DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 12/11/2020 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. 2017/0093910 A1 to Gukal et al. (hereinafter “Gukal”), and further in view of US-PGPUB No. 2020/0195534 A1 to Monetti et al. (hereinafter “Monetti”).
Regarding claim 1:
Gukal discloses:
A method (¶02: “… methods implemented by a network device …”) for automatic selection of countermeasures (¶02: “… distracting and diverting threats …”) to an automatically detected Distributed Denial of Service (DDoS) attack (¶02: “…  a dynamic network threat detection system using deception-based security mechanisms … The deception-based security mechanisms can serve as attractive targets to network threats, distracting and diverting threats from the actual, production assets of a network.”, ¶53: “… active attacks include denial of service (DoS) attacks, distributed denial of service (DDoS) attacks …”), the method comprising: 
determining an observed vector (¶473: “… construct attribute vectors …”) from the statistical data structure (¶473: “The attribute vector creation engine 3112e constructs the vectors for both the query item and the one or more candidate items …”), wherein the observed vector has associated attribute/value pairs (¶473: “… using the attribute values 3107.”) that characterize the respective one or more fields of one or more combinations (¶451: “… attribute values … represent the number of times the associated vulnerability attributes were detected”), wherein the one or more combinations have associated counters (¶471: “… weighs …”) that satisfy a predetermined criterion (¶471: “The attribute weight engine 3112c of FIG. 31 is configured to weigh the received attribute values 3107 (for both a query item and candidates items) according to their assigned weights, for example, by multiplying the attribute value by its associated attribute weight. The attribute weight engine 3112c is also configured to update the attribute weights for future comparisons of the query item to candidate items, as similar items are characterized and confirmed …”); 
comparing the attribute/value pairs associated with the observed vector to known attribute/value pairs associated with known DDoS attack vectors of an attack vector database (see  FIG 34B: “Attack Pattern Database 3405.”) (¶522: “The attack pattern generator 3406 may monitor and/or analyze the network data 3404 in conjunction with previous attack pattern data in a database of known attack patterns 3405.”); 
and in response to finding a known attack vector having matching known attribute/value pairs as a result of the comparison, selecting mitigation parameters (¶523: “… security mechanisms …”) associated with the known attack vector (¶523: “The deployment generator 3410 may analyze the suspected attack pattern 3408. … The deployment generator 3410 may determine which of the security mechanisms are most likely to be attractive to potential threats.”), wherein the selected mitigation parameters are used for applying a countermeasure to the network traffic for mitigating an attack (¶526: “Once placed in the network 3402, the security mechanisms 3420a-3420c may begin collecting data about activity or interactions related to them. For example, the security mechanisms 3420a-3420c may record each time that they are accessed, what was accessed, and, with sufficient information, who accessed them (i.e., the source of the access or interaction). The security mechanisms 3420a-3420c may provide this data to the deployment engine 3414.”). 
However, Gukal does not disclose the following limitations taught by Monetti: 
receiving a network traffic snapshot of network traffic (Monetti, ¶24: “… a snapshot of the ingress packets or the egress packets may be obtained”), wherein packets of the network traffic snapshot each have data stored in respective fields of a set of one or more fields (Monetti, ¶27: “The egress and ingress packets may be matched based on different information. This may vary based on the network setup, but source IP addresses, destination IP addresses, source port numbers, destination port numbers, or (in the case of TCP) TCP sequence number, among other things. In other cases, other indicative header fields specific to the protocol may be used.”); 
generating a statistical data structure (Monetti, ¶30: “… correlate packet streams …”) that includes, for each unique packet of the network traffic snapshot, each potential unique combination of data stored in the respective fields of the set of one or more fields, each of the combinations having an associated counter (Monetti, ¶30: “…  parametric values …”) that is incremented for each occurrence that the combination matches one of the packets of the network traffic snapshot (Monetti, ¶30: “… compute parametric values based on programmed measurement requirements (e.g., counting packets belonging to a certain TCP session and then outputting average session size over the last 10 seconds).”) and one or more timestamps (Monetti, ¶27: “… a timestamp …”) indicating when the combination was observed (¶30: “… compute time delays (e.g., subtract the ingress timestamp from the egress timestamp).”) (Monetti, ¶27: “… egress and ingress packets are matched. For example, packet 2-1 on ingress port 111 is matched with packet 2-1 on egress port 113”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Gukal to incorporate the functionality of the analysis engine to receive a snapshot of ingress/egress packets and to determine if there has been a microburst and resolve the issue, as disclosed by Monetti, such modification of using packet snapshots would allow for more accurate network planning, which may in turn introduce cost reduction in the existing technology.
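The method recited in claim 1, with the threshold of claim 2 and the continue-to-the-next-vector step of claim 3, as a worked illustration. The Python below is added by the editor and is not code from the application, from Gukal or from Monetti; the packet snapshot, the field names, the attack vector database and the mitigation parameters are all constructed for the example, and reading the claim 2 percentage as the share of the statistical structure's counters (over the known vector's field set) that carry the known values is one interpretation chosen here, not a construction of the claim.

```python
from collections import defaultdict
from itertools import combinations

# Constructed snapshot: eight SYNs from one source network toward port 80 and
# two ordinary established-connection packets. Values are invented.
SNAPSHOT = (
    [{"src_net": "203.0.113.0/24", "dst_port": 80, "proto": "TCP", "flags": "S", "ts": 1000 + i}
     for i in range(8)]
    + [{"src_net": "198.51.100.0/24", "dst_port": 443, "proto": "TCP", "flags": "PA", "ts": 1000 + i}
       for i in range(2)]
)
FIELDS = ("src_net", "dst_port", "proto", "flags")

# Hypothetical attack vector database: known attribute/value pairs stored with
# the mitigation parameters to apply when that vector is matched.
ATTACK_VECTOR_DB = [
    {"name": "syn_flood", "attrs": {"proto": "TCP", "flags": "S"},
     "mitigation": {"action": "syn_cookies", "rate_limit_pps": 1000}},
    {"name": "udp_amplification", "attrs": {"proto": "UDP", "dst_port": 53},
     "mitigation": {"action": "drop", "rate_limit_pps": 100}},
]


def build_statistics(packets, fields=FIELDS):
    """Statistical data structure: every non-empty combination of the packets'
    field values, each with a counter and the timestamps at which it was seen."""
    stats = defaultdict(lambda: {"count": 0, "timestamps": []})
    for pkt in packets:
        for r in range(1, len(fields) + 1):
            for subset in combinations(fields, r):
                key = tuple((f, pkt[f]) for f in subset)
                stats[key]["count"] += 1
                stats[key]["timestamps"].append(pkt["ts"])
    return stats


def observed_vectors(stats, min_count):
    """Observed vectors: combinations whose counter meets the criterion, most
    frequent (then least specific) first, as attribute/value dictionaries."""
    qualifying = [(key, v["count"]) for key, v in stats.items() if v["count"] >= min_count]
    qualifying.sort(key=lambda kv: (-kv[1], len(kv[0]), kv[0]))
    return [dict(key) for key, _ in qualifying]


def match_fraction(stats, known_attrs):
    """Share of the counters over the known vector's field set whose stored
    values equal the known attribute/value pairs (the claim 2 percentage)."""
    field_set = tuple(sorted(known_attrs))
    total = matched = 0
    for key, entry in stats.items():
        if tuple(sorted(f for f, _ in key)) != field_set:
            continue
        total += entry["count"]
        if dict(key) == known_attrs:
            matched += entry["count"]
    return matched / total if total else 0.0


def select_mitigation(stats, vectors, db=ATTACK_VECTOR_DB, threshold=0.5):
    """Compare each observed vector to the database; on a match whose share
    exceeds the threshold, return the stored mitigation parameters. If a vector
    does not match, continue with the next one (claim 3)."""
    for observed in vectors:
        for known in db:
            if all(observed.get(f) == v for f, v in known["attrs"].items()):
                frac = match_fraction(stats, known["attrs"])
                if frac > threshold:
                    return {"name": known["name"], "observed": observed,
                            "match_fraction": frac, "mitigation": dict(known["mitigation"])}
    return None


if __name__ == "__main__":
    stats = build_statistics(SNAPSHOT)
    print(select_mitigation(stats, observed_vectors(stats, min_count=5)))
```

With the constructed snapshot the first observed vector is the single pair proto=TCP (counter 10), which matches no database entry; the next vectors are tried until proto=TCP, flags=S is reached, whose share over the (proto, flags) field set is 8/10, so the syn_flood parameters are selected. Raising the threshold above 0.8 makes the same run select nothing, which is the branch claim 3 describes.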
Regarding claim 2: 
The combination of Gukal and Monetti discloses:
The method of claim 1, wherein the mitigation parameters are selected only if a percentage of the combinations of the statistical data structure that have data stored in the combination's associated data fields that matches the attribute/value pairs of the known attack vector exceeds a threshold (Gukal, ¶566-567: “A threshold may be selected (e.g., absolute value of the correlation coefficient is greater than 0.9), such that correlation coefficients that are above the threshold indicate patterns of network behavior that may be associated with a threat, and should be added to the attack pattern 3808. … attack patterns from an attack pattern generator can be provided to a deployment generator, to be used to adjust the deployment of security mechanisms in a network.”).  
Regarding claim 3:
The combination of Gukal and Monetti discloses:
The method of claim 2, further comprising, if the percentage of the combinations of the statistical data structure that have data stored in the combination's associated data fields that matches the attribute/value pairs of the known attack vector does not exceed the threshold (Gukal, ¶571: “… within the threshold.”), continuing to compare the attribute/value pairs associated with a next observed vector to the known attribute/value pairs until a known attack vector having matching known attribute/value pairs is found as a result of the comparison (Gukal, ¶571: “… any regression model can be used for prediction purposes. Once the score values are assigned, the locations may then be sorted by the score value, and a threshold may be selected (e.g., highest score value, top ten highest score values, values greater than 0.75, etc.). Security mechanisms may then be deployed at locations within the threshold.”).  
Regarding claim 4:
The combination of Gukal and Monetti discloses:
The method of claim 1, wherein the method further comprises determining from the attack vector database detailed attack parameters (Gukal, ¶528: “… attack signature …”) stored in association with the known attack vector (Gukal, ¶562: “The statistical analysis engine 3807b can be provided with digital signatures for known attack patterns from the attack pattern database 3805.”), wherein the mitigation parameters selected are based on the detailed attack parameters (Gukal, ¶528: “… the validation engine 3422 may implement statistical analysis with pattern matching to generate an attack signature if one or more interactions are part of a new confirmed threat, or may use an existing attack signature to confirm one or more interactions as a threat.”).  
Regarding claim 5:
The combination of Gukal and Monetti discloses:
The method of claim 4, wherein the detailed attack parameters are associated with detailed known attribute/value pairs (Gukal, ¶60: “By comparing a digital signature for particular network data to digital signatures for known attack patterns, the network threat detection system can determine a probability that the particular network data shows evidence of a known attack.”), and wherein determining the detailed attack parameters further comprises: 
determining at least one observed sub-vector (Gukal, ¶475: “… normalized attribute vector …”) from the statistical data structure, wherein each of the at least one observed sub-vector includes detailed attribute/value pairs about the one or more combinations, the detailed attribute/value pairs having information of greater detail than the attribute/value pairs associated with the observed vector (Gukal, ¶475: “The attribute vector creation engine 3112e of FIG. 31 may further be configured to normalize the attribute vector to remove the bias from high or low attribute values. … Thus, the normalized attribute vector would be …”); 
comparing in a second comparison the detailed attribute/value pairs of an observed sub-vector of the at least one observed sub-vectors to the known detailed attribute/value pairs (Gukal, ¶477: “The attribute vector comparison engine 3112f is configured to determine a distance between the attribute vector of a query item and a random vector (“query item distance”), to determine a distance between the attribute vector or one or more candidate items and the random vector …”), wherein the mitigation parameters associated with the detailed attack parameters are only selected if it is determined the detailed attribute/value pairs match the detailed known attribute/value pairs as a result of the second comparison (Gukal, ¶479: “The similar item identification engine 3112g is configured to determine whether the comparison values are within a threshold value. If they are within a threshold value, those candidate items may be characterized as similar items 3114a to the query item. … Once similar items 3114a are identified, one or more can be used as a host for deception mechanisms …”).  
Regarding claim 6:
The combination of Gukal and Monetti discloses:
The method of claim 4, further comprising, if the result of the second comparison indicates that the detailed attribute/value pairs of the observed sub-vector do not match the detailed known attribute/value pairs, repeating the second comparison with the detailed attribute/value pairs of a next one of the at least one observed sub-vectors until a match is found (Gukal, ¶321: “When the new alert data 1604, at step 1680, does not match an identified attack pattern 1690, the process 1606 next attempts, at step 1682, to determine whether the new alert data 1604 describes a pattern of behavior that may be a new and previously unidentified threat to the network. … The previously unmatched alerts 1672 may be patterns of behavior that has previously been determined to not be an attack. The new alert data 1604 may be matched against these previously unmatched alerts 1672 to determine that the new alert data 1604 describes behavior already determined to not be an attack. Alternatively, the new alert data 1604 may indicate that a previous unmatched alert 1672 may, in fact, describe an actual attack.”).  
Regarding claim 7:
The combination of Gukal and Monetti discloses:
The method of claim 1, further comprising applying the selected mitigation parameters as the countermeasure (Gukal, ¶155: “When only its own security mechanisms are compromised, the security device 660 may isolate itself from the rest of the network 600.”).  
Regarding claim 9:
Gukal discloses: 
A network attack monitor (¶483: “… sensor 3210 …”, see also Fig. 32) for automatic selection of countermeasures to an automatically detected Distributed Denial of Service (DDoS) attack (¶484: “… The sensor 3210 is typically connected to a network 3204 … that is being monitored and protected …”), the network attack monitor comprising (¶483: “… the example sensor 3210 may be a computing device that includes …”): 
a memory configured to store instructions (¶485: “… the memory 3214 on the sensor 3210 may store code for an operating system 3220 …”); 
a processor (¶483: “… one or more processors 3212 …”) and in communication with the memory, wherein the processor upon execution of the instructions is caused to:
In addition to the above limitations, claim 9 substantially recites the same limitations as claim 1 in the form of a network attack monitor to implement the corresponding method; therefore, it is rejected by the same rationale. 
Regarding claims 10-15:
Claims 10-15 substantially recite the same limitations as claims 2-7, respectively, in the form of a network attack monitor to implement the corresponding method; therefore, they are rejected by the same rationale. 
Regarding claim 17:
Gukal discloses:
A non-transitory computer readable storage medium storing one or more computer programs embedded therein, the computer programs comprising instructions (¶582: “… a non-transitory medium in which data can be stored and that does not include carrier waves and/or transitory electronic signals propagating wirelessly or over wired connections.”), which when executed by a computer system, cause the computer system to: 
In addition to the above limitations, claim 17 substantially recites the same limitations as claim 1 in the form of a non-transitory computer readable storage medium; therefore, it is rejected by the same rationale. 
Regarding claims 18-20:
Claims 18 and 19-20 substantially recite the same limitations as claims 2 and 4-5, respectively, in the form of a non-transitory computer readable storage medium; therefore, they are rejected by the same rationale. 
Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gukal, Monetti, and further in view of US-PGPUB No. 2007/0150957 A1 to Hartrell et al. (hereinafter “Hartrell”).
Regarding claim 8:
The combination of Gukal and Monetti discloses the method of claim 1, but fails to disclose the following limitations taught by Hartrell:
further comprising: 
receiving a snapshot of peacetime network traffic (Hartrell, ¶17: “… pre-infection snapshot.”) known to be free of an applied attack (Hartrell, ¶14: “… the malware analysis system can provide a snapshot of the last ten minutes of the monitored activities (e.g., local system activity, network activity, etc.) prior to the detection of the infection. This snapshot may be referred to as a "pre-infection snapshot."”);
applying the selected mitigation parameters (Hartrell, ¶17: “… state model …”) as the countermeasure to the snapshot of peacetime network traffic (Hartrell, ¶17: “… the malware analysis system may apply a state model for malware to normalize and categorize the monitored activities in the pre-infection snapshot and/or the post-infection snapshot to aid in constructing cause and effect relationships.”); 
and based on packets of the snapshot of peacetime traffic that are blocked by the applied selected mitigation parameters, adjusting the selected mitigation parameters to reduce blocking packets of the snapshot of peacetime traffic (Hartrell, ¶15: “… analyze the snapshots (i.e., the snapshot of the activities prior to the detected/suspected infection and/or the snapshot of the activities subsequent to the detected/suspected infection) and use the result of the analysis to manually or automatically re-configure security policies in the environment to prevent future infections.”). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Gukal and Monetti to incorporate the functionality of the malware analysis system to apply a state model for malware to normalize and categorize the monitored activities in the pre-infection snapshot and/or the post-infection snapshot to aid in constructing cause and effect relationships, as disclosed by Monetti, such modification would allow the system to adjust the selected mitigation parameters, thus minimizing blocking of peacetime traffic.
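The three steps of claim 8 (apply the selected mitigation parameters to a peacetime snapshot, observe which of its packets would be blocked, and adjust the parameters to reduce that blocking) as a worked illustration. This Python is added by the editor and is not code from the application, Gukal, Monetti or Hartrell; the peacetime and attack snapshots, the per-source SYN limit used as the mitigation parameter, and the tuning rule (raise the limit to the busiest peacetime source, subject to a cap) are all constructed for the example.

```python
from collections import Counter

# Constructed peacetime snapshot, known to be free of an attack: SYNs from two
# legitimate client networks, one of them busy, plus some established traffic.
PEACETIME_SNAPSHOT = (
    [{"src_net": "198.51.100.0/24", "proto": "TCP", "flags": "S"} for _ in range(6)]
    + [{"src_net": "192.0.2.0/24", "proto": "TCP", "flags": "S"} for _ in range(3)]
    + [{"src_net": "192.0.2.0/24", "proto": "TCP", "flags": "PA"} for _ in range(5)]
)
# Constructed attack snapshot: a single source network flooding SYNs.
ATTACK_SNAPSHOT = [{"src_net": "203.0.113.0/24", "proto": "TCP", "flags": "S"} for _ in range(40)]

# Hypothetical mitigation parameters as selected from the attack vector database:
# packets matching the attribute/value pairs are blocked once their source
# exceeds max_per_source within the snapshot window.
SELECTED_PARAMS = {"match": {"proto": "TCP", "flags": "S"}, "max_per_source": 4}


def _matches(pkt, attrs):
    """True when every attribute/value pair of the countermeasure is present in the packet."""
    return all(pkt.get(f) == v for f, v in attrs.items())


def apply_countermeasure(packets, params):
    """Apply the parameters to a snapshot and report what would be blocked."""
    matching = [p for p in packets if _matches(p, params["match"])]
    per_source = Counter(p["src_net"] for p in matching)
    limit = params["max_per_source"]
    blocked = [p for p in matching if per_source[p["src_net"]] > limit]
    return {
        "blocked": len(blocked),
        "passed": len(packets) - len(blocked),
        "offending_sources": sorted(s for s, n in per_source.items() if n > limit),
    }


def tune_against_peacetime(params, peacetime_packets, cap=None):
    """Adjust the parameters so the peacetime snapshot is no longer blocked:
    raise max_per_source to the busiest peacetime source, never above cap.
    Returns new parameters; the selected parameters are left untouched."""
    tuned = dict(params)
    if apply_countermeasure(peacetime_packets, tuned)["blocked"] == 0:
        return tuned
    matching = [p for p in peacetime_packets if _matches(p, params["match"])]
    peak = max(Counter(p["src_net"] for p in matching).values())
    new_limit = max(tuned["max_per_source"], peak)
    if cap is not None:
        new_limit = min(new_limit, cap)
    tuned["max_per_source"] = new_limit
    return tuned


if __name__ == "__main__":
    before = apply_countermeasure(PEACETIME_SNAPSHOT, SELECTED_PARAMS)
    tuned = tune_against_peacetime(SELECTED_PARAMS, PEACETIME_SNAPSHOT)
    print("peacetime blocked before/after:", before["blocked"],
          apply_countermeasure(PEACETIME_SNAPSHOT, tuned)["blocked"])
    print("attack blocked with tuned parameters:",
          apply_countermeasure(ATTACK_SNAPSHOT, tuned)["blocked"])
```

With the constructed data the selected limit of 4 would block the six SYNs of the busy legitimate network; tuning raises the limit to 6, after which the peacetime snapshot passes in full while the 40-packet flood is still blocked. The cap exists because the adjustment only reduces false positives safely if the peacetime snapshot really is attack-free; a snapshot that already contains a low-rate flood would otherwise loosen the countermeasure.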
Regarding claim 16:
Claim 16 substantially recites the same limitations as claim 8 in the form of a network attack monitor to implement the corresponding method; therefore, it is rejected by the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Doctor et al. (US-PGPUB No. 2014/0096251-A1) - disclosed a system and/or method for identifying and mitigating malicious network threats. Associated network data is retrieved from various sources across a network and analyzed to identify a malicious network threat. When a threat is found, the system performs a mitigating action to neutralize the malicious network threat. 
Sheridan et al. (US-PGPUB No. 2020/0137102-A1) - disclosed a method for asset-centric management, comprising receiving, at a management system, information that characterizes one or more attributes of one or more assets in communication with a managed network, loading a criticality rules table that includes a plurality of rules, each rule mapping an individual attribute and/or a group of attributes to a corresponding criticality score. 
Compton (US-PGPUB No. 2020/0137112-A1) - disclosed a system and method for mitigating a distributed denial-of-service (DDoS) attack in a networked computing system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491