DETAILED ACTION
The following claims are pending in this office action: 1-14
The following claim is amended: 9
The following claims are new: -
The following claims are cancelled: -
Claims 1-14 are rejected. This rejection is FINAL.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Previous Rejection Withdrawn
The 35 U.S.C. 112 rejection to claim 9 is withdrawn based on the amendment. 
Interview
In the interest of expedited prosecution, the Examiner recommends conducting an interview before filing a response to the instant Office action.  Such an interview would help foster a mutual understanding of the respective positions of the parties and assist in identifying allowable subject matter or issues for appeal.  If the Applicant agrees that an interview would be beneficial, please contact the Examiner to schedule one.
RESPONSE TO ARGUMENTS
Applicant’s arguments filed in the amendment filed 05/18/2022 have been fully considered but are not persuasive.  The reasons are set forth below.
Applicant’s position is that the searched prior art does not teach a number of elements in the instant application: 
In particular, the Applicant explains that Tews does not teach a packet arrival curve (PAC) and other elements.  Applicant explains:
While Tews recites that “the data collected…include… packet loss… and jitter measurements…”, packet loss and jitter are not the same as packet arrival.   
Nor does Tews teach or suggest detection of a compromised data stream based upon packet arrival, 
much less detection based upon a packet arrival curve (PAC) associated with a router of an IP core.  
Nor does Tews disclose or suggest that a router has an associated PAC…
Tews does not teach or suggest that the bounds are a packet arrival curve.   

Furthermore, Applicant asserts that Chaves does not teach a router determines a compromised packet stream, a destination packet latency curve (DLC), and other elements.   Applicant explains: 
…while the proposed router architecture of Chaves includes collision point router detection (CPRD) and collision point direction detection (CPDD) … Chaves does not teach or suggest that the routers of the IP cores determine a compromised packet stream.
Moreover, the Abstract of Chaves … teaches away from the use of routers for the determination of Chaves.  
Chaves does not teach or suggest that the routing graph is a destination packet latency curve (DLC).
much less includes packet latency associated with an IP core.

Furthermore, Applicant asserts that Talmor does not teach “transmitting, by the router, a notification message indicating that the candidate IP core is the potential attacker to a router of the candidate IP core”.   Applicant explains: 
Talmore does not teach or suggest that the “modified” response is a notification indicating that the attacker is a potential attacker.  

Furthermore, Applicant asserts that Kommareddy does not teach a “transmitting, by the router, a notification message indicating that the candidate IP core is the potential attacker to a router of the candidate IP core”.  Applicant explains: 
Kommareddy does not disclose or suggest that the flow identifier is a notification message indicating that the alleged IP core (i.e. the client) is a potential attacker of a compromised packet stream.
Nor does Kommareddy teach or suggest that flow identifier is transmitted to the alleged IP core (i.e., the client) or that a flag corresponding to a port in a router of the client is updated.  
Nor has the Office Action explained how the alleged flag of Chaves (i.e., the all_attackers variable in algorithms 1 and 2) would be modified by the teachings of Kommareddy.  

Furthermore, Applicant asserts that Kommareddy does not teach “monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time”.  Applicant explains:
Kommareddy does not teach or suggest that the bins are the same flag as previously alleged.
Kommareddy does not teach or suggest that the packets are notification messages
Or that the counter is updated in response to a notification message

Furthermore, Applicant asserts that Kommareddy does not teach “after the predefined period of time, transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker”.  Applicant explains:
Kommareddy does (not) teach or suggest that a verification is sent by a router of an IP core indicating that the IP core is the potential attacker
Kommareddy does not teach or suggest that the rendezvous node is the attacker

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
See MPEP 2141, Section II.
Claims must be given their broadest reasonable interpretation in light of the specification.  See MPEP 2111.  
 "A person of ordinary skill in the art is also a person of ordinary creativity, not an automaton." KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 421, 82 USPQ2d 1385, 1397 (2007). "[I]n many cases a person of ordinary skill will be able to fit the teachings of multiple patents together like pieces of a puzzle." Id. at 420, 82 USPQ2d 1397. Office personnel may also take into account "the inferences and creative steps that a person of ordinary skill in the art would employ." Id. at 418, 82 USPQ2d at 1396. Also see MPEP 2141.03.  

Tews
The features recited by the Applicant are within the scope and content of the prior art.  Applicant states in the remarks that Tews does not teach “detecting a compromised packet stream at least in part upon a packet arrival curve associated with the router”.  
In regards to “detecting a compromised packet stream…associated with a router”, Tews teaches “a controller 212 may communicate with the communication devices … to establish data flows”.  Tews, col. 7, ln. 21-22.  “If the data indicates that the traffic network parameter is outside the traffic network parameter is outside of the anomalous bounds, the one or more processors may determine that the network is functioning abnormally”. Tews, col. 11, ln. 46-49.  “FIG. 11 illustrates a block diagram of a system 700 to monitor network traffic, identify a fingerprint, and use the fingerprint to detect an anomaly according to any suitable embodiments described within…The embodiments herein may be implemented in a network switch, router, security gateway, firewall, communication controller, or the like.” Tews, col. 11, ln. 61 to col. 12, ln. 1.  From these teachings, Tews teaches system 700: a controller/router that detects an anomaly.  The anomaly is a traffic network parameter.  The network traffic parameter is data from data flows.  Thus, it follows that the anomaly is an anomalous data flow.  As the controller/router detects an anomalous data flow, in the broadest interpretation of the phrase “compromised packet stream”, the controller/router detects a compromised packet stream.  
In regards to “at least in part upon a packet arrival curve”, Tew teaches “the jitter measurements may be made with nonparametric statistics to prevent reliance on a pre-determined parametric model.  The non-parametric statistics may be used because a unique shape of the distributions may be deemed as fingerprints”.  Col. 8, ln. 42-45.   “FIG. 11 illustrates a block diagram of a system 700 to monitor network traffic, identify a fingerprint, and use the fingerprint to detect an anomaly”.  Col. 11, ln. 60-62.  “With the measurable fingerprints identified, normal and abnormal conditions may be identified”.  Thus, jitter is used to create a unique shape of the distributions.  Col. 9, ln. 29-30.  “Fig. 8 illustrates a graph 380 with the present distribution 376 with portions 382 and 384 falling outside the bounds 372 and 374, thus indicating a network anomaly.  The bounds 372 and 374 may generally follow the curvature of the baseline distribution”.  Col. 9. ln. 59-63.  Thus, the compromised stream is determined based on a curve that is created based on jitter.  Fig. 5 and Fig. 6 is titled “Timing Delay Distribution per Hour”.  “Server-centric determinism may be measured by calculating delay between polling messages sent from the server 302 to unique client devices… Client determinism is measured by calculating the delay from when the client 304 receives the message 306 until the client 304 sends the response message 308 to the server 302”.   Jitter is determined by calculating packet delay, synonymous with “packet arrival”.  As the anomaly is detected upon using a jitter curve, Tew teaches “detecting a compromised packet stream at least in part upon a packet arrival curve associated with the router”.  

