DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Claims 1-22 are pending.  Claims 1, 11 and 12 are independent.

3.	The IDSs submitted on 12/23/2020 and 8/25/2022 have been considered.

Claim Objections
4.	Claim 7 is objected to because it partially recites “sending the clean traffic to the destined to the protected cloud-hosted” (emphasis added).  This limitation should be rewritten “sending the clean traffic destined to the protected cloud-hosted application” or “sending the clean traffic to the destined protected cloud-hosted application”.

5.	Similarly, claim 19 is objected to because it partially recites “send the clean traffic to the destined to the protected cloud-hosted” (emphasis added).  This limitation should be rewritten “send the clean traffic destined to the protected cloud-hosted application” or “send the clean traffic to the destined protected cloud-hosted application”.

6.	Claim 16 is objected to because it partially recites “evaluate, using a FIS engine” (emphasis added).  It is not clear what the abbreviation “FIS” stands for; thus, it should be spelled out before being used in a claim.

7.	Claims 16, 17 and 18 are objected to because the claims on which they depend are out of order.  Claims 16, 17 and 18 should depend on claims 15, 16 and 17, respectively.

Appropriate correction is required.

Claim Rejections - 35 USC § 112
8.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


9.	Claim 13 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
In claim 13, the phrase "can be hosted in a plurality of cloud computing platforms …" (emphasis added) renders the claim indefinite because it is unclear whether the limitations following the word “can” are part of the claimed invention.  See MPEP § 2173.05(d).




Claim Rejections - 35 USC § 102
10.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

11.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

12.	Claims 1, 2, 3, 7, 8, 9, 11, 12, 14, 15 and 19-21 are rejected under 35 U.S.C. 102 as being anticipated by Doron (US PG Pub. 2014/0283051).
As regarding claim 1, Doron discloses A method for protecting cloud-hosted applications against application-layer slow distributed denial-of-services (DDoS) attacks, comprising: 
collecting telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms [para. 22 and 33-35; collecting DoS attack data from the VMs of physical machines 130-m]; wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application [para. 3, 8 and 26; cloud infrastructures host protected objects];
providing a set of rate-based and rate-invariant features based on the collected telemetries [para. 29-33; determining average number of active connections or an average number of packets received per second based on the DoS attack data]; and 
evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack [para. 29-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second]; and 
causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].  

As regarding claim 2, Doron further discloses The method of claim 1, wherein the collected telemetries include at least one of: a central processing unit utilization, a latency, a new transmission control protocol (TCP) connection count, a current TCP connection count, application-layer hypertext transfer protocol methods, application-layer verbs, application-layer request counts, memory usage, transaction volume, a connection size, a session size, and an error rate [para. 29; collecting traffic data including average number of active connections or an average number of packets received per second].  
  

As regarding claim 3, Doron further discloses The method of claim 1, wherein the set of rate-based and rate-invariant features includes: new connections per second, connections per second, and average connection size [para. 29; collecting traffic data including average number of active connections or an average number of packets received per second].

As regarding claim 7, Doron further discloses The method of claim 1, wherein causing execution of the mitigation action further comprises: redirecting traffic destined to the protected cloud-hosted application to a mitigation resource for at least cleaning the traffic; and sending the clean traffic to the destined to the protected cloud-hosted [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].

As regarding claim 8, Doron further discloses The method of claim 7, wherein the mitigation resource is deployed in a defense cloud computing platform being out-of-path from the computing platforms hosting the protected cloud-hosted application [para. 27 and 35; the security system is deployed out-of-path].  

As regarding claim 9, Doron further discloses The method of claim 1, wherein the method is performed by a system deployed in a defense cloud computing platform [para. 51-52; detecting and mitigating DoS attack].  

As regarding claim 11, Doron discloses A non-transitory computer readable medium having stored thereon instructions for causing processing circuity to perform a method for protecting cloud-hosted applications against application-layer slow distributed denial-of-service (DDoS) attacks, comprising:
collecting telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms [para. 22 and 33-35; collecting DoS attack data from the VMs of physical machines 130-m], wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application [para. 3, 8 and 26; cloud infrastructures host protected objects]; 
providing a set of rate-based and rate-invariant features based on the collected telemetries [para. 29-33; determining average number of active connections or an average number of packets received per second based on the DoS attack data];  
evaluating each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack [para. 29-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second]; and 
causing execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].  

As regarding claim 12, Doron discloses A system for protecting cloud-hosted applications against application-layer slow DDoS attacks, comprising: 
a processing circuity [para. 54-57; a processor]; and 
a memory connected to the processor, the memory contains instructions that when executed by the processing circuity [para. 54-57; the processor executing instructions stored in a memory], configure the system to:
collect telemetries from a plurality of sources deployed in a plurality of public cloud computing platforms [para. 22 and 33-35; collecting DoS attack data from the VMs of physical machines 130-m], wherein each of the plurality of public cloud computing platforms hosts an instance of a protected cloud-hosted application [para. 3, 8 and 26; cloud infrastructures host protected objects]; 
provide a set of rate-based and rate-invariant features based on the collected telemetries [para. 29-33; determining average number of active connections or an average number of packets received per second based on the DoS attack data];  
evaluate each feature in the set of rate-based and rate-invariant features to determine whether a behavior of each feature and a behavior of the set of rate-based and rate-invariant features indicate a potential application-layer slow DDoS attack [para. 29-33; determining a DoS attack based on the determined average number of active connections or an average number of packets received per second]; and 
cause execution of a mitigation action, when an indication of a potential application-layer slow DDoS attack is determined [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].  

