DETAILED ACTION
1.	This action is responsive to the communications filed on 06/15/2022.
2.	Claims 1-24 are pending in this application.
3.	Claims 2, 7, 10, 15, 18, 23, have been amended.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Arguments
Applicant's arguments filed 06/15/2022 have been fully considered but they are not persuasive. In the remarks, applicant argued that:
a.	For the rejection of claim 1, the Office Action alleges that paragraph [0013] of Dagon describes "based on determining that the first message is malicious, ... sending, to the second computing device, a second message comprising an invalid network address," as recited in claim 1. Office Action, p. 8. Dagon describes: 
…
The Office Action alleges Dagon sinkhole computer 20 to be the "one or more first computing devices" of claim 1, Dagon bot computers 10 to be the "second computing device" of claim 1, and Dagon C&C computer 25 to be the "destination device" of claim 1. Office Action, p. 7. Paragraph [0013] of Dagon at most describes redirecting traffic from the Dagon bot computers 10 for the Dagon C&C computer 25 to the Dagon sinkhole computer 20. However, neither paragraph [0013] of Dagon nor any other portions of Dagon describes the Dagon sinkhole computer 20 or any other devices in Dagon sending any messages back to Dagon bot computers 10 (the alleged "second computing device"). Therefore, Dagon fails to teach or suggest "sending, to the second computing device, a second message comprising an invalid network address," as recited in claim 1. Gels fails to cure this deficiency of Dagon (Applicant’s remarks, Pages 8-10).

In response: Regarding applicant’s assertion that “neither paragraph [0013] of Dagon nor any other portions of Dagon describes the Dagon sinkhole computer 20 or any other devices in Dagon sending any messages back to Dagon bot computers 10 (the alleged "second computing device")” and therefore Dagon does not disclose the claimed “sending, to the second computing device, a second message comprising an invalid network address”, the examiner respectfully disagrees.
In Dagon, the command and control computer of the malicious botnet is identified. The IP address of the C&C computer is replaced with the IP address of the sinkhole computer so that when bot computers look up the C&C computer, they will be told to contact the sinkhole computer instead (Paragraph 13, Figure 2B). The examiner is equating being told to contact the sinkhole computer (i.e., by sending the IP address of the sinkhole) with sending a message to the bot computers in order to inform them of the replaced IP address.
As such, the rejection is respectfully maintained.

b.	Furthermore, the Office Action concedes that Dagon fails to teach or suggest "sending, to the second computing device, a second message ... configured to prevent the second computing device from sending one or more additional messages." as recited in claim 1, and relies on paragraph [0007] of Gels. Office Action, p. 8. Paragraph [0007] of Gels describes: 
… 
Assuming, without conceding, that the sender of the IP packet with a "faked address" in Gels to be equivalent to the "second computing device" of claim 1, both paragraph [0007] of Gels and other portions of Gels are silent about sending, to the sender in Gels, a "second message configured to prevent ... one or more additional messages" from the sender (Applicant’s remarks, Page 10).

In response: The examiner respectfully disagrees. 
Gels discloses that in order to make DoS and DDoS attacks more difficult, active blocking of faked IP addresses is utilized. Each organization that is connected to a network provider has a specific range of IP addresses. Each IP packet that is sent from this organization must have a sender in that range. If not in the range, it is considered a faked IP address and is not passed on by the network carrier (i.e., the claimed preventing…messages) (Paragraph 7). Gels goes on to disclose that specific external IP addresses can be excluded from communicating with the target system (Paragraph 70).
Examiner recommends clarifying the limitation to state that the second message prevents one or more additional messages from exiting the second computing device. This is in line with the detailed description (see page 9, lines 4-6 of the spec) of this step. Currently the limitation is being given the broadest reasonable interpretation of preventing one or more additional messages from the second computing device from reaching the destination device.
As such, the rejection is respectfully maintained.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP §2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 9, 17, are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 3, 11, 17, of U.S. Patent No. 11,120,406 (Patent ‘406) in view of Dagon et al. (US 2008/0028463).
Regarding claims 1, 9, 17, Patent ‘406 discloses:
A method comprising: receiving, by one or more first computing devices and from a second computing device, a first message addressed to a destination device (Patent ‘406, claim 1); and 
preventing sending of the first message to the destination device (Patent ‘406, claim 3); and 
sending, to the second computing device, a second message comprising an invalid network address and configured to prevent the second computing device from sending one or more additional messages (Patent ‘406, claim 1).