In considering the prior art references as a whole, there is no substantive difference between the claim limitations at issue and the prior art.  First, Applicant asserts jitter is not the same as packet arrival.  Applicant’s argument is inconsistent with the written description of the instant application.  Para. 0039 of the instant application states “The jitter can correspond to the variation of delays.   The upper PAC bound for a packet stream Pr with maximum possible jitter Jp…”.  Like Tew, the instant application is using a fingerprint of jitter (maximum possible jitter for the system) and finding an abnormality when the jitter measured exceeds the jitter fingerprint.  Furthermore, the definition of jitter is consistent with packet arrival.  See:  https://www.ciscopress.com/articles/article.asp?p=606583&seqNum=2.  Jitter is defined as “variation of Packet Arrival Time.”  Accordingly, Applicant’s argument is not convincing.  
Applicant also asserts that Tews does not teach detection of a compromised data stream based upon packet arrival.  Claims must be given their broadest reasonable interpretation in light of the specification.  Tews, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “detection of a compromised data stream based upon packet arrival”.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.
Applicant also asserts that Tews does not teach detection based upon a packet arrival curve (PAC) associated with a router of an IP core.  However, as stated above, Tews does teach a packet arrival curve associated with a router.  A router of an IP core was taught by Chaves (see pg. 2: “Network-on-Chip (NoCs) are the communication structure choice for MPSoCs that integrate a large amount of IP cores.  NoCs integrate routers and links to exchange information being wrapped as packets”).  The Examiner uses Tews to teach detection based upon a packet arrival curve associated with a router that may be integrated with the router of Chaves.  In response to Applicant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Applicant also asserts that Tews does not teach or suggest “that the bounds are a packet arrival curve”.  A “packet arrival curve” or PAC is not interpreted to be a term of art that is restricted to the curve specified by Fig. 5 of the instant application.  Claims must be given their broadest reasonable interpretation in light of the specification.   Accordingly, if Applicant desires for more specific interpretation for a PAC, Applicant is encouraged to make clear the exact meaning of PAC by edits to the claim language.  Tews, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “a packet arrival curve”.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.

Chaves
The features recited by the Applicant are within the scope and content of the prior art.  Applicant states in the remarks that Chaves does not teach 1) “that the routers of the IP cores determine a compromised packet stream”; 2) “that the routing graph is a destination packet latency curve (DLC)”; and 3) “that the routing graph…includes packet latency associated with an IP core”.  
In regards to “detecting, by a router of an intellectual property (IP) core … a compromised packet stream”, Chaves teaches “the MPSoC internal communication infrastructure which performs the data exchange among IP cores”.  Pg. 2, ln. 12-13.  “NoCs integrate routers… to exchange information being wrapped as packets”.  Thus, the router is the internal communication structure of the IP core which exchanges information wrapped as packets.  “Figure 10 depicts the addition of the proposed CPRD DoS Monitor to the router’s data path.  By adding the CPRD DoS monitor before each of the five FIFOs of each router, a NoC is able to distributivity monitor DoS attacks and to locate the router where the attacker’s traffic enters the sensitive communication path”.  Pg. 12, second para.  “…we propose a low cost mechanism for detecting the location and direction of the interference, by enhancing the communication packet structure and placing communication degradation monitors in the NoC routers.” Pg. 1 abstract.  Thus, the Chaves reference teaches a monitor inside a router of an IP core that locates the router where the attacker’s traffic enters.  Traffic is synonymous with packet stream.  The attacker, by inserting the attacker’s traffic, results in a “compromised PE” (an IP core – see pg. 2, ln. 9-11), and so the attacker’s traffic is a “compromised stream”.  Thus, Chaves teaches “detecting, by a router of an intellectual property (IP) core … a compromised packet stream”.  
In regards to “a destination packet latency curve (DLC)”, Chaves teaches “The firmware of the MPSoC-powered IoT device will calculate the packets’ end-to-end latency upon their arrival using the packets’ generation time-stamp”.  Pg. 12, third para. Fig. 15 of Chaves shows “End-to-End latency vs attacker’s packet length for different attack sources (XY Routing)”.  As shown, the graph describes latency in the Y-axis.  The graph also describes the attacker location (AL) in the Z-axis in relation to the detecting router ([Pg. 16, first para.] “Regarding the location of the attacker, as shown in Figure 15, the highest sensitive End-to-End transmission delays were caused when injecting the malicious traffic into the routers closest to the sensitive destination”).  The routing graph “enables the tool to use graph algorithms for finding paths between any source and destination”.  Pg. 7, second para.  Taken together, as AL is representative of the path between the source and destination, Fig. 15 shows a graph latency (Y-Axis) vs. the AL (Z-axis) (see text on Fig. 14: AL is an “illustration of different malicious path length”) from the attacker node to the destination node vs. attacker packet length (X-Axis).  Thus, taken together, the compromised PE is localized using Fig. 15 of Chaves, a graph of packet end-to-end latency vs. path length.  
	In regards to “destination packet latency curve (DLC) associated with the IP core”, Chaves teaches that “experiments were done … placing the attack source in different routers of the NoC (router connected to the infected PE)”.  As the experiments for generating the DLC curve were done by placing the attack source in the NoC which contains the router associated with the IP core (see above), the DLC is associated with the IP core.   
	