As regarding claim 14, Doron further discloses The system of claim 12, wherein the collected telemetries include at least one of: a CPU utilization, a latency, a new TCP connection count, a current TCP connection count, application-layer HTTP methods, application-layer verbs, application-layer request counts, memory usage, transaction volume, a connection size, a session size, and an error rate [para. 29; collecting traffic data including average number of active connections or an average number of packets received per second].

As regarding claim 15, Doron further discloses The system of claim 12, wherein the set of rate and rate-invariant features includes: new connections per second (NCPS), connection per second (CPS), and average connection size (ACS) [para. 29; collecting traffic data including average number of active connections or an average number of packets received per second].

As regarding claim 19, Doron further discloses The system of claim 14, wherein cause execution of the mitigation action further comprising: redirect traffic destined to the protected cloud-hosted application to a mitigation resource for at least cleaning the traffic; and send the clean traffic to the destined to the protected cloud-hosted [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].  

As regarding claim 20, Doron further discloses The system of claim 14, further comprises: a mitigation resource, wherein the mitigation resources is deployed in a defense cloud computing platform being out-of-path from the cloud computing platforms hosting the protected cloud-hosted application [para. 27 and 35; the security system is deployed out-of-path].  

As regarding claim 21, Doron further discloses The system of claim 14, wherein the system is deployed in a defense cloud computing platform [para. 51-52; detecting and mitigating DoS attack].  

Claim Rejections - 35 USC § 103
13.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

14.	Claims 4-6 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Yeh (US PG Pub. 2008/0083029).
As regarding claim 4, Doron does not explicitly disclose evaluating, using a fuzzy logic inference engine, a normal degree of fulfilment (DoF) score, a suspicious DoF score, and an attack DoF score.  However, Yeh discloses it [FIG. 2 and para. 14-21; using fuzzy logic to determine scores of different network aspects, scores of different suspicious network aspects and scores exceeding a severe threshold of different suspicious network aspects].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron’s evaluating each feature to further include the missing claim feature, as disclosed by Yeh, in order to effectively identify new network attacks and effectively provide appropriate corrective actions based on the degree of the identified attacks [Yeh para. 5].

As regarding claim 5, Yeh further discloses The method of claim 4, further comprising: evaluating, using an expert system, a degree of attack (DoA) score based on the maximum DoF scores computed over all the DoF scores of all features [FIG. 2 and para. 14-21; determining an overall score based on scores of different network aspects].  

As regarding claim 6, Yeh further discloses The method of claim 5, further comprising: comparing the DoA score to a predefined threshold, wherein an indication of a potential application-layer slow DDoS attack is determined when the DoA score exceeds the predefined threshold [FIG. 2 and para. 14-21; determining an attack/anomaly when the aggregator exceeds a threshold and performing a corrective action].

As regarding claim 16, Doron does not explicitly disclose evaluate, using a FIS engine, a normal degree of fulfilment (DoF) score, a suspicious DoF score, and an attack DoF score.  However, Yeh discloses it [FIG. 2 and para. 14-21; using fuzzy logic to determine scores of different network aspects, scores of different suspicious network aspects and scores exceeding a severe threshold of different suspicious network aspects].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron’s evaluating each feature to further include the missing claim feature, as disclosed by Yeh, in order to effectively identify new network attacks and effectively provide appropriate corrective actions based on the degree of the identified attacks [Yeh para. 5].

As regarding claim 17, Yeh further discloses The system of claim 19, further comprising: evaluate, using an expert system, a degree of attack (DoA) score based on the maximum DoF scores computed over all the DoF scores of all features [FIG. 2 and para. 14-21; determining an overall score based on scores of different network aspects].  

As regarding claim 18, Yeh further discloses The system of claim 20, further comprising: compare the DoA score to a predefined threshold, wherein an indication of a potential application-layer slow DDoS attack is determined when the DoA score exceeds the predefined threshold [FIG. 2 and para. 14-21; determining an attack/anomaly when the aggregator exceeds a threshold and performing a corrective action].

15.	Claims 10 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Kim (US PG Pub. 2012/0324573).
As regarding claim 10, Doron does not explicitly disclose The method of claim 1, wherein the application-layer slow DDoS attack is any one of: a Slowloris attack, a RUDY attack, a malformed HTTP session attack.  However, Kim discloses DoS attacks including a Slowloris or RUDY attack [para. 46].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron’s DDoS to further include a Slowloris or RUDY attack, as disclosed by Kim, as alternative types of DDoS attacks that need to be detected for protecting the networks.

As regarding claim 22, Kim further discloses The system of claim 14, wherein the application-layer slow DDoS attack is any one of: a Slowloris attack, a RUDY attack, a malformed HTTP session attack [para. 46].




16.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Doron (US PG Pub. 2014/0283051) in view of Oliveira (US Patent 9,729,414).
As regarding claim 13, Doron does not explicitly disclose that the protected cloud-hosted application can be hosted in a plurality of cloud computing platforms of various vendors including on-premises locations.  However, Oliveira discloses it [col. 1 lines 44-53 and col. 15 line 61 thru col. 16 line 3].
	It would have been obvious to one of ordinary skill in the art at the time of the effective filing of the invention to modify Doron’s evaluating each feature to further include the missing claim feature, as disclosed by Oliveira, in order to provide different cloud providers business opportunities for providing cloud computing services to their clients.










CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433  

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433