DETAILED ACTION
This office action is in response to the application filed on 10/23/2020.  Claim(s) 1-20 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Applicant’s priority claim is hereby acknowledged of Indian Application 202041027783 filed 06/30/2020, which papers submitted under 35 U.S.C. § 119(a)-(d) have been placed of record in the file.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4-6, 8-10, 12-14, 16-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Venkataswami et al. (US 2020/0267167 A1), in view of Medvedovsky et al. (US 2021/0194903 A1). 

Regarding claims 1, 9, and 17, Venkataswami teaches:
“A method of detecting and preventing attacks in a network (Venkataswami, ¶ 30 and 34 teach implementations of the given method using a processor, memory and medium to execute method steps), comprising:
	receiving network traffic statistics of a system (Venkataswami, ¶ 46-47 with particular attention to Ln. 24-26 as well as ¶ 50 and 90 teach capturing network traffic data statistics for analysis);
	determining a set of features of the system based on the network traffic statistics (Venkataswami, ¶ 47-50 teach determining the frequency of various features of the network traffic data which are indicative of attacks);
	inputting the set of features to a classification model (Venkataswami, Fig. 8D, ¶ 94-95 and 97, network information captured from SNMP proxy is sent to deep learning classifier) that has been trained using historical features associated with labels indicating whether the historical features correspond to attacks (Venkataswami, ¶ 48-50, deep learning classifying labels data as malicious or not using historical and validated data to train the deep learning classifier);
	receiving, as output from the classification model, an indication of whether the system is a target of an attack (Venkataswami, ¶ 90, 94-95 and 97, output of the deep learning classifier indicates whether various types of attacks are occurring);
	performing an action to prevent the attack (Venkataswami, ¶ 97, an alert is sent to mitigate the attack)”.
Venkataswami does not, but in related art, Medvedovsky teaches:
	“receiving additional statistics related to the system (Medvedovsky, ¶ 71-89, various network telemetry information is captured including IP source and destination information of ongoing traffic including rate based and rate invariant features);
	analyzing, in response to the indication that the system is the target of the attack, the additional statistics to identify a source of the attack (Medvedovsky, ¶ 90-91, a list of source IPs of client devices that triggered detection of the anomalies is created and challenges are sent to each to identify the attacker); and
	performing an action to prevent the attack based on the source of the attack (Medvedovsky, ¶ 91, the traffic from the offending IP source is blocked)”.
	Before applicant’s earliest effective filing, it would have been obvious to one of ordinary skill in the art, having the teachings of Venkataswami and Medvedovsky, to modify the SNMP network traffic attack detection system of Venkataswami to include the method to detect sources of attack and mitigate sources of attack as taught in Medvedovsky.  The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.
 
Regarding claims 2, 10, and 18, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above), wherein the network traffic statistics comprise simple network management protocol (SNMP) statistics (Venkataswami, ¶ 39, 41-42, and 52 describe that SNMP data is used to create statistics for analysis of the attack)”.

Regarding claims 4, 12, and 20, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above), wherein the additional statistics comprise one or more of:
	resource utilization information (Medvedovsky, ¶ 71-80, various network telemetry information is captured and used to determine if an anomalous flow is detected which indicates network utilization)”.

Regarding claims 5 and 13, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above), wherein analyzing the network traffic statistics and the additional statistics to identify the source of the attack comprises one or more of:
	determining whether the additional statistics indicate any anomalies related to the system, wherein an anomaly comprises a deviation from an expected range for a given statistic (Medvedovsky, ¶ 71-90, various network telemetry information is captured and used to determine if an anomalous flow is detected)”.

Regarding claims 6 and 14, Venkataswami in view of Medvedovsky teaches:
“The method of claim 5 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above), wherein analyzing the network traffic statistics and the additional statistics to identify the source of the attack further comprises determining a source address of a connection for which an anomaly is determined based on the additional statistics (Medvedovsky, ¶ 70-91, a list of source IPs of client devices that triggered detection of the anomalies is created and challenges are sent to each to identify the attacker)”.

Regarding claims 8 and 16, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above), wherein performing the action to prevent the attack based on the source of the attack comprises one or more of: 	applying a firewall (Venkataswami, ¶ 94 teaches that the firewall can block traffic so long as it knows what traffic to block.  Medvedovsky, ¶ 91 further teaches blocking malicious traffic in a DDOS attack where it knows the source or sources of the attack); or 
notifying a management entity of the source of the attack (Venkataswami, ¶ 97 alerts are sent to the console of the management device for prevention and mitigation.  Medvedovsky, ¶ 91 further teaches sending alerts in a condition where it knows the source of the attack)”.

Claim(s) 3, 11, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Venkataswami, in view of Medvedovsky, in view of Chen et al. (US 2017/0024660 A1).
Regarding claims 3, 11, and 19, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above)”.
Venkataswami in view of Medvedovsky does not, but in related art, Chen teaches:
	“wherein determining the set of features of the system based on the network traffic statistics comprises selecting a subset of the network traffic statistics to provide as inputs to the classification model based on an input selection algorithm (Chen, ¶ 105-107 teaches a network anomaly detection system which takes a functioning classifier and takes a reduced feature set into the classifier to create a leaner higher performance classifier that still accomplishes the appropriate level of accuracy)”.
	Before applicant’s earliest effective filing, it would have been obvious to one of ordinary skill in the art, having the teachings of Venkataswami, Chen, and Medvedovsky, to modify the SNMP network traffic attack detection system of Venkataswami and Medvedovsky to include the method to use a classifier culling method which improves the performance of the classifier for network anomaly detection as taught in Chen.  The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Claim(s) 7 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Venkataswami, in view of Medvedovsky, in view of Galbreath et al. (US 2021/0359978 A1).
Regarding claims 7 and 15, Venkataswami in view of Medvedovsky teaches:
“The method of claim 1 (Venkataswami in view of Medvedovsky teaches the limitations of the parent claims as discussed above)”.
Venkataswami in view of Medvedovsky does not, but in related art, Galbreath teaches:
	“wherein the classification model comprises a random forest classifier (Galbreath, ¶ 1 and 102, teaches an attack detection system using a random forest classifier)”.
	Before applicant’s earliest effective filing, it would have been obvious to one of ordinary skill in the art, having the teachings of Venkataswami, Galbreath, and Medvedovsky, to modify the SNMP network traffic attack detection system of Venkataswami and Medvedovsky to include the method to use a random forest classifier for attack detection as taught in Galbreath.  The motivation to do so is applying a known technique to known devices and/or methods ready for improvement to yield predictable results.

Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435