In considering the prior art references as a whole, there is no substantive difference between the claim limitations at issue and the prior art.  First Applicant asserts Chaves does not teach or suggest that the routers of the IP cores determine a compromised packet stream. Claims must be given their broadest reasonable interpretation in light of the specification.  Chaves, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “detecting, by a router of an intellectual property (IP) core … a compromised packet stream”.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.  
Applicant also asserts Chaves teaches away from the use of routers for the determination of a compromised IP core/packet stream.  Applicant quotes the Chaves as to teach away from the use of routers, but Chaves is simply stating the state of the prior art and how the methods of Chaves improve on the “countermeasures” to make it so they do not lead “to a significantly increased router complexity and to a high degradation of the MPSoC’s performance”.  In the abstract quoted by the Applicant, Chaves states “we propose a low-cost mechanism for detecting the location and direction of the interference, by enhancing the communication packet structure and placing communication degradation monitors in the NoC routers”.   The degradation monitor itself is a detection method countermeasure, and so it is impossible that Chaves teaches away from the use of detection methods to detect a compromised packet stream.  "The prior art’s mere disclosure of more than one alternative does not constitute a teaching away from any of these alternatives because such disclosure does not criticize, discredit, or otherwise discourage the solution claimed…." In re Fulton, 391 F.3d 1195, 1201, 73 USPQ2d 1141, 1146 (Fed. Cir. 2004).  In this case, none of the alternatives (the teachings of Tews, Talmor, or Kommareddy) is disclosed by Chaves let alone criticized, discredited, or discouraged.  
Applicant also asserts Chaves does not teach or suggest that the routing graph is a destination packet latency curve (DLC). A “destination packet latency curve” or DLC is not interpreted to be a term of art that is restricted to the curve specified by Fig. 6A/6B of the instant application.  Claims must be given their broadest reasonable interpretation in light of the specification.   Accordingly, if Applicant desires for a more specific interpretation for DLC, Applicant is encouraged to make clear the exact meaning of DLC by edits to the claim language.  In Chaves, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “a destination packet latency curve (DLC)”.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.  
Applicant also asserts Chaves does not teach or suggest a packet latency associated with an IP core.  In Chaves, as connected above, and as originally stated in the 103 rejection below, contain the limitation a latency curve associated with an IP core.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.  

Talmore
The features recited by the Applicant are within the scope and content of the prior art.  Applicant states in the remarks that Talmore does not teach “a notification indicating that the attacker is a potential attacker”.  
Talmore teaches “The security module 210 may analyze to identify anomalies indicative to the module 210 that there may be an attack”.  Col. 7, ln. 17-19.  “Upon identifying suspected network attacks…the security module 210 sends a ‘modified’ response back to the potential attacker”.    Col. 7, ln. 27-35.  As the security module sends response (a notification) only when there may be a potential attacker (i.e. not when there is no attacker, or when there is a confirmed attacker), the response is “a notification indicating that the attacker is a potential attacker”.   

In considering the prior art references as a whole, there is no substantive difference between the claim limitations at issue and the prior art.  Applicant asserts that a modified response with a challenge is not the same as a notification.  The specification of the instant application is silent to the meaning of a “notification”.  A notification is defined by the Oxford English Dictionary as “an automated message sent by a computer program to alert or notify the user of something”.  See https://www.oed.com/view/Entry/ 128600.  Likewise, the response of Talmore is a message: “response… may take the form of one or more TCP/IP data packets” (see col. 5, ln. 6-12); packet is synonymous with message: http://www.tcpipguide.com/free/t_MessagesPacketsFramesDatagramsandCells-2.htm.  The response is sent automatically: see col. 9, ln. 16-18.  The response is “indicative to the module 210 that there may be an attack”.  See col. 7, ln. 18-19.  The module is used by a user (see col. 5, ln. 42-50).  The response, thus, is an automated message sent by a computer program to notify the user of an attack, or a notification.  Accordingly, applicant’s argument is not convincing.  

Kommareddy
The features recited by the Applicant are within the scope and content of the prior art.  In particular, Kommareddy teaches “a flow identifier of suspect flows each having a number of the outgoing packets exceeding by a predetermined value a number of the incoming packets is determined”.  Para. 0026. “The flow identifier unit 1122 extracts from the packet… the flow identifier”.  Para. 0104.  The flow identifier is therefore a packet, which is synonymous with a notification message.  “…the present invention monitors … traffic flows in a communication network to identify flows not conforming to the network transmission protocol, which is an indication of a DoS attack”.  Para. 0004.  “… a traffic ‘flow’ generally refers to a stream of data packets emanating from the same source node…”.  Para. 0006.  As “suspect flows” emanates from the same source node, the node is a suspect node, and indicates a “potential attacker”.  “Each flow … is an equally likely candidate”.  Para. 0075.  Thus, Kommareddy teaches all source 
    PNG
    media_image1.png
    515
    448
    media_image1.png
    Greyscale
nodes are candidates, and a flow identifier indicates that a candidate is a potential attacker node.   “Flow scores are calculated… The last monitor on the path … may perform detection processing… using the flow identifier in the flow records”.  Para. 0078.  The process of detection processing is shown in Fig. 22.  Para. 0050.  The relevant portions are extracted and shown on the left.  A flag is set if the flow score exceeds a threshold a number of times greater than an anomaly count threshold.  As the determination is performed using the flow identifier, the flag is set (updated as it was not set previously) in response to the identifier.  Thus, “in response to the notification message indicating that the candidate is the potential attacker, updating a flag” is taught by Kommareddy.  
Kommareddy also teaches “the monitor accesses packets of the router using line taps … that is deployed at ports”.  Para. 0062. “The term ‘flow’ in the context of the present invention refers to a stream of data packets…”.  Para. 0063.  Thus, as the flow and corresponding flow identifier that determines the flow score refers to packets that are accessed by line taps deployed at ports, Kommareddy teaches that the flag is corresponding to a particular port at a router of a particular node.  
	Kommareddy also teaches detection processing as the last monitor “produces the final and correct suspect list… which is reported as the attacker”.  Para. 0080.  As detection processing comprises setting a flag (see above, Fig. 22, and para. 0050), Kommareddy teaches “the flag indicating that the candidate is the potential attacker”.  
	Kommareddy also teaches “at predefined rehash intervals, each monitor resets all its bin counters”.  Para. 0083.  Furthermore, “At time index 10… time index 20… time index 30… time 40… at time 50” (predefined period) indicates “counters corresponding to the attacks” are incremented/decremented.  Para. 0123.  Thus, the counter flow score associated with the flow IDs are incremented/decremented at some predefined period of time.  Furthermore, “by analyzing the counters, the attacks can be detected”.  Para. 0123.  Thus, a candidate is confirmed to be an attacker after a predefined period of time (time 50).  “the monitor at the rendezvous node reports the result of these intersections as attacks to the detection system”.  Para. 0078. Therefore, a result of determined attacks (verification message) is reported (transmitted) to the detection system.  As the report is generated after time 50, Kommareddy teaches “after a predefined period of time, transmitting a verification message confirming the candidate is an attacker”.  

