IP address blackholed, thus frequent i.e. more than one per hour (i.e. computed count, specified threshold), DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour). Examiner further notes it is obvious to one ordinary skilled in the art that if the determination regarding the remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.

Regarding claim 9, El-Moussa/Levin teaches:
The method according to claim 1, 
El-Moussa further teaches: and further comprising computing, based on the respective times, a count of distinct days having at least one given detected transmission to a given public IP address, comparing the determined count to a specified threshold, and refraining from the protective action with respect to any of the identified transmissions to the given public IP addresses upon detecting that the computed count is less than the specified threshold (El-Moussa, [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which, provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence). Examiner further notes El-Moussa teaches that frequent DNS requests for the same domain name can be evidence of malicious behavior; therefore a less frequent request (i.e. a computed count that is less than the specified threshold) suggests that malicious behavior is less likely, i.e. refraining from the protective action.

Regarding claim 11, El-Moussa/Levin teaches:
The method according to claim 1, 
El-Moussa further teaches: and further comprising computing, based on the respective times, a count of distinct hours having at least one given detected transmission to a given public IP address, comparing the determined count to a specified threshold, and refraining from the protective action with respect to any of the identified transmissions to the given public IP address upon detecting that the computed count is less than the specified threshold (El-Moussa, [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which, provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence). Examiner further notes El-Moussa teaches that frequent DNS requests for the same domain name can be evidence of malicious behavior; therefore a less frequent request (i.e. a computed count that is less than the specified threshold) suggests that malicious behavior is less likely, i.e. refraining from the protective action. A count of distinct days and a count of distinct hours are interpreted similarly, as a count or frequency.
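As an added worked example (not from the application, this Office action, or any cited reference), the claim 1 steps (build the dataset of DNS-resolved public IPs, flag transmissions to public IPs outside it) carried through with the claim 7, 9 and 11 refrain rules, in Python over constructed sample records; the host names, addresses and threshold values are assumptions chosen for illustration only:

```python
"""Constructed walk-through of the claim 1 steps (build the dataset of DNS-resolved
public IPs, flag transmissions to public IPs outside it) with the claim 7, 9 and 11
refrain rules applied before any protective action. All records are constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime

# Non-public ranges: a transmission to these is not to a "public IP address" in the
# claim 1 sense and is never flagged. RFC 5737 TEST-NET addresses stand in for public
# ones in the sample below, so ipaddress.is_global (which excludes them) is not used.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# local_node: requesting host; uri: name resolved; public_ip: address in the response
DnsResolution = namedtuple("DnsResolution", "local_node uri public_ip time")
# local_node: sending host; public_ip: destination; time: when it was detected
Transmission = namedtuple("Transmission", "local_node public_ip time")


def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def resolved_dataset(resolutions: list[DnsResolution]) -> set[str]:
    """Claim 1: the dataset of public IPs that appeared in detected DNS resolutions."""
    return {r.public_ip for r in resolutions if is_public(r.public_ip)}


def unresolved_transmissions(transmissions: list[Transmission],
                             dataset: set[str]) -> list[Transmission]:
    """Claim 1: transmissions to public IPs that no DNS resolution produced."""
    return [t for t in transmissions
            if is_public(t.public_ip) and t.public_ip not in dataset]


def select_for_action(suspicious: list[Transmission], *, max_local_nodes: int = 5,
                      min_days: int = 2, min_hours: int = 3) -> tuple[dict, dict]:
    """Per public IP, refrain when the count of distinct local nodes exceeds a
    threshold (claim 7: a widely used, merely unresolved service), or the counts of
    distinct days (claim 9) or distinct hours (claim 11) fall below thresholds (no
    persistent contact). Returns ({ip: transmissions to act on}, {ip: reason})."""
    by_ip: dict[str, list[Transmission]] = defaultdict(list)
    for t in suspicious:
        by_ip[t.public_ip].append(t)
    act, refrained = {}, {}
    for ip, ts in by_ip.items():
        nodes = {t.local_node for t in ts}
        days = {t.time.date() for t in ts}
        hours = {(t.time.date(), t.time.hour) for t in ts}
        if len(nodes) > max_local_nodes:
            refrained[ip] = f"claim 7: {len(nodes)} distinct local nodes"
        elif len(days) < min_days:
            refrained[ip] = f"claim 9: seen on only {len(days)} day(s)"
        elif len(hours) < min_hours:
            refrained[ip] = f"claim 11: seen in only {len(hours)} hour(s)"
        else:
            act[ip] = ts
    return act, refrained


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample: two DNS resolutions, then transmissions over three days.
RESOLUTIONS = [
    DnsResolution("host-a", "www.example.com", "203.0.113.10", _t("2022-07-11 09:00")),
    DnsResolution("host-b", "cdn.example.net", "198.51.100.7", _t("2022-07-11 09:05")),
]
TRANSMISSIONS = [
    Transmission("host-a", "203.0.113.10", _t("2022-07-11 09:01")),   # resolved
    Transmission("host-b", "198.51.100.7", _t("2022-07-11 09:06")),   # resolved
    Transmission("host-a", "192.168.1.5", _t("2022-07-11 09:07")),    # not public
    # host-c reaches an address nothing resolved, on three days in three hours: act
    Transmission("host-c", "203.0.113.200", _t("2022-07-11 10:00")),
    Transmission("host-c", "203.0.113.200", _t("2022-07-12 10:00")),
    Transmission("host-c", "203.0.113.200", _t("2022-07-13 11:00")),
    # host-d: single unresolved contact on one day -> refrain (claim 9)
    Transmission("host-d", "198.51.100.99", _t("2022-07-12 14:30")),
    # host-e: two days but only two distinct hours -> refrain (claim 11)
    Transmission("host-e", "198.51.100.120", _t("2022-07-11 15:00")),
    Transmission("host-e", "198.51.100.120", _t("2022-07-12 15:00")),
]
# six hosts all reach one unresolved address (e.g. a hard-coded update server) -> claim 7
TRANSMISSIONS += [Transmission(f"host-{i}", "203.0.113.50", _t(f"2022-07-1{d} 08:00"))
                  for i, d in zip(range(10, 16), (1, 2, 3, 1, 2, 3))]


def run(resolutions=RESOLUTIONS, transmissions=TRANSMISSIONS) -> tuple[dict, dict]:
    dataset = resolved_dataset(resolutions)
    return select_for_action(unresolved_transmissions(transmissions, dataset))


if __name__ == "__main__":
    act, refrained = run()
    print("protective action:", sorted(act))
    print("refrained:", refrained)
```

Only 203.0.113.200 (host-c's persistent, never-resolved destination) reaches protective action; the other unresolved destinations are held back by the claim 7, 9 and 11 rules.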

Regarding claim 14, El-Moussa/Levin teaches:
The method according to claim 1, 
El-Moussa further teaches: and further comprising determining a protocol of a given detected transmission to a given public IP address, identifying the determined protocol in a specified list of protocols, computing a count of the detected transmissions to the given public IP address, comparing the computed count to a specified range for the determined protocol, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count is within the specified range (El-Moussa, [0033] Similarly, the DNS request detection module 134 inspects all Ethernet frames which contain a DNS query (DNS queries are generally sent in a User Datagram Protocol (UDP) datagram encapsulated in an Internet Protocol (IP) packet(s). And [0038] thus frequent i.e. more than one per hour, DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour, and similarly DNS responses which, provide different IP addresses in response to the same domain name could also indicate that the domain name relates to a malicious server and so should count as evidence).

Regarding claim 25, El-Moussa/Levin teaches:
The method according to claim 1, 
El-Moussa further teaches: and further comprising determining that a given local node is a proxy server, and refraining from the protective action with respect to any given detected transmission from the given local node (El-Moussa, [0026] FIG. 1 illustrates a typical network architecture comprising a Local Area Network (LAN) 20 (e.g. an IEEE 802.3 Ethernet LAN) connected, via a gateway/router device 30 (which also acts as a proxy DNS server)).

Claims 2 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Neerdaels (US20090119397A1, hereinafter, “Neerdaels”).
Regarding claim 2, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in a similar field of endeavor, Neerdaels teaches:
and further comprising: analyzing the detected transmissions to identify a subnet of the public data network containing a subset of the public IP addresses that were not resolved by the DNS resolutions but belong to a demilitarized zone (DMZ) subnet associated with the private data network; and refraining from the protective action with respect to any of the identified transmissions to the public IP addresses in the identified subnet (Neerdaels, discloses using ECDN virtual zone as DMZ for enterprise content delivery, see [Abstract]. And [0025] From a security standpoint, the enterprise network manager roughly divides the world of the network into trusted and un-trusted, which usually corresponds to internal and external entities… More sophisticated systems usually create an security entity called a DMZ, which can be thought of as a set of two firewalls, with certain assets like email, DNS, web servers, etc. sitting between them.  Each firewall has a different set of filtering rules, with the innermost generally allowing valid traffic from a host within the DMZ to enter the enterprise. And [Claim 7] the ECDN virtual zone is resolved without reference to the public Internet DNS).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Neerdaels in the malicious behavior detection of El-Moussa/Levin by employing ECDN virtual zone as DMZ that is not resolved to public internet DNS. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the ECDN virtual zone as DMZ for content delivery within enterprise even without DNS resolution in an existing DNS infrastructure (Neerdaels, [0007-0009], [0025]).

Regarding claim 4, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in a similar field of endeavor, Neerdaels teaches:
and further comprising identifying a given IP address that belongs to a content delivery network, and refraining from the protective action with respect to any of the identified transmissions to the identified given public IP address (Neerdaels, discloses using ECDN virtual zone as DMZ for enterprise content delivery, see [Abstract]. And [0009] It is yet another general object of the invention to define and implement one or more so-called "virtual" zones within an enterprise namespace to facilitate content delivery behind a corporate firewall over an enterprise content delivery network (ECDN). And [Claim 1] building a list of one or more enterprise domains that are candidates for caching in the ECDN, wherein an enterprise domain that is a candidate for caching has associated therewith a set of one or more IP addresses associated with nearby content servers managed as part of an Internet content delivery network (ICDN)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Neerdaels in the malicious behavior detection of El-Moussa/Levin by employing ECDN virtual zone for enterprise content delivery. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the ECDN virtual zone as DMZ for content delivery within enterprise even without DNS resolution in an existing DNS infrastructure (Neerdaels, [0007-0009], [0025]).

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Levin combination as applied above to claim 1, further in view of Lv et al (US20130007233A1, hereinafter, “Lv”).
Regarding claim 3, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in a similar field of endeavor, Lv teaches:
and further comprising identifying a given IP address that belongs to an autonomous system reserved for internal use by an entity, and refraining from the protective action with respect to any of the identified transmissions to the identified given public IP address (Lv, [0030] each managed network device of an autonomous wireless network needs a unique IP address to support internal control-path communication between them. However, such unique IP address does not have to be externally reachable or managed. Rather, each managed network device can assign (i.e. identifying) to itself an internal IP address within an address space specifically reserved for internal network communications).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lv in the malicious behavior detection of El-Moussa/Levin by assigning an internal IP address within an address space as specifically reserved for internal network communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to link local address space within wireless network as a private network (Lv, [Abstract], [0030]) so that protective action is not necessary.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Levin combination as applied above to claim 1, further in view of Wood (US20190081952A1, hereinafter, “Wood”).
Regarding claim 5, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in a similar field of endeavor, Wood teaches:
and further comprising: analyzing the detected transmissions to identify a given local node that pinged a given public IP address to determine a status of the corresponding remote node; and refraining from the protective action with respect to any of the identified transmissions to the given public IP address (Wood, [0070] The invention also features a system for blocking DNS tunnels,… a process to identify whether a remote IP address is a previous fake IP address previously provided by the system in response to a previous DNS query; a process for finding the actual remote IP address for the at least one data communication packet destined for the fake IP address). Examiner notes claim 5 does not recite for which identified status of the remote node the protective action is refrained. But it is obvious to one ordinary skilled in the art that if the status of the corresponding remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wood in the malicious behavior detection of El-Moussa/Levin by identifying actual remote IP address for data communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the actual remote IP address so that fake IP address to be replaced with the actual IP address for data communication (Wood, [0070]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Levin combination as applied above to claim 1, further in view of Deutschmann et al (US20190124092A1, hereinafter, “Deutschmann”).
Regarding claim 6, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in the same field of endeavor, Deutschmann teaches:
and further comprising: analyzing the detected transmissions to identify a given local node that scanned one or more ports on a given remote node to determine one or more respective statuses of services provided by the given remote node at the one or more ports; and refraining from the protective action with respect to any of the identified transmissions to a given public IP address corresponding to the given remote node (Deutschmann, discloses detecting unauthorized access to a device based on scanning network ports, see [Abstract]. And [0012] In addition to scanning a second software port for the open or in use status thereof, a plurality of additional ports can be scanned by way of the code, when executed, attempting to open a network connection on each of the plurality of additional ports and modifying further delivery of data is based on a determination that any one of the plurality of additional ports being in use. Also referring to Fig. 1, End User Device (i.e. local node) and Malfeasant (i.e. remote node)). Examiner notes claim 6 does not recite for which respective status of the remote node the protective action is refrained. But it is obvious to one ordinary skilled in the art that if the status of the corresponding remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Deutschmann in the malicious behavior detection of El-Moussa/Levin by scanning network ports to determine which ports are open for the purpose of detection of remote fraudulent activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine particular ports are already in use so as to determine a malfeasant actor has access to the end user device (Deutschmann, [Abstract]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa/Levin combination as applied above to claim 1, further in view of Jeong et al (US20110016525A1, hereinafter, “Jeong”).
Regarding claim 8, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); however, in the same field of endeavor, Jeong teaches:
wherein each given detected transmission to one of the public IP addresses comprises a destination port number, and further comprising computing, for a given public IP address, a count of distinct destination port numbers in the detected transmissions to the given public IP address, comparing the computed count to a specified threshold, and refraining from the protective action with respect to any of the identified transmissions to the given public IP address upon detecting that the computed count is greater than the specified threshold (Jeong, discloses detecting network attack based on visual data analysis, see [Title], [Abstract]. And [0011] a network attack detector for comparing similarities between the traffic image and a previously generated traffic image based on a predetermined similarity threshold to detect the presence of the network attack. For instance, see Fig. 6C, and [0048] the generation of the traffic from multiple source IPs to one destination IP indicates that DDoS attack S602 is being progressed. Examiner notes this can be interpreted as: when the number of destination IPs is greater, the data indicates a lower chance that a network attack is present). Examiner notes it is obvious to one ordinary skilled in the art that if the determination regarding the remote node suggests the remote node is not a malicious node, there is no need to perform the protective action.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Jeong in the malicious behavior detection of El-Moussa/Levin by using number of ports related to destination IP address for analyzing network attack. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect network attack based on destination IP address count on traffic image plot (Jeong, [Abstract]).

Claims 10, 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Dandliker et al. (US20080082662A1, hereinafter, “Dandliker”).
Regarding claim 10, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Dandliker teaches:
and further comprising computing, based on the respective times, a first count of distinct days having at least one given detected transmission from a given local node to a given public IP address, computing a second count of days having at least one given detected transmission from the given local node during at least a specified number of distinct hours, computing a ratio of the first count to the second count, comparing the ratio to a specified threshold, and refraining from the protective action with respect to any of the identified transmissions to the given public IP address upon detecting that the ratio is less than the specified threshold (Dandliker discloses controlling access to network resources based on reputation, see [Abstract]. And [0080] examining traffic for suspicious patterns may be performed. For instance, significant repeated activity to a URL during non-business hours may be indicative of a spyware program "phoning-home" data). Examiner notes that when suspicious traffic activity is confined to non-business hours, the number of days having this limited non-business-hours activity is smaller than it would be if the traffic activity occurred during business hours; the ratio is therefore larger, which indicates suspicious activity. On the other hand, if the traffic activity occurs during business hours, the ratio is smaller, indicating a lower likelihood of suspicious activity, and the protective action is therefore refrained from. Although Dandliker does not express the determination as a ratio, under the broadest reasonable interpretation it would have been obvious to one of ordinary skill in the art that the rationale can be expressed using a mathematical ratio.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dandliker in the malicious behavior detection of El-Moussa/Levin by comparing the IP addresses of intercepted packets against a database to determine the reputation of the IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the reputation of the IP address obtained from the DNS response to determine whether to allow or block a client device's access to network resources (Dandliker, [Abstract]).
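The two exclusion heuristics recited above (the per-IP count of distinct destination ports compared against a threshold, and the ratio of days with transmissions to a public IP over days on which the local node was active during at least a specified number of distinct hours) are shown below as working code. This is an added example, not code from the Office Action, the application, or any cited reference; the record layout, the sample transmissions, the thresholds, and the choice to return None for an undefined ratio (so that a node with no qualifying active days is never excluded on that rule) are assumptions made for illustration.

```python
"""Added example: two of the claimed exclusion heuristics run over constructed
flow records. Not code from the Office Action, the application, or any cited
reference; record layout, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transmission:
    time: datetime   # when the transmission was observed
    local_node: str  # internal source host
    public_ip: str   # destination public IP (already "identified" as not DNS-resolved)
    dst_port: int    # destination port number


def distinct_port_count(txs, public_ip):
    """Number of distinct destination ports seen in transmissions to public_ip."""
    return len({t.dst_port for t in txs if t.public_ip == public_ip})


def day_ratio(txs, local_node, public_ip, min_hours):
    """first_count / second_count as recited for claim 10.

    first_count:  distinct days with at least one transmission local_node -> public_ip.
    second_count: days on which local_node transmitted (to any destination)
                  during at least min_hours distinct hours.
    Returns None when second_count is 0, so the caller cannot refrain on an
    undefined ratio (assumed behaviour, not stated in the claim).
    """
    days_to_ip = {t.time.date() for t in txs
                  if t.local_node == local_node and t.public_ip == public_ip}
    hours_per_day = defaultdict(set)
    for t in txs:
        if t.local_node == local_node:
            hours_per_day[t.time.date()].add(t.time.hour)
    active_days = sum(1 for hours in hours_per_day.values() if len(hours) >= min_hours)
    if active_days == 0:
        return None
    return len(days_to_ip) / active_days


def refrain_reasons(txs, local_node, port_threshold, min_hours, ratio_threshold):
    """Map each public IP contacted by local_node to the exclusion rules that fire.

    Comparison directions follow the claim language: refrain when the
    distinct-port count is greater than its threshold, and when the day
    ratio is less than its threshold. IPs with no firing rule are omitted.
    """
    reasons = {}
    for ip in sorted({t.public_ip for t in txs if t.local_node == local_node}):
        fired = []
        if distinct_port_count(txs, ip) > port_threshold:
            fired.append("distinct_ports")
        ratio = day_ratio(txs, local_node, ip, min_hours)
        if ratio is not None and ratio < ratio_threshold:
            fired.append("day_ratio")
        if fired:
            reasons[ip] = fired
    return reasons


def _t(day, hour, ip, port, node="10.0.0.5"):
    return Transmission(datetime(2022, 7, day, hour), node, ip, port)


# Constructed sample (TEST-NET addresses). 203.0.113.10 is hit on six distinct
# ports; 198.51.100.7 is contacted on one day only; 192.0.2.44 is contacted
# every day. 15 July has activity in only two distinct hours.
SAMPLE = [
    _t(11, 9, "192.0.2.44", 443), _t(11, 11, "198.51.100.7", 443),
    _t(11, 14, "203.0.113.10", 443), _t(11, 16, "203.0.113.10", 8443),
    _t(12, 9, "192.0.2.44", 443), _t(12, 11, "203.0.113.10", 22),
    _t(12, 14, "203.0.113.10", 3389), _t(12, 16, "203.0.113.10", 5000),
    _t(13, 9, "192.0.2.44", 443), _t(13, 11, "192.0.2.44", 443),
    _t(13, 14, "192.0.2.44", 443), _t(13, 16, "203.0.113.10", 445),
    _t(14, 9, "192.0.2.44", 443), _t(14, 11, "192.0.2.44", 443),
    _t(14, 14, "192.0.2.44", 443), _t(14, 16, "192.0.2.44", 443),
    _t(15, 9, "192.0.2.44", 443), _t(15, 11, "192.0.2.44", 443),
]

if __name__ == "__main__":
    print(refrain_reasons(SAMPLE, "10.0.0.5", port_threshold=3,
                          min_hours=3, ratio_threshold=0.5))
```

With the sample data, 203.0.113.10 is excluded on the distinct-port rule (six ports against a threshold of three), 198.51.100.7 is excluded on the day-ratio rule (one day out of four active days gives 0.25, below 0.5), and 192.0.2.44, which is contacted every day, remains subject to the protective action.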

Regarding claim 12, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Dandliker teaches:
and further comprising determining a protocol of a given detected transmission to a given public IP address, computing a total volume of data in the detected transmissions to the given public IP address, comparing the computed volume to a specified range for the determined protocol, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed total volume is not within the specified range (Dandliker, [0038] The approaches herein use reputation information to control requests to obtain network resources using HTTP and other web protocols. And [0074] The parameters can be used as indicators about a reputation of a URL.  … global traffic volume and changes in volume; Table shows example URL reputation scores, and [0095] (-7) IronPort SenderBase shows a sudden spike in volume of requests to URL, and URL is a typographical corruption of a popular domain). Examiner notes that a sudden spike in volume suggests suspicious activity; therefore a smaller spike, or a lower computed volume, suggests a lower likelihood of suspicious activity, and the protective action is therefore refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dandliker in the malicious behavior detection of El-Moussa/Levin by comparing the IP addresses of intercepted packets against a database to determine the reputation of the IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the reputation of the IP address obtained from the DNS response to determine whether to allow or block a client device's access to network resources (Dandliker, [Abstract]).

Regarding claim 13, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Dandliker teaches:
and further comprising determining a protocol of a given detected transmission to a given public IP address, computing a count of the detected transmissions in a session comprising the given detected transmission, comparing the computed count to a specified range for the determined protocol, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count is not within the specified range (Dandliker, [0153] In an embodiment, messaging gateway 608 also implements a proxy for file transfer protocol (FTP) requests of clients. An FTP session uses two TCP connections between the client and server: the Command connection, and the Data connection.  The FTP session is initiated by the client connecting to the server, establishing the Command connection). Examiner notes that El-Moussa's teaching of counting the frequency of DNS requests (see [0041]) also applies to a session of Dandliker; therefore less frequent requests suggest a lower likelihood of malicious behavior, i.e., refraining from the protective action. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dandliker in the malicious behavior detection of El-Moussa/Levin by comparing the IP addresses of intercepted packets against a database to determine the reputation of the IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the reputation of the IP address obtained from the DNS response to determine whether to allow or block a client device's access to network resources (Dandliker, [Abstract]).
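The two protocol-specific range checks recited for claims 12 and 13 (total data volume to a public IP compared against a range for the determined protocol, and the number of transmissions in a session compared against a range for that protocol) are shown below as working code. This is an added example, not code from the Office Action, the application, or any cited reference; the per-packet record layout, the per-protocol ranges, and the sample sessions are assumptions made for illustration. The comparison direction follows the claim language: the protective action is refrained from when the computed value is not within the specified range, and a protocol with no specified range fires neither rule.

```python
"""Added example: the protocol-specific range checks recited for claims 12
and 13, run over constructed per-packet records. Not code from the Office
Action, the application, or any cited reference; the record layout and the
per-protocol ranges are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    session_id: str  # identifies the session the packet belongs to
    public_ip: str   # destination public IP (already "identified" as not DNS-resolved)
    protocol: str    # protocol determined for the transmission
    size: int        # payload bytes


# Assumed inclusive (low, high) ranges per protocol. In practice these would be
# learned from baseline traffic; the numbers here are illustrative only.
VOLUME_RANGE = {"HTTPS": (1_000, 50_000_000), "DNS": (0, 50_000), "NTP": (0, 10_000)}
SESSION_COUNT_RANGE = {"HTTPS": (2, 5_000), "DNS": (1, 10), "NTP": (1, 4)}


def within(value, bounds):
    """Inclusive range test."""
    low, high = bounds
    return low <= value <= high


def total_volume(packets, public_ip):
    """Claim 12: total bytes across all detected transmissions to public_ip."""
    return sum(p.size for p in packets if p.public_ip == public_ip)


def session_count(packets, session_id):
    """Claim 13: number of detected transmissions in the session."""
    return sum(1 for p in packets if p.session_id == session_id)


def protocol_of(packets, session_id):
    """Determine the session's protocol; all packets of one session share it here."""
    protocols = {p.protocol for p in packets if p.session_id == session_id}
    if len(protocols) != 1:
        raise ValueError(f"ambiguous protocol for session {session_id}: {protocols}")
    return protocols.pop()


def refrain_reasons(packets):
    """Map each session to the range rules that fire.

    Per the claim language, refrain when the computed value is NOT within the
    range specified for the protocol. Sessions with no firing rule are omitted.
    """
    reasons = {}
    for sid in sorted({p.session_id for p in packets}):
        proto = protocol_of(packets, sid)
        ip = next(p.public_ip for p in packets if p.session_id == sid)
        fired = []
        if proto in VOLUME_RANGE and not within(total_volume(packets, ip), VOLUME_RANGE[proto]):
            fired.append("volume")
        if proto in SESSION_COUNT_RANGE and not within(session_count(packets, sid), SESSION_COUNT_RANGE[proto]):
            fired.append("session_count")
        if fired:
            reasons[sid] = fired
    return reasons


# Constructed sample (TEST-NET addresses).
SAMPLE = (
    [Packet("s1", "203.0.113.10", "DNS", 80)] * 3      # 240 B, 3 packets: both in range
    + [Packet("s2", "198.51.100.7", "HTTPS", 400)] * 2  # 800 B < 1000: volume out of range
    + [Packet("s3", "192.0.2.44", "NTP", 76)] * 6       # 456 B in range; 6 packets > 4
)

if __name__ == "__main__":
    print(refrain_reasons(SAMPLE))
```

Note that the volume rule is computed per destination IP across all of its transmissions, as the claim recites, while the count rule is computed per session; a destination contacted by several sessions therefore has one volume figure but several session counts.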

Claims 15, 21 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Lim et al. (US20180013778A1, hereinafter, “Lim”).
Regarding claim 15, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Lim teaches:
and further comprising determining a destination port number of a given detected transmission, comparing the determined destination port number to specified list of port numbers, and refraining from the protective action with respect to the given detected transmission upon detecting that the determined destination port number is in the specified list (Lim discloses a method for detecting abnormal behavior in a main device and a terminal device by using a whitelist. And [0040] the network whitelist (i.e., the specified list) may include the IP address and port number of a network connection for the main device 10 and the terminal device 20, the name of a network process, and [0062] at step S125, the network process, IP address, and port number of the main device and the network process, IP address, and port number of the terminal device are compared with the main device-terminal device connection whitelist).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lim in the malicious behavior detection of El-Moussa/Levin by identifying abnormal behavior of network devices using a whitelist that includes the IP addresses and port numbers of the devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the abnormal behavior of network devices based on a whitelist (Lim, [Abstract]), i.e., if the device is in the whitelist, the protective action is refrained from.

Regarding claim 21, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Lim teaches:
wherein a given detected transmission comprises a given protocol and a given destination port number, and further comprising comparing the destination port number to a list of valid destination port numbers for the given protocol, and refraining from the protective action with respect to the given detected transmission upon detecting the given destination port number in the list (Lim discloses a method for detecting abnormal behavior in a main device and a terminal device by using a whitelist. And [0040] the network whitelist (i.e., the list) may include the IP address and port number of a network connection for the main device 10 and the terminal device 20, the name of a network process, and [0062] at step S125, the network process, IP address, and port number of the main device and the network process, IP address, and port number of the terminal device are compared with the main device-terminal device connection whitelist).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lim in the malicious behavior detection of El-Moussa/Levin by identifying abnormal behavior of network devices using a whitelist that includes the IP addresses and port numbers of the devices. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the abnormal behavior of network devices based on a whitelist (Lim, [Abstract]), i.e., if the device is in the whitelist, the protective action is refrained from.

Claims 16, 22 are rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Gottlieb et al. (US 9,130,982B2, hereinafter, “Gottlieb”).
Regarding claim 16, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Gottlieb teaches:
and further comprising determining a geo-location of a given destination IP address in a given detected transmission, computing a count of the detected transmissions to any of the destination IP addresses having the same geo-location, comparing the computed count to a specified threshold, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count is less than the specified threshold (Gottlieb discloses detecting anomalous attacks in internet network flow, see [Abstract]. And [Col. 6 lines 55-67] DDoS attacks may employ bots located in geographically diverse regions.  Therefore it is expected that the number of unique geographical areas from which traffic is observed for a destination could be relatively large when a DDoS attack is in progress…The IP Geolocation Diversity Indicator maintains a count of the unique geographical locations from where traffic is observed for a given destination within the current time window.  As before, this is compared against a long term rate (i.e., the specified threshold) to determine the presence of geolocation anomalies for the given destination. And [Col. 7 lines 28-30] An analyst can filter alerts based on destination IP addresses or destination IP prefixes of interest in conjunction with some subset of indicator types). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious behavior detection of El-Moussa/Levin by using the IP Geolocation Diversity Indicator associated with a specific destination IP to count the number of internet traffic messages. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the counting and averaging of internet traffic messages to detect anomalous attacks (Gottlieb, [Abstract]).

Regarding claim 22, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Gottlieb teaches:
wherein a given detected transmission comprises a given public IP address, and further comprising determining a number of the public IP addresses hosted by a datacenter hosting the given IP address, and refraining from the protective action with respect to the given detected transmission upon detecting that the determined number is less than a specified threshold (Gottlieb, [Col. 6 lines 36-46] A botnet originated DDoS attack typically uses a large number of bots to overwhelm a target. In addition, many botnets may also employ random source IP address spoofing to hide the location of individual bots.  It is thus possible that during a large scale DDoS attack the number of unique source IP addresses for a given destination IP may be quite large relative to normal operations. It may be possible to provide early warning of DDoS/RDDoS attacks by considering the number of unique source IP addresses observed within a time window for a given destination IP address). Examiner notes that if the determined number of IP addresses is smaller, it would have been obvious to one of ordinary skill in the art that an attack is less likely, and the protective action can therefore be refrained from. 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gottlieb in the malicious behavior detection of El-Moussa/Levin by identifying attacks based on a large number of bots with unique IP addresses. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the counting and averaging of internet traffic messages to detect anomalous attacks (Gottlieb, [Abstract]).
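Both of the limitations applied against Gottlieb above depend on enriching a destination IP with external data: a geo-location for claim 16, and the size of the hosting datacenter for claim 22. The code below is an added example, not code from the Office Action, the application, or any cited reference, showing how the two counts and their threshold comparisons look once that enrichment is in hand. The prefix-to-location table, the datacenter prefix lists, the sample transmissions and the thresholds are constructed assumptions standing in for a real geolocation or hosting database; the rule that a destination whose enrichment is unknown is never excluded (rather than counted as zero) is likewise an added design choice, not part of the claim text.

```python
"""Added example: the geo-location count (claim 16) and datacenter-size
(claim 22) exclusions, using constructed enrichment tables in place of a real
geolocation or hosting database. Not code from the Office Action, the
application, or any cited reference; prefixes, locations and thresholds are
assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Transmission:
    local_node: str
    public_ip: str  # destination public IP (already "identified" as not DNS-resolved)


@dataclass(frozen=True)
class Datacenter:
    name: str
    prefixes: tuple  # announced prefixes, as strings


# Constructed enrichment: prefix -> geo-location (country code), and datacenters
# with the prefixes they announce. A real deployment would query a geo/hosting DB.
GEO = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "DE",
    ip_network("192.0.2.0/24"): "US",
}
DATACENTERS = (
    Datacenter("big-cloud", ("203.0.113.0/24", "192.0.2.0/24")),
    Datacenter("small-host", ("198.51.100.64/26",)),
)


def geo_location(ip):
    """Longest-prefix match of ip against GEO; None when no prefix covers it."""
    addr = ip_address(ip)
    matches = [net for net in GEO if addr in net]
    if not matches:
        return None
    return GEO[max(matches, key=lambda n: n.prefixlen)]


def same_geo_count(txs, ip):
    """Claim 16: transmissions to any destination sharing ip's geo-location.
    None when ip's location is unknown, so the rule cannot fire on it."""
    loc = geo_location(ip)
    if loc is None:
        return None
    return sum(1 for t in txs if geo_location(t.public_ip) == loc)


def hosted_address_count(ip):
    """Claim 22: number of public addresses hosted by the datacenter hosting ip,
    assumed here to be the total size of that datacenter's announced prefixes.
    None when no known datacenter covers ip."""
    addr = ip_address(ip)
    for dc in DATACENTERS:
        nets = [ip_network(p) for p in dc.prefixes]
        if any(addr in n for n in nets):
            return sum(n.num_addresses for n in nets)
    return None


def refrain_reasons(txs, geo_threshold, hosted_threshold):
    """Per the claim language, refrain when the same-geo count is LESS THAN
    geo_threshold (claim 16) or the hosted-address count is LESS THAN
    hosted_threshold (claim 22). Unknown enrichment never fires a rule."""
    reasons = {}
    for ip in sorted({t.public_ip for t in txs}):
        fired = []
        geo = same_geo_count(txs, ip)
        if geo is not None and geo < geo_threshold:
            fired.append("geo_count")
        hosted = hosted_address_count(ip)
        if hosted is not None and hosted < hosted_threshold:
            fired.append("datacenter_size")
        if fired:
            reasons[ip] = fired
    return reasons


# Constructed sample. 198.18.0.1 is covered by neither table.
SAMPLE = [
    Transmission("10.0.0.5", "203.0.113.10"), Transmission("10.0.0.5", "203.0.113.10"),
    Transmission("10.0.0.5", "203.0.113.10"),
    Transmission("10.0.0.7", "192.0.2.44"), Transmission("10.0.0.7", "192.0.2.44"),
    Transmission("10.0.0.5", "198.51.100.77"),
    Transmission("10.0.0.9", "198.18.0.1"),
]

if __name__ == "__main__":
    print(refrain_reasons(SAMPLE, geo_threshold=3, hosted_threshold=100))
```

With these tables, the five transmissions to US-located destinations keep 203.0.113.10 and 192.0.2.44 under the protective action, 198.51.100.77 is excluded on both rules (a single DE transmission and a /26 datacenter), and 198.18.0.1, for which neither lookup returns anything, is deliberately left under the protective action rather than excluded on a zero count.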

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Chiba et al. (US20160366159A1, hereinafter, “Chiba”).
Regarding claim 17, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Chiba teaches:
and further comprising determining that a given destination IP address in a given detected transmission belongs to an autonomous system, computing a count of the detected transmissions to the given destination IP address (Chiba discloses extraction of traffic features using a traffic log, see [Abstract]. And [0006] In an approach for automatically extracting the feature information from the information on communication relating to attacks, the information on communication relating to attacks is summarized based on the categorization into respective items set in advance, for example, date and time, an Internet protocol (IP) address of a communication peer, …, and the number of times of communication. Also see [0060] for traffic logs generated by malware including communication destination IP address. In particular, Fig. 6 shows an AS number, suggesting an autonomous system), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chiba in the malicious behavior detection of El-Moussa/Levin by extracting feature information on communications related to attacks, such as the destination IP address and the number of times of communication, in an autonomous system. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the feature information extracted from traffic logs to identify attacks (Chiba, [Abstract], [0019]).
El-Moussa further teaches: comparing the computed count to a specified threshold, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count exceeds the specified threshold (El-Moussa, [0038] This in itself can be indicative of malicious behaviour because command and control servers for malicious computer worms and zombie botnets, etc. tend to frequently change their IP address to avoid having their IP address blackholed, thus frequent i.e. more than one per hour (i.e., computed count, specified threshold), DNS requests to resolve the same domain name can also be considered as evidence of malicious behaviour). Examiner further notes that it would have been obvious to one of ordinary skill in the art that, if the determination suggests the remote node is not a malicious node, there is no need to perform the protective action.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Zawoad et al. (US20190387005A1, hereinafter, “Zawoad”).
Regarding claim 18, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Zawoad teaches:
and further comprising determining that a given destination IP address in a given detected transmission belongs to an autonomous system, determining that the autonomous system is not bulletproof, and refraining from the protective action with respect to the given detected transmission (Zawoad discloses a method for determining maliciousness scores for IP addresses and/or network domains, [Abstract]. And [0176] As described above, adversaries may often use "bullet-proof" hosting services to launch attacks in order to avoid law enforcement and other legal repercussions and certain autonomous systems (ASs) are known to have a higher incidence of malicious activity than other ASs). Examiner notes that, given Zawoad's teaching that attacks are often launched from bulletproof hosting services, it would have been obvious to one of ordinary skill in the art that an autonomous system that is not bulletproof is less likely to launch attacks, and the protective action can therefore be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zawoad in the malicious behavior detection of El-Moussa/Levin by identifying bulletproof hosting services in an autonomous system. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify the risks associated with the network where a network domain is hosted, in particular bulletproof hosting services, in order to identify malicious network devices (Zawoad, [Abstract], [0176]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Alpert et al. (US10,257,295B1, hereinafter, “Alpert”).
Regarding claim 19, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Alpert teaches:
and further comprising determining a given destination IP address in a given detected transmission, identifying a subset of the detected transmissions to the given public IP address, identifying, based on the respective times, a most recent transmission in the subset, determining a date for the most recent transmission, comparing the date to a specified threshold date, and refraining from the protective action with respect to the given detected transmission upon detecting that the determined date is after the specified threshold date (Alpert discloses monitoring abnormality in internet activity, see [Abstract]. And [Col. 5 lines 46-57] if the activity report indicates normal internet traffic activity for when a user is actively using a client device 130 and or mobile device 160, 170, the cloud server 180 may use that report in determining that the property is occupied. In another example, in response to a triggered alarm event within a property, the cloud server 180 may analyze the recent activity report transmitted by the internet sensor 120 to determine user activity within the property.  For instance, if the activity report indicates normal internet traffic activity, the monitor cloud server 180 may determine that there is no security breach within the property).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Alpert in the malicious behavior detection of El-Moussa/Levin by identifying recent internet activity from an activity report that indicates normal internet traffic activity. This would have been obvious because the person having ordinary skill in the art would have been motivated to rely on recent normal internet traffic activity to determine that there is no security breach in the network (Alpert, [Abstract]).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Ylonen et al. (US20030110379A1, hereinafter, “Ylonen”).
Regarding claim 20, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Ylonen teaches:
wherein a given detected transmission comprises a given protocol, and further comprising receiving, from a firewall, a notification that the firewall recognizes the given protocol, and refraining from the protective action with respect to the given detected transmission (Ylonen discloses maintaining security in a packet-switched information network [Title]. And [0016] The objects of the invention are achieved by implementing packet-level processing in the operating system kernel of a firewall computer, by setting up at least one protocol-specific application gateway somewhere else than in the operating system kernel of the firewall computer, and by instructing the packet-level processing process to recognize packets associated with the protocol that the protocol-specific application gateway handles and to direct the recognized packets to the application gateway. Also see Fig. 1, Firewall 103). Examiner notes that when the firewall recognizes the protocol on which a malicious transmission is based, it would have been obvious to one of ordinary skill in the art that one can rely on the firewall to block the malicious transmission, so the protective action is not needed.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ylonen in the malicious behavior detection of El-Moussa/Levin by implementing a firewall with a protocol-specific application gateway that recognizes packets associated with the protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the firewall to block malicious transmissions associated with a recognized protocol related to attacks (Ylonen, [Abstract]), so that further protective action is not necessary.

Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Kim et al. (US20180351930A1, hereinafter, “Kim”).
Regarding claim 23, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in a similar field of endeavor, Kim teaches:
wherein each given detected transmission from a given local node to a given remote node comprises a given protocol and a given destination port number, and further comprising comparing the destination port numbers in the given transmissions to a list of standard port numbers, computing a count of the compared destination port numbers that were not in the list, and refraining from the protective action with respect to the given detected transmission upon detecting that the computed count exceeds a specified threshold (Kim discloses a method for supporting bidirectional communication using unidirectional communication between an internal network and an external network, [Abstract], [0002]. And [0237] each whitelist (i.e., not in the list, where the list can be a blacklist) includes a source IP address, a source port number, a destination IP address, a destination port number, a protocol, etc. Also, each whitelist may further include …, the number of permissions per day, the number of uses per day, …). Examiner notes that a greater number of port numbers being in the whitelist (i.e., not in the blacklist) suggests a lower likelihood of network attacks, and the protective action can therefore be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kim in the malicious behavior detection of El-Moussa/Levin by using a whitelist that includes the destination IP address and port number in a firewall to control bidirectional communication between an internal network and an external network. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the firewall to block malicious transmissions associated with port numbers not included in the whitelist (Kim, [Abstract]), so that further protective action is not necessary.

Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Firstenberg et al. (US20180069884A1, hereinafter, “Firstenberg”).
Regarding claim 24, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in a similar field of endeavor, Firstenberg teaches:
and further comprising determining that a given destination IP address in a given detected transmission belongs to an autonomous system, determining that the autonomous system is not rentable, and refraining from the protective action with respect to the given detected transmission (Firstenberg discloses a method for identifying bulletproof autonomous systems, [Title], [0002]. And [0009] the method may include generating an alert for the one or more predicted ASNs, or for transmissions to the IP addresses of the one or more predicted ASNs… generating the alert may include restricting data transmissions between the endpoints and the IP addresses of the one or more predicted ASNs…, each given predicted ASN may include a rentable ASN). Examiner notes that Firstenberg's teachings suggest a non-rentable autonomous system is less likely to be associated with suspicious transmission activity, and the protective action can therefore be refrained from.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Firstenberg in the malicious behavior detection of El-Moussa/Levin by identifying ASNs and their properties, such as whether they are rentable or non-rentable. This would have been obvious because the person having ordinary skill in the art would have been motivated to distinguish non-rentable ASNs, on which malicious activity is less likely (Firstenberg, [Abstract], [0024], [0040]), so that further protective action is not necessary.

Claim 26 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Keanini et al. (US20070143852A1, hereinafter, “Keanini”).
Regarding claim 26, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Keanini teaches:
and further comprising identifying one or more of the local nodes as pingers, determining that all of the transmissions to a given destination IP address are from the one or more identified local nodes, and refraining from the protective action with respect to any given detected transmission to the given destination IP address (Keanini discloses a system and method for providing distributed security of a network by profiling the network for vulnerabilities and monitoring exploitation of those vulnerabilities, see [Abstract], [0002]. And [0015] A traffic monitor monitors network traffic for attack signatures corresponding to the determined vulnerabilities to detect malicious activity. In one embodiment, the traffic monitor associates attack signatures with the specific destination (e.g., IP address and/or port) having the corresponding vulnerability. And [0048] the control module 320 uses ping requests to identify hosts on the network and TCP connection attempts to identify open ports of the hosts. Based on this information, the control module 320 sends messages to the identification subsystem 330 instructing it to carry out various analyses to identify and verify vulnerabilities of hosts 191 on the network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Keanini in the malicious behavior detection of El-Moussa/Levin by using ping requests to identify vulnerable hosts. This would have been obvious because the person having ordinary skill in the art would have been motivated to monitor traffic with a device profiler to identify vulnerable hosts in a network security system (Keanini, [Abstract]).

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Amoudi et al. (US20210014198A1, hereinafter, “Amoudi”).
Regarding claim 27, El-Moussa/Levin teaches:
The method according to claim 1, 
The El-Moussa/Levin combination does not explicitly teach the following limitation(s); in the same field of endeavor, Amoudi teaches:
and further comprising determining that a given destination IP address in a given detected transmission corresponds to a mail server, and refraining from the protective action with respect to the given detected transmission (Amoudi, [0043] Since the OPES system 10 is hosted in a DMZ (behind firewalls), only specific IP addresses and specific port numbers will be allowed to communicate with the backend mail server 112 hosted in the computer network 1. And the mail server 112 can be configured to accept only email communications from a node having a predefined IP address such as, for example, the IP address for the email security gateway 14). Examiner notes that Amoudi's teachings suggest that, with the mail server configured to accept only email from a node having a predefined IP address, it would have been obvious to one of ordinary skill in the art that there is no need for the protective action.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Amoudi in the malicious behavior detection of El-Moussa/Levin by using an OPES system hosted in a DMZ that communicates with the email server. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter email messages destined for a computing resource with multilayer filtering (Amoudi, [Abstract], [0080]).

Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over the El-Moussa/Levin combination as applied above to claim 1, further in view of Rouvinen (US20200177625A1, hereinafter, “Rouvinen”).
Regarding claim 28, El-Moussa/Levin teaches:
The method according to claim 1, 
The combination of El-Moussa/Levin does not explicitly teach the following limitation(s); in the same field of endeavor, Rouvinen teaches:
and further comprising detecting a first given detected transmission to a given public IP address, detecting a second given detected transmission to the given public IP address and whose protocol comprises Simple Network Management Protocol, detecting a third given detected transmission to the given public IP address and whose protocol comprises Internet Control Message Protocol, and refraining from the protective action with respect to the first given detected transmission (Rouvinen, [0048] in some embodiment it is also possible to monitor source IP addresses in the data frames and to analyze if the IP addresses are correct ones or masqueraded, i.e. spoofed, IP addresses, which are not in use at all.  This kind of monitoring may be based on a utilization of a certain communication protocol procedure, such as ICMP, SNMP, HTTP, TCP SYN).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rouvinen in the malicious behavior detection of El-Moussa/Levin by monitoring traffic based on communication protocol procedures such as ICMP, SNMP, etc. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect DoS attacks based on monitoring communication protocols in order to protect communication networks against service attacks (Rouvinen, [Abstract], [0001], [0048]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this office action:
Reves (US20070064617A1) discloses a method for detecting nodes in an enterprise network infected with aberrant code, where traffic conversation information representative of traffic conversations in the enterprise network over an analysis period is analyzed to identify suspected infected nodes.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436