Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. 

DETAILED ACTION
Claims 1-20 are pending in this office action. 

Priority
Priority has been claimed to US Provisional application# 62/870,621, filed on 07/03/2019.

Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors.  Applicant's cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 08/26/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Omum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-3, 12-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over various claims of application# 16/576,556, now patent# 11,122,075 (referred to as ‘075 hereinafter). With regards to ‘075, claims 1-2, 4, 7, 9-10, 13, 18-20 of ‘075 patent claim all the limitations set forth in the instant claims. Particularly, the instant independent claim 1 is covered by claims 1, 18 and 19 of ‘075; similarly, the instant independent claims 13 and 20 (similar to instant claim 1) are covered by the subject matter of the comparatively narrower independent claims 13 and 20 respectively of ‘075 in addition to subject matters of claims 18 and 19 of ‘975. Similarly, the instant claims 2-3 are covered by claims 3 and 1 resp. of ‘075; the instant claims 6 and 12 are covered by claims 1 and 18 resp. of ‘075. Further, the instant claims 14-19 are anticipated by the corresponding claims 2, 4, 7, 9, 10 and 18 respectively of ‘075. As various limitations in the above claims of ‘286 cover the limitations of the instant claims, the instant claims are not patentably distinct from the specified claims of ‘ as discussed above. 
Further, the system and computer program product (computer-readable medium) claims carry out method steps in a computing environment of the device/system. Therefore, it would be obvious to be able to carry out steps of a method, using a system or device or by computer executable computer program product code stored in a statutory computer readable medium executed by a processor.
This is a non-provisional obviousness type double patenting rejection because the conflicting claims have been patented.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 6-8, 10, 12-15, 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Vengalil et al. (US 2017/0026405 A1, hereinafter Vengalil), in view of Dolson et al. (US 2004/0006643 A1, Dolson hereinafter).
For claim 1, Vengalil teaches a computing system, comprising: a network adapter; a memory device; a processor (Fig. 1; para 0015-0019, 0107-0111, 0150 – network components such as transceivers to send and receive packets using a network protocol, and system comprising processor as processing units and memory units to store data) configured to: establish one or more transport protocol heuristics configured to identify one or more limits or other conditional values for operational functions that are performed when processing selective acknowledgement (SACK) messages (para 0001, 0006, 0008, 0012 - detection and elimination of optimistic selective acknowledgement (SACK) spoofing based DoS and DDoS attacks, and heuristics or analysis mechanism is devised and applied to SACK messages at the sender node; para 0123, 0125, 0129, 0141-0145, 0150 – discloses ways of heuristically analyzing the exchanged data via the network protocol between sender and receiver, and processing the SACK messages to identify comparison values or limits (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) received or configured for operational functions such as packet transmission, SACK generation, SCN increment etc.);
determine, based on the established transport protocol heuristics applied to the SACK messages, that a specified triggering event has occurred (para 0039-0040, 0124-0126, 0129, 0141-0145, 0150 – heuristically analyzing and processing the SACK messages to identify comparison values or limits that caused triggered packets, and mitigation in response to limits associated with detected events such as triggered packets associated with the attack/flood events forced upon by the malicious entity); and 
in response to determining that the specified triggering event has occurred: determine that the limits or conditional values for the operational functions are to be changed based on the type of triggering event that occurred; and change the one or more limits or conditional values based on the determination (para 0012, 0035-0040, 0124, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values or limits (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed after determining the need to do so based on the condition such as flood forced upon by the malicious receiver, as a mitigation in response to detected events or triggers, utilizing remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.).
Although checking of various limits associated with network data transmission and reception (as also disclosed by Vengalil above) including various attributes such as threshold values, limits and flood rate thresholds for identification of transmission integrity and security are also very well-known in the art, Vengalil does not appear to explicitly disclose, however Dolson discloses determining and utilizing thresholds reached to identify network security threats (para 0222, 0234, 0239-240 – placing a limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).
Therefore, based on Vengalil in view of Dolson, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Dolson in the system of Vengalil, in order to incorporate techniques of attack detection based on processes that take into account many common factors such as data integrity check and adjusting limits on various network parameters in order to enhance the system’s dynamic attack detection and gradually improving malicious entity detection capabilities, thereby making the system more extensible and secure.