In considering the prior art references as a whole, there is no substantive difference between the claim limitations at issue and the prior art.  Applicant asserts “Kommareddy does not disclose or suggest that the flow identifier is a notification message indicating that the alleged IP core (i.e. the client) is a potential attacker of a compromised packet stream”.  First, as explained above, the Examiner uses Kommareddy to disclose a notification message indicating that the candidate node is the potential attacker.  Similar to Talmore, the packets are messages that, through a series of steps as described above and, in the rejection below, report (notify) to the detection system an attack.  The attack is performed by a node which is associated with a particular router.  See para. 0061 of Kommareddy.  The node as an IP core that may be a potential attacker was taught by Chaves (see pg. 2: “Network-on-Chip (NoCs) are the communication structure choice for MPSoCs that integrate a large amount of IP cores.  NoCs integrate routers and links to exchange information being wrapped as packets”; “attacks typically originate from infected IP cores”).  In response to Applicant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
	Applicant asserts “nor does Kommareddy teach or suggest that the flow identifier is transmitted to the alleged IP core (i.e., the client)”.  Kommareddy is used to teach that a flow identifier, as a notification, is used to update a flag indicating that the candidate IP core is the potential attacker.  The process of the notification transmitted to a router was taught by Talmor (see col. 4, ln. 55-64 of Talmor: “the network traffic management device 110 is coupled to network 108 by… intermediate network devices, such as routers…”; [col. 3, ln. 60-61] “… intermediate network devices may act as links within… LANS”).  The router as a router of an IP core was taught by Chaves.  In response to applicant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
	Applicant asserts “nor does Kommareddy teach or suggest … that a flag corresponding to a port in a router of the client is updated”.  Claims must be given their broadest reasonable interpretation in light of the specification.   Kommareddy, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “updating a flag corresponding to a port in a router”.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.
	Applicant asserts “nor does has the Office Action explained how the alleged flag of Chaves (i.e., the all_attackers variable in algorithms 1 and 2) would be modified by the teachings of Kommareddy”.  Claims must be given their broadest reasonable interpretation in light of the specification.   Kommareddy, as connected above, and as originally stated in the 103 rejection below, contain the limitation of “updating a flag corresponding to a port in a router”.  Additionally, Examiner explained in the Office Action that the flag of Chaves would be modified in accordance with Fig. 22 of Kommareddy to be updated upon determining a flow identifier/notification message that identifies a potential attacker.  The specifics, as detailed above, involve counters associated with the flow identifier which are determined to exceed an anomalous threshold.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.
	Applicant asserts Kommareddy does not teach or suggest “that the bins are the same flag as previously alleged”.  However, Kommareddy discloses that the bins are used to determine the score which is used to determine the flow.  That the bin uses a predefined interval each new round of detection necessitates the flag is accordingly updated.  “… for the interval ending at time index t, the procedure (attacker determination) is entered”.  See para. 0075, and Fig. 17 of Kommareddy.  “At each interval t, the process is entered at block 2202”.  See para. 0148 and Fig. 22.  “Each time a monitor processes an outgoing packet, it determines if the ratio (anomaly count) of the corresponding bins outgoing counter (score counter) to its incoming counter (detec_threshold) exceeds a pre-defined attack threshold (anomaly count threshold) … if so, the monitor flags the bin”.  See para. 0072.  Thus, the flagged bin corresponds to the flag previous alleged.  Accordingly, Applicant’s argument is not convincing.
	Applicant asserts Kommareddy does not teach or suggest “that the packets are notification messages”.  However, the packets and corresponding flow identifiers are messages (see http://www.tcpipguide.com/free/t_MessagesPacketsFramesDatagramsandCells-2.htm) which serve to automatically report/notify the system of an attack, consistent with the dictionary definition of a notification message.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.

    PNG
    media_image2.png
    373
    225
    media_image2.png
    Greyscale
	Applicant asserts Kommareddy does not teach or suggest “that the counter is updated in response to a notification message”.  However, Kommareddy clearly discloses that counters are updated by sampling packets containing the flow identifier (the notification message).  See Fig. 5 and para. 0104. The relevant portion of Fig. 5 is extracted and displayed on the right.  As shown, without sampling the packets, the counters would not be updated.  Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Accordingly, Applicant’s argument is not convincing.
	Applicant asserts Kommareddy does not “teach or suggest that a verification is sent by a router of an IP core indicating that the IP core is the potential attacker”.  Kommareddy is used to teach that a verification is sent by a router.  The router as a router of an IP core, and that the IP core is a potential attacker is taught by Chaves (see pg. 2: “Network-on-Chip (NoCs) are the communication structure choice for MPSoCs that integrate a large amount of IP cores.  NoCs integrate routers and links to exchange information being wrapped as packets”; “attacks typically originate from infected IP cores”).  In response to Applicant’s arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).  
	Applicant asserts Kommareddy does not “teach or suggest that the rendezvous node is the attacker”.  However nowhere in the claims is there a limitation that the last/rendezvous node/ip core is to report that it is the attacker”.  Though understanding the claim language may be aided by explanations contained in the written description, it is important not to import into a claim limitations that are not part of the claim. For example, a particular embodiment appearing in the written description may not be read into a claim when the claim language is broader than the embodiment. Superguide Corp. v. DirecTV Enterprises, Inc., 358 F.3d 870, 875, 69 USPQ2d 1865, 1868 (Fed. Cir. 2004).  Accordingly, Applicant’s argument is not convincing.

A person of ordinary skill in the in the pertinent art would have been able to use prior art references cited.  If the only facts of record pertaining to the level of skill in the art are found within the prior art of record, the court has held that an invention may be held to have been obvious without a specific finding of a particular level of skill where the prior art itself reflects an appropriate level. Chore-Time Equipment, Inc. v. Cumberland Corp., 713 F.2d 774, 218 USPQ 673 (Fed. Cir. 1983). See also Okajima v. Bourdeau, 261 F.3d 1350, 1355, 59 USPQ2d 1795, 1797 (Fed. Cir. 2001). At the time of filing, it would have been obvious to use the prior art cited to satisfy the amended limitations.  Thus the invention, as claimed, would be within the level of ordinary skill in the art.  
The Applicant has not provided any objective indicia of nonobviousness in the record to be considered, and it is assumed that there are no secondary considerations supporting nonobviousness.
In conclusion, the Applicant’s arguments are not persuasive.  The Graham factors, as analyzed above, support a finding that the amended claims are within the metes and bounds possessed by the public.  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves et al. "DoS attack detection and path collision localization in NoC-based MpsoC architectures;" Journal of Low Power Electronics and Applications 9.1; February, 2019 (hereinafter “Chaves”) in view of Tews et al. (US Patent No. 11,165,802) (hereinafter “Tews”), and in view Talmor et al. (US Patent No. 10,721,269) (hereinafter “Talmor”).

