Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
This action is in response to the communication filed on 12/15/2020.
Claims 1-20 are under examination.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,911,483 B1. Although the claims at issue are not identical, they are not patentably distinct from each other because the subject matter claimed in the instant application is fully disclosed in the patent and is covered by the patent since the patent and the application are claiming common subject matter, as follows: A computer-implemented method, comprising: receiving first request data, the first request data specifying requests received by a Domain Name System service over a first period of time and requests received by a web service for providing a resource over the first period of time; determining, based at least in part on the first request data, a baseline ratio of the requests received by the web service to the requests received by the Domain Name System service; receiving second request data, the second request data specifying at least second requests received by the Domain Name System service over a second period of time having a duration of the first period of time and second requests received by the web service for providing the resource over the second period of time; determining, based at least in part on the second request data, a ratio of the second requests received by the web service relative to the second requests received by the Domain Name System service; determining, based at least in part on the ratio relative to the baseline, that the ratio is indicative of a Distributed Denial of Service attack; and redirecting network traffic directed towards the web service to another service.
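The method recited above can be illustrated with the following sketch, which is an added example and not code from the application, the patent, or any cited reference. The record layout, the `factor` threshold, the trusted-address set (compare claims 6 and 16) and all sample addresses are assumptions constructed for illustration; the redirect step is represented only as a returned decision.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int        # seconds since start of capture
    service: str   # "dns" or "web"
    src_ip: str


def window_counts(requests, start, duration, trusted=frozenset()):
    """Count (web, dns) requests in [start, start + duration), skipping trusted sources."""
    counts = Counter()
    for r in requests:
        if start <= r.ts < start + duration and r.src_ip not in trusted:
            counts[r.service] += 1
    return counts["web"], counts["dns"]


def web_to_dns_ratio(web, dns):
    """Web requests per DNS request; web traffic with no DNS lookups at all maps to infinity."""
    if dns == 0:
        return float("inf") if web else 0.0
    return web / dns


def evaluate(requests, baseline_start, current_start, duration,
             factor=3.0, trusted=frozenset()):
    """Compare the current window's web:DNS ratio with the baseline window's ratio.

    Both windows use the same duration, as the claim requires. `factor` is an
    assumed tuning knob: the claim only says the ratio is judged relative to
    the baseline.
    """
    base_web, base_dns = window_counts(requests, baseline_start, duration, trusted)
    if base_web == 0 or base_dns == 0:
        raise ValueError("baseline window has no usable traffic")
    baseline = base_web / base_dns

    cur_web, cur_dns = window_counts(requests, current_start, duration, trusted)
    ratio = web_to_dns_ratio(cur_web, cur_dns)
    suspected = ratio > factor * baseline

    # Sources contributing the most web requests in the current window
    # (the kind of address a downstream service could be told to block).
    top = Counter(
        r.src_ip for r in requests
        if r.service == "web"
        and current_start <= r.ts < current_start + duration
        and r.src_ip not in trusted
    ).most_common(2)

    return {
        "baseline": baseline,
        "ratio": ratio,
        "ddos_suspected": suspected,
        "action": "redirect" if suspected else "none",
        "top_web_sources": top,
    }


TRUSTED = frozenset({"192.0.2.10"})  # constructed: an uptime monitor that never resolves DNS


def sample_requests():
    """Constructed traffic: two 60-second windows, the second one with a web-only flood."""
    reqs = []
    for base in (0, 60):
        for i in range(10):  # ten ordinary clients: 1 DNS lookup, then 4 web requests
            ip = f"198.51.100.{i + 1}"
            reqs.append(Request(base + i, "dns", ip))
            reqs.extend(Request(base + i + k, "web", ip) for k in range(1, 5))
        reqs.extend(Request(base + 2 * k, "web", "192.0.2.10") for k in range(20))
    for ip in ("203.0.113.1", "203.0.113.2"):  # flood sources: web requests, no DNS
        reqs.extend(Request(60 + (k % 60), "web", ip) for k in range(100))
    return reqs


if __name__ == "__main__":
    print(evaluate(sample_requests(), baseline_start=0, current_start=60,
                   duration=60, trusted=TRUSTED))
```
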


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 5, 9 and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1) and NA et al. (US 2010/0138921 A1).
Regarding claim 1, Grill et al. discloses a computer-implemented method, comprising: receiving first request data, the first request data specifying requests received by a Domain Name System service over a first period of time and requests received by a web service for providing a resource over the first period of time [par. 0070, “the particular threshold value is determined based on a previous threshold value and a plurality of ratios of number of domain name server requests to internet protocol addresses contacted. Each ratio of the plurality of ratios may be associated with a different corresponding host in the network. The previous threshold value may be a certain threshold value determined at a previous period of time and may be determined based on network flow information available for that period of time or up until that period of time”]; determining, based at least in part on the first request data, a baseline ratio of the requests received by the web service to the requests received by the Domain Name System service [par. 0070, “the particular threshold value is determined based on a previous threshold value and a plurality of ratios of number of domain name server requests to internet protocol addresses contacted. Each ratio of the plurality of ratios may be associated with a different corresponding host in the network. The previous threshold value may be a certain threshold value determined at a previous period of time and may be determined based on network flow information available for that period of time or up until that period of time”, (calculating the ratio of A to B is an obvious variation of calculating the ratio of B to A)]; receiving second request data, the second request data specifying at least second requests received by the Domain Name System service over a second period of time having a duration of the first period of time and second requests received by the web service for providing the resource over the second period of time [par. 0028, “the network operator may configure a metering process at an internetworking device serving as an observation point to collect network flow information about packets originating from the hosts, and may configure an exporter to export that information to a collector computer that is configured as described herein. The collector may be configured to determine the number of DNS server requests made by a particular host within a particular time interval and the number of internet protocol (IP) addresses contacted by the particular host within the particular time interval based on the network flow information received at the collector”]; determining, based at least in part on the second request data, a ratio of the second requests received by the web service relative to the second requests received by the Domain Name System service [par. 0028, “the network operator may configure a metering process at an internetworking device serving as an observation point to collect network flow information about packets originating from the hosts, and may configure an exporter to export that information to a collector computer that is configured as described herein. The collector may be configured to determine the number of DNS server requests made by a particular host within a particular time interval and the number of internet protocol (IP) addresses contacted by the particular host within the particular time interval based on the network flow information received at the collector”, (calculating the ratio of A to B is an obvious variation of calculating the ratio of B to A)]; determining, based at least in part on the ratio relative to the baseline, that the ratio is indicative of a Distributed Denial of Service attack [par. 0030, “a value based on a ratio of the number of DNS server requests made by the particular host to the number of IP addresses contacted by the particular host is determined. The value is compared with a threshold value, which is based on the ratios of the number of DNS server requests made by other hosts within the network to the number of IP addresses contacted by other hosts within the network. If the value for the particular host is greater than the threshold value, then the particular host is identified as one that is compromised with DGA-based malware”];
Grill et al. does not explicitly disclose redirecting network traffic directed towards the web service to another service.
However, NA et al., in the field of determining and taking measures against a DDoS attack using networking devices installed in a communication network, teaches redirecting network traffic directed towards the web service to another service [pars. 0050-0051, “When the attack determining unit 310 determines that the traffic to the origin server 160 is associated with the DDoS attack, the IP address changing unit 320 requests the DNS 120 to change the IP address associated with the domain name of the origin server 160 to the IP addresses of the replicating servers 150. In order to enhance the stability of the service provided from the origin server 160, the replicating servers 150 can respond to the service requests instead of the origin server 160 when the attack determining unit 310 determines that the traffic is associated with the DDoS attack”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of NA et al. into the teaching of Grill et al. with the motivation to enhance the stability of the service provided from the origin server as taught by NA et al. [NA et al.: par. 0051].
Regarding claim 3, the rejection of claim 1 is incorporated.
NA et al. further discloses wherein redirecting the network traffic directed towards the web service to the other service includes transmitting a request to the Domain Name System service to associate a domain name of the web service with an Internet Protocol of the other service [pars. 0050-0051, “When the attack determining unit 310 determines that the traffic to the origin server 160 is associated with the DDoS attack, the IP address changing unit 320 requests the DNS 120 to change the IP address associated with the domain name of the origin server 160 to the IP addresses of the replicating servers 150. In order to enhance the stability of the service provided from the origin server 160, the replicating servers 150 can respond to the service requests instead of the origin server 160 when the attack determining unit 310 determines that the traffic is associated with the DDoS attack”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of NA et al. into the teaching of Grill et al. with the motivation to enhance the stability of the service provided from the origin server as taught by NA et al. [NA et al.: par. 0051].
Regarding claim 5, Grill et al. discloses a system, comprising at least one computing device configured to implement one or more services [fig. 1], wherein the one or more services: obtaining request data generated as a result of requests received by a service that resolves an identifier to a set of network addresses for a resource over a period of time and requests received by a web service for providing the resource over the period of time [par. 0028, “the network operator may configure a metering process at an internetworking device serving as an observation point to collect network flow information about packets originating from the hosts, and may configure an exporter to export that information to a collector computer that is configured as described herein. The collector may be configured to determine the number of DNS server requests made by a particular host within a particular time interval and the number of internet protocol (IP) addresses contacted by the particular host within the particular time interval based on the network flow information received at the collector”]; determine, based at least in part on the request data, a value corresponding to the request data; determine that the value satisfies a set of conditions [par. 0030, “a value based on a ratio of the number of DNS server requests made by the particular host to the number of IP addresses contacted by the particular host is determined. The value is compared with a threshold value, which is based on the ratios of the number of DNS server requests made by other hosts within the network to the number of IP addresses contacted by other hosts within the network. If the value for the particular host is greater than the threshold value, then the particular host is identified as one that is compromised with DGA-based malware”]; 
Grill et al. does not explicitly disclose perform an operation to cause a change in how future requests are processed.
However, NA et al., in the field of determining and taking measures against a DDoS attack using networking devices installed in a communication network, teaches perform an operation to cause a change in how future requests are processed [pars. 0050-0051, “When the attack determining unit 310 determines that the traffic to the origin server 160 is associated with the DDoS attack, the IP address changing unit 320 requests the DNS 120 to change the IP address associated with the domain name of the origin server 160 to the IP addresses of the replicating servers 150. In order to enhance the stability of the service provided from the origin server 160, the replicating servers 150 can respond to the service requests instead of the origin server 160 when the attack determining unit 310 determines that the traffic is associated with the DDoS attack”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of NA et al. into the teaching of Grill et al. with the motivation to enhance the stability of the service provided from the origin server as taught by NA et al. [NA et al.: par. 0051].
Regarding claim 9, the rejection of claim 5 is incorporated.
NA et al. further discloses the operation includes transmitting a request to the service that resolves the identifier to the set of network addresses for the resource to associate the identifier of the resource with an Internet Protocol address of a Content Delivery Network service that is usable to mitigate a Denial of Service attack to cause the network traffic to be redirected to the Content Delivery Network service [par. 0026, “A so-called Contents Delivery Network (CDN) service distributes computing load associated with servicing requests to the origin server 160 by caching the contents in the origin server 160 to other replicating servers 150 and selecting an optimal server to service a user 100 based on the status of the replicating servers 150”, pars. 0050-0051, “When the attack determining unit 310 determines that the traffic to the origin server 160 is associated with the DDoS attack, the IP address changing unit 320 requests the DNS 120 to change the IP address associated with the domain name of the origin server 160 to the IP addresses of the replicating servers 150. In order to enhance the stability of the service provided from the origin server 160, the replicating servers 150 can respond to the service requests instead of the origin server 160 when the attack determining unit 310 determines that the traffic is associated with the DDoS attack”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of NA et al. into the teaching of Grill et al. with the motivation to enhance the stability of the service provided from the origin server as taught by NA et al. [NA et al.: par. 0051].
Regarding claim 12, the rejection of claim 5 is incorporated.
Grill et al. further discloses the value corresponding to the request data is a ratio calculated by dividing a number of requests processed by the web service specified in the request data over the period of time by a number of requests processed by the service that resolves the identifier to the set of network addresses for the resource over the period of time [par. 0030, “a value based on a ratio of the number of DNS server requests made by the particular host to the number of IP addresses contacted by the particular host is determined. The value is compared with a threshold value, which is based on the ratios of the number of DNS server requests made by other hosts within the network to the number of IP addresses contacted by other hosts within the network. If the value for the particular host is greater than the threshold value, then the particular host is identified as one that is compromised with DGA-based malware” (calculating the ratio of A to B is an obvious variation of calculating the ratio of B to A)].
Regarding claim 13, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 14, the rejection of claim 13 is incorporated.
NA et al. further discloses the operation includes transmitting a request to the service that resolves the identifier to redirect network traffic directed at the resource to another service that can promulgate the change [par. 0026, “A so-called Contents Delivery Network (CDN) service distributes computing load associated with servicing requests to the origin server 160 by caching the contents in the origin server 160 to other replicating servers 150 and selecting an optimal server to service a user 100 based on the status of the replicating servers 150”, pars. 0050-0051, “When the attack determining unit 310 determines that the traffic to the origin server 160 is associated with the DDoS attack, the IP address changing unit 320 requests the DNS 120 to change the IP address associated with the domain name of the origin server 160 to the IP addresses of the replicating servers 150. In order to enhance the stability of the service provided from the origin server 160, the replicating servers 150 can respond to the service requests instead of the origin server 160 when the attack determining unit 310 determines that the traffic is associated with the DDoS attack”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of NA et al. into the teaching of Grill et al. with the motivation to enhance the stability of the service provided from the origin server as taught by NA et al. [NA et al.: par. 0051].
Regarding claim 15, the rejection of claim 13 is incorporated.
Grill et al. further discloses determine a request frequency ratio of the requests received by the web service for providing the resource to the requests received by the service that resolves the identifier; and compare the request frequency ratio to the baseline request data to determine that the set of conditions have been satisfied [par. 0030, “a value based on a ratio of the number of DNS server requests made by the particular host to the number of IP addresses contacted by the particular host is determined. The value is compared with a threshold value, which is based on the ratios of the number of DNS server requests made by other hosts within the network to the number of IP addresses contacted by other hosts within the network. If the value for the particular host is greater than the threshold value, then the particular host is identified as one that is compromised with DGA-based malware” (calculating the ratio of A to B is an obvious variation of calculating the ratio of B to A)].

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1) and NA et al. (US 2010/0138921 A1) as applied to claims 1, 3, 5, 9 and 12-15 above, and further in view of El-Moussa et al. (US 2010/0122342 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Grill et al. further discloses identifying, based at least in part on the first request data and the second request data, an Internet Protocol address corresponding to an entity that causes the ratio to be indicative of the Distributed Denial of Service attack [par. 0069, “existence of malware on the particular host is determined based on the number of domain name server requests originated from the particular host and the number of internet protocol addresses contacted by the particular host”, par. 0050, “collector 105 may also determine the source address of packet 222 and the receive time of packet 222”];
Grill et al. and NA et al. do not disclose providing the Internet Protocol address corresponding to the entity to the other service to cause the other service to block network traffic originating from the Internet Protocol address corresponding to the entity.
However El-Moussa et al. teaches providing the Internet Protocol address corresponding to the entity to the other service to cause the other service to block network traffic originating from the Internet Protocol address corresponding to the entity [par. 0056, “the router or detection system can send a filtering message to the router nearest to the attacking sender, with the instruction for that router to drop traffic for the set period. The filtering message includes the sender IP address, the destination IP address, protocol (TCP) and amount of time to block his traffic”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of El-Moussa et al. into the teaching of Grill et al. and NA et al. with the motivation to allow for very specific targeting of malicious traffic and if the sender sending the malicious traffic is communicating with a receiver other than the victim, the legitimate traffic is not blocked or dropped as taught by El-Moussa et al. [El-Moussa et al.: par. 0056].

Claims 4, 6-7, 11, 16-17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1) and NA et al. (US 2010/0138921 A1) as applied to claims 1, 3, 5, 9 and 12-15 above, and further in view of Del Fante (US 2016/0164912 A1).
Regarding claim 4, the rejection of claim 1 is incorporated.
Grill et al. and NA et al. do not explicitly disclose transmitting a notification to indicate detection of the Dedicated Denial of Service attack directed towards the web service.
However Del Fante teaches transmitting a notification to indicate detection of the Dedicated Denial of Service attack directed towards the web service [par. 0055, “alert generation module 214 can be configured to alert server 206 or a network level device, such as a firewall, access point (AP), gateway, or any other desired/configured device, so as to block the requests from a given source IP, that has been identified as being associated with an attack”, par. 0067, “threshold based alert/blacklist generation module 318, based on the information entropy derived from the compression ratios of temporal/spatial information, is configured to generate one or more alerts 320 for such anomalous clients”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 6, the rejection of claim 5 is incorporated.
Grill et al. and NA et al. do not explicitly disclose identify, based at least in part on the request data, requests generated by trusted entities; and remove, from the request data, the requests generated by the trusted entities such that the value corresponding to the request data is determined without the requests generated by the trusted entities.
However Del Fante teaches identify, based at least in part on the request data, requests generated by trusted entities; and remove, from the request data, the requests generated by the trusted entities such that the value corresponding to the request data is determined without the requests generated by the trusted entities [par. 0060, “data receiving module 304 can be configured to receive access requests from one or more source Internet Protocol (IP) addresses, wherein the access requests can be received from network 318 in the form of one or more network data packets. Data receiving module 304 can be customized in order to capture only a subset of the access requests. For example, only those access requests associated with suspicious IP addresses or certain sender attributes may be processed by DDoS attack detection and response system 302. In this manner, packets associated with known/registered legitimate users may not need to go through DDoS attack detection and response system 302”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 7, the rejection of claim 6 is incorporated.
Del Fante further teaches wherein identifying the requests generated by the trusted entities includes: determining Internet Protocol addresses corresponding to the trusted entities; and identifying, from the request data, entries having any of the Internet Protocol addresses corresponding to the trusted entities [par. 0060, “data receiving module 304 can be configured to receive access requests from one or more source Internet Protocol (IP) addresses, wherein the access requests can be received from network 318 in the form of one or more network data packets. Data receiving module 304 can be customized in order to capture only a subset of the access requests. For example, only those access requests associated with suspicious IP addresses or certain sender attributes may be processed by DDoS attack detection and response system 302. In this manner, packets associated with known/registered legitimate users may not need to go through DDoS attack detection and response system 302”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 11, the rejection of claim 5 is incorporated.
Grill et al. and NA et al. do not explicitly disclose the operation includes transmitting a notification specifying that a Denial of Service attack has been detected.
However Del Fante teaches the operation includes transmitting a notification specifying that a Denial of Service attack has been detected [par. 0055, “alert generation module 214 can be configured to alert server 206 or a network level device, such as a firewall, access point (AP), gateway, or any other desired/configured device, so as to block the requests from a given source IP, that has been identified as being associated with an attack”, par. 0067, “threshold based alert/blacklist generation module 318, based on the information entropy derived from the compression ratios of temporal/spatial information, is configured to generate one or more alerts 320 for such anomalous clients”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 16, the rejection of claim 13 is incorporated.
Grill et al. and NA et al. do not explicitly disclose identify, based at least in part on the request data, requests generated by trusted entities; and disregard requests generated by the trusted entities such that whether the set of conditions is satisfied is determined without using the requests generated by the trusted entities.
However Del Fante teaches identify, based at least in part on the request data, requests generated by trusted entities; and disregard requests generated by the trusted entities such that whether the set of conditions is satisfied is determined without using the requests generated by the trusted entities [par. 0060, “data receiving module 304 can be configured to receive access requests from one or more source Internet Protocol (IP) addresses, wherein the access requests can be received from network 318 in the form of one or more network data packets. Data receiving module 304 can be customized in order to capture only a subset of the access requests. For example, only those access requests associated with suspicious IP addresses or certain sender attributes may be processed by DDoS attack detection and response system 302. In this manner, packets associated with known/registered legitimate users may not need to go through DDoS attack detection and response system 302”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 17, the rejection of claim 16 is incorporated.
Del Fante further teaches identify Internet Protocol addresses corresponding to the trusted entities; and identify entries in the request data that specify at least one of the Internet Protocol addresses corresponding to the trusted entities [par. 0060, “data receiving module 304 can be configured to receive access requests from one or more source Internet Protocol (IP) addresses, wherein the access requests can be received from network 318 in the form of one or more network data packets. Data receiving module 304 can be customized in order to capture only a subset of the access requests. For example, only those access requests associated with suspicious IP addresses or certain sender attributes may be processed by DDoS attack detection and response system 302. In this manner, packets associated with known/registered legitimate users may not need to go through DDoS attack detection and response system 302”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].
Regarding claim 19, the rejection of claim 13 is incorporated.
Grill et al. and NA et al. do not explicitly disclose the operation includes transmitting a notification to the web service to indicate that the set of conditions have been satisfied.
However Del Fante teaches the operation includes transmitting a notification to the web service to indicate that the set of conditions have been satisfied [par. 0055, “alert generation module 214 can be configured to alert server 206 or a network level device, such as a firewall, access point (AP), gateway, or any other desired/configured device, so as to block the requests from a given source IP, that has been identified as being associated with an attack”, par. 0067, “threshold based alert/blacklist generation module 318, based on the information entropy derived from the compression ratios of temporal/spatial information, is configured to generate one or more alerts 320 for such anomalous clients”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Del Fante into the teaching of Grill et al. and NA et al. with the motivation to block the requests from a given source IP that has been identified as being associated with an attack as taught by Del Fante [Del Fante: par. 0055].

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1), NA et al. (US 2010/0138921 A1) and Del Fante (US 2016/0164912 A1) as applied to claims 4, 6-7, 11, 16-17 and 19 above, and further in view of Betts et al. (US 2006/0047832 A1).
Regarding claim 8, the rejection of claim 6 is incorporated.
Del Fante discloses identifying the requests generated by the trusted entities.
Grill et al., NA et al. and Del Fante do not explicitly disclose identifying the requests generated by the trusted entities includes: identifying, from the request data, entries specifying a shared secret provided to trusted entities; and verifying that the shared secret is valid.
However, Betts et al., in the field of methods and apparatuses for processing web service messages, teaches identifying the requests generated by the trusted entities includes: identifying, from the request data, entries specifying a shared secret provided to trusted entities; and verifying that the shared secret is valid [pars. 0031-0032, “(g) checking a signature of the web service message; [0032] (h) identifying a source of the web service message”, par. 0047, “The source of the web service message can be identified and authenticated (Step S307) by using, for example, pre-configured usernames and passwords, or by registering trusted cryptographic keys with the device, such as the public key of a trusted certificate authority”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Betts et al. into the teaching of Grill et al., NA et al. and Del Fante with the motivation of determining whether a source of the web service message is authorized as taught by Betts et al. [Betts et al.: par. 0011].

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1) and NA et al. (US 2010/0138921 A1) as applied to claims 1, 3, 5, 9 and 12-15 above, and further in view of Holloway et al. (US 8,613,089 B1).
Regarding claim 10, the rejection of claim 5 is incorporated.
Grill et al. and NA et al. do not explicitly disclose the operation includes transmitting, to a proxy server of the web service, Internet Protocol addresses of entities identified as being responsible for submitting requests resulting in the value satisfying the set of conditions to cause the proxy server to block network traffic originating from the Internet Protocol addresses of the entities.
However, Holloway et al., in the field of detecting and mitigating denial-of-service (DoS) attacks, teaches the operation includes transmitting, to a proxy server of the web service, Internet Protocol addresses of entities identified as being responsible for submitting requests resulting in the value satisfying the set of conditions to cause the proxy server to block network traffic originating from the Internet Protocol addresses of the entities [col. 19, lines 8-22, “The centralized server determines, based on these message(s), a likelihood of a packet having a particular source IP address being legitimately received at each of the proxy servers. The centralized server then transmits, to the proxy servers, a message that indicates which source IP addresses of packets are not likely to be legitimately received at that proxy server. The message may specify those source IP addresses (or range of IP addresses) that are not likely to be legitimately received and/or are likely to be legitimately received at the proxy server. The centralized server may also transmit a set of rules to the proxy servers to rate limit