DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 28-54 are pending in this application.
Claims 28-54 are newly added as part of the preliminary amendment submitted on 12/21/2021.
Claims 1-21 are cancelled.
IDS submitted on 12/21/2021 has been considered by the Examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 28-54 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-27 of U.S. Patent No. US 11,240,258 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-27 of U.S. Patent No. US 11,240,258 B2 contain every element of claims 28-54 of the instant application and thus anticipate the claims of the instant application (see Claim Comparison Table below).
	
Instant Application 17/645,382
Patent No. US 11,240,258 B2
28. A method for identifying network attacks, comprising: 
acquiring a plurality of access data sets for each of at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determining, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and
 determining that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 
quantities of the access data sets having the same field of the one or more fields within each of the time periods being the same, or 
a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
1. A method for identifying network attacks, comprising: 
acquiring a plurality of access data sets for each of at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determining, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and 
determining that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 




a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
29. The method of claim 28, wherein acquiring the plurality of access data sets for each of the at least two time periods of the target website server further comprises: collecting an access log of the target website server; and acquiring the access data sets within the at least two time periods from the access log.
2. The method of claim 1, wherein acquiring the plurality of access data sets for each of the at least two time periods of the target website server further comprises: collecting an access log of the target website server; and acquiring the access data sets within the at least two time periods from the access log.
30. The method of claim 29, wherein collecting the access log of the target website server further comprises: collecting an access log of a front-end application of the target website server.
3. The method of claim 2, wherein collecting the access log of the target website server further comprises: collecting an access log of a front-end application of the target website server.
31. The method of claim 29, wherein after acquiring the plurality of access data sets for each of the at least two time periods from the access logs, the method further comprises: storing the plurality of access data sets within the at least two time periods in a database, and wherein determining, for each of the at least two time periods, the quantity of access data sets having the same field of the one or more fields further comprises: querying the database for the access data sets within the at least two time periods, and counting the quantity of the access data sets having the same field for each of the at least two time periods.
4. The method of claim 2, wherein after acquiring the plurality of access data sets for each of the at least two time periods from the access logs, the method further comprises: storing the plurality of access data sets within the at least two time periods in a database, and wherein determining, for each of the at least two time periods, the quantity of access data sets having the same field of the one or more fields further comprises: querying the database for the access data sets within the at least two time periods, and counting the quantity of the access data sets having the same field for each of the at least two time periods.
32. The method of claim 28, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining whether the quantities of the access data sets having the same field for the at least two time periods are the same; and in response to the quantities of the access data sets having the same field being the same, determining that the at least two access requests of the plurality of access data sets are the network attacks.
5. The method of claim 1, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining whether the quantities of the access data sets having the same field for the at least two time periods are the same; and in response to the quantities of the access data sets having the same field being the same, determining that the at least two access requests of the plurality of access data sets are the network attacks.
33. The method of claim 28, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: acquiring the maximum value and the minimum value of the quantities of the access data sets having the same field; determining the difference between the maximum value and the minimum value; and determining the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
6. The method of claim 1, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: acquiring the maximum value and the minimum value of the quantities of the access data sets having the same field; determining the difference between the maximum value and the minimum value; and determining the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
34. The method of claim 28, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining the average value of the quantities of the access data sets having the same field; determining the difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than a preset threshold.
7. The method of claim 1, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining the average value of the quantities of the access data sets having the same field; determining the difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than a preset threshold.
35. The method of claim 28, wherein the at least two time periods comprise adjacent time periods.
8. The method of claim 1, wherein the at least two time periods comprise adjacent time periods.
36. The method of claim 28, wherein the one or more fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
9. The method of claim 1, wherein the one or more fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
37. An apparatus for identifying network attacks, comprising: 
a memory device storing instructions; and 
a processor arranged to execute the instructions to cause the apparatus to: 
acquire a plurality of access data sets for at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determine, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and 
determine that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 
quantities of the access data sets having the same field of the one or more fields within each of the time periods being the same, or 
a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
10. An apparatus for identifying network attacks, comprising: 
a memory device storing instructions; and 
a processor arranged to execute the instructions to cause the apparatus to: 
acquire a plurality of access data sets for at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determine, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and 
determine that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 




a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
38. The apparatus of claim 37, wherein the processor is arranged to execute the instructions to cause the apparatus to: collect an access log of the target website server; and acquire the access data sets within the at least two time periods from the access log.
11. The apparatus of claim 10, wherein the processor is arranged to execute the instructions to cause the apparatus to: collect an access log of the target website server; and acquire the access data sets within the at least two time periods from the access log.
39. The apparatus of claim 38, wherein the processor is arranged to execute the instructions to cause the apparatus to collect an access log of a front-end application of the target website server.
12. The apparatus of claim 11, wherein the processor is arranged to execute the instructions to cause the apparatus to collect an access log of a front-end application of the target website server.
40. The apparatus of claim 38, wherein the processor is arranged to execute the instructions to cause the apparatus to: store the plurality of access data sets within the at least two time periods in a database, and query the database for the access data sets within the at least two time periods; and count the quantity of the access data sets having the same field for each of the at least two time periods.
13. The apparatus of claim 11, wherein the processor is arranged to execute the instructions to cause the apparatus to: store the plurality of access data sets within the at least two time periods in a database, and query the database for the access data sets within the at least two time periods; and count the quantity of the access data sets having the same field for each of the at least two time periods.
41. The apparatus of claim 37, wherein the processor is arranged to execute the instructions to cause the apparatus to: determine whether the quantities of the access data sets having the same field for the at least two time periods are the same, and in response to the quantities of the access data sets having the same field being the same, determine that the at least two access requests of the plurality of access data sets are the network attacks.
14. The apparatus of claim 10, wherein the processor is arranged to execute the instructions to cause the apparatus to: determine whether the quantities of the access data sets having the same field for the at least two time periods are the same, and in response to the quantities of the access data sets having the same field being the same, determine that the at least two access requests of the plurality of access data sets are the network attacks.
42. The apparatus of claim 37, wherein the processor is arranged to execute the instructions to cause the apparatus to: acquire the maximum value and the minimum value of the quantities of the access data sets having the same field; determine the difference between the maximum value and the minimum value; and determine the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
15. The apparatus of claim 10, wherein the processor is arranged to execute the instructions to cause the apparatus to: acquire the maximum value and the minimum value of the quantities of the access data sets having the same field; determine the difference between the maximum value and the minimum value; and determine the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
43. The apparatus of claim 37, wherein the processor is arranged to execute the instructions to cause the apparatus to: determine the average value of the quantities of the access data sets having the same field; determine the difference between the quantity of the access data sets in each of the at least two periods and the average value; determine whether the difference is less than a threshold; and determine that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than the threshold.
16. The apparatus of claim 10, wherein the processor is arranged to execute the instructions to cause the apparatus to: determine the average value of the quantities of the access data sets having the same field; determine the difference between the quantity of the access data sets in each of the at least two periods and the average value; determine whether the difference is less than a threshold; and determine that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than the threshold.
44. The apparatus of claim 37, wherein the at least two time periods comprise adjacent time periods.
17. The apparatus of claim 10, wherein the at least two time periods comprise adjacent time periods.
45. The apparatus of claim 37, wherein the one or more fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
18. The apparatus of claim 10, wherein the one or more fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
46. A non-transitory computer readable medium that stores a set of instructions that is executable by at least one processor of an electronic device to cause the device to perform a method for identifying network attacks, the method comprising: 
acquiring a plurality of access data sets for each of at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determining, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and 
determining that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 
quantities of the access data sets having the same field of the one or more fields within each of the time periods being the same, or 
a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
19. A non-transitory computer readable medium that stores a set of instructions that is executable by at least one processor of an electronic device to cause the device to perform a method for identifying network attacks, the method comprising: 
acquiring a plurality of access data sets for each of at least two time periods of a target website server, each of the plurality of access data sets including one or more fields; 
determining, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields; and 
determining that at least two access requests of the plurality of access data sets are network attacks based on at least one of: 




a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or 
a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods.
47. The non-transitory computer readable medium of claim 46, wherein acquiring the plurality of access data sets for each of the at least two time periods of the target website server further comprises: collecting an access log of the target website server; and acquiring the access data sets within the at least two time periods from the access log.
20. The non-transitory computer readable medium of claim 19, wherein acquiring the plurality of access data sets for each of the at least two time periods of the target website server further comprises: collecting an access log of the target website server; and acquiring the access data sets within the at least two time periods from the access log.
48. The non-transitory computer readable medium of claim 47, wherein collecting the access log of the target website server further comprises: collecting an access log of a front-end application of the target website server.
21. The non-transitory computer readable medium of claim 20, wherein collecting the access log of the target website server further comprises: collecting an access log of a front-end application of the target website server.
49. The non-transitory computer readable medium of claim 47, wherein after acquiring the plurality of access data sets for each of the at least two time periods from the access logs, the set of instructions is further executable by the at least one processor of the electronic device to perform: storing the plurality of access data sets within the at least two time periods in a database, and wherein determining, for each of the at least two time periods, the quantity of access data sets having the same field of the one or more fields further comprises: querying the database for the access data sets within the at least two time periods, and counting the quantity of the access data sets having the same field for each of the at least two time periods.
22. The non-transitory computer readable medium of claim 20, wherein after acquiring the plurality of access data sets for each of the at least two time periods from the access logs, the set of instructions is further executable by the at least one processor of the electronic device to perform: storing the plurality of access data sets within the at least two time periods in a database, and wherein determining, for each of the at least two time periods, the quantity of access data sets having the same field of the one or more fields further comprises: querying the database for the access data sets within the at least two time periods, and counting the quantity of the access data sets having the same field for each of the at least two time periods.
50. The non-transitory computer readable medium of claim 46, wherein determining the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining whether the quantities of the access data sets having the same field for the at least two time periods are the same; and in response to the quantities of the access data sets having the same field being the same, determining that the at least two access requests of the plurality of access data sets are the network attacks.
23. The non-transitory computer readable medium of claim 19, wherein determining the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining whether the quantities of the access data sets having the same field for the at least two time periods are the same; and in response to the quantities of the access data sets having the same field being the same, determining that the at least two access requests of the plurality of access data sets are the network attacks.
51. The non-transitory computer readable medium of claim 46, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: acquiring the maximum value and the minimum value of the quantities of the access data sets having the same field; determining the difference between the maximum value and the minimum value; and determining the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
24. The non-transitory computer readable medium of claim 19, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: acquiring the maximum value and the minimum value of the quantities of the access data sets having the same field; determining the difference between the maximum value and the minimum value; and determining the at least two access requests of the plurality of access data sets as the network attacks in response to a determination that the difference is less than a preset threshold.
52. The non-transitory computer readable medium of claim 46, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining the average value of the quantities of the access data sets having the same field; determining the difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than a preset threshold.
25. The non-transitory computer readable medium of claim 19, wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining the average value of the quantities of the access data sets having the same field; determining the difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the at least two access requests of the plurality of access data sets are the network attacks in response to a determination that the difference is less than a preset threshold.
53. The non-transitory computer readable medium of claim 46, wherein the at least two time periods comprise adjacent time periods.
26. The non-transitory computer readable medium of claim 19, wherein the at least two time periods comprise adjacent time periods.
54. The non-transitory computer readable medium of claim 46, wherein the fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
27. The non-transitory computer readable medium of claim 19, wherein the fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or an Uniform Resource Locator (URL).
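The detection logic recited in independent claim 28 and narrowed by claims 32 through 36 (count the access data sets sharing a field value in each of at least two adjacent time periods, then treat that value's requests as an attack when the per-period quantities are identical, when the max-minus-min range of the quantities is below a preset threshold, or when every period's deviation from the average is below a preset threshold), worked through as added example code. This is illustrative code written for this page; it is not the applicant's, the patentee's, or Lahann's implementation. The Apache/Nginx combined log format, the one-minute periods, the threshold values, the `min_total` guard and the sample traffic are all assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumed input: Apache/Nginx "combined" access log lines (a "front-end
# application" access log in the claims' terms). Each parsed line is one
# "access data set"; ip, ua and url are the "fields" of claim 36.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One access log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def count_by_period(records, field, start, period, n_periods):
    """{field value: [quantity in period 0, period 1, ...]} over adjacent periods."""
    counts = defaultdict(lambda: [0] * n_periods)
    for rec in records:
        idx = (rec["ts"] - start) // period   # timedelta // timedelta -> int
        if 0 <= idx < n_periods:
            counts[rec[field]][idx] += 1
    return dict(counts)


# The three alternative tests of claim 28 (claims 32, 33 and 34 respectively).
def same_quantities(q):
    return len(set(q)) == 1                    # identical quantity in every period


def range_below(q, threshold):
    return max(q) - min(q) < threshold         # max - min under a preset threshold


def within_mean(q, threshold):
    avg = mean(q)                              # each period's deviation from the
    return all(abs(c - avg) < threshold for c in q)   # average under a threshold


def find_attacks(lines, field="ip", period=timedelta(minutes=1), n_periods=3,
                 range_threshold=3, mean_threshold=2, min_total=2):
    """Return {field value: (per-period quantities, [names of tests that fired])}."""
    records = [r for r in map(parse_line, lines) if r]
    if not records:
        return {}
    start = min(r["ts"] for r in records)      # first period begins at the earliest record
    flagged = {}
    for value, q in count_by_period(records, field, start, period, n_periods).items():
        if sum(q) < min_total:                 # "at least two access requests" (assumed guard)
            continue
        reasons = [name for name, hit in (
            ("same", same_quantities(q)),
            ("range", range_below(q, range_threshold)),
            ("mean", within_mean(q, mean_threshold)),
        ) if hit]
        if reasons:
            flagged[value] = (q, reasons)
    return flagged


def constructed_log():
    """Constructed sample traffic (not a real capture; RFC 5737 test addresses):
    three adjacent one-minute periods from 10:00:00Z, one URL, one browser."""
    base = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)
    plan = {
        "203.0.113.7": [4, 4, 4],      # bot: exactly the same count each period
        "198.51.100.9": [10, 11, 9],   # bot: near-constant rate
        "192.0.2.5": [1, 0, 5],        # person: bursty
    }
    lines = []
    for ip, per_period in plan.items():
        for p, n in enumerate(per_period):
            for i in range(n):
                ts = base + timedelta(minutes=p, seconds=i * (59 // n))
                lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] "GET /login HTTP/1.1" '
                             f'200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for value, (q, reasons) in find_attacks(constructed_log()).items():
        print(f"{value}: quantities={q} flagged by {reasons}")
```

Run over the constructed log, the "same" test fires only for 203.0.113.7, the range and mean tests fire for both bot addresses, and the bursty address is not flagged. Two practical points the claim language does not settle: read literally, the "same quantities" test fires for any field value with a constant rate, including legitimate uptime monitors and health checks, so a deployment needs a minimum request count and an allow-list in front of it; and the thresholds are per field, since the same logic run with `field="url"` flags nothing here because the aggregate per-URL counts are not flat.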

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 28-32, 35-41, 44-50 and 53-54 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Lahann et al. (US 2006/0294588 A1) (hereinafter, “Lahann”).

As to claim 28, Lahann discloses a method for identifying network attacks, comprising:
acquiring a plurality of access data sets for each of at least two time periods of a target website server, each of the plurality of access data sets including one or more fields (“In response, sensor 16, 17 or 18 notifies database server 12 and identifies the message (as noted above) which is suspected to be an intrusion. In response, server 12 records in database 20 information about the suspected intrusion, including its source IP address, destination IP address, destination port, signature if known to sensor 16, 17 or 18, time of day, day of week, day of month, week of year (step 102). Periodically, such as daily…” –e.g. see, [0025]; herein, the server acquires a plurality of access data sets (i.e. messages) which include one or more fields (i.e. number of different target IP addresses, number of different target ports, source IP address));
determining, for each of the at least two time periods, a quantity of access data sets having a same field of the one or more fields (“d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0032]; herein, the daily periods read on the at least two time periods, and each connection has the same field (i.e. the same source IP address)); and
determining that at least two access requests of the plurality of access data sets are network attacks based on at least one of: quantities of the access data sets having the same field of the one or more fields within each of the time periods being the same, or a difference between a maximum value and a minimum value of quantities of access data sets having the same field in the at least two time periods, or a difference between the quantity of the access data sets in each of the at least two time periods and an average value of the quantities of the access data sets having the same field in the at least two time periods (“(c) number of different (ex. virus, worm, etc.) suspected intrusion signatures matched (against a list in the sensors) in all the messages from that same source IP address during the same predetermined (for example, daily) period; wherein (d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0031]-[0032]; herein, the quantities of access data sets having the same field (i.e. the same source IP address) are analyzed and compared across at least two daily periods (i.e. at least two time periods) in order to determine network attacks (i.e. the number of different suspected intrusions)).

As to claim 37, it is rejected using the similar rationale as for the rejection of claim 28. Lahann further discloses a memory device storing instructions; and a processor arranged to execute the instructions ([0004], [0006], [0035]).

As to claim 46, it is rejected using the similar rationale as for the rejection of claim 28. Lahann further discloses a non-transitory computer readable medium that stores a set of instructions that is executable by at least one processor of an electronic device to cause the device to perform a method for identifying network attacks ([0035], [0040]).

As to claim 29, Lahann discloses wherein acquiring the plurality of access data sets for each of the at least two time periods of the target website server further comprises: collecting an access log of the target website server; and acquiring the access data sets within the at least two time periods from the access log (“In response, sensor 16, 17 or 18 notifies database server 12 and identifies the message (as noted above) which is suspected to be an intrusion. In response, server 12 records in database 20 information about the suspected intrusion, including its source IP address, destination IP address, destination port, signature if known to sensor 16, 17 or 18, time of day, day of week, day of month, week of year (step 102). Periodically, such as daily…” –e.g. see, [0025]; herein server 12 collects all the connection messages which would be equivalent to collecting an access log of a target website server; periodically data is collected, such as daily (i.e. at least two time periods)). 

As to claims 38 and 47, these are rejected using the similar rationale as for the rejection of claim 29.

As to claim 30, Lahann discloses wherein collecting the access log of the target website server further comprises: collecting an access log of a front-end application of the target website server (“…server 12 records in database 20 information about the suspected intrusion, including its source IP address, destination IP address, destination port, signature if known to sensor 16, 17 or 18, time of day, day of week, day of month, week of year (step 102).” –e.g. see, [0025]; herein, collecting “messages” related to an application as log by server 12).  

As to claims 39 and 48, these are rejected using the similar rationale as for the rejection of claim 30.

As to claim 31, Lahann discloses wherein after acquiring the plurality of access data sets for each of the at least two time periods from the access logs, the method further comprises: storing the plurality of access data sets within the at least two time periods in a database (“In response, sensor 16, 17 or 18 notifies database server 12 and identifies the message (as noted above) which is suspected to be an intrusion. In response, server 12 records in database 20 information about the suspected intrusion, including its source IP address, destination IP address, destination port, signature if known to sensor 16, 17 or 18, time of day, day of week, day of month, week of year (step 102).” –e.g. see, [0025]; herein, database server 12 stores the plurality of access data in database 20), and wherein determining, for each of the at least two time periods, the quantity of access data sets having the same field of the one or more fields further comprises: querying the database for the access data sets within the at least two time periods, and counting the quantity of the access data sets having the same field for each of the at least two time periods (“Alternately, program 32 can generally analyze the data by comparing it to a list of source IP addresses, source ports, etc. known to be malicious. After step 104, two series of steps are performed in parallel. In one series, program 32 sorts and tallies for each source IP address the number of different destination IP addresses, number of different destination ports and number of different signatures matched during a predetermined period, such as each day. This sorting and tallying is performed as follows. In step 108, program 32 queries the records in database 20 for different target IP addresses, different target ports and different suspected intrusion signatures, for each source IP address. 
In step 109, program 32 sorts or aggregates the records obtained in step 300 for each source IP address for each day, and records them in an HTML table 40.” –e.g. see, [0025]).  

As to claims 40 and 49, these are rejected using the similar rationale as for the rejection of claim 31.

As to claim 32, Lahann discloses wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: determining whether the quantities of the access data sets having the same field for the at least two time periods are the same; and in response to the quantities of the access data sets having the same field being the same, determining that the at least two access requests of the plurality of access data sets are the network attacks (“(c) number of different (ex. virus, worm, etc.) suspected intrusion signatures matched (against a list in the sensors) in all the messages from that same source IP address during the same predetermined (for example, daily) period; wherein (d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0031]-[0032]; herein, access data sets are analyzed and compared for at least two access requests during daily periods (i.e. at least two time periods) which have the same field (i.e. the same source IP address) in order to determine network attacks (i.e. number of different suspected intrusions)).

As to claims 41 and 50, these are rejected using the similar rationale as for the rejection of claim 32.

As to claim 35, Lahann discloses wherein the at least two time periods comprise adjacent time periods (“(d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0032]; herein, access data sets are analyzed and compared for at least two access requests during daily periods (i.e. adjacent time periods)).

As to claims 44 and 53, these are rejected using the similar rationale as for the rejection of claim 8.

As to claim 36, Lahann discloses wherein the one or more fields comprise at least one of an Internet Protocol (IP) address, a domain name that accesses the target website, a browser that accesses the target website, or a Uniform Resource Locator (URL) (“(d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0032]; herein, the one or more fields comprise target IP addresses and the source IP address).

As to claims 45 and 54, these are rejected using the similar rationale as for the rejection of claim 9.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

Claims 33-34, 42-43, and 51-52 are rejected under 35 U.S.C. 103 as being unpatentable over Lahann in view of Jain et al. (US 2016/0036837 A1) (hereinafter, “Jain”).

As to claim 33, Lahann discloses wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: … (Application No.: 15/984,287; Attorney Docket No.: 12852.0181-00000)

… determining the at least two access requests of the plurality of access data sets as the network attacks based on the determined difference (“(c) number of different (ex. virus, worm, etc.) suspected intrusion signatures matched (against a list in the sensors) in all the messages from that same source IP address during the same predetermined (for example, daily) period; wherein (d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0031]-[0032]; herein, access data sets are analyzed and compared for at least two access requests during daily periods (i.e. at least two time periods) which have the same field (i.e. the same source IP address) in order to determine network attacks (i.e. number of different suspected intrusions)).
Lahann may not explicitly disclose acquiring a maximum value and a minimum value of the quantities of the access data sets having the same field; determining a difference between the maximum value and the minimum value.
However, in an analogous art, Jain discloses acquiring a maximum value and a minimum value of the quantities of the access data sets having the same field; determining a difference between the maximum value and the minimum value (“In some implementations, another hard limit (or absolute threshold) may be used to identify an extreme anomaly, such as 200 packets per minute, i.e., 0.45 million bytes per second of sampled flow volume for a packet size of 1500 bytes. Typically, static thresholds may be set at the 95.sup.th percentile of TCP, UDP protocol traffic. In contrast, implementations use an empirical, data-driven approach, where, e.g., 99th percentile of traffic and EWMA smoothing is used to determine a dynamic threshold. The error between the EWMA-smoothed estimate and the actual traffic volume to a VIP is also determined during each measurement interval. The engine 116 detects an attack if the total error over a moving window (e.g., the past 10 minutes) for a VIP exceeds a relative threshold. In this way, the engine 116 detects both (a) heavy hitter flows by volume, and (b) spikes above relative-thresholds. These may be detected at different time granularities, e.g., 5 minutes, 1 hour, and so on.” –e.g. see, Jain: [0036]; herein, a hard limit or absolute threshold is comparable to a maximum value and a dynamic threshold is comparable to a minimum value).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lahann with the teaching of Jain to include hard limiting as maximum value for a data center to identify an extreme anomaly in a network attack (Jain, para. [0036]).
As to claims 42 and 51, these are rejected using the similar rationale as for the rejection of claim 33.

As to claim 34, Lahann discloses wherein determining that the at least two access requests of the plurality of access data sets are the network attacks further comprises: … determining a difference between the quantity of the access data sets in each of the at least two time periods …; and determining that the at least two access requests of the plurality of access data sets are the network attacks based on the determined difference (“(c) number of different (ex. virus, worm, etc.) suspected intrusion signatures matched (against a list in the sensors) in all the messages from that same source IP address during the same predetermined (for example, daily) period; wherein (d) during a longer predetermined period, such as monthly, there are at least two, (and typically several) daily periods during which the number of different target IP addresses, number of different target ports and number of different intrusion signatures for the same source IP address was the same.” –e.g. see, [0031]-[0032]; herein, access data sets are analyzed and compared for at least two access requests during daily periods (i.e. at least two time periods) which have the same field (i.e. the same source IP address) in order to determine network attacks (i.e. number of different suspected intrusions)).

Lahann may not explicitly disclose determining an average value of the quantities of the access data sets having the same field; determining a difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the plurality of access data sets are the network attacks based on the determined difference.
However, in an analogous art, Jain discloses determining an average value of the quantities of the access data sets having the same field; determining a difference between the quantity of the access data sets in each of the at least two time periods and the average value; and determining that the plurality of access data sets are the network attacks based on the determined difference (“The volumetric attacks include TCP SYN and UDP floods, port scans, brute-force attacks for password scans, DNS reflection attacks, and attacks that attempt to exploit vulnerabilities in specific protocols. In one implementation, the attack detection engine 116 detects such attacks using sequential change point detection. During each measurement interval (1 minute for the example network traffic data), the attack detection engine 116 determines an exponential weighted moving average (EWMA) smoothed estimate of the traffic volume (e.g., bytes, packets) to a VIP. The engine 120 uses the EWMA to track a traffic timeline for each VIP.”-Jain: [0034]; herein, weighted moving average of traffic volume is equivalent to determining an average value.).  
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lahann with the teaching of Jain to include determining an average value of the quantities of the access data sets having the same field; thus, an attack detection engine can determine an exponential weighted moving average smoothed estimate of the traffic flow in the data center in order to detect a traffic anomaly, i.e. a potential data center attack (Jain, para. [0035]).

As to claims 43 and 52, these are rejected using the similar rationale as for the rejection of claim 34.
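The three count-and-compare tests the examiner maps onto claims 28, 32, 33 and 34 (identical per-period counts, the max-minus-min spread, and deviation from an average, with Jain's EWMA as the smoothed average) can be read as one small detection routine. The code below is an added illustration written for this page; it is not code from the office action, the application, Lahann or Jain. It assumes a constructed access log in a simplified "timestamp source-IP path" form, a calendar day as the time period, the source IP as the shared field, and example thresholds and an EWMA smoothing factor chosen only for the demonstration.

```python
"""Added illustration (not from the office action or either reference):
count access data sets sharing a field per time period, then apply the
same-count, max-min and deviation-from-average tests over those counts."""
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines: "<ISO timestamp> <source IP> <path>".
# Documentation addresses (RFC 5737) are used for the sample source IPs.
SAMPLE_LOG = """\
2024-03-01T00:10:00 203.0.113.5 /login
2024-03-01T00:10:01 203.0.113.5 /login
2024-03-01T00:10:02 203.0.113.5 /login
2024-03-01T08:00:00 198.51.100.7 /index.html
2024-03-02T00:10:00 203.0.113.5 /login
2024-03-02T00:10:01 203.0.113.5 /login
2024-03-02T00:10:02 203.0.113.5 /login
2024-03-02T09:00:00 198.51.100.7 /about
2024-03-02T09:05:00 198.51.100.7 /about
2024-03-02T09:06:00 198.51.100.7 /about
2024-03-02T09:07:00 198.51.100.7 /about
2024-03-02T09:08:00 198.51.100.7 /about
2024-03-02T09:09:00 198.51.100.7 /about
2024-03-03T00:10:00 203.0.113.5 /login
2024-03-03T00:10:01 203.0.113.5 /login
2024-03-03T00:10:02 203.0.113.5 /login
2024-03-03T10:00:00 198.51.100.7 /index.html
"""


def parse_log(text):
    """Acquire access data sets from the log as (period, field) pairs.
    The period is the calendar day and the field is the source IP
    (assumed choices for this example)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, _path = line.split()
        day = datetime.fromisoformat(ts).date().isoformat()
        records.append((day, src_ip))
    return records


def count_per_period(records):
    """For each period, count the access data sets sharing a field value.
    Returns {field: {period: count}}; a period with no records counts 0."""
    periods = sorted({day for day, _ in records})
    counts = defaultdict(lambda: {p: 0 for p in periods})
    for day, field in records:
        counts[field][day] += 1
    return {field: dict(per) for field, per in counts.items()}


def same_quantity(per_period):
    """Claim 32 style test: identical counts across at least two periods."""
    values = list(per_period.values())
    return len(values) >= 2 and len(set(values)) == 1


def range_exceeds(per_period, limit):
    """Claim 33 style test: max minus min over the periods exceeds limit."""
    values = list(per_period.values())
    return max(values) - min(values) > limit


def deviation_exceeds(per_period, limit):
    """Claim 34 style test: some period deviates from the mean by > limit."""
    values = list(per_period.values())
    mean = sum(values) / len(values)
    return any(abs(v - mean) > limit for v in values)


def ewma(values, alpha=0.5):
    """Exponentially weighted moving average over the per-period counts,
    the smoothed estimate Jain uses as its baseline; alpha is assumed."""
    est = values[0]
    for v in values[1:]:
        est = alpha * v + (1 - alpha) * est
    return est


def classify(counts, range_limit=3, deviation_limit=2):
    """Return {field: [reasons]} for every field flagged by any test.
    The limits are example thresholds, not values from either reference."""
    flagged = {}
    for field, per_period in counts.items():
        reasons = []
        if same_quantity(per_period):
            reasons.append("same count every period")
        if range_exceeds(per_period, range_limit):
            reasons.append("max-min above limit")
        if deviation_exceeds(per_period, deviation_limit):
            reasons.append("deviation from average above limit")
        if reasons:
            flagged[field] = reasons
    return flagged


if __name__ == "__main__":
    counts = count_per_period(parse_log(SAMPLE_LOG))
    for field, reasons in classify(counts).items():
        print(field, counts[field], reasons)
```

On the constructed log, 203.0.113.5 produces exactly three requests every day and is flagged only by the same-count test, while 198.51.100.7 spikes on the second day and is flagged by both the spread and the deviation tests; the thresholds that separate a flag from normal variation are the part a deployment has to tune against its own traffic.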

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495

/PONNOREAY PICH/Primary Examiner, Art Unit 2495