While Patent ‘406 disclosed preventing sending (see above), Patent ‘406 did not explicitly disclose based on determining that the first message is malicious.
However, in an analogous art, Dagon disclosed based on determining that the first message is malicious, preventing sending of the first message to the destination device (Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer (i.e., destination device). The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer (i.e., preventing sending of the first message to the destination device). Paragraph 14, determining if a bot computer DNS request rate is normal or suspicious (i.e., malicious)).
	One of ordinary skill in the art would have been motivated to combine the teachings of Patent ‘406 with Dagon because the references involve detecting malicious attacks on a network, and as such, both are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the determining of malicious messages and preventing them from reaching their destination of Dagon with the teachings of Patent ‘406 in order to improve surveillance of data (Dagon, Paragraph 52).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 7, 9-13, 15, 17-21, 23, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Dagon et al. (US 2008/0028463) in view of Gels et al. (US 2004/0187032).
Regarding claim 1, Dagon disclosed:
A method comprising: receiving, by one or more first computing devices (Paragraph 12, sinkhole computer 20) and from a second computing device (Paragraph 12, bot computer 10), a first message (Paragraph 14, DNS request) addressed to a destination device (Paragraph 12, C&C computer 25) (Paragraph 9, victim bot computers use a command and control (C&C) computer to communicate with compromised networks. Paragraphs 12-13, a malware author controls victim bot computers 10. The command and control computer (C&C) of the network of attacking compromised computers is identified. The sinkhole computer is used to hold traffic redirected from the C&C computer. Paragraph 14, bot computers sending DNS requests); and 
based on determining that the first message is malicious: preventing sending of the first message to the destination device (Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer. The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer (i.e., preventing sending of the first message to the destination device). Paragraph 48, once traffic is deemed abusive (i.e., malicious) and measured in the sinkhole, it is possible to revoke the DDNS account); and 
sending, to the second computing device, a second message comprising an invalid network address (Paragraph 13, the IP address of the C&C computer is replaced with the IP address of the sinkhole computer (i.e., invalid). Bot computers looking to contact the C&C computer will be told to contact the sinkhole computer instead (i.e., sending a second message to the second computing device)).
While Dagon disclosed determining a message is malicious and sending the malicious messages to an invalid IP address (see above), Dagon did not explicitly disclose configured to prevent the second computing device from sending one or more additional messages.  
However, in an analogous art, Gels disclosed configured to prevent the second computing device from sending one or more additional messages (Paragraph 7, blocking of faked IP addresses (i.e., preventing from sending additional messages as they are blocked) as many DoS and DDoS attacks used faked IP addresses (IP spoofing) to prevent detection of the hacker. Anonymous hosts should be restricted or prohibited as far as possible).
	One of ordinary skill in the art would have been motivated to combine the teachings of Dagon with Gels because the references involve mitigating DoS/DDoS attacks on a network, and as such, both are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the preventing of sending additional messages of Gels with the teachings of Dagon in order to adequately detect and eliminate…a host from risks and dangers (Gels, Paragraphs 15-17).
	Regarding claims 9, 17, the claims are substantially similar to claim 1. Claim 9 recites one or more processors and memory (Dagon, Paragraph 8, computers, therefore having a processor and memory). Claim 17 recites a non-transitory computer readable medium (Dagon, Paragraph 9, medium for communication). Therefore, the claims are rejected under the same rationale.
Regarding claims 2, 10, 18, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein determining that the first message is malicious comprises one or more of: monitoring messages received from the second computing device (Dagon, Paragraph 14, determining whether a bot computer’s DNS request rate is normal or suspicious (i.e., monitoring)); analyzing content of the first message; determining that a quantity of messages received from the second computing device satisfies a maximum threshold quantity of messages (Dagon, Paragraphs 19-32, determining if the request rate significantly deviates from a mean request rate and exceeds a threshold); or determining that the first message has been sent via a port of the second computing device, wherein messages, previously sent by the second computing device via the port of the second computing device, indicate malicious messaging by the second computing device.
	Regarding claims 3, 11, 19, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein the second computing device is associated with a first network, and wherein preventing sending of the first message to the destination device comprises preventing sending of the first message to a destination device associated with a second network different than the first network (Dagon, Paragraph 13, the IP address of the C&C computer is replaced with the IP address of the sinkhole computer. Bot computers looking to contact the C&C computer will be told to contact the sinkhole computer instead. Figure 2A showing the victim cloud as one network and the sinkhole/C&C computer as a different network).