As per claim 1, Chaves teaches a method for detection and localization of denial-of-service (DoS) attacks, comprising: detecting, by a router of an intellectual property (IP) core in a network-on- chip (NoC) based system-on-chip (SoC) architecture, [a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router]; ([Chaves, Fig. 2; pg. 2, para. 4-8; pg. 3, para. 2] multi-Processors System-on-Chips implemented as Networks-on-Chip is disclosed which includes the processor intellectual property core and associated routers as a system to detect denial of service attacks, identify the collision point of malicious and sensitive data, and find the direction from which the malicious packets enter the sensitive path.  [Fig. 10; pg. 12, para. 2] Figure 10 depicts the addition of a communication degradation monitor in the NoC router to locate the router where the attacker’s traffic enters the sensitive communication path.  Detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router is taught by Tews below)
identifying, by the IP core, ([Chaves, pg. 2, para. 4] the processing elements are processors used by the NoC to process and store information; [pg. 1, abstract] the information evaluated includes information to narrow down a location of an DoS attacker) a candidate IP core in the NoC as a potential attacker based at least in part upon a destination packet latency curve (DLC) associated with the IP core; and ([pg. 12, para. 3] a candidate attacker processing element/IP core is determined based on a packets’ end-to-end latency upon their arrival using the packets’ generation time-stamp.  If the latency is out of the acceptable latency range, the candidate attacker’s location is determined from the Max Latency Router Address and the Max Router Latency value [a destination latency]; [Pg. 7, para. 2] the candidate attacker’s location is determined by the use of Routing Graphs “a tool to use graph algorithms for finding paths between any source and destination [a destination latency curve associated with the IP core]; [Fig. 15] Routing graphs are generated include a curve with latency in the Y-Axis and a representation of the destination in the Z-axis [an illustration of different malicious path length – see description text on Fig. 14], making the graph a “destination latency curve”)
Chaves does not clearly teach detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router; and transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker.  
However, Tews teaches detecting a compromised packet stream ([Tews, col. 7, ln. 20-23; col. 11, ln. 46-49] the controller [router] communicates with devices [IP cores] to establish data flows and measure a traffic network parameter associated with the data flow [packets of the data stream – see col. 12, ln. 31-34] to detect if the network is outside the anomalous bounds and functioning abnormally [compromised]) at least in part upon a packet arrival curve (PAC) ([col. 8, ln. 42-51] to characterize the communications, multiple conversations [packets arrivals] including empirical distributions and jitter are measured to determine a fingerprint; [Fig. 8; col. 10] the fingerprint is a graphed curve [Fig. 8; col. 10] the fingerprint is a graphed curve of data collected by the communications controller including packet loss statistics [see col. 6, ln. 52-64]) associated with the router; ([Fig. 11; col. 9, ln. 59-67] the controller is implemented in a router)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves with the teachings of Tews to include detecting a compromised packet stream based at least in part upon a packet arrival curve (PAC) associated with the router.  One of ordinary skill in the art would have been motivated to make this modification because a deviation from the expected timing distribution of the measured fingerprint (the PAC) may indicate interesting events (such as a DoS attack) that may be used in an attempt to compromise system operation.  (Tews, col. 3, ln. 52-58)
Chaves in view of Tews does not clearly teach transmitting, by the router, a notification message indicating that the candidate IP core is the potential attacker to a router of the candidate IP core. 	However, Talmor teaches transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker ([Talmor, col. 5, ln. 20-33; col. 7, ln. 27-35] a network traffic management device [router] includes a security module that sends to a client device [a device capable of connection to other computing devices or candidate IP core – see col. 3, ln. 25-29] a modified response challenge [notification message]; the challenge indicates that the client device is a potential attacker) to a router of the candidate IP core.  ([Col. 4, ln. 55-64;] in an embodiment, between the network traffic management device and the client device is a router configured to connect the client device to the network, and so the challenge is sent to the router of the client device)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews with the teachings of Talmor to include transmitting, by the router a notification message, indicating that the candidate IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification because denial of service attacks mimic legitimate requests and the technique allows a security module to confirm whether a potential attacker is a legitimate requester or attacker.  (Talmor, col. 8, ln. 5-8)
	
As per claim 5, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Talmor does not clearly teach wherein the PAC comprises an upper bound for packet arrivals during a corresponding fixed time interval.
However, Tews teaches wherein the PAC comprises an upper bound ([Tewst, Fig. 8; col. 9, ln. 37-67] the PAC comprises an upper bound 372 of the fingerprint) for packet arrivals ([col. 12, ln. 31-34] the method uses data packets received from data flows to form the fingerprint) during a corresponding fixed time interval.  ([Col. 8, ln. 10-14] to facilitate network assessment timing characteristics of the network traffic of the communications systems is monitored. [Col. 9, ln. 4-28] the upper bound of the fingerprint corresponds to a limited time interval, i.e. 1 hour) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor with the teachings of Tews to include wherein the PAC comprises an upper bound for packet arrivals during a corresponding fixed time interval.  One of ordinary skill in the art would have been motivated to make this modification as creating a representative histogram with upper and lower bounds/baselines allows for more information about how baseline jitter measurements vary over time, and allow such jitter to be accounted for in the baseline.  (Tews, col. 10, ln. 52-56)

As per claim 6, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Talmor does not clearly teach wherein the compromised packet stream is detected based upon comparison of a current packet arrival count over the corresponding fixed time interval with the upper bound for the corresponding fixed time interval.  
However, Tews teaches wherein the compromised packet stream is detected based upon comparison of a current packet arrival count over the corresponding fixed time interval with the upper bound for the corresponding fixed time interval.  ([Tewst, Fig. 8, col. 9, ln. 59-62] a network anomaly [compromised packet stream – see col. 12, ln. 31-34] is detected based upon a comparison of portion 382 [current packet arrival count] falling outside the bounds of portion 372 [the upper bound for the corresponding fixed time interval])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews and Talmor for the same reasons as disclosed above.  

Claims 2-4 and 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Tews and Talmor as applied to claim 1 above, and further in view of Kommareddy et al. (US Pub. 2008/0028467) (hereinafter “Kommareddy”).

