DETAILED ACTION
This Office Action is in response to the application 17/087418 filed on 11/02/2020.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-21 have been examined and are pending in this application. Claims 1, 8, and 15 are independent.
Priority
This application is a continuation of Application No. 16/045,004 filed on 07/25/2018, currently US Patent No. 10,826,918.
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 05/13/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims 1, 8, and 15 are objected to because of the following informalities:
As to claims 1, 8, and 15, the last limitation, “causing/cause a connection . . .”, should be preceded by “and” (emphasis added).
Appropriate correction is required.

Double Patenting
Claims 1-21 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 10,826,918. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
The independent claims 1, 8, and 15 of the instant application are anticipated by the claims 1, 8, and 15 of the reference patent, respectively. 
The following claims are presented side by side for comparison. Claims 1, 8, and 15 of the instant application recite a broader scope than claims 1, 8, and 15 of the reference patent, and are therefore anticipated by them.
The dependent claims 2-7, 9-14, and 16-21 of the instant application are also anticipated by the dependent claims 2-7, 9-14, and 16-21 of the reference patent, respectively.

Instant Application 17/087,518, claim 1:

1. A method for detecting malicious activity, comprising:
    receiving, at a first time point at a server from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    determining, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections to the destination within a time window;
    causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.

Reference Patent US 10,826,918, claim 1:

1. A method for detecting malicious activity from Internet of Things (IoT) devices, comprising:
    receiving, at a first time point at a cloud server from a first router connected to a first IoT device, first information indicating a first requested connection to a destination by the first IoT device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination and second information about the first IoT device, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    adding the received first information to third information received from a plurality of routers that are each connected to a corresponding one of a plurality of IoT devices not including the first IoT device, wherein the first information indicates a plurality of requested connections to a plurality of destinations by the plurality of IoT devices, to generate aggregated connection information;
    determining, using the aggregated connection information, that the first requested connection to the destination by the first IoT device is part of an attack on the destination, wherein determining that the first requested connection to the destination by the first IoT device is part of the attack on the destination comprises determining that more than a predetermined percentage of IoT devices in the plurality of IoT devices have requested connections to the destination within a time window;
    adding the destination to a group of blocked destinations;
    receiving, at a second time point, information indicating a second requested connection to the destination by a second IoT device; and
    causing the connection to the destination by the second IoT device to be blocked based on the inclusion of the destination in the group of blocked destinations.

Instant Application 17/087,518, claim 8:

8. A memory storing instructions that, if executed by a system for detecting malicious activity from Internet of Things (IoT) devices, the system comprising:
    a memory; and a hardware processor coupled to the memory that is configured to:
    receive, at a first time point from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    determine, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections to the destination within a time window;
    cause a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.

Reference Patent US 10,826,918, claim 8:

8. A system for detecting malicious activity from user Internet of Things (IoT) devices, the system comprising:
    a memory; and a hardware processor coupled to the memory that is configured to:
    receive, at a first time point from a first router connected to a first IoT device, first information indicating a first requested connection to a destination by the first IoT device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination and second information about the first IoT device, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    add the received first information to third information received from a plurality of routers that are each connected to a corresponding one of a plurality of IoT devices not including the first IoT device, wherein the first information indicates a plurality of requested connections to a plurality of destinations by the plurality of IoT devices, to generate aggregated connection information;
    determine, using the aggregated connection information, that the first requested connection to the destination by the first IoT device is part of an attack on the destination, wherein determining that the first requested connection to the destination by the first IoT device is part of the attack on the destination comprises determining that more than a predetermined percentage of IoT devices in the plurality of IoT devices have requested connections to the destination within a time window;
    add the destination to a group of blocked destinations;
    receive, at a second time point, information indicating a second requested connection to the destination by a second IoT device; and
    cause the connection to the destination by the second IoT device to be blocked based on the inclusion of the destination in the group of blocked destinations.

Instant Application 17/087,518, claim 15:

15. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious activity, the method comprising:
    receiving, at a first time point at a server from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    determining, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections to the destination within a time window;
    causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.

Reference Patent US 10,826,918, claim 15:

15. A non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious activity from Internet of Things (IoT) devices, the method comprising:
    receiving, at a first time point at a cloud server from a first router connected to a first IoT device, first information indicating a first requested connection to a destination by the first IoT device that has been intercepted by the first router, wherein the first information indicates at least an identifier of the destination and second information about the first IoT device, and wherein, at the first time point, the first requested connection has not yet been classified as part of an attack;
    adding the received first information to third information received from a plurality of routers that are each connected to a corresponding one of a plurality of IoT devices not including the first IoT device, wherein the first information indicates a plurality of requested connections to a plurality of destinations by the plurality of IoT devices, to generate aggregated connection information;
    determining, using the aggregated connection information, that the first requested connection to the destination by the first IoT device is part of an attack on the destination, wherein determining that the first requested connection to the destination by the first IoT device is part of the attack on the destination comprises determining that more than a predetermined percentage of IoT devices in the plurality of IoT devices have requested connections to the destination within a time window;
    adding the destination to a group of blocked destinations;
    receiving, at a second time point, information indicating a second requested connection to the destination by a second IoT device; and
    causing the connection to the destination by the second IoT device to be blocked based on the inclusion of the destination in the group of blocked destinations.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-21 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (“Smith-134,” US 2016/0205134, published on 07/14/2016), in view of Smith et al. (“Smith-406,” US 2016/0127406, published on 05/05/2016).
As to claim 1, Smith-134 teaches a method for detecting malicious activity (Smith-134: pars 0002, 0005, 0022, 0027, 0030, a system/method performs functions for analyzing and detecting malicious event/activity), comprising:
receiving, at a first time point at a server from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router (Smith-134: pars 0002, 0022, a system/method performs functions where a group of multiple computers repeatedly request network resources of the website or service. One or more malicious IP addresses corresponding to devices that request data from (or transceive data with) the one or more network resources), wherein the first information indicates at least an identifier of the destination (Smith-134: pars 0021-0022, the system can extract the IP addresses from the requests, and the request is for request data from (or transceive data with) the one or more network resources), and 
wherein, at the first time point, the first requested connection has not yet been classified as part of an attack (Smith-134: pars 0022-0026, the process began for performing the analysis to determine there is a malicious activity or not [i.e. not yet been classified as an attack]); and
determining, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination (Smith-134: pars 0023-0025, 0027, analysis can look at a group of IP addresses and determine if the addresses are associated with the same ISP. Compute a DDoS attack metric that includes a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP) comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections (Smith-134: pars 0029-0031, the metric is compared to a threshold. Determine if the metric exceeds the threshold) to the destination within a time window.
Smith-134 does not explicitly teach causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.
 However, in an analogous art, Smith-406 teaches causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination (Smith-406: pars 0022, 0075; Fig 1, traffic corresponding to those attacks is blocked).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith-406 with the method/system of Smith-134 for the benefit of providing a user with a means for blocking traffic from one or more sources to a destination when the destination is determined to be under attack (Smith-406: pars 0022, 0075).
As to claim 2, the combination of Smith-134 and Smith-406 teaches the method of claim 1, 
Smith-134 further teaches wherein the attack on the destination is a distributed attack (Smith-134: pars 0021, 0023-0025, 0027, system receives an indication that one or more network resources are being targeted as part of one or more DDoS attacks. Computing a DDoS attack metric).
As to claim 3, the combination of Smith-134 and Smith-406 teaches the method of claim 1, 
Smith-134 further teaches wherein the first information includes a type of device associated with the first user device (Smith-134: pars 0002, 0034, users see if their IP or computers are on any list. Network resources access to legitimate users).
As to claim 4, the combination of Smith-134 and Smith-406 teaches the method of claim 1, 
Smith-134 further teaches wherein the plurality of other user devices and the first user device are each associated with a first Internet Service Provider (ISP) (Smith-134: pars 0023-0025, 0027, analysis can look at a group of IP addresses and determine if the addresses are associated with the same ISP. Compute a DDoS attack metric that includes a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP).
As to claim 5, the combination of Smith-134 and Smith-406 teaches the method of claim 1, 
Smith-134 further teaches wherein determining that the first requested connection to the destination by the first user device is part of an attack on the destination further comprises calculating a threat score that indicates a likelihood that the first requested connection to the destination by the first user device is part of the attack, and wherein determining that the first requested connection to the destination by the first user device is part of the attack is based on the threat score exceeding a predetermined threshold (Smith-134: pars 0029-0031,0033,  the metric is compared to a threshold. Determine if the metric exceeds the threshold. System sees an IP address at multiple net flow analyzers by aggregating, the system, based on certain criteria may elect to perform further analysis).
As to claim 6, the combination of Smith-134 and Smith-406 teaches the method of claim 5, 
Smith-134 further teaches wherein the threat score is based on a duration of the time window (Smith-134: pars 0021, 0028, The metric can be computed periodically where each computed metric corresponds to malicious requests within a different time window. The time window can be a programmable time window).
As to claim 7, the combination of Smith-134 and Smith-406 teaches the method of claim 1, 
Smith-134 further teaches wherein determining that the first requested connection to the destination by the first user device is part of the attack further comprises determining that a number of destinations for which the set of user devices have requested connections is less than a predetermined threshold (Smith-134: pars 0029-0031, the metric is compared to a threshold. Determine if the metric exceeds the threshold).
As to claim 8, Smith-134 teaches a system for detecting malicious activity from Internet of Things (IoT) devices, the system comprising: a memory; and a hardware processor coupled to the memory (Smith-134: pars 0002, 0005, 0022, 0027, 0030, a system/method performs functions for analyzing and detecting malicious event/activity), that is configured to: 
receive, at a first time point from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router (Smith-134: pars 0002, 0022, a system/method performs functions where a group of multiple computers repeatedly request network resources of the website or service. One or more malicious IP addresses corresponding to devices that request data from (or transceive data with) the one or more network resources), wherein the first information indicates at least an identifier of the destination (Smith-134: pars 0021-0022, the system can extract the IP addresses from the requests, and the request is for request data from (or transceive data with) the one or more network resources), and 
wherein, at the first time point, the first requested connection has not yet been classified as part of an attack (Smith-134: pars 0022-0026, the process began for performing the analysis to determine there is a malicious activity or not [i.e. not yet been classified as an attack]); and 
determine, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination (Smith-134: pars 0023-0025, 0027, analysis can look at a group of IP addresses and determine if the addresses are associated with the same ISP. Compute a DDoS attack metric that includes a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP) comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections (Smith-134: pars 0029-0031, the metric is compared to a threshold. Determine if the metric exceeds the threshold) to the destination within a time window.
Smith-134 does not explicitly teach cause a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.
 However, in an analogous art, Smith-406 teaches cause a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination (Smith-406: pars 0022, 0075; Fig 1, traffic corresponding to those attacks is blocked).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith-406 with the method/system of Smith-134 for the benefit of providing a user with a means for blocking traffic from one or more sources to a destination when the destination is determined to be under attack (Smith-406: pars 0022, 0075).
As to claims 10-14, the claims are directed to a system, and the claim limitations are similar to those of method claims 2-7; they are therefore rejected for the same reasons set forth above for claims 2-7.
As to claim 15, Smith-134 teaches a non-transitory computer-readable medium containing computer-executable instructions that, when executed by a processor, cause the processor to perform a method for detecting malicious activity (Smith-134: pars 0002, 0005, 0022, 0027, 0030, a system/method performs functions for analyzing and detecting malicious event/activity), the method comprising:
receiving, at a first time point at a server from a first router connected to a first user device, first information indicating a first requested connection to a destination by the first user device that has been intercepted by the first router (Smith-134: pars 0002, 0022, a system/method performs functions where a group of multiple computers repeatedly request network resources of the website or service. One or more malicious IP addresses corresponding to devices that request data from (or transceive data with) the one or more network resources), wherein the first information indicates at least an identifier of the destination (Smith-134: pars 0021-0022, the system can extract the IP addresses from the requests, and the request is for request data from (or transceive data with) the one or more network resources), and 
wherein, at the first time point, the first requested connection has not yet been classified as part of an attack (Smith-134: pars 0022-0026, the process began for performing the analysis to determine there is a malicious activity or not [i.e. not yet been classified as an attack]); and
determining, using the first information, that the first requested connection to the destination by the first user device is part of an attack on the destination by the first user device and a plurality of other user devices, wherein determining that the first requested connection to the destination by the first user device is part of the attack on the destination (Smith-134: pars 0023-0025, 0027, analysis can look at a group of IP addresses and determine if the addresses are associated with the same ISP. Compute a DDoS attack metric that includes a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP) comprises determining a count of a set of user devices including the first user device and the plurality of other user devices that have requested connections (Smith-134: pars 0029-0031, the metric is compared to a threshold. Determine if the metric exceeds the threshold) to the destination within a time window.
Smith-134 does not explicitly teach causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination.
 However, in an analogous art, Smith-406 teaches causing a connection to the destination by a second user device to be blocked based on the determining that the first requested connection to the destination by the first user device is part of an attack on the destination (Smith-406: pars 0022, 0075; Fig 1, traffic corresponding to those attacks is blocked).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Smith-406 with the method/system of Smith-134 for the benefit of providing a user with a means for blocking traffic from one or more sources to a destination when the destination is determined to be under attack (Smith-406: pars 0022, 0075).
As to claims 16-21, the claims are directed to a computer-readable medium, and the claim limitations are similar to those of method claims 2-7; they are therefore rejected for the same reasons set forth above for claims 2-7.
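The detection procedure recited in claim 1 of the comparison table above, and restated in the rejection of claim 1, can be read as a concrete algorithm: a server collects router reports of intercepted connection requests, counts the distinct devices that requested each destination inside a sliding time window, classifies the destination as under attack when that count crosses a threshold (an absolute count, as in the instant claims, or a percentage of the device fleet, as in the reference patent), and then refuses later requests to that destination from any device, including one that never took part in the attack. The following Python is an added illustration written for this page; it is not code from the Office Action, the applicant's disclosure, or either Smith reference. The report format, the threshold values, the assumption that reports arrive in time order, and the sample reports are all constructed here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ConnectionReport:
    """What a router forwards to the server when it intercepts a request.
    Constructed format: only what the claim language requires, a time
    point, an identifier of the device and an identifier of the destination."""
    time: float
    device_id: str
    destination: str


class AttackDetector:
    """Counts distinct devices per destination inside a sliding time window.

    A destination is classified as under attack when the count reaches
    ``min_devices`` (the count test of claim 1) or, when ``fleet_size`` is
    given, when the count exceeds ``fraction`` of the fleet (the percentage
    test of the reference patent). Once classified, the destination joins
    ``blocked`` and every later request to it is refused, regardless of
    which device makes it and even after the window has elapsed.
    Assumption: reports arrive in non-decreasing time order, so the oldest
    entry of each deque is always at the front."""

    def __init__(self, window: float, min_devices: int,
                 fraction: Optional[float] = None, fleet_size: int = 0):
        self.window = window
        self.min_devices = min_devices
        self.fraction = fraction
        self.fleet_size = fleet_size
        self._events = defaultdict(deque)   # destination -> deque[(time, device_id)]
        self.blocked = set()                # the "group of blocked destinations"

    def _prune(self, dest: str, now: float) -> None:
        """Drop entries that fell out of the window ending at ``now``."""
        q = self._events[dest]
        while q and q[0][0] < now - self.window:
            q.popleft()

    def distinct_devices(self, dest: str, now: float) -> int:
        """Number of distinct devices that requested ``dest`` in the window."""
        self._prune(dest, now)
        return len({dev for _, dev in self._events[dest]})

    def _is_attack(self, count: int) -> bool:
        if count >= self.min_devices:
            return True
        if self.fraction is not None and self.fleet_size > 0:
            return count / self.fleet_size > self.fraction
        return False

    def handle(self, report: ConnectionReport) -> str:
        """Classify one report: 'blocked', 'attack' or 'allowed'."""
        dest = report.destination
        if dest in self.blocked:            # the second-device case of the claims
            return "blocked"
        self._events[dest].append((report.time, report.device_id))
        count = self.distinct_devices(dest, report.time)
        if self._is_attack(count):
            self.blocked.add(dest)
            return "attack"
        return "allowed"


def run(reports, **detector_kwargs):
    """Feed reports through a fresh detector and return the decision per report."""
    det = AttackDetector(**detector_kwargs)
    return [det.handle(r) for r in reports]


# Constructed sample: four cameras hit one destination within seconds,
# one camera repeats itself, and a printer and a late camera follow.
SAMPLE_REPORTS = [
    ConnectionReport(0.0, "cam-01", "203.0.113.10"),
    ConnectionReport(1.0, "cam-02", "203.0.113.10"),
    ConnectionReport(2.0, "cam-01", "203.0.113.10"),      # repeat, not a new device
    ConnectionReport(3.0, "thermostat-07", "198.51.100.5"),
    ConnectionReport(4.0, "cam-03", "203.0.113.10"),
    ConnectionReport(5.0, "cam-04", "203.0.113.10"),      # fourth distinct device
    ConnectionReport(6.0, "printer-02", "203.0.113.10"),  # never attacked, still refused
    ConnectionReport(90.0, "cam-05", "203.0.113.10"),     # window elapsed, block persists
]


if __name__ == "__main__":
    for report, decision in zip(SAMPLE_REPORTS,
                                run(SAMPLE_REPORTS, window=30.0, min_devices=4)):
        print(f"{report.time:5.1f} {report.device_id:14} {report.destination:14} {decision}")
```

Running it with a 30-second window and a threshold of four devices classifies the destination on the fourth distinct camera and refuses the printer and the late camera; shrinking the window to three seconds lets the same reports through, because the repeat from cam-01 does not count twice and the earlier cameras age out before the count reaches four. Whether a count or a fleet percentage is the right test depends on how well the server knows the fleet size, which is the operational difference between the two claim sets.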
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jahangir Kabir whose telephone number is (571) 270-3355. The examiner can normally be reached on 9:00-5:00 Mon-Thu.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571) 270-5002.  The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAHANGIR KABIR/             Primary Examiner, Art Unit 2439