DETAILED ACTION
Amendments submitted on August 2, 2022 for Application No. 16/936868 are presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments filed August 2, 2022 have been considered but they are not persuasive. In the remarks applicant argues:
I)	On pages 10-11, Applicant argues that the previous 35 USC 112 rejections should be withdrawn.
Applicant’s amendments have overcome the previous 35 USC 112 rejections; therefore, they have been withdrawn.

II)	On pages 12-20, Applicant argues that the cited prior art doesn’t teach the newly amended limitations.
The Examiner would note that the majority of Applicant’s arguments for the independent and dependent claims are based on the newly added limitations in the independent claims. However, as shown below, the newly added limitations in the independent claims appear to contain new matter. Additionally, new art was added to teach these new limitations. Therefore, Applicant’s arguments are considered moot based on the new grounds of rejection as set forth below. A few specific arguments will be responded to below for clarity.

III)	On page 15, Applicant argues that the cited prior art doesn’t teach “flow shaping as the flow pertains to a particular service or session” as in claim 4.
The Examiner disagrees and in no way concedes nor subscribes to Applicant's summarization or distillation of the art of record. It has been held "All of the disclosures in a reference must be evaluated for what they fairly teach one of ordinary skill in the art." In re Lemelson, 397 F.2d 1006, 1009 (CCPA 1968).
Applicant appears to be arguing that the traffic flow is shaped because (in response to) the traffic flow being for a particular service; however, the claims do not appear to be that specific and only appear to mention shaping the traffic flow and that the traffic flow pertains to one of the listed services.
Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches shaping the traffic flow by adding delays or dropping packets. Soule, paragraphs 41 and 50, teaches that the system can be used using the SSH protocol in the application layer as well as various other protocols such as HTTP and FTP. Additionally, Soule, paragraphs 8-10, teaches countering attacks at the same protocol layer that the attack was detected in.
Therefore, the cited prior art does teach the claim limitation in question. It has been held that a publication is good for all it teaches to persons of ordinary skill in the art. In re Fritch, 972 F.2d 1260, 1264 (Fed. Cir. 1992). A reference is good for all it teaches. In re Meinhardt, 392 F.2d 273, 280 (CCPA 1968). Finally, it is well established that a reference is good for all it fairly teaches a person having ordinary skill in the art, even when the teaching is a cursory mention. E.g., In re Mills, 470 F.2d 649, 651 (CCPA 1972).

IV)	On pages 15-17, Applicant argues that the cited prior art doesn’t teach “the demand of the second sender is still managed – just without shaping the flow or misinforming the second sender” as in claim 9.
The Examiner disagrees and in no way concedes nor subscribes to Applicant's summarization or distillation of the art of record. It has been held "All of the disclosures in a reference must be evaluated for what they fairly teach one of ordinary skill in the art." In re Lemelson, 397 F.2d 1006, 1009 (CCPA 1968).
The Examiner would note that giving the sender access to the service can be considered as managing the demand of the sender. Therefore, Cai teaches managing the demand of the sender without shaping the flow or misinforming the sender when it teaches that packets from trusted sources on a white list (which are assumed to be non-malicious) are allowed to pass through the system without any additional security checks in paragraph 16.
Therefore, the cited prior art does teach the claim limitation in question. It has been held that a publication is good for all it teaches to persons of ordinary skill in the art. In re Fritch, 972 F.2d 1260, 1264 (Fed. Cir. 1992). A reference is good for all it teaches. In re Meinhardt, 392 F.2d 273, 280 (CCPA 1968). Finally, it is well established that a reference is good for all it fairly teaches a person having ordinary skill in the art, even when the teaching is a cursory mention. E.g., In re Mills, 470 F.2d 649, 651 (CCPA 1972).

V)	On pages 18-19, Applicant argues that the “first-line component” drops the flow in claim 14 instead of the “second-line component” dropping the flow as in claim 13.
As shown below, Applicant’s arguments are persuasive and claim 14 has been indicated as containing allowable subject matter.

Claim Objections
Claims 8, 12, and 14 are objected to because of the following informalities:
Claim 8 recites “from for the sender”, which should be “from the sender”. 
Claim 12 recites “receiving a second network traffic flow defected …”, which should be “receiving a second network traffic flow deflected …”.
Claim 14 recites “causing a subsequent portion of the third network traffic flow from the sender to be dropped”, which should be “causing a subsequent portion of the third network traffic flow from the third sender to be dropped”.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1, 8, 11-12, 14, and 18 recite “in response to determining that the network traffic flow does not relate to the service, deflecting … the network traffic flow away from the computer services system … prior to the network traffic flow being determined as not malicious, or as malicious or potentially malicious” or similar limitations. Therefore, the claims currently recite determining that the traffic does not relate to the service and deflecting before the traffic is determined to be malicious or not. However, paragraphs 36-37 and Figure 2A of the specification specifically check whether or not the traffic is malicious in step 204 to determine if the traffic is related to the service or not. Therefore, the specification teaches that the determination as to whether or not the traffic is related to the service is based on whether or not the traffic is malicious. Dependent claims 2-7, 9-10, 13, 15-17, and 19-20 are rejected for the same reasons as shown above and for being dependent on a previously rejected base claim.

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8 and 13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

Claim 8 recites “determine whether the network traffic flow is not malicious …”; however, it is unclear if this should be “the network traffic flow” of the first sender or “the second network traffic flow” of the second sender when the rest of claim 8 is focused on “the second network traffic flow” of the second sender.
Claim 13 recites “managing demand of the third sender by dropping the third network traffic flow without shaping the deflected third network traffic flow”; however, “the third sender”, “the third network traffic flow”, and “the deflected third network traffic flow” do not have antecedent basis in the claim.

The examiner has cited particular examples of 35 U.S.C. 112 rejections above. To advance prosecution, it is respectfully requested that, in preparing responses, the applicant check the claims for further 35 U.S.C. 112 issues in the event that any were inadvertently missed by the examiner.
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.


Claims 1-8, 11, and 15-20 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over Soule (US 2020/0228538) in view of Nakae (US 7464407).

As per claims 1, 11, and 18, Soule discloses A method comprising: 
receiving, by a first-line component of a network security system, a network traffic flow from a sender and directed to a computing services system providing a service (Soule, Figure 6 and associated texts such as paragraphs 64-66, teaches intercepting packets directed towards a server to “process at least one service request”. The packets are then received and analyzed at a first security node. Soule, paragraphs 11-12 and 14-15, teaches a first server node and second server node, that contain hardware components, to perform the features of analyzing packets, dropping packets, shaping the traffic by performing delays or redirections, and misinforming the attacker by sending a “deceptive response to the sender”. Additionally, Soule, paragraphs 11-12 and 14-15, teaches that either server node can perform any of the system steps.); 
… deflecting, by the first-line component, the network traffic flow away from the computing services system and to a second-line component of the network security system prior to the network traffic flow being determined as not malicious, or as malicious or potentially malicious (Soule, Figure 6 and associated texts such as paragraphs 64 and 57-71, teaches analyzing the packet at a first security node to determine if the packet is harmful at a first protocol layer. If the packet is not harmful at the first protocol layer it will be forwarded to a second security node for additional analysis at a second protocol layer. The Examiner would note that, at this point in time, the packet is only known to not be harmful (non-malicious) at the first protocol layer, but the packet can still be harmful at other protocol layers. Therefore, at this point in time, it is not known if the packet is malicious or not. As shown in Soule Figure 6 and paragraph 64, the packet is not harmful at the first protocol layer but is harmful at the second protocol layer. This is known after an additional analysis at the second security node. Additionally, as the packets are sent to a second layer for additional scanning/processing instead of the intended service they are considered as being deflected away from the service.); and 
in response to determining that the network traffic flow is malicious or potentially malicious, managing, by the second-line component, demand of the sender by shaping the deflected network traffic flow in responding to the sender and/or by misinforming the sender in responding to the sender (Soule, Figure 6 and associated texts such as paragraphs 64 and 57-71, teaches analyzing the packet at the second security node to determine if the packet is harmful/malicious at the second protocol layer. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches shaping the traffic by adding artificial delays, dropping random packets, or redirecting the packets for further analysis if the packet is malicious. Soule, paragraphs 10, 15, 20, 48, 61, and 63, also teaches misinforming the sender by advertising false open ports or sending responses to make the sender/attacker think the attack is working properly when it isn’t because the attack packets have actually been dropped. Soule, paragraph 20, recites “sending a deceptive response to the sender”.)
However, Soule does not specifically teach “in response to determining that the network traffic flow does not relate to the service, deflecting, by the first-line component, the network traffic flow away from the computing services system and to a second-line component of the network security system prior to the network traffic flow being determined as not malicious, or as malicious or potentially malicious”
Nakae discloses in response to determining that the network traffic flow does not relate to the service, deflecting, by the first-line component, the network traffic flow away from the computing services system and to a second-line component of the network security system prior to the network traffic flow being determined as not malicious, or as malicious or potentially malicious (Nakae, abstract, claim 14, and col. 9 lines 36-48 teaches receiving an IP packet that is unauthorized or suspicious and forwarding those packets to a decoy unit to scan the packet to determine if the packet is malicious or not. Nakae, col. 10 lines 60-67, teaches if the packet is addressed to an IP address that is not in use that it gets forwarded for further analysis i.e. does not relate to the service as the packet is sent to an IP address that the service is not using. Additionally, as the packets are sent to a decoy unit instead of the intended service they are considered as being deflected away from the service.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Nakae with the teachings of Soule. Soule teaches preventing attacks by dropping packets, shaping traffic, and misinforming the attacker so the attacker does not send additional attacks. Nakae teaches detecting an unauthorized/suspicious packet such as a packet that is addressed to an unused IP address and forwards the packet to a decoy unit to scan the packet to determine if the packet is malicious or not. Therefore, it would have been obvious to have forwarded these unauthorized/suspicious packets for further analysis to determine if the packets are malicious or not by the decoy unit while preventing the packets from deploying an attack on the intended service.

As per claim 2, Soule in view of Nakae discloses The method of claim 1, wherein the demand of the sender comprises sender demand for resources of a base network security system in relation to which the network security system is upstream (Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches that a node working at the network layer can add delays or drop packets randomly to placate the attacker and manipulate the traffic away from the system. Soule also teaches potentially redirecting the traffic to another system for further analysis as shown in paragraph 61. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic. Some examples include responding to the sender in such a way to make the sender think the attack is working, delaying responses, advertising false open ports, etc… In each of these examples, the sender/attacker is placing a demand on the network resources. Additionally, Nakae, Figure 1, shows that the firewall unit and decoy unit are upstream from the intended server and Soule, Figure 1, also shows that the first/second server nodes are upstream from the intended application.)

As per claim 3, Soule in view of Nakae discloses The method of claim 1, wherein managing the demand of the sender comprises shaping the deflected network traffic flow in responding to the sender (Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches that a node working at the network layer can add delays or drop packets randomly to placate the attacker and manipulate the traffic away from the system. Soule also teaches potentially redirecting the traffic to another system for further analysis as shown in paragraph 61. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic. Some examples include responding to the sender in such a way to make the sender think the attack is working, delaying responses, advertising false open ports, etc…)

As per claims 4, 15, and 20, Soule in view of Nakae discloses wherein shaping the deflected network traffic flow comprises either or both of: [Attorney docket no. 92046187] manipulating the deflected network traffic flow at an application level to reduce communication efficiency from the sender; and shaping the deflected network traffic flow as the network traffic flow pertains to a remote secure shell (SSH) service, a hypertext transport protocol (HTTP)-based application, a file transfer protocol (FTP) session, a session initiation protocol (SIP) communication session, and/or communication encryption service (Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches that a node working at the network layer can add delays or drop packets randomly to placate the attacker and manipulate the traffic away from the system. Soule also teaches potentially redirecting the traffic to another system for further analysis as shown in paragraph 61. Soule, paragraphs 41 and 50, teaches that the system can be used using the SSH protocol in the application layer as well as various other protocols such as HTTP and FTP. Additionally, Soule, paragraphs 8-10, teaches countering attacks at the same protocol layer that the attack was detected in.)
Claims 15 and 20 recite the additional limitations of “wherein the demand of the sender is managed by shaping the deflected network traffic flow” (Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches that a node working at the network layer can add delays or drop packets randomly to placate the attacker and manipulate the traffic away from the system. Soule also teaches potentially redirecting the traffic to another system for further analysis as shown in paragraph 61. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic. Some examples include responding to the sender in such a way to make the sender think the attack is working, delaying responses, advertising false open ports, etc…)

As per claim 5, Soule in view of Nakae discloses The method of claim 1, wherein managing the demand of the sender comprises misinforming the sender in responding to the sender (Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic. Some examples include responding to the sender in such a way to make the sender think the attack is working, delaying responses, advertising false open ports, etc… Soule, paragraph 20, recites “sending a deceptive response to the sender”.)

As per claim 6, Soule in view of Nakae discloses The method of claim 5, wherein misinforming the sender in responding to the sender comprises responding to the sender as if the network security system were a type of computing services system different than the computing services system providing the service (Soule, paragraph 63, teaches posing “as the endpoint for connection requests” when the system is actually performing a different service.)

As per claim 7, Soule in view of Nakae discloses The method of claim 5, wherein misinforming the sender in responding to the sender comprises advertising computing services system information different than information regarding the computing services system providing the service (Soule, paragraph 63, teaches advertising false open ports. This is described in the specification in paragraph 33 of the Instant Application as one example of false advertising to misinform the attacker. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic. Soule, paragraph 20, recites “sending a deceptive response to the sender”.)

As per claim 8, Soule in view of Nakae discloses The method of claim 1, wherein the first network traffic from for the sender is a first network traffic flow from a first sender, and the method further comprises: receiving, by the first-line component, a second network traffic flow from a second sender and directed to the computing services system; in response to determining that the second network traffic flow does not relate to the service, deflecting, by the first-line component, the second network traffic flow away from the computing services system and to the second-line component prior to the second network traffic flow being determined as not malicious, or as malicious or potentially malicious; categorizing, by the second-line component, the second network traffic flow in one of a plurality of network traffic categories to determine whether the network traffic flow is not malicious, or is potentially malicious or malicious; and managing, by the second-line component, demand of the second sender in responding to the second sender in a manner specific to the network traffic category in which the second network traffic flow has been categorized (Please see the rejection for claim 1 as shown above. The Examiner would note that it would have been obvious to perform the system of Soule in view of Nakae on multiple incoming packets from multiple users to allow the system to prevent attacks from multiple users as well as allowing the service to be used by multiple users. Nakae, Figures 4 and 6 and associated texts, also specifically teaches receiving packets from multiple source IP addresses which further shows that multiple users can use the system. Soule, Figure 6 and associated texts such as paragraphs 64-66 and 57-71, teaches intercepting packets directed towards a server to “process at least one service request”. The packets are then received and analyzed at a first security node to determine if the packet is harmful at a first protocol layer.
If the packet is not harmful at the first protocol layer it will be forwarded to a second security node for additional analysis at a second protocol layer. The Examiner would note that, at this point in time, the packet is only known to not be harmful (non-malicious) at the first protocol layer, but the packet can still be harmful at other protocol layers. Therefore, at this point in time, it is not known if the packet is malicious or not. As shown in Soule Figure 6 and paragraph 64, the packet is not harmful at the first protocol layer but is harmful at the second protocol layer. This is known after an additional analysis at the second security node. Additionally, as the packets are sent to a second layer for additional scanning/processing instead of the intended service they are considered as being deflected away from the service. Next, Soule teaches analyzing the packet at the second security node to determine if the packet is harmful/malicious at the second protocol layer. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches shaping the traffic by adding artificial delays, dropping random packets, or redirecting the packets for further analysis if the packet is malicious. Soule, paragraphs 10, 15, 20, 48, 61, and 63, also teaches misinforming the sender by advertising false open ports or sending responses to make the sender/attacker think the attack is working properly when it isn’t because the attack packets have actually been dropped. Soule, paragraph 20, recites “sending a deceptive response to the sender”. Nakae, abstract, claim 14, and col. 9 lines 36-48 teaches receiving an IP packet that is unauthorized or suspicious and forwarding those packets to a decoy unit to scan the packet to determine if the packet is malicious or not. Nakae, col. 10 lines 60-67, teaches if the packet is addressed to an IP address that is not in use that it gets forwarded for further analysis i.e. does not relate to the service as the packet is sent to an IP address that the service is not using. Additionally, as the packets are sent to a decoy unit instead of the intended service they are considered as being deflected away from the service. The Examiner would note that the packets can be categorized in various different ways such as based on the protocol layer that the attack was detected in (as in Soule paragraphs 8-10) or whether or not the packet is malicious or not malicious (as in Soule and Nakae col. 9 lines 36-48), etc…)

As per claim 16, Soule in view of Nakae discloses The non-transitory computer-readable data storage medium of claim 11, wherein the demand of the sender is managed by misinforming the sender in responding to the sender, and misinforming the sender comprises one or more of: responding to the sender as if the network security system were a type of computing services system different than the computing services system providing the service; and advertising computing services system information different than information regarding the computing services system providing the service (Soule, paragraph 63, teaches advertising false open ports. This is described in the specification in paragraph 33 of the Instant Application as one example of false advertising to misinform the attacker. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches performing various techniques to misinform the sender and manipulate the attacker traffic.)

As per claim 17, Soule in view of Nakae discloses The non-transitory computer-readable data storage medium of claim 11, wherein the processing further comprises: in response to determining that the network traffic flow is not malicious, managing the demand of the sender without shaping the deflected network traffic flow and without misinforming the sender (Soule, paragraph 52, teaches that if the traffic is not malicious it is passed to the application to process the request. Soule, paragraph 61, also teaches forwarding well-behaved connections thru a different path.)

As per claim 19, Soule in view of Nakae discloses The network security system of claim 18, wherein the first-line hardware component comprises a first processor and first memory storing first program code executable by the first processor to deflect the network traffic flow, and wherein the second-line hardware component comprises a second processor and second memory storing second program code executable by the second processor to manage the demand of the sender (Soule, paragraphs 11-12 and 14-15, teaches that the first server node and the second server node contain processors to perform various instructions. Soule, Figure 3 and paragraph 44, teaches that each server node has a memory to store instructions.)

Claims 9-10 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over Soule in view of Nakae and further in view of Cai (US 2006/0168033).

As per claim 9, Soule in view of Nakae discloses The method of claim 8.
However, Soule in view of Nakae does not specifically teach wherein the network traffic categories comprise a first category of network traffic from a trusted sender that does not relate to the service, and wherein responsive to categorization of the deflected second network traffic flow in the first category, such that the second network traffic flow is not malicious, the demand of the second sender is managed in responding to the second sender without shaping the deflected second network traffic flow and without misinforming the second sender.
Cai discloses wherein the network traffic categories comprise a first category of network traffic from a trusted sender that does not relate to the service, and wherein responsive to categorization of the deflected second network traffic flow in the first category, such that the second network traffic flow is not malicious, the demand of the second sender is managed in responding to the second sender without shaping the deflected second network traffic flow and without misinforming the second sender (Cai, paragraph 16, teaches that packets from trusted sources on a white list, and assumed to be non-malicious, are allowed to pass through the system without any additional security checks.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Cai with the teachings of Soule in view of Nakae. Soule in view of Nakae teaches preventing attacks by dropping packets, shaping traffic, and misinforming the attacker so the attacker does not send additional attacks. Soule also teaches using a whitelist and blacklist briefly (in paragraph 14), but does not recite any specific details. Cai teaches that when a trusted source is on a whitelist that the packets are allowed to pass through the system without any additional security checks. Therefore, it would have been obvious to have allowed the packets of trusted sources on the whitelist to pass through the system without any additional security checks (such as shaping traffic or misinforming the user) as this would reduce the load on the system by not requiring the system to further analyze packets from trusted sources.

As per claim 10, Soule in view of Nakae and Cai discloses The method of claim 9, wherein the network categories comprise a second category of network traffic from an unknown sender that does not relate to the service and a third category of network traffic from a known malicious sender that does not relate to the service, and wherein responsive to categorization of the deflected second network traffic flow in the second or third category, such that the second network traffic flow is malicious or potentially malicious, the demand of the second sender is managed by shaping the deflected second network traffic flow and/or by the misinforming the second sender in responding to the second sender in the manner specific to the second or third category in which the second network traffic flow has been categorized (Soule, paragraph 14, teaches using a white list and black list. Soule, paragraph 48, teaches receiving data from suspicious IP addresses and dropping or delaying those packets. Soule, paragraph 61, teaches blacklisting the source of the attack packets. Cai, paragraph 16, teaches that packets from trusted sources on a white list are allowed to pass through the system without any additional security checks. Therefore, the combination of references teaches using a whitelist and blacklist to categorize the incoming packets and proceeding accordingly. If the source of the packet is on the whitelist, then the packet is allowed through as normal without any additional security checks (as shown in Cai paragraph 16). If the source of the packet is on the blacklist (known malicious source), then the packets are dropped (as in Cai paragraph 13) or dropped, shaped, and the sender is misinformed (as shown in Soule paragraphs 10, 15, 20, 48, 61, and 63).
If the source of the packet is unknown, then the system of Soule in view of Nakae would be performed normally by analyzing the packet and dropping the packet, shaping the traffic, and misinforming the sender (as shown in Soule paragraphs 10, 15, 20, 48, 61, and 63 and Nakae col. 9 lines 36-48).)

Claims 12-13 as best understood are rejected under 35 U.S.C. 103 as being unpatentable over Soule in view of Nakae and further in view of Li (US 2018/0103060).

As per claim 12, Soule in view of Nakae discloses The non-transitory computer-readable data storage medium of claim 11, wherein the network traffic flow from the sender is a first network traffic flow, and the processing further comprises: receiving a second network traffic flow deflected by the first-line component away from the computing services system, the second network traffic flow sent from a second sender and directed to the computing services system, the second network traffic flow deflected by the first-line component to the second-line component prior to the second network traffic flow being determined as not malicious, or as malicious or potentially malicious (Please see the rejection for claim 11 as shown above. The Examiner would note that it would have been obvious to perform the system of Soule in view of Nakae on multiple incoming packets from multiple users to allow the system to prevent attacks from multiple users as well as allowing the service to be used by multiple users. Nakae, Figures 4 and 6 and associated texts, also specifically teaches receiving packets from multiple source IP addresses which further shows that multiple users can use the system. Soule, Figure 6 and associated texts such as paragraphs 64-66 and 57-71, teaches intercepting packets directed towards a server to “process at least one service request”. The packets are then received and analyzed at a first security node to determine if the packet is harmful at a first protocol layer. If the packet is not harmful at the first protocol layer it will be forwarded to a second security node for additional analysis at a second protocol layer. The Examiner would note that, at this point in time, the packet is only known to not be harmful (non-malicious) at the first protocol layer, but the packet can still be harmful at other protocol layers. Therefore, at this point in time, it is not known if the packet is malicious or not.
As shown in Soule Figure 6 and paragraph 64, the packet is not harmful at the first protocol layer but is harmful at the second protocol layer. This is known after an additional analysis at the second security node. Additionally, as the packets are sent to a second layer for additional scanning/processing instead of the intended service they are considered as being deflected away from the service. Next, Soule teaches analyzing the packet at the second security node to determine if the packet is harmful/malicious at the second protocol layer. Nakae, abstract, claim 14, and col. 9 lines 36-48 teaches receiving an IP packet that is unauthorized or suspicious and forwarding those packets to a decoy unit to scan the packet to determine if the packet is malicious or not. Nakae, col. 10 lines 60-67, teaches if the packet is addressed to an IP address that is not in use that it gets forwarded for further analysis i.e. does not relate to the service as the packet is sent to an IP address that the service is not using. Additionally, as the packets are sent to a decoy unit instead of the intended service they are considered as being deflected away from the service.);
in response to determining that the deflected second network traffic flow is malicious or potentially malicious… managing demand of the second sender by shaping the deflected second network traffic in response to the second sender or by misinforming the second sender in responding to the second sender (Soule, Figure 6 and associated texts such as paragraphs 64 and 57-71, teaches analyzing the packet at one or two different security nodes which can operate at different layers of the OSI model to determine if the packet is harmful/malicious. Additionally, Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches dropping malicious packets from an attacker. Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches shaping the traffic by adding artificial delays, dropping random packets, or redirecting the packets for further analysis. Soule, paragraphs 10, 15, 20, 48, 61, and 63, also teaches misinforming the sender by advertising false open ports or sending responses to make the sender/attacker think the attack is working properly when it isn’t because the attack packets have actually been dropped. Soule, paragraph 20, recites “sending a deceptive response to the sender”.)
However, Soule in view of Nakae does not specifically teach “determining whether a utilization state of the network security system is 20greater than a threshold”.
Li discloses wherein the processing further comprises, in response to determining that the … second network traffic flow is malicious or potentially malicious: determining whether a utilization state of the network security system is greater than a threshold; and in response to determining that the utilization state is less than the threshold, managing demand of the second sender by shaping the … second network traffic flow in response to the second sender or by misinforming the second sender in responding to the second sender (Li, paragraph 11, teaches monitoring a congestion threshold. If the current congestion is above a threshold then the system enters congestion mode and begins to drop malicious packets. If the current congestion is below the threshold then the system stays (or enters) normal mode to continue to monitor the incoming packets for malicious activity. Therefore, in the combination with Soule in view of Nakae the system will monitor the congestion and when the congestion is above a threshold it will drop the packets in congestion mode (as shown in Li). When the congestion is below the threshold and the system is operating in normal mode it will perform the normal system of Soule in view of Nakae by shaping the traffic and misinforming the sender/attacker.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Li with the teachings of Soule in view of Nakae. Soule in view of Nakae teaches preventing denial of service attacks as well as other attacks by dropping packets, shaping traffic, and misinforming the attacker. Li similarly teaches preventing denial of service attacks by dropping packets when the congestion of the system is above a threshold and operating normally when the congestion is below the threshold. Therefore, it would have been obvious to use the congestion/load on the system as an indicator of when to begin dropping packets to prevent the attack. This would have been a simple substitution of one known method of attack detection and prevention for another to yield the predictable results of detecting and preventing attacks.

As per claim 13, Soule in view of Nakae and Li discloses The non-transitory computer-readable data storage medium of claim 12, wherein the processing further comprises: in response to determining that the utilization rate is greater than the threshold, managing demand of the third sender by dropping the third network traffic flow without shaping the deflected third network traffic flow and without misinforming the sender (Soule, Figure 6 and associated texts such as paragraphs 64-66, teaches intercepting packets directed towards a server to “process at least one service request”. Soule, Figure 6 and associated texts such as paragraphs 64 and 57-71, teaches analyzing the packet at a first security node to determine if the packet is harmful at a particular layer of the OSI model. If the packet is not harmful at the first protocol layer then the packet is forwarded/deflected to a second security node for further analysis at a different layer of the OSI model. Soule, Figure 6 and associated texts such as paragraphs 64 and 57-71, teaches analyzing the packet at the second security node to determine if the packet is harmful/malicious. Additionally, Soule, paragraphs 10, 15, 20, 48, 61, and 63, teaches dropping malicious packets from an attacker. Soule, paragraphs 11-12 and 14-15, teaches a first server node and second server node to perform the features of analyzing packets, dropping packets, shaping the traffic by performing delays or redirections, and misinforming the attacker by sending a “deceptive response to the sender”. Therefore, each server node can drop the packets. Li, paragraph 11, teaches monitoring a congestion threshold. If the current congestion is above a threshold then the system enters congestion mode and begins to drop malicious packets. If the current congestion is below the threshold then the system stays (or enters) normal mode to continue to monitor the incoming packets for malicious activity.
Therefore, in the combination with Soule in view of Nakae the system will monitor the congestion and when the congestion is above a threshold it will drop the packets in congestion mode (as shown in Li paragraph 11) by either the first or second server node (as shown in Soule paragraphs 11-12 and 14-15). When the congestion is below the threshold and the system is operating in normal mode it will perform the normal system of Soule by shaping the traffic and misinforming the sender/attacker.)

Allowable Subject Matter
Claim 14 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as overcoming the 35 USC 112 Rejections. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “wherein the threshold is a first threshold, and the processing further comprises: receiving an initial portion of a third network traffic flow deflected by the first-line component away from the computing services system, the third network traffic flow sent from a third sender and directed to the computing services system, the third network traffic flow deflected by the first-line component to the second-line component prior to the third network traffic flow being determined as not malicious, or as malicious or potentially malicious; in response to determining that the deflected third network traffic flow is malicious or potentially malicious, determining whether the utilization state of the network security system is greater than a second threshold higher than the first threshold; and, in response to determining that the utilization state is greater than the second threshold, managing demand of the third sender by causing a subsequent portion of the third network traffic flow from the sender to be dropped at the first-line component instead of being deflected to the second-line component, until the utilization state falls below a third threshold lower than the second threshold”. The closest prior art of record includes:
Soule (US 2020/0228538) – teaches analyzing network traffic at different nodes to determine if the traffic is malicious at a particular layer. 
Nakae (US 7464407) – teaches receiving unauthorized packets directed to an unused IP address and forwards the packets to a decoy unit for analysis to determine if the packets are malicious or not.
Li (US 2018/0103060) – teaches dropping packets when the utilization rate is above a threshold.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.
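The utilization-based handling discussed above for claims 12-14 (shape or misinform below a first threshold, drop above it, and shed at the first-line component above a second threshold until utilization falls below a third) can be modelled as a small state machine with hysteresis. This is an added illustration, not code from the application, this Office action, or any cited reference; the class and method names, the threshold values, the per-sender block set, and the handling of the portion already received are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    FORWARD = 1             # not malicious: pass on to the service
    SHAPE_OR_MISINFORM = 2  # delay or deceive at the second-line component
    DROP_SECOND_LINE = 3    # drop, with no shaping and no deceptive response
    DROP_FIRST_LINE = 4     # dropped before deflection to the second line


@dataclass
class DemandManager:
    # Constructed values; the quoted claim text fixes only t1 < t2 and t3 < t2.
    t1: float = 0.60  # first threshold
    t2: float = 0.90  # second threshold, higher than the first
    t3: float = 0.70  # third threshold, lower than the second
    blocked: set = field(default_factory=set)  # senders shed at the first line

    def __post_init__(self):
        if not (self.t1 < self.t2 and self.t3 < self.t2):
            raise ValueError("require t1 < t2 and t3 < t2")

    def decide(self, sender: str, malicious: bool, util: float) -> Action:
        if util < self.t3:
            self.blocked.clear()           # hysteresis release
        if sender in self.blocked:
            return Action.DROP_FIRST_LINE  # never reaches the second line
        # From here on the portion has been deflected to the second line.
        if not malicious:
            return Action.FORWARD
        if util > self.t2:
            # Assumption: the portion already in hand is dropped as well.
            self.blocked.add(sender)
            return Action.DROP_SECOND_LINE
        if util > self.t1:
            return Action.DROP_SECOND_LINE
        return Action.SHAPE_OR_MISINFORM


# Constructed trace: (sender, judged malicious?, utilization as a fraction)
TRACE = [
    ("198.51.100.7", True, 0.40),
    ("198.51.100.7", True, 0.75),
    ("198.51.100.7", True, 0.95),  # crosses t2: sender becomes blocked
    ("198.51.100.7", True, 0.80),  # still above t3: shed at the first line
    ("203.0.113.9", False, 0.80),
    ("198.51.100.7", True, 0.65),  # below t3: block released
    ("198.51.100.7", True, 0.50),
]


def run_trace(trace):
    mgr = DemandManager()
    return [mgr.decide(s, m, u).name for s, m, u in trace]
```

The gap between the second and third thresholds is what keeps the first-line drop from toggling on and off while utilization hovers near the second threshold.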

Related Prior Art
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure includes:
Schlossberg (US 2002/0066034) – teaches misinforming the attacker.
Kirsch (US 6772196) – teaches a whitelist of trusted sources.
Rhoades (US 2007/0258463) – teaches that a DoS attack can drop the throughput below a threshold.
Sikdar (US 2007/0022479) – teaches dropping DoS packets above a threshold.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498