As per claim 2, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves also teaches [in response to the notification message] indicating that the candidate IP core is the potential attacker, updating a flag corresponding to a port in the router of the candidate IP core, the flag indicating that the candidate IP core is the potential attacker; and ([Chaves, pg. 7, para. 4; pg. 8, Algorithm 2] Algorithm 2 provides steps required to find all possible attacker suspect nodes [indicating the candidate IPs] by considering the collision router location by finding all the output ports on every minimal route path [corresponding to a port in the router] from the source [the source being candidate IPs] that can send packets to that port via the minimal path] to destination; the all_attackers flag is set in response to finding a suspect node. In response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker is taught by Kommareddy below)
[after a predefined period of time, transmitting a verification message] confirming that the candidate IP core is an attacker in response to the flag indicating that the candidate IP core is the potential attacker.  ([Chaves, pg. 13, para. 2] the firmware of the NoC extracts the direction information to narrow the suspects list [flag the candidate IP core – see pg. 8, Algorithm 2 where a candidate attacker is flagged] and localize [confirm] the compromised PE [that the candidate IP core is the potential attacker]. After a predefined period of time, transmitting a verification message confirming the candidate is an attacker is taught by Kommareddy below)
Chaves in view of Tews and Talmor does not clearly teach in response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker; and after a predefined period of time, transmitting a verification message confirming the candidate is an attacker.  
However, Kommareddy teaches in response to the notification message indicating that the candidate is the potential attacker, ([Kommareddy, para. 0026] the flow identifier of suspect flows [notification message] is transmitted from each of the routing nodes to a rendezvous node where a flow identifier of an attack flow is identified) updating a flag ([para. 0078; para. 0148; Fig. 22] the monitor on the rendezvous node updates a flag Y to identify an attacker) corresponding to a port, ([para. 0062] the routing nodes obtain the candidate attackers from packets received by line taps at ports of the router, and so the flag identifying an attacker corresponds to a port) the flag indicating that the candidate is the potential attacker; and ([para. 0080] the rendezvous node receives suspect flow lists from each of the routing nodes, setting flags indicating a candidate is a potential attacker, until all required suspect flow lists are obtained, producing a final and correct list, which is reported as an attacker)
after a predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists from the routing nodes are obtained by the rendezvous node, and the attacks can be detected) transmitting a verification message confirming the candidate is an attacker. ([Para. 0078] the rendezvous node analyzes the flow list to confirm the potential attacker, and then reports [transmitting a verification message] the confirmed attacker to the detection system) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews and Talmor with the teachings of Kommareddy to include in response to the notification message indicating that the candidate is the potential attacker, updating a flag corresponding to a port, the flag indicating that the candidate is the potential attacker; and after a predefined period of time, transmitting a verification message confirming the candidate is an attacker.  One of ordinary skill in the art would have been motivated to make this modification in order to distribute traffic monitors to allow adaptation to any topology in order to detect many types of DoS attacks efficiently and with minimal false positives.  (Kommareddy, para. 0051)

As per claim 3, Chaves in view of Tews and Talmor and further in view of Kommareddy teaches claim 2.  
Chaves does not clearly teach updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker. 
However, Kommareddy teaches updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker. ([Kommareddy, para. 0111; Fig. 22; Fig. 5] the rendezvous node updates the counter and as a result, the flag, in accordance to the packets received, and a net increment to a counter’s value over time indicates the presence of an attack flow along the set of flows mapped to that counter.  [Fig. 13; para. 0113] flow ID 1 is initially sent as a candidate attacker to the rendezvous node at sequence 1, and flow ID 2 [another IP core] is updated at sequence 16 [a second notification message] to be the potential attacker. [Fig. 15; para. 0123] the determination of an attack flow occurs during the arrival of a fixed number of sequences of packets from time 0 to time 50 [during the predefined period of time])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews and Talmor with the teachings of Kommareddy to include updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification as determining different attack flows [candidate attackers] during a rehash interval [predefined period of time] ensures that the new mapping state is not affected by the old mapping state, increases the probability of attack detection, and reduces the number of suspect flows.  (Kommareddy, para. 0081)

As per claim 4, Chaves in view of Tews and Talmor and further in view of Kommareddy teaches claim 2.  
Chaves also teaches [wherein the predefined period of time is based upon] communication latency between the router of the IP core and routers along a path of the compromised packet stream.  ([Chaves, pg. 12, para. 1] a time stamp is introduced to calculate end-to-end [between the router of the IP core and routers] latency of each packet [communication latency] to detect the existence of the DoS attack; [pg. 7, para. 4] for each output port, all the possible input ports that can forward packets to the IP core are checked, and so the latency of all routers along a path of the compromised packet stream are checked.  Wherein the predefined period of time is based upon communication latency is taught by Kommareddy below)
Chaves in view of Tews and Talmor does not clearly teach wherein the predefined period of time is based upon communication latency.  
However, Kommareddy teaches wherein the predefined period of time is based upon communication latency. ([Kommareddy, para. 0058; 0072] the counters are tested to map an incoming-to-outgoing traffic ratio representative of packet roundtrip time [communication latency]; [para. 0083] rehashing resets the counters to decouple flows from their flow aggregates, for example, to prevent the new traffic ratio mapping from being affected by the old traffic ratio mapping, and so the rehashing resets are based upon the communication latency; [para. 0127] the interval between periodic processing is larger than the roundtrip time)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews, Talmor and Kommareddy for the same reasons as disclosed above.  

As per claim 7, Chaves in view of Tews and Talmor teaches claim 1.  
Chaves in view of Tews and Talmor does not clearly teach wherein the DLC comprises mean and variance of latency distributions for different hop counts from the router.
However, Kommareddy teaches the DLC comprises mean and variance of latency distributions ([Kommareddy, Fig. 22; para. 0148] at step 2202 to step 2208, the mean and standard deviation of the anomalies are calculated and a score is updated to take into account the mean and standard deviation; [para. 0089] the scoring procedure estimates packet flow’s rate using the counts; [para. 0058-0059; para. 0075] score refers to an outgoing-to-incoming packet ratio that is representative of packet roundtrip time [destination latency curve]) for different hop counts from the router.  ([para. 0078] the monitor for each router node forwards the records it has received from its previous hop monitors, and so a different score is calculated for different hop counts from the router)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Tews and Talmor with the teachings of Kommareddy to include wherein the DLC comprises mean and variance of latency distributions for different hop counts from the router.  One of ordinary skill in the art would have been motivated to make this modification in order to determine attack flows which may be otherwise detected as statistical outliers.  (Kommareddy, para. 0130)

As per claim 8, Chaves in view of Tews and Talmor teaches claim 7.  
Chaves in view of Tews and Talmor does not clearly teach wherein the candidate IP core is identified as the potential attacker based upon a comparison of a current latency distribution with the mean and variance of the DLC.
However, Kommareddy teaches wherein the candidate IP core is identified as the potential attacker based upon a comparison of a current latency distribution with the mean and variance of the DLC.  ([Para. 0148-0149] at step 2208, the score [current latency distribution – see para. 0058-0059] is compared with the mean and variance of the flow that are used as a baseline for calculating scores.  If the resulting core is greater than the detection threshold, the candidate is identified as the potential attacker)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Tews, Talmor and Kommareddy for the same reasons as disclosed above.  

