DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 6/13/2022 has been entered. Claims 1-6, 8-14, 17, and 20 are currently amended. Claims 1-20 are pending in the application.
The objection to claims 1-2, 4, 6, 8-9, 11-14, and 17 due to informalities has been withdrawn. The objection to claim 10 is maintained as shown below.
Response to Arguments
Applicant's arguments, see pages 8-11 of the Remarks filed on 6/13/2022, with respect to the claim rejections under 35 USC 103 over the prior art of record have been fully considered but are moot in view of the newly applied prior art incorporated in the current Office action presented below.
Examiner acknowledges that applicant has amended independent claim 1 (and similarly claims 10 and 17) by adding underlined language reciting “temporarily dissociating an IP address …” and “reassociating, …, the IP address with the domain”, inter alia.
Applicant mainly argued that the cited prior art does not teach temporarily dissociating, and that Pham does not teach reassociating the dissociated IP address, a limitation of previous claim 3 now included in claim 1 (and similarly claims 10 and 17). Applicant specifically argued,
“The Office Action therefore turns to Pham and asserts that Pham teaches the limitations of previously presented claim 3. In that regard, Pham teaches "adding IP addresses to firewalls", and a "user interface ... to change a status of entry ... by unblocking a blocked IP address or ISP." See Abstract and paragraph [0033] of Pham. However, unblocking a blocked IP address is not the same as "reassociating, after the set of one or more request is determined to be associated with the malicious activity, the IP address with the domain", as acknowledged by Examiner Lee during the Interview.”

Examiner acknowledges applicant’s perspective but respectfully disagrees. First, regarding the interpretation of dissociating an IP address, examiner has indicated that under the guidance of BRI, “dissociating” an IP address is interpreted as blacklisting an IP address, since it is well known in the art that once an IP address is associated with a malicious act, the IP address may be added to a blacklist. This interpretation is consistent with applicant’s specification, see e.g. [Abstract]: “Methods and systems are presented for detecting and automatically blocking malicious traffic directed at a service provider. An IP address associated with a domain of the service provider is dissociated from the domain. Requests addressed to the IP address after it has been dissociated are identified as malicious and logged. IP addresses from which the malicious requests originated are blocked, …”. Examiner has reviewed applicant’s specification and finds no specific details of how dissociating an IP address is implemented. Second, Pham teaches unblocking a blocked IP address, which can be understood as associating (or reassociating) the IP address: since dissociating is interpreted as blocking (blacklisting) the IP address, unblocking can be understood as the opposite of dissociating, i.e. associating or reassociating.
Examiner further notes, regarding the applicant-initiated interview conducted 6/1/2022 concerning Pham’s teachings on “associating the IP address with the domain”, that the examiner has no record or recollection that suggests “unblocking a blocked IP address is not the same as ‘reassociating, …, the IP address with the domain’, as acknowledged by Examiner Lee during the Interview”, as applicant argued above. See the Examiner Interview Summary Record (PTOL-413) for further details.
Examiner acknowledges that applicant’s argument that none of the cited references teaches “temporarily dissociating an IP address” is persuasive; however, upon an updated search, examiner found that Heydari teaches this feature. See the current Office action presented below for details.
Applicant’s further arguments regarding the dependent claims are not persuasive and are moot in view of the current Office action, since the independent claims are asserted to be unpatentable.
Claim Objections
Claims 3, 5, 10 are objected to because of the following informalities:  
Claim 3 recites, “wherein the IP address is a first IP address, wherein the domain is associated with a second IP address, and wherein the operations further comprise: ...” which may read “wherein the IP address is a first IP address, and the domain is associated with a second IP address, the operations further comprise: ...” or more appropriate form.
Claim 5 line 2, “and wherein and the operations …” may read “
Claim 10 recites a method. Applicant is advised to recite at least one hardware device performing at least one of the method steps of the claim.
Claim 10 lines 10-11, “… with malicious activity comprising source IP addresses associated with requests of the second set of requests” may read “… with the malicious activity comprising source IP addresses associated with the requests of the second set of one or more requests”.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3-6, 8-9 are rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi et al (US20200007548A1, hereinafter, “Sanghavi”), in view of Heydari (US20210409442A1, hereinafter, “Heydari”), further in view of Pham (US20190081854A1, hereinafter, “Pham”) and Zawoad et al (US20190387005A1, hereinafter, “Zawoad”).
Regarding claim 1, Sanghavi teaches:
A system (Sanghavi, discloses methods and devices for blocking, detecting and/or preventing malicious traffic, [Abstract]), comprising: a memory; and one or more hardware processors coupled with the memory and configured to read instructions from the memory to cause the system to perform operations (Sanghavi, referring to Fig. 4B and [0089] Device 400 may perform these processes based on processor 435 executing software instructions stored by a non-transitory computer-readable medium, such as memory 440 and/or storage component 445) comprising: 
[temporarily] dissociating an IP address from a domain wherein the domain is associated with one or more nodes (Sanghavi, [0019] the information obtained by the routing device may include, for example, a list of blacklisted (i.e. dissociating) domain identifiers associated with blacklisted domains, network addresses (i.e., Internet protocol (IP) addresses) for one or more sinkhole servers associated with the blacklisted domain identifiers, …); 
receiving, at a first node of the one or more nodes, a set of one or more requests associated with the [temporarily] dissociated IP address, wherein the set of one or more requests is determined to be associated with malicious activity based on being associated with the [temporarily] dissociated IP address (Sanghavi, [0016] the security devices described herein may detect malicious traffic in a network and/or prevent the malicious traffic from reaching backend devices (e.g., servers, sinkhole servers, etc.) in the network. And [0022] The security device may cache the network addresses included in the intercepted DNS messages. In this way, the security device may resolve IPv4 and IPv6 network addresses associated with a given blacklisted domain for inclusion in a data structure (e.g., a blacklisted domain data structure) that is assessible to and/or stored by the security device and/or the routing device, by which the security device and/or the routing device may filter and/or block users from accessing devices hosting the blacklisted domains and/or malicious content available from the blacklisted domains); (see Heydari below for temporarily dissociating IP address)
While Sanghavi teaches blacklisting an IP address, which is interpreted as dissociating the IP address as shown above, Sanghavi does not expressly teach temporarily dissociating. Heydari, in the same field of endeavor, teaches:
temporarily dissociating an IP address (Heydari, discloses a moving target defense systems and methods, [Abstract] The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Heydari in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi by using a temporary IP address to communicate with clients and identify attacks on the server computer. This would have been obvious because the person having ordinary skill in the art would have been motivated to use dynamic addresses with rotation intervals, together with an intrusion detection system that uses the changing of the server's address to determine which connected client is attacking the server (Heydari, [Abstract], [0005]).
The combination of Sanghavi-Heydari does not expressly teach the following limitation; Pham, in the same field of endeavor, teaches:
reassociating, after the set of one or more request is determined to be associated with the malicious activity, the IP address with the domain (Pham, discloses adding IP addresses to firewall, see [Abstract]. And [0033] user interface 450 can include a list of blocked IP addresses (i.e. dissociated IP address), and each entry, such as entry 452, can indicate a name of an ISP associated with a blocked IP address, … selection of entry 452 can allow a user of user interface 450 to change a status of entry 452, for example, by unblocking (i.e. reassociating) a blocked IP address…);  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pham in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari by using a user interface to allow a user to change the status of a blocked entry for an IP address associated with a domain. This would have been obvious because the person having ordinary skill in the art would have been motivated to add an IP address to a group of IP addresses maintained by a firewall (Pham, [Abstract]).
While Sanghavi-Heydari-Pham does not expressly teach training a machine learning model utilizing log information or the following limitations, Zawoad, in the same field of endeavor, teaches:
training a machine learning model utilizing log information corresponding to the set of one or more requests (Zawoad, discloses method of identifying malicious network devices associated with IP address and/or network domain, see [Abstract]. And [0078] Received malicious activity information may be stored in the data store 312 (i.e. log information corresponding to the set of one or more requests). And [0141] malicious activity information may be obtained from a unified blacklist databased (UBDB) stored in the data store 312 of FIG. 3. The UBDB may contain malicious activity information previously obtained from one or more open source blacklists. And [0230] FIG. 7 is a flow diagram 700 illustrating an example process for training and updating a machine-learning model), wherein the training includes determining one or more patterns corresponding to the malicious activity (Zawoad, [0226] To train the machine-learning model, the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with an preassigned maliciousness scores. In some examples, the training data may include historical maliciousness activity information (i.e. patterns) obtained from one or more malicious activity sources); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zawoad in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham by identifying malicious network devices using a machine learning model trained with historical activity information. This would have been obvious because the person having ordinary skill in the art would have been motivated to combine the machine learning model of Zawoad, trained with historical malicious activity information (Zawoad, [Abstract]), with Sanghavi's blacklisted source and destination network addresses for the detection and prevention of malicious traffic.
Sanghavi and Zawoad further teach: receiving, at any of the one or more nodes, a new request corresponding to a first information (Zawoad, [0248] At 810, a first set of features may be extracted (e.g., by the feature processing engine 512 of FIG. 5) from the malicious activity information received at 808); and determining whether the new request corresponds to malicious activity based on using the machine learning model to analyze the first information and determine if the first information corresponds to the one or more patterns (Zawoad, [0251] At 814, one or more maliciousness scores may be calculated (e.g., by the scoring engine 604) for the set of one or more network identifiers utilizing a machine learning model. Examiner notes that the historical maliciousness activity information associated with a network identifier establishes patterns, and that the activity includes requests from source devices accessing destination devices as taught by Sanghavi).

Regarding claim 3, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein the IP address is a first IP address, wherein the domain is associated with a second IP address, and wherein the operations further comprise: repeating, for the second IP address, the dissociating, the receiving the set of one or more requests, and the associating (Sanghavi teaches dissociating the IP address, i.e. the first IP address, and further receiving requests, and Pham teaches reassociating the first IP address. It would have been obvious to one of ordinary skill in the art that these combined teachings can be applied to the second IP address, since doing so merely repeats the same process).

Regarding claim 4, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein the operations further comprise: blocking the new request based on determining that the new request corresponds to the malicious activity (Sanghavi, [0016] the security devices described herein may detect malicious traffic in a network (i.e. requests, including the new request)… Where the count of the DNS requests satisfies a threshold, the source device may be deemed to be an attacker device, and the security device may notify a cloud-based security platform so that the attacker device may be globally blocked).

Regarding claim 5, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein the new request is received at a first endpoint, and wherein the operations further comprise: determining that a first pattern of the one or more patterns is associated with the first endpoint (Sanghavi, [0018] The DNS sinkhole functionality may include, for example, receiving DNS requests (i.e. one or more patterns), comparing domain names received in the DNS requests to blacklisted domain identifiers stored in the DNS sinkhole data structure, and responding to the DNS requests with a network address of a sinkhole server (i.e. first endpoint) that is associated with the blacklisted domain identifier); and blocking, based on the first information corresponding to the first pattern and on the new request being received at the first endpoint, the new request (Sanghavi, [0018] In this way, traffic destined to blacklisted domains may be directed to sinkhole server devices for further logging and inspection. In some implementations, the blacklisted domains may be associated with an attacker or an attacker's website, which a customer (e.g., a country, a network service provider, a network operator, etc.) determines should be blocked).  

Regarding claim 6, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein the new request is associated with a source IP address, the source IP address is associated with a threat score, and the operations further comprise: increasing the threat score associated with the source IP address in response to determining that the new request corresponds to the malicious activity (Zawoad, [0142] The feature processing engine 512 may calculate an attack severity score (i.e. threat score) based on the particular blacklist that identified the IP address. In some examples, a higher (i.e. increasing) severity score may be assigned to an IP address that is used for command and control (C2) activity than a severity score assigned to an IP address that has been used to send spam emails).

Regarding claim 8, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein a pattern of the one or more patterns corresponding to the malicious activity is based on a user agent associated with one or more requests of the set of one or more requests (Zawoad, [0045] Network identifiers not contained in the whitelist may be forwarded to the parameter determination engine 206. The parameter determination engine 206 may collect malicious activity information from various malicious activity sources (e.g., the third-party servers of FIG. 1), extract and/or calculate various parameters (features) (i.e. user agent) from the collected malicious activity information, and provide the extracted and/or calculated features to the decision engine 208).  

Regarding claim 9, Sanghavi-Heydari-Pham-Zawoad combination further teaches:
The system of claim 1, wherein a pattern of the one or more patterns corresponding to the malicious activity is based on a payload associated with one or more requests of the set of one or more requests (Zawoad, [0019] the threat intelligence provider can provide threat intelligence information via an electronic feed. Threat intelligence information may be customized by industry and/or by organization. Threat intelligence information can include high-risk hosts, network domain names, malicious payloads and Internet Protocol (IP) addresses,…).  

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi-Heydari-Pham-Zawoad combination as applied above to claim 1, in further view of Tsironis (US20180316705A1, hereinafter, “Tsironis”).
Regarding claim 2, Sanghavi-Heydari-Pham-Zawoad combination teaches:
The system of claim 1, wherein the training the machine learning model comprises: applying a rule to the set of one or more requests, wherein the rule is designed to identify requests associated with the malicious activity (Sanghavi, [0015] the security devices described herein may block malicious traffic in a network… The security devices may utilize match criteria included in match-based filters and/or rules to block traffic destined to the resolved network addresses); 
While the combination of Sanghavi-Heydari-Pham-Zawoad does not expressly teach the following limitations, Tsironis, in the same field of endeavor, teaches:
determining that the rule failed to identify one or more requests of the set as being associated with malicious traffic; and updating the rule based on the one or more requests when the rule failed to identify the one or more requests as being associated with the malicious traffic (Tsironis, discloses a method allowing a user to define a filter of an anomaly action rule, see [Abstract]. And [0085] Accordingly, users of different enterprise networks can readily customize rules for their particular needs. This ensures reliable identification of potential or actual threats. By enabling customization of complex rules in an easy-to-use manner, the disclosed security techniques can avoid threats that are defined too broadly and reduce the risk of false positives, and can avoid defining threats too narrowly and reduce the risk of failing to identify threats. And [0094] A new version of the rules package can be released and used to transparently update the older versions of the rules package on any network security platform).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Tsironis in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad by using anomaly action rules to identify security threats to a computer network. This would have been obvious because the person having ordinary skill in the art would have been motivated to update the rules to reduce the risk of failing to identify threats (Tsironis, [Abstract], [0085]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi-Heydari-Pham-Zawoad combination as applied above to claim 1, in further view of Holloway et al (US20140047542A1, hereinafter, “Holloway”).
Regarding claim 7, Sanghavi-Heydari-Pham-Zawoad combination teaches:
The system of claim 6, 
While the combination of Sanghavi-Heydari-Pham-Zawoad does not expressly teach the following limitations, Holloway, in the same field of endeavor, teaches:
wherein the operations further comprise: transmitting, in response to the threat score meeting or exceeding a threshold, a challenge to a device associated with the source IP address (Holloway, [0127] more complex algorithms may be used to avoid false positives for legitimate client network applications that do not have client-side scripting enabled, including not increasing the threat score until a certain threshold of failures have occurred. Threat scores may also be decreased for each successful passage of a challenge); receiving a response to the challenge from the device (Holloway, [0084] In a specific example, the proxy service node may rate limit or block traffic for all visitors of a domain that may be under attack until a visitor and/or the visitor's browser completes a challenge); determining a validity of the response (Holloway, [0084] A successful response to a challenge is an indication that the visitor's client device is not part of a botnet); and blocking, in response to determining the response is not valid, the new request (Holloway, [0084] In a specific example, the proxy service node may rate limit or block traffic for all visitors of a domain that may be under attack until a visitor and/or the visitor's browser completes a challenge).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Holloway in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad by implementing a proxy service that applies filtering rules such as IP rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to enable the proxy service to use rules for mitigating a DoS attack in response to requests for a domain's resources (Holloway, [Abstract]).

Claims 10, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Martini (US20180069878A1, hereinafter, “Martini”), in view of Sanghavi et al (US20200007548A1, hereinafter, “Sanghavi”), further in view of Heydari (US20210409442A1, hereinafter, “Heydari”) and Pham (US20190081854A1, hereinafter, “Pham”).
Regarding claim 10, Martini teaches:
A method (Martini, discloses methods and systems identifying a proxy connection request sent from a particular client device to a proxy server over a network, the proxy connection request including a hostname and configured to direct the proxy server to establish communication with the computer identified by the hostname on behalf of the client device, see [Abstract]), comprising: 
receiving, at a first node of one or more nodes associated with a domain, the first node associated with a first IP address associated with the domain, a first set of one or more requests, wherein each request in the first set is associated with a source IP address (Martini, referring to Fig. 2, and [0036] At 205, client device 130 sends a proxy connection request to proxy server 120 in the form of an HTTP CONNECT message… The proxy connection request is also received by anti-malware system 140, which is monitoring the network for such messages as previously described... For example, the anti-malware system 140 may identify the IP address from which the HTTP CONNECT message originated as the identity of the client device 130. And [0037] At 215, the anti-malware system 140 sends a DNS request to DNS server 170 to determine an address for the hostname in the HTTP CONNECT message (“abc123.info”) (i.e. domain)); 
wherein at least one of the receiving the first set of one or more requests, the dissociating, the receiving the second set of one or more requests, and the creating or updating the list of IP addresses is performed via one or more hardware processors (Martini, [0048] Computing device 400 includes a processor 402, memory 404).
While Martini does not expressly teach the following limitations, in the same field of endeavor Sanghavi teaches:
[temporarily] dissociating from the domain the first IP address (Sanghavi, discloses methods and devices for blocking, detecting and preventing malicious traffic [Title], based on domain name system data associated with blacklisted domain identifiers, see [Abstract] and [0002]. And [0002] The method may include receiving, by the processor, one or more packets destined for a destination device associated with a destination network address (i.e. first IP address)); 
receiving, at the first node, a second set of one or more requests, each request of the second set associated with the [temporarily] dissociated IP address and the source IP address, wherein each request of the second set is associated with malicious activity based on being associated with the [temporarily] dissociated IP address (Sanghavi, [0016] the security devices described herein may detect malicious traffic in a network and/or prevent the malicious traffic from reaching backend devices (e.g., servers, sinkhole servers, etc.) (i.e. requests) in the network. And [0022] The security device may cache the network addresses included in the intercepted DNS messages. In this way, the security device may resolve IPv4 and IPv6 network addresses associated with a given blacklisted domain for inclusion in a data structure (e.g., a blacklisted domain data structure) that is assessible to and/or stored by the security device and/or the routing device, by which the security device and/or the routing device may filter and/or block users from accessing devices hosting the blacklisted domains and/or malicious content available from the blacklisted domains); Examiner notes that Sanghavi's use of blacklisted domain identifiers targets malicious activity based on the associated network addresses, including source and destination addresses; (see Heydari below for temporarily dissociating IP address)
and creating or updating a list of IP addresses associated with malicious activity comprising source IP addresses associated with requests of the second set of requests (Sanghavi, [0040] the information obtained from the security platform may include, without limitation, … a list of network address ranges or prefixes associated with a possible or suspected attacker (e.g., suspect IPv4 or IPv6 addresses, ranges, or prefixes). And [0042] the security device may use, as the match criteria, the list of blacklisted domain identifiers, the list of network addresses, ranges, prefixes, and/or the like, for comparing or matching to domain identifiers and/or network addresses (i.e. source IP addresses) of the incoming traffic as determined based on examining the packet headers of the incoming traffic);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Sanghavi in the malware detection of Martini by blocking and detecting malicious traffic based on blacklisted domain identifiers. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect malicious traffic based on blacklisted domain identifiers and redirect the traffic to a sinkhole server so that malicious traffic may be captured and analyzed (Sanghavi, [Abstract], [0001-0002]).
While the combination of Martini-Sanghavi teaches blacklisting an IP address, which is interpreted as dissociating the IP address as shown above, it does not expressly teach temporarily dissociating. Heydari, in the same field of endeavor, teaches:
temporarily dissociating an IP address (Heydari, discloses a moving target defense systems and methods, [Abstract] The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Heydari in the malware detection of Martini-Sanghavi by using a temporary IP address to communicate with clients and identify attacks on the server computer. This would have been obvious because the person having ordinary skill in the art would have been motivated to use dynamic addresses with rotation intervals, together with an intrusion detection system that uses the changing of the server's address to determine which connected client is attacking the server (Heydari, [Abstract], [0005]).
The combination of Martini-Sanghavi-Heydari does not expressly teach the following limitation; Pham, in the same field of endeavor, teaches:
reassociating the first IP address with the domain (Pham, discloses adding IP addresses to firewall, see [Abstract]. And [0033] user interface 450 can include a list of blocked IP addresses (i.e. dissociated IP address), and each entry, such as entry 452, can indicate a name of an ISP associated with a blocked IP address, … selection of entry 452 can allow a user of user interface 450 to change a status of entry 452, for example, by unblocking (i.e. reassociating) a blocked IP address…);  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pham in the methods and devices for blocking, detecting and preventing malicious traffic of Martini-Sanghavi-Heydari by using a user interface that allows a user to change the status of a blocked entry for an IP address associated with the domain. This would have been obvious because the person having ordinary skill in the art would have been motivated to add IP addresses to a group of IP addresses maintained by a firewall (Pham, [Abstract]).

Regarding claim 11, Martini-Sanghavi-Heydari-Pham combination further teaches:
The method of claim 10, further comprising: blocking requests originating from an IP address on the list of IP addresses associated with the malicious activity (Pham, discloses methods to add IP addresses to firewall to protect devices from malicious users, see [Abstract], [0001-0002]. And [0021] the mechanisms can determine whether an IP address is included in a list of IP addresses that are to be blocked by a firewall. And [0022] For example, the mechanisms can determine an ISP associated with an IP address and/or can determine geographic information associated with the IP address, and can add the IP address and/or the ISP to one or more lists of IP addresses and/or ISPs that are to be blocked by the firewall).  

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Martini-Sanghavi-Heydari-Pham combination as applied above to claim 10, in further view of Holloway et al (US20140047542A1, hereinafter, “Holloway”).
Regarding claim 12, Martini-Sanghavi-Heydari-Pham combination teaches:
The method of claim 10, 
While the combination of Martini-Sanghavi-Heydari-Pham does not expressly teach the following limitation, Holloway in the same field of endeavor teaches:
further comprising: rate limiting requests originating from an IP address on the list of IP addresses associated with the malicious activity (Holloway, discloses mitigating DoS attack, see [Title]. And [0035] the proxy server(s) 120 and/or the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting). And [0067] The caching layers 560 may also include a visitor cache that may store information regarding which visitors to block or challenge. As will be described in greater detail later herein, in some embodiments, the proxy server 120 performs rate limiting on certain source IP addresses).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Holloway in the malware detection of Martini-Sanghavi-Heydari-Pham by implementing a proxy service based on IP rules such as rate limiting. This would have been obvious because the person having ordinary skill in the art would have been motivated to enable the proxy service to use rules for mitigating a DoS attack in response to a request for a domain resource (Holloway, [Abstract]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Martini-Sanghavi-Heydari-Pham combination as applied above to claim 10, in further view of Bergman et al (US20190036883A1, hereinafter, “Bergman”).
Regarding claim 13, Martini-Sanghavi-Heydari-Pham combination teaches:
The method of claim 10, 
While the combination of Martini-Sanghavi-Heydari-Pham does not expressly teach the following limitation, Bergman in the same field of endeavor teaches:
further comprising: flagging requests originating from an IP address on the list of IP addresses associated with the malicious activity (Bergman, [0047] The filter 200 serves the purpose of identifying requests that come from dangerous sources. This may be implemented with a simple blacklist, in which dangerous addresses (i.e. IP addresses, HTTP addresses, etc.) are added to a list. When the filter identifies a request from one of the addresses on the list, it may reject or flag the request, and log the action).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Bergman in the malware detection of Martini-Sanghavi-Heydari-Pham by flagging requests from dangerous addresses. This would have been obvious because the person having ordinary skill in the art would have been motivated to implement a web application firewall with a rule to filter and flag malicious sources with dangerous IP addresses to protect the content node (Bergman, [Abstract]).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Martini-Sanghavi-Heydari-Pham combination as applied above to claim 10, in further view of Baig et al (US20160173529A1, hereinafter, “Baig”).
Regarding claim 14, Martini-Sanghavi-Heydari-Pham combination teaches:
The method of claim 10, 
While the combination of Martini-Sanghavi-Heydari-Pham does not expressly teach the following limitation, Baig in a similar field of endeavor teaches:
further comprising: determining that a first source IP address associated both with a request in the first set of one or more requests and a request in the second set of one or more requests is shared by two or more devices (Baig, discloses mechanisms to identify suspicious service requests, see [Title] and [0023]. And referring to Fig. 5, [0077] FIG. 5 is an exemplary algorithm 500 for executing an EDoS detection and mitigation process, ... It can be observed from FIG. 5 that the VM Investigator node first determines whether a user exceeds the CRPS value in step S510. If the CRPS value is exceeded (a “yes” decision in step S510), the UTF value is determined in step S520. The purpose of this step is to reduce false positives with a reasonable degree of accuracy (e.g., legitimate requests from different users with shared IP addresses arriving at the same time)); and excluding, based on the determining, the first source IP address from the list of IP addresses associated with malicious activity (Baig, [0081] The request is subsequently dropped in step S530. If the user passes the test, the UTF value is incremented by 0.01 in step S590. Access to cloud services is subsequently granted in step S570). Examiner notes that Baig teaches using a UTF (user trust factor) value to distinguish legitimate requests from malicious requests.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Baig in the malware detection of Martini-Sanghavi-Heydari-Pham by distinguishing legitimate requests from malicious requests for access to cloud resources. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the UTF value to detect EDoS with a reasonable degree of accuracy, filtering legitimate access requests from malicious attacks as a rate limiting control for the cloud service (Baig, [Abstract], [0023]).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Martini-Sanghavi-Heydari-Pham-Baig combination as applied above to claim 14, in further view of Fry et al (US20190306182A1, hereinafter, “Fry”).
Regarding claim 15, Martini-Sanghavi-Heydari-Pham-Baig combination teaches:
The method of claim 14, 
While the combination of Martini-Sanghavi-Heydari-Pham-Baig does not expressly teach the following limitation, Fry in the same field of endeavor teaches:
wherein each of the two or more devices is associated with a device fingerprint, and the determining is based on the device fingerprint of each of the two or more devices (Fry, discloses method for device context and security [Title]. And [0026] The fingerprint may be detected, for example, via telemetry, that may be used to identify a device and/or class of devices, indicating specific characteristics of a monitored device and/or behavior of the device... Furthermore, a fingerprint may include a pattern of traffic and/or traffic content that allows the embodiments to infer expected behavior for devices. For example, facets may be used to identify a type or classification of device, where a fingerprint may be used to distinguish two different devices that share one or more facets).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Fry in the malware detection of Martini-Sanghavi-Heydari-Pham-Baig by distinguishing devices based on device fingerprint. This would have been obvious because the person having ordinary skill in the art would have been motivated to generate fingerprint data of (LAN) devices to allow cloud server to identify anomalous behavior of the devices in monitoring network security (Fry, [Abstract], [0001]).
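The limitations of claims 10, 14 and 15 as paraphrased in the rejections above describe one concrete procedure: take an IP address out of the domain for a window, treat every request that still arrives at that address during the window as malicious, log it, derive a blocklist of source addresses, and exclude any source address that is shared by several devices (determined from device fingerprints) before reassociating the address. The following Python example is added here to illustrate that procedure; it is not the applicant's code nor code from any cited reference. The request fields, the fingerprint values, the documentation-range addresses and the window length are constructed for the illustration.

```python
"""Added example: detect malicious sources by temporarily dissociating a
service IP address from its domain, treating any request that still arrives
at that address during the dissociation window as malicious, then excluding
source IPs that are shared by several devices. All names, the log format and
the sample requests are constructed; this is not the applicant's code."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    ts: int            # seconds since epoch (constructed)
    dst_ip: str        # address the request was sent to
    src_ip: str        # address the request came from
    fingerprint: str   # device fingerprint supplied client-side (assumed)
    path: str


@dataclass
class DomainState:
    domain: str
    ips: set
    dissociated: dict = field(default_factory=dict)  # ip -> (start, end)

    def dissociate(self, ip, start, duration):
        """Temporarily remove `ip` from the domain's published address set."""
        self.ips.discard(ip)
        self.dissociated[ip] = (start, start + duration)

    def reassociate(self, ip, now):
        """Put `ip` back once its window has elapsed; True if it is live again."""
        start, end = self.dissociated[ip]
        if now >= end:
            del self.dissociated[ip]
            self.ips.add(ip)
        return ip in self.ips

    def is_dark(self, ip, ts):
        win = self.dissociated.get(ip)
        return win is not None and win[0] <= ts < win[1]


def classify(state, requests):
    """Split requests into (malicious, benign). A request addressed to a
    dissociated IP during its window has no legitimate origin, because the
    published DNS answer no longer includes that address."""
    malicious, benign = [], []
    for r in requests:
        (malicious if state.is_dark(r.dst_ip, r.ts) else benign).append(r)
    return malicious, benign


def shared_sources(malicious, benign, min_devices=2):
    """Source IPs seen in both sets that carry >= min_devices distinct
    fingerprints, i.e. a NAT gateway shared by several devices."""
    prints = defaultdict(set)
    for r in malicious + benign:
        prints[r.src_ip].add(r.fingerprint)
    both = {r.src_ip for r in malicious} & {r.src_ip for r in benign}
    return {ip for ip in both if len(prints[ip]) >= min_devices}


def build_blocklist(state, requests):
    """Return (blocked sources, excluded shared sources, log of malicious hits)."""
    malicious, benign = classify(state, requests)
    log = [(r.ts, r.src_ip, r.dst_ip, r.path) for r in malicious]
    candidates = {r.src_ip for r in malicious}
    excluded = shared_sources(malicious, benign)
    return sorted(candidates - excluded), sorted(excluded), log


# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
DOMAIN = DomainState("shop.example", {"198.51.100.10", "198.51.100.11"})
DOMAIN.dissociate("198.51.100.11", start=1000, duration=600)
SAMPLE = [
    Request(1010, "198.51.100.10", "203.0.113.5", "fp-A", "/"),        # benign
    Request(1020, "198.51.100.11", "203.0.113.7", "fp-B", "/login"),   # hits dark IP
    Request(1030, "198.51.100.11", "203.0.113.7", "fp-B", "/admin"),   # same attacker
    Request(1040, "198.51.100.11", "203.0.113.9", "fp-C", "/"),        # dark IP via shared NAT
    Request(1050, "198.51.100.10", "203.0.113.9", "fp-D", "/cart"),    # other device, same NAT
    Request(1700, "198.51.100.11", "203.0.113.12", "fp-E", "/"),       # after window: not dark
]

if __name__ == "__main__":
    blocked, excluded, log = build_blocklist(DOMAIN, SAMPLE)
    print("block:", blocked, "excluded:", excluded, "logged:", len(log))
    print("reassociated:", DOMAIN.reassociate("198.51.100.11", now=1700))
```

The shared-address exclusion is the step that keeps a carrier-grade NAT or corporate egress address off the blocklist when one device behind it probes the dark address while another behind it is a legitimate customer; without the fingerprint distinction both would be indistinguishable at the IP layer.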

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Martini-Sanghavi-Heydari-Pham combination as applied above to claim 10, in further view of Oh et al (US20200169577A1, hereinafter, “Oh”).
Regarding claim 16, Martini-Sanghavi-Heydari-Pham combination teaches:
The method of claim 10, 
While the combination of Martini-Sanghavi-Heydari-Pham does not expressly teach the following limitation, Oh in a similar field of endeavor teaches:
further comprising: detecting abusive traffic patterns using a machine learning model trained based on the list of IP addresses (Oh, discloses training machine learning model with malicious traffic, see [Abstract], [0004]. And [0062] Traffic of a terminal group's malicious traffic template 510 including malicious traffic templates related to the above specific device may include an IP address of a control & command (C&C) server of malicious code…For example, if traffic is in the form of ‘TIME, SRC_IP, SRC_PORT, DST_IP, DST_PORT, PROTOCOL, BYTES+ . . . ’, the IP address of the C&C server may be inserted into the ‘SRC_IP’ field indicating an IP address from which the traffic was transmitted. Referring to FIG. 5, any one of ‘101.101.101.101’ and ‘201.201.201.201’ which are IP addresses 512 and 513 of the C&C server may be inserted into the place of ‘SRC_IP’ in traffic 511 of the malicious traffic template 510 (i.e. pattern). A machine learning algorithm that learns this malicious traffic template as a model may detect traffic, which includes a packet containing the IP address of the C&C server, as malicious traffic).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Oh in the malware detection of Martini-Sanghavi-Heydari-Pham by using a machine learning model based on the traffic patterns of IP addresses. This would have been obvious because the person having ordinary skill in the art would have been motivated to use a virtual malicious traffic template to train a machine learning model and generate an optimal learning model (Oh, [Abstract], [0004]).

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi et al (US20200007548A1, hereinafter, “Sanghavi”), in view of Heydari (US20210409442A1, hereinafter, “Heydari”), further in view of Pham (US20190081854A1, hereinafter, “Pham”), further in view of Zawoad et al (US20190387005A1, hereinafter, “Zawoad”) and Holloway et al (US20140047542A1, hereinafter, “Holloway”).
Regarding claim 17, Sanghavi teaches:
A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations (Sanghavi, [0081] Controller 420 may perform one or more processes described herein. Controller 420 may perform these processes in response to executing software instructions stored by a non-transitory computer-readable medium) comprising: 
[temporarily] dissociating from a domain an IP address associated with the domain, wherein the domain is associated with one or more nodes (Sanghavi, [0019] the information obtained by the routing device may include, for example, a list of blacklisted (i.e. dissociating) domain identifiers associated with blacklisted domains, network addresses (i.e., Internet protocol (IP) addresses) for one or more sinkhole servers associated with the blacklisted domain identifiers, network address ranges (i.e., IP ranges) of blacklisted devices, network address prefixes (i.e., IP prefixes) of blacklisted devices…); 
receiving, at a first node of the one or more nodes, a set of one or more requests associated with the [temporarily] dissociated IP address, wherein each request in the set is determined to be associated with malicious activity based on being associated with the [temporarily] dissociated IP address (Sanghavi, [0016] the security devices described herein may detect malicious traffic in a network and/or prevent the malicious traffic from reaching backend devices (e.g., servers, sinkhole servers, etc.) in the network. And [0022] The security device may cache the network addresses included in the intercepted DNS messages. In this way, the security device may resolve IPv4 and IPv6 network addresses associated with a given blacklisted domain for inclusion in a data structure (e.g., a blacklisted domain data structure) that is assessible to and/or stored by the security device and/or the routing device, by which the security device and/or the routing device may filter and/or block users from accessing devices hosting the blacklisted domains and/or malicious content available from the blacklisted domains); (see Heydari below for temporarily dissociating IP address)
logging, at a log, each request of the set (Sanghavi, [0018] In this way, traffic destined to blacklisted domains may be directed to sinkhole server devices for further logging and inspection); 
analyzing, [via an automated pattern extractor], the log (Sanghavi, [0057] … to which security device 350 may selectively route traffic (e.g., Internet traffic that was destined for server device 320), in order to prevent access to malicious content, and to capture, log, and/or analyze the traffic in order to evaluate and contain threats (e.g., to server device 320)); (see Zawoad below for the teaching of automated pattern extractor)
While Sanghavi teaches blacklisting an IP address as dissociating the IP address, as shown above, Sanghavi does not expressly teach temporarily dissociating. Heydari, in the same field of endeavor, teaches:
temporarily dissociating an IP address (Heydari, discloses a moving target defense systems and methods, [Abstract] The temporary IP address can be dynamically changed at a predetermined interval that can be varied based on conditions at the server computer. An intrusion detection system can be used with the moving target defense systems and methods to identify attacks on the server computer based on the temporary IP address(es) provided by the server computer. When an attack is identified, the corresponding client computer is determined based on the temporary IP address and the client computer is placed on a blacklist that is not provided with new temporary IP addresses when the server computer changes temporary IP address); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Heydari in the malware detection of Sanghavi by using a temporary IP address to communicate with clients to identify attacks on the server computer. This would have been obvious because the person having ordinary skill in the art would have been motivated to use dynamic addresses with rotation intervals, together with the ability to identify a remote attacker by using an intrusion detection system and the changing of the server's address to determine which connected client is attacking the server (Heydari, [Abstract], [0005]).
The combination of Sanghavi-Heydari does not expressly teach the following limitation; Pham, in the same field of endeavor, teaches:
reassociating the IP address with the domain (Pham, discloses adding IP addresses to firewall, see [Abstract]. And [0033] user interface 450 can include a list of blocked IP addresses (i.e. dissociated IP address), and each entry, such as entry 452, can indicate a name of an ISP associated with a blocked IP address, … selection of entry 452 can allow a user of user interface 450 to change a status of entry 452, for example, by unblocking (i.e. reassociating) a blocked IP address…);  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Pham in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari by using a user interface that allows a user to change the status of a blocked entry for an IP address associated with the domain. This would have been obvious because the person having ordinary skill in the art would have been motivated to add IP addresses to a group of IP addresses maintained by a firewall (Pham, [Abstract]).
While the combination of Sanghavi-Heydari-Pham does not explicitly teach a pattern extractor or a pattern, Zawoad in the same field of endeavor teaches:
via an automated pattern extractor (Zawoad, [0045] The parameter determination engine 206 (i.e. automated pattern extractor) may collect malicious activity information from various malicious activity sources (e.g., the third-party servers of FIG. 1), extract and/or calculate various parameters (features) from the collected malicious activity information)
determining, based on the analyzing, a pattern indicating the malicious activity (Zawoad, [0226] To train the machine-learning model, the model training engine 602 may obtain training data including a list of network identifiers (e.g., one or more IP addresses and/or one or more network domain names) with an preassigned maliciousness scores. In some examples, the training data may include historical maliciousness activity information (i.e. pattern indicating malicious activity) obtained from one or more malicious activity sources); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Zawoad in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham by identifying malicious network devices using a machine learning model trained with historical activity information, based on patterns from the parameter determination engine acting as the pattern extractor. This would have been obvious because the person having ordinary skill in the art would have been motivated to combine the machine learning model of Zawoad, trained with historical malicious activity information (Zawoad, [Abstract]), with Sanghavi's blacklisted source and destination network addresses for the detection and prevention of malicious traffic.
The combination of Sanghavi-Heydari-Pham-Zawoad does not teach determining a rule based on the pattern and pushing the rule to a proxy service; Holloway in the same field of endeavor teaches:
determining, based on the pattern, a rule for managing traffic (Holloway, [0057] With respect to FIG. 5, the proxy server 120 includes the IP rules 570 that store rules related to its IP addresses... As a specific example, the IP rules 570 may indicate that the incoming downstream traffic module 512 should accept traffic (not block traffic) received at a particular IP address only if that traffic is of a particular protocol type and/or received at a particular port (i.e. pattern) (e.g., TCP packets on port 80)); 
and pushing, to a proxy service associated with the domain, the rule (Holloway, [0035] the proxy server(s) 120 and/or the control server(s) 125 identify DoS attacks and one or more mitigation actions may be taken by the proxy server(s) 120 and/or the control server(s) 125 (e.g., installing rules such as rate limiting, null routing, etc., on the proxy servers and/or the router(s) or switche(s)). And [0098] The centralized server may also transmit a set of rules to the proxy servers to rate limit and/or block packets received with source IP addresses that are not likely to be legitimately received by that proxy server).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Holloway in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad by implementing a proxy service based on filtering rules such as IP rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to enable the proxy service to use rules for mitigating a DoS attack in response to a request for a domain resource (Holloway, [Abstract]).
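Claim 17 as paraphrased above adds two steps to the logging of requests that reach the dissociated address: an automated pattern extractor runs over the log, and the resulting pattern is turned into a traffic-management rule that is pushed to a proxy service fronting the domain. The following Python example is added here to make those two steps concrete; it is not the applicant's code nor code from Zawoad or Holloway. The log line format (`key=value` fields), the 60% dominance threshold, the rule schema and the `FakeProxy` stand-in for the proxy's rule interface are all constructed for the illustration.

```python
"""Added example: an automated pattern extractor over the log of requests that
hit a dissociated IP address, and conversion of the extracted pattern into a
rule handed to a proxy. Log lines, field names, threshold and the rule schema
are constructed; this is not the applicant's or any cited reference's code."""
import shlex
from collections import Counter

# Constructed log: one line per request that arrived at the dissociated address.
SINKHOLE_LOG = """\
1651000001 src=203.0.113.7 ua="python-requests/2.27" path=/wp-login.php
1651000002 src=203.0.113.7 ua="python-requests/2.27" path=/xmlrpc.php
1651000003 src=203.0.113.8 ua="python-requests/2.27" path=/wp-login.php
1651000004 src=203.0.113.9 ua="Mozilla/5.0 (X11; Linux x86_64)" path=/
1651000005 src=203.0.113.8 ua="python-requests/2.27" path=/wp-login.php
"""


def parse_log(text):
    """Parse `ts key=value ...` lines; quoted values may contain spaces."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)
        rec = {"ts": int(ts)}
        for f in fields:
            k, _, v = f.partition("=")
            rec[k] = v
        entries.append(rec)
    return entries


def extract_pattern(entries, fields=("ua", "path", "src"), min_share=0.6):
    """Return the attribute values that dominate the malicious log.
    A value becomes part of the pattern when it accounts for >= min_share of
    the logged requests. Because every logged request is already known to be
    malicious, there is no benign tail to dilute the signal."""
    pattern = {}
    n = len(entries)
    for f in fields:
        value, count = Counter(e[f] for e in entries).most_common(1)[0]
        if count / n >= min_share:
            pattern[f] = value
    return pattern


def rule_from_pattern(pattern, action="block", ttl_s=3600):
    """Translate a pattern into a proxy rule. Matching on `src` alone is the
    weakest signal (shared or rotating addresses), so content attributes are
    preferred whenever the pattern contains any."""
    match = {k: v for k, v in pattern.items() if k != "src"} or dict(pattern)
    return {"match": match, "action": action, "ttl_s": ttl_s}


class FakeProxy:
    """Stand-in for the proxy service's rule interface (assumed, not a real API).
    A rule matches when every attribute in `match` equals the request's value."""

    def __init__(self):
        self.rules = []

    def push(self, rule):
        self.rules.append(rule)
        return len(self.rules)

    def decide(self, request):
        for r in self.rules:
            if all(request.get(k) == v for k, v in r["match"].items()):
                return r["action"]
        return "allow"


def run(log_text, proxy):
    """Log -> pattern -> rule -> pushed to the proxy; returns (pattern, rule)."""
    entries = parse_log(log_text)
    pattern = extract_pattern(entries)
    rule = rule_from_pattern(pattern)
    proxy.push(rule)
    return pattern, rule


if __name__ == "__main__":
    p = FakeProxy()
    print(run(SINKHOLE_LOG, p))
    print(p.decide({"ua": "python-requests/2.27", "path": "/wp-login.php"}))
```

On the constructed log the extractor keeps the user agent (4 of 5 requests) and the path (3 of 5) but drops the source address, which is split 2/2/1, so the pushed rule is conjunctive on user agent and path and does not touch the source addresses at all. The `ttl_s` field mirrors the temporary nature of the dissociation: a rule derived from one window should expire rather than accumulate indefinitely.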

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi-Heydari-Pham-Zawoad-Holloway combination as applied above to claim 17, in further view of Wang et al (US11138463B1, hereinafter, “Wang1”) and Wang et al (US20190312897A1, hereinafter, “Wang2”).
Regarding claim 18, Sanghavi-Heydari-Pham-Zawoad-Holloway combination teaches:
The non-transitory machine-readable medium of claim 17, 
While the combination of Sanghavi-Heydari-Pham-Zawoad-Holloway does not teach the following limitation(s), Wang1 in the same field of endeavor teaches:
wherein the operations further comprise: receiving, at any node of the one or more nodes, a new request including a user agent, wherein the user agent indicates a first web browser (Wang1, discloses machine learning approaches to detect browsers as bots, see [Title], [Abstract]. And [Col. 3 line 64-Col. 4 line 2] receive a first plurality of requests from a first plurality of browsers; generate a first plurality of request-feature vectors from the first plurality of requests; generate a plurality of browser groups based on the first plurality of request-feature vectors; receive a first new request from a first client computer); detecting, using a script, a second web browser from which the new request originated; determining that the first and second web browsers are different (Wang1, [Col. 16 lines 3-8] As discussed herein there are many browsers and types of browsers, some of which may use or include one or more components in common, or use one or more different components. Accordingly, a particular browser may give the same set of responses to a first set of detection tests as one or more other browsers. However, the particular browser, for a second set of detection tests, may give a different set of responses than the one or more other browsers); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang1 in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad-Holloway by using machine learning to classify browsers as one or more types. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify user requests from different browsers as bots, to prevent attackers from using bots to commit unauthorized acts (Wang1, [Abstract]).
Holloway further teaches: and blocking, by the proxy service, the new request (Holloway, [0084] In a specific example, the proxy service node may rate limit or block traffic for all visitors of a domain that may be under attack until a visitor and/or the visitor's browser completes a challenge).
The combination of Sanghavi-Heydari-Pham-Zawoad-Holloway-Wang1 does not specifically teach that the blocking is based on the determining that the first and second web browsers are different; however, in the same field of endeavor Wang2 teaches:
blocking, …, the new request based on the determining that the first and second web browsers are different (Wang2, [0041] Accordingly, as provided herein, content provider risk scores are dynamically assigned and update in real-time for content providers to determine whether to process or block content requests. And [0043] The rules are used to label content requests as fraudulent or safe/normal. The rules operate based upon various dimensions, such as a user dimension of user based characteristics (e.g. …, how many different user agents are associated with the user within a time period such as different browsers, …)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang2 in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad-Holloway-Wang1 by using content request risk score for blocking or processing the content request. This would have been obvious because the person having ordinary skill in the art would have been motivated to evaluate content request to identify risk of fraudulent request to the content (Wang2, [Abstract]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi-Heydari-Pham-Zawoad-Holloway combination as applied above to claim 17, in further view of Baig et al (US20160173529A1, hereinafter, “Baig”) and Luo et al (US20200412761A1, hereinafter, “Luo”).
Regarding claim 19 Sanghavi-Heydari-Pham-Zawoad-Holloway combination teaches:
The non-transitory machine-readable medium of claim 17, 
The combination of Sanghavi-Heydari-Pham-Zawoad-Holloway does not teach the following limitation(s), Baig in the same field of endeavor teaches:
wherein the operations further comprise: receiving, at any node of the one or more nodes, a second set of one or more requests associated with a device identifier common to every request in the second set (Baig, discloses mechanisms to identify suspicious service requests, see [Title] and [0023]. And referring to Fig. 5, [0077] FIG. 5 is an exemplary algorithm 500 for executing an EDoS detection and mitigation process, ... It can be observed from FIG. 5 that the VM Investigator node first determines whether a user exceeds the CRPS value in step S510. If the CRPS value is exceeded (a “yes” decision in step S510), the UTF value is determined in step S520. The purpose of this step is to reduce false positives with a reasonable degree of accuracy (e.g., legitimate requests from different users with shared IP addresses arriving at the same time)); determining that a number of requests of the second set are invalid (Baig, [0081] The request is subsequently dropped (i.e. invalid request) in step S530. Examiner notes Baig teaches using UTF (user trust factor) value to determine legitimate request from malicious request);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Baig in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad-Holloway by distinguishing legitimate requests from malicious requests for access to cloud resources. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the UTF value to detect EDoS with a reasonable degree of accuracy, filtering legitimate access requests from malicious attacks as a rate limiting control for the cloud service (Baig, [Abstract], [0023]).
The combination of Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig does not teach the following limitation(s), Luo in the same field of endeavor teaches:
determining that the number of invalid requests exceeds a rate limit indicating a number of permissible invalid requests over a period of time; and blocking, in response to the determining that the rate limit has been exceeded, further requests originating from the common device identifier (Luo, discloses mitigating a DDoS attack by dynamic rate limiting, see [Title] and [Abstract]. In particular, [0061] Traffic controller 202, rate limiter 204, … continue processing and/or blocking traffic from different regions and/or IP addresses and updating the corresponding query rate allocations 220, IP address rate limits 222, region sampling rates 224, and/or IP address sampling rates 226 until the potential DDoS attack is determined to be over. For example, the system of FIG. 2 continues limiting and/or allocating QPSes to the regions and/or IP addresses until the total rate of blocked and allowed requests for all services and/or the online system fall below query rate thresholds 210).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Luo in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig by checking the historical volume of traffic from an IP address against a rate limit. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rate limiting to block a subset of the requests in online traffic to mitigate a DDoS attack (Luo, [Abstract], [0002]).
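Claims 19 and 20 as paraphrased above key the limit on invalid requests to a device identifier (a device fingerprint, per claim 20) rather than to a source address: a set of requests sharing the identifier is received, the invalid ones are counted, and once the count exceeds the permitted number of invalid requests over a period of time, further requests from that identifier are blocked. The following Python example is added here to show that logic as a sliding-window limiter; it is not the applicant's code nor code from Baig or Luo. The `is_valid_login` check, the limit of three invalid requests per 60 seconds, the 300-second block and the sample events are constructed for the illustration.

```python
"""Added example: count invalid requests per device identifier over a sliding
window and block the identifier once the permitted number of invalid requests
in that window is exceeded. The validity check, the thresholds and the sample
events are constructed; this is not the applicant's or any cited reference's code."""
from collections import deque, defaultdict


class InvalidRequestLimiter:
    """Allow at most `limit` invalid requests per device id in any `window_s`
    seconds. Valid requests are not counted against the limit; once the limit
    is exceeded, every further request from that id is blocked for `block_s`."""

    def __init__(self, limit, window_s, block_s):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self.invalid = defaultdict(deque)   # device_id -> timestamps of invalid requests
        self.blocked_until = {}             # device_id -> timestamp the block expires

    def _prune(self, dq, now):
        # Drop invalid-request timestamps that have fallen out of the window.
        while dq and dq[0] <= now - self.window_s:
            dq.popleft()

    def check(self, device_id, now, is_valid):
        """Return 'blocked', 'allow' or 'invalid' for one request."""
        until = self.blocked_until.get(device_id)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[device_id]       # block expired: start clean
            self.invalid[device_id].clear()
        if is_valid:
            return "allow"
        dq = self.invalid[device_id]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) > self.limit:
            self.blocked_until[device_id] = now + self.block_s
            return "blocked"
        return "invalid"


def is_valid_login(body):
    """Constructed validity check for a single known account. Any per-request
    validity signal (bad session token, malformed parameters, failed
    challenge) could take its place."""
    return body.get("user") == "alice" and body.get("password") == "correct horse"


def replay(events, limiter):
    """Run constructed (ts, device_id, body) events; return the decision per event."""
    return [limiter.check(dev, ts, is_valid_login(body)) for ts, dev, body in events]


# Constructed sample: device fp-X brute-forces the account; fp-Y mistypes once.
EVENTS = [
    (0, "fp-X", {"user": "alice", "password": "guess1"}),
    (1, "fp-X", {"user": "alice", "password": "guess2"}),
    (2, "fp-X", {"user": "alice", "password": "guess3"}),
    (3, "fp-X", {"user": "alice", "password": "guess4"}),           # 4th invalid in 60 s: blocked
    (4, "fp-X", {"user": "alice", "password": "correct horse"}),    # right password, still blocked
    (5, "fp-Y", {"user": "alice", "password": "typo"}),
    (6, "fp-Y", {"user": "alice", "password": "correct horse"}),    # one mistake, then allowed
    (400, "fp-X", {"user": "alice", "password": "correct horse"}),  # block expired
]

if __name__ == "__main__":
    print(replay(EVENTS, InvalidRequestLimiter(limit=3, window_s=60, block_s=300)))
```

Keying on the device identifier rather than the source address is what lets the limiter block a single brute-forcing device (fp-X) while a second device (fp-Y) behind the same address keeps working after one typo; the correct password submitted during the block is still refused, which is the intended behaviour since the block protects the account from the device, not the other way round.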

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig-Luo combination as applied above to claim 19, in further view of Yalov et al (US10902327B1, hereinafter, “Yalov”).
Regarding claim 20, Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig-Luo combination teaches:
The non-transitory machine-readable medium of claim 19, 
The combination of Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig-Luo does not teach the following limitation(s); in a similar field of endeavor Yalov teaches:
wherein the device identifier comprises at least a device fingerprint associated with the device (Yalov, [Col. 12 line 57 - Col. 13 line 5] the process 400 includes determining 404 the uniqueness of a device identifier based on the rules discussed above and a plurality of parameters associated with the device identifier… As another example, a device identifier may include or be based on a username associated with an online account and a user agent identifier. The device identifier may include a device fingerprint).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Yalov in the methods and devices for blocking, detecting and preventing malicious traffic of Sanghavi-Heydari-Pham-Zawoad-Holloway-Baig-Luo by determining the uniqueness of device identifier based on device parameters such as IP address associated with an HTTP request and device fingerprint. This would have been obvious because the person having ordinary skill in the art would have been motivated to associate the device with network event or transaction to detect and prevent online fraud and/or provide customized content/services (Yalov, [Abstract]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following reference is cited but not relied upon for this office action:
Sutton (US8413238B1) discloses methods for a distributed security system that monitors communications to identify access attempts to/from darknet addresses, attempts that can be inferred to be associated with malicious activity.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436