For claim 2, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein the specified triggering event comprises determining, based on the one or more transport protocol heuristics applied to the SACK messages, that at least one limit or condition for one or more transport protocol heuristics has been reached (para 0121, 0123, 0130, 0142, 0148 – increments the sequence number, or adds the payload essence value to an initial value as part of count operation, for SACK validation). Vengalil does not appear to explicitly disclose, however Dolson discloses when the (one or more) threshold values for one or more of the heuristics have been reached (para 0222, 0234, 0239-240 – limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).

For claim 6, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches in response to determining that the specified triggering event has occurred: identifying which network node is sending the SACK messages; classifying the identified network node as a security threat; and taking one or more remedial actions to mitigate the security threat associated with the identified network node (para 0035-0040, 0115 - determining SCTP receiver node based on triggered events as a spoofed malicious node for which mitigation is performed; para 0124-0126, 0141-0145, 0150 – processing the SACK messages for detection and mitigation of attack, and mitigation via remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver node involved in SACK spoofing as malicious etc.). 

For claim 7, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein the specified triggering event includes reaching a specified level of current operating conditions at the computer system (para 0115, 0121-0125, 0143 - congestion operating condition due to traffic flooding as a triggering event).

For claim 8, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the computer system of claim 7, wherein the current operating conditions include processor load (para 0110, 0112, 0121, 0123, 0143 - congestion associated with processors associated with receiver and other nodes of the system, causing more load on the respective processors).

For claim 10, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the computer system of claim 7, wherein the current operating conditions include network load (para 0115, 0121-0125, 0143 - network congestion operating condition due to traffic flooding as a triggering event).

For claim 12, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein the one or more limits or conditional values are dynamically changed as operating conditions change at the computer system (para 0115, 0121-0125, 0129, 0143, 0149-0150 - congestion operating condition due to traffic flooding as a triggering event; and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) received or configured for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed based on the condition process). Vengalil does not appear to explicitly disclose, however Dolson discloses when the threshold values are dynamically changed as conditions change (para 0222, 0234, 0239-240 – limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).

As to claim 13, the claim limitations are similar to those of claim 1, except the instant claim 13 is drawn to a computer-implemented method that is similar to the method performed by the system of claim 1. Therefore claim 13 is rejected according to claim 1 above.

For claim 14, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein establishing the one or more transport protocol heuristics to the SACK messages includes incrementing one or more counters associated with the operational functions as the SACK messages are processed (para 0121, 0123, 0130, 0142, 0148 – a part of the process (operational function) increments the sequence number, or adds the payload essence value to an initial value for validation).

For claim 15, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches computer-implemented method of claim 14, wherein one or more of the counters are modified upon receiving an acknowledgement (ACK) message (para 0123, 0142, 0148 – increments the sequence number, or adds the payload essence value to an initial value as part of count operation when selective ACK message is received with TSN Ack).

For claim 17, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein at least one of the one or more threshold values for operational functions that are performed when processing the SACK messages comprises an indication of how many SACK messages are received within a specified time period (para 0124-0125, 0132, 0134; Fig. 7; – time gap associated with flood rate indicating number of packets received in a specific time gap). Vengalil does not explicitly teach, however Dolson discloses threshold values when processing the SACK messages comprises an indication of how many SACK messages are received within a specified time period (para 0222, 0234, 0239-240).

For claim 18, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches filtering the SACK messages to remove previously received SACK messages (para 0116, 0134, 0150-0151 – removal or elimination of duplicate or previously received SACK messages).

For claim 19, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches wherein the one or more limits or conditional values for operational functions that are performed when processing the SACK messages is dynamically changed as operating conditions change at the computer system (para 0115, 0121-0125, 0129, 0143, 0149-0150 - congestion operating condition due to traffic flooding as a triggering event; and processing the SACK messages to identify comparison values (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) received or configured for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed based on the condition process). Vengalil does not appear to explicitly disclose, however Dolson discloses when the threshold values are dynamically changed as conditions change (para 0222, 0234, 0239-240 – limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).

As to claim 20, the claim limitations are similar to those of claim 1, except the instant claim 20 is drawn to a non-transitory computer-readable medium comprising one or more computer-executable instructions (para 0054-0055, 0111) that, when executed by at least one processor of a computing device, cause the computing device to perform the method as performed by the system of claim 1. Therefore claim 20 is rejected according to claim 1 above.