Claims 9-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Talmor and in view of Kommareddy.  

As per claim 9, Chaves teaches a method for detection and localization of denial-of-service (DoS) attacks, comprising: receiving, by a router of an intellectual property (IP) core in a network-on- chip (NoC) based system-on-chip (SoC) architecture, a notification message [indicating that the IP core is a potential attacker of a compromised packet stream]; ([Chaves, Fig. 2; pg. 2, para. 4-8; pg. 3, para. 2] multi-Processors System-on-Chips implemented as Networks-on-Chip is disclosed which includes the processor intellectual property core and associated routers as a system to detect denial of service attacks, identify the collision point of malicious and sensitive data, and find the direction from which the malicious packets enter the sensitive path.  [Fig. 10; pg. 12, para. 2] Figure 10 depicts the addition of a communication degradation monitor in the NoC router to locate the router where the attacker’s traffic enters the sensitive communication path.  [Pg. 11, para. 2] in addition to packets, the monitors also receive information regarding all the output requests and grants [notification messages].  Receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream is taught by Talmor below)
 [in response to the notification message], updating a flag corresponding to a port in the router, the flag indicating that the candidate IP core is the potential attacker; ([Chaves, pg. 7, para. 4; pg. 8, Algorithm 2] Algorithm 2 provides steps required to find all possible attacker suspect nodes [indicating the candidate IPs] by considering the collision router location by finding all the output ports on every minimal route path [corresponding to a port in the router] from the source [the source being candidate IPs] that can send packets to that port via the minimal path] to destination; the all_attackers flag is set in response to finding a suspect node. In response to the message, updating a flag corresponding to a port in the router, the flag indicating that the candidate IP core is the potential attacker is taught by Kommareddy below)
Chaves does not clearly teach receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream; in response to the message, updating a flag corresponding to a port in the router, the flag indicating that the IP core is the potential attacker; monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and after the predefined period of time, transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker.
However, Talmor teaches receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream.  ([Talmor, col. 5, ln. 20-33; col. 7, ln. 27-35] a network traffic management device includes a security module that sends a modified response [notification message] and a router [see col. 4, ln. 55-64] of a client device [a device capable of connection to other computing devices or candidate IP core – see col. 3, ln. 25-29] receives the modified response; the modified response indicates that the client device is a potential attacker of a compromised stream of data packets [see col. 4, ln. 33-38]) 
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves with the teachings of Talmor to include receiving, by a router a notification message indicating that the IP core is a potential attacker of a compromised packet stream.  One of ordinary skill in the art would have been motivated to make this modification because denial of service attacks mimic legitimate requests and the technique allows a security module to confirm whether a potential attacker is a legitimate requester or attacker.  (Talmor, col. 8, ln. 5-8)
Chaves in view of Talmor does not clearly teach in response to the message, updating a flag corresponding to a port in the router, the flag indicating that the IP core is the potential attacker; monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and after the predefined period of time, transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker.
However, Kommareddy teaches in response to the message, ([Kommareddy, para. 0026] the flow identifier of suspect flows [message] is transmitted from each of the routing nodes to a rendezvous node where a flow identifier of an attack flow is identified) updating a flag ([para. 0078; Fig. 22] the monitor on the rendezvous node updates a flag Y to identify an attacker) corresponding to a port in the router, ([para. 0062] the routing nodes obtain the candidate attackers from packets received by line taps at ports of the router, and so the flag identifying an attacker corresponds to the port) the flag indicating that the IP core is the potential attacker; ([para. 0080] the rendezvous node receives suspect flow lists from each of the routing nodes, setting flags indicating a client [IP core] is a potential attacker, until all required suspect flow lists are obtained, producing a final and correct list, which is reported as an attacker)
monitoring for additional notification messages for a predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15; Fig. 22] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists [notification messages] from the routing nodes are obtained by the monitor of the rendezvous node, and the attacks can be detected) where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and ([para. 0111; Fig. 22] the rendezvous node updates the counter and as a result, the flag, in accordance to the sequences/packets [notification messages received].  [Fig. 15; para. 0123] the arrival of a fixed number of sequences of packets are from time 0 to time 50 [during the predefined period of time])
after the predefined period of time, ([Kommareddy, para. 0083; para. 0123; Fig. 15] after a predefined rehash interval/time 50 [a predefined period of time] all suspect flow lists from the routing nodes are obtained by the rendezvous node, and flags indicating attackers are set) transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker. [Para. 0078] the rendezvous node analyzes the flow list to set flags to confirm the potential attacker [see Fig. 22], and then reports [transmitting a verification message] the confirmed attacker to the detection system)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor with the teachings of Kommareddy to include in response to the message, updating a flag corresponding to a port in the router, the flag indicating that the IP core is the potential attacker; monitoring for additional notification messages for a predefined period of time, where the flag is updated in response to the additional notification messages that are received during the predefined period of time; and after the predefined period of time, transmitting a verification message confirming that the IP core is an attacker in response to the flag indicating that the IP core is the potential attacker.  One of ordinary skill in the art would have been motivated to make this modification as 1) distribute traffic monitors allows adaptation to any topology in order to detect many types of DoS attacks efficiently and with minimal false positives and 2) determining different attack flows [candidate attackers] during a rehash interval [predefined period of time] ensure that the new mapping state is not affected by the old mapping state, increases the probability of attack detection, and reduces the number of suspect flows.  (Kommareddy, para. 0051; para. 0081)

As per claim 10, Chaves in view of Talmor and Kommareddy teaches claim 9.  
Chaves in view of Talmor does not clearly updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker.
However, Kommareddy teaches updating the flag to indicate that another IP core is the potential attacker in response to receiving, during the predefined period of time, a second notification message indicating that the other IP core is the potential attacker.  ([Kommareddy, para. 0111] the rendezvous node updates the counter and as a result, the flag, in accordance to the packets received, and a net increment to a counter’s value over time indicates the presence of an attack flow along the set of flows mapped to that counter.  [Fig. 13; para. 0113] flow ID 1 is initially sent as a candidate attacker to the rendezvous node at sequence 1, and flow ID 2 [another IP core] is updated at sequence 16 [a second notification message] to be the potential attacker. [Fig. 15; para. 0123] the determination of an attack flow occurs during the arrival of a fixed number of sequences of packets from time 0 to time 50 [during the predefined period of time])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Talmor and Kommareddy for the same reasons as disclosed above.  