	Regarding claims 4, 12, 20, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
	wherein determining that the first message is malicious comprises: determining that messages, of at least one message type and sent by the second computing device, indicate malicious messaging by the second computing device (Dagon, Paragraph 14, determining whether a bot computer’s DNS (i.e., message type) request rate is normal or suspicious (i.e., malicious)); and
Application No. 17/403,415; Docket No.: 007412.05463\US; Preliminary Amendment dated November 24, 2021
determining, based on the first message being of that at least one message type, that the first message is malicious (Dagon, Paragraph 14, if the bot’s DNS request rate is determined to be suspicious, an exponential request rate is determined).
Regarding claims 5, 13, 21, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
wherein the first message is of at least one message type (Dagon, Paragraph 14, bot computer’s DNS request rate (i.e., message type)), and wherein the second message is configured to prevent the second computing device from sending additional messages of the at least one message type (Gels, Paragraph 7, blocking of faked IP addresses (i.e., preventing from sending additional messages of one message type) as many DoS and DDoS attacks used faked IP addresses (IP spoofing) to prevent detection of the hacker. Anonymous hosts should be restricted or prohibited as far as possible).
For motivation, please refer to claims 1, 9, 17.
Regarding claims 7, 15, 21, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels disclosed:
further comprising: determining that the second computing device sent the first message via a port of the second computing device (Dagon, Paragraph 148, sending DNS queries that have the same source IP and port); and 
sending other additional messages, received via the port of the second computing device, to a sink-hole device (Dagon, Paragraphs 12-13, malware author attempts to contact (i.e., malicious message) command and control (C&C) computer (i.e., destination device). The IP address of the C&C computer is replaced with the IP address of the sinkhole computer 20. The sinkhole computer is used to hold traffic redirected from another computer, thereby isolating the network of bot computers from the C&C computer. Paragraph 148, DNS queries having a source IP and port).



Claims 6, 8, 14, 16, 22, 24, are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Dagon et al. (US 2008/0028463) in view of Gels et al. (US 2004/0187032) and McCowan et al. (US 7,596,097).
Regarding claims 6, 14, 22, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels did not explicitly disclose:
wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device.  
However, in an analogous art, McCowan disclosed wherein the second message comprises an acknowledgement that provides a false indication of a successful receipt of the first message by the destination device (Column 12, Lines 41-63, trace detector 150 drops subsequent trace route packets to block trace route packets originating from the source address of the initial trace route packet. In a host 130, the trace detector can block outgoing packets 192. Trace detector formulates at least one trace route response packet (i.e., acknowledgement) for initial or subsequent trace route packets 192. The trace route response packet 194 includes misinformation concerning identities of device for which a response would have been provided had the trace route packet 192 not been dropped (i.e., false indication of a successful receipt). The trace detector can create a fraudulent or fake response that misidentifies the actual source of the response so as to confuse the trace route program).
One of ordinary skill in the art would have been motivated to combine the teachings of Dagon and Gels with McCowan because the references involve mitigating attacks on a network, and as such, both are within the same environment.  
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the acknowledgement of McCowan with the teachings of Dagon and Gels in order to reduce the likelihood of dropping legitimate packets (McCowan, Column 9, Lines 1-4).
Regarding claims 8, 16, 24, the limitations of claims 1, 9, 17, have been addressed. Dagon and Gels did not explicitly disclose:
wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device.
However, in an analogous art, McCowan disclosed wherein the second message is configured to limit a quantity of subsequent messages that will be sent by the second computing device (Column 9, Lines 46-60, once detection of a trace route occurs, the network device or end host adds the source IP address to a quarantine area where additional security measures apply. The trace detector can mark the host as untrusted which causes highly restrictive security policies to apply to all traffic (i.e., limit) to and from that host).
One of ordinary skill in the art would have been motivated to combine the teachings of Dagon and Gels with McCowan because the references involve mitigating attacks on a network, and as such, both are within the same environment.  
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to incorporate the limiting of subsequent messages of McCowan with the teachings of Dagon and Gels in order to reduce the likelihood of dropping legitimate packets (McCowan, Column 9, Lines 1-4).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663. The examiner can normally be reached M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/S.C.N/Examiner, Art Unit 2451
/Chris Parry/Supervisory Patent Examiner, Art Unit 2451