Claims 4-5, 9, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Vengalil et al. (US 2017/0026405 A1, hereinafter Vengalil), in view of Dolson et al. (US 2004/0006643 A1, Dolson hereinafter), and further in view of Jing et al. (US 2021/0273865 A1, Jing hereinafter).
For claim 4, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Although checking of various conditions associated with network data transmission and reception (as also disclosed by Vengalil above) including various attributes such as values, limits and flood rate threshold adjustments for identification of transmission integrity and security are also very well-known in the art, Vengalil in view of Dolson does not appear to explicitly disclose, however Jing discloses wherein determining that the threshold values are to be changed based on the type of triggering event that occurred includes determining an amount by which to vary the threshold values (para 0078, 0125-0129 - flooding events, and determining the tunable thresholds which are then changed based on associated factors).
Therefore, based on Vengalil in view of Dolson and Jing, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Jing in the system of Vengalil in view of Dolson, in order to incorporate techniques of attack detection based on processes that take into account many common factors such as data integrity check and adjusting limits on various network parameters in order to enhance the system’s dynamic attack detection and gradually improving malicious entity detection capabilities, thereby making the system more extensible and secure.

For claim 5, Vengalil in view of Dolson and Jing teaches the claimed subject matter as discussed above in the computer system of claim 4. Vengalil and Dolson do not appear to explicitly disclose, however Jing discloses, wherein the amount by which to vary the threshold values is determined based on one or more associated policies (para 0073, 0078, 0120, 0125-0129 - flooding events, abrupt changes, and determining the tunable thresholds which are then changed by the amount or factor based on associated parameters and according to rules).

For claim 9, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the computer system of claim 8, wherein altering the one or more limits or conditional values includes lowering the values upon detecting high processor load or raising the values upon detecting low processor load (para 0110, 0112, 0121, 0123, 0143 - congestion in the processors associated with receiver and other nodes of the system, causing more load on the respective processors; para 0012, 0035-0040, 0124, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values or limits (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed after determining the need to do so based on the condition such as flood forced upon by the malicious receiver, as a mitigation in response to detected events or triggers, utilizing remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.). Vengalil does not appear to explicitly disclose, however Dolson discloses checking threshold values for one or more of the heuristics have been reached (para 0222, 0234, 0239-240 – limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).
Vengalil in view of Dolson does not appear to explicitly disclose, however Jing discloses altering the one or more threshold values includes lowering the threshold values or raising the threshold values based on varying processor load (para 0078, 0120-0122, 0125-0129 - flooding events, and determining the tunable thresholds which are then changed based on associated factors such as traffic increase and the changed processor load caused by that).

For claim 11, Vengalil in view of Dolson teaches the claimed subject matter as discussed above. Vengalil further teaches the computer system of claim 10, wherein altering the one or more limits or conditional values includes lowering the values upon detecting high network load or raising the values upon detecting low network load (para 0110, 0112, 0121, 0123, 0143 - congestion in the network components associated with receiver and other nodes of the system, causing more load on the respective components; para 0012, 0035-0040, 0124, 0129, 0141-0145, 0150 – processing the SACK messages to identify comparison values or limits (such as checksum, intervals, payload essence or cumulative payload essence, flood rate etc.) for operational functions such as packet transmission, SACK generation, SCN increment etc. wherein the time gap and SCN are dynamically adjusted or changed after determining the need to do so based on the condition such as flood forced upon by the malicious receiver, as a mitigation in response to detected events or triggers, utilizing remedial actions such as discarding the spoofed SACK, controlling flood and DoS attack, and categorizing and eliminating the receiver involved in SACK spoofing as malicious etc.). Vengalil does not appear to explicitly disclose, however Dolson discloses checking threshold values for one or more of the heuristics have been reached (para 0222, 0234, 0239-240 – limit on number of certain types of packets, or certain range or threshold can be applied in detection and prevention of attacks).
Vengalil in view of Dolson does not appear to explicitly disclose, however Jing discloses altering the one or more threshold values includes lowering the threshold values or raising the threshold values based on varying network load (para 0078, 0120-0122, 0125-0129 - flooding events, and determining the tunable thresholds which are then changed based on associated factors such as traffic increase and the changed network traffic load caused by that).


Allowable Subject Matter
Claims 3 and 16 are objected to as being dependent upon their respective rejected base claims, but would be allowable if incorporated in the base claims 1 and 13 including all of the limitations of the base claims and any intervening claims, in addition to overcoming the above-mentioned objections and rejections associated with these and their parent claims.
   
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433