As per claim 11, Chaves in view of Talmor and Kommareddy teaches claim 9.  
Chaves also teaches wherein the notification message is received from a second router of a second IP core in the NoC that identified ([Chaves, pg. 2, para. 4] the processing elements are processors used by the NoC to process and store information; [Fig. 10, pg. 12, para. 2] the information processed is information [notification message] captured by a DoS monitor of a router downstream from the router of the attacker IP core [a second router of a second IP core – see pg. 4, sec. 3: Router Architecture]) the IP core as the potential attacker based at least in part upon a destination packet latency curve (DLC). ([pg. 3, para. 12] a potential attacker IP core is determined based on a packets’ end-to-end latency upon their arrival using the packets’ generation time-stamp.  If the latency is out of the acceptable latency range, the candidate attacker’s location is determined from the Max Latency Router Address and the Max Router Latency value [a destination latency]; [Pg. 7, para. 2] the candidate attacker’s location is determined by the use of Routing Graphs [a destination latency curve associated with the IP core])

As per claim 12, Chaves in view of Talmor and Kommareddy teaches claim 11.  
Chaves also teaches wherein the IP core is identified in response to the second router detecting the compromised packet stream.  ([Chaves, pg. 13, para. 2; Fig. 10] the downstream monitor extracts [detects] the direction information of the compromised stream to narrow the suspects list and localize [identify] the compromised PE [IP core])

As per claim 14, Chaves in view of Talmor and Kommareddy teaches claim 11.  
Chaves also teaches [wherein the predefined period of time is based upon] communication latency between the second router and routers along a path of the compromised packet stream.  ([Chaves, pg. 12, para. 1] a time stamp is introduced to calculate end-to-end [between the second router and routers along the path] latency of each packet [communication latency] to detect the existence of the DoS attack; [pg. 7, para. 4] for each output port, all the possible input ports that can forward packets to the IP core are checked, and so the latency of all routers along a path of the compromised packet stream are checked.  Wherein the predefined period of time is based upon communication latency is taught by Kommareddy below)
Chaves does not teach wherein the predefined period of time is based upon communication latency between the second router and routers along a path of the compromised packet stream. 
However, Kommareddy teaches wherein the predefined period of time is based upon communication latency.  ([Kommareddy, para. 0058; 0072] the counters are tested to map an incoming-to-outgoing traffic ratio representative of packet roundtrip time [communication latency]; [para. 0083] rehashing resets the counters to decouple flows from their flow aggregates, for example, to prevent the new traffic ratio mapping from being affected by the old traffic ratio mapping, and so the rehashing resets are based upon the communication latency; [para. 0127] the interval between periodic processing is larger than the roundtrip time)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Chaves, Talmor and Kommareddy for the same reasons as disclosed above. 

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Chaves in view of Talmor and Kommareddy as applied to claim 12 above, and further in view of Tews.  

As per claim 13, Chaves in view of Talmor and Kommareddy teaches claim 12.
Chaves in view of Talmor and Kommareddy does not clearly teach wherein the compromised packet stream is detected based at least in part upon a packet arrival curve (PAC) associated with the second router.
However, Tews teaches wherein the compromised packet stream is detected ([Tews, col. 7, ln. 20-23; col. 11, ln. 46-49] the controller [router] communicates with devices [IP cores] to establish data flows and measure a traffic network parameter associated with the data flow [packets of the data stream – see col. 12, ln. 31-34] to detect if the network is outside the anomalous bounds and functioning abnormally [compromised]) based at least in part upon a packet arrival curve (PAC) ([col. 8, ln. 42-51] to characterize the communications, multiple conversations [packets arrivals] including empirical distributions and jitter are measured to determine a fingerprint; [Fig. 8; col. 10] the fingerprint is a graphed curve of data collected by the communications controller including packet loss statistics [see col. 6, ln. 52-64]) associated with the second router; ([Fig. 11; col. 9, ln. 59-67; col. 1, ln. 45-50] the controller is implemented in a router that is the victim of an attack and so the router corresponds to the second router)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Chaves in view of Talmor and Kommareddy with the teachings of Tews to include wherein the compromised packet stream is detected based at least in part upon a packet arrival curve (PAC) associated with the second router.  One of ordinary skill in the art would have been motivated to make this modification because a deviation from the expected timing distribution of the measured fingerprint (the PAC) may indicate interesting events (such as a DoS attack) that may be used in an attempt to compromise system operation.  (Tews, col. 3, ln. 52-58)
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure:
Gross et al. (US Pub. 2017/0222976) discloses detecting a malicious intruder event using surveillance of network packet inter-arrival times (packet arrival) where a slope of the function (a packet arrival curve) provides a uniquely differentiating “fingerprint” for authenticated users vs. malicious users  one or more hops away.  
Beauford (US Pub. 2018/0020324) discloses comparing a hop count to a hop count threshold and comparing a latency to a latency threshold (together forming a destination packet latency) in order to determine that a device is within an approved boundary (a curve), where if the device is not within an approved boundary, the server may lock the device.  
Jayashankara Shridevi et al. " Runtime Detection of a Bandwidth Denial Attack from a Rogue Network-on-Chip;" Proceedings of the 9th International Symposium on Networks-on-Chip; September, 2015 discloses a curve that uses Proximal Analogous Packets that varies in hop count and network latency differential (latency) to determine any malicious activities.  
Chaves et al. " A Distributed DoS Detection Scheme for NoC-based MPSoCs;” 2018 IEEE Nordic Circuits and Systems Conference (NORCAS): NORCHIP and International Symposium of System-on-Chip (SoC); October, 2018 discloses a router for each IP core that compares a packet latency with a packet source/destination that allows detection of the injection point of DoS packets into the sensitive path.  
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493                                                                                                                                                                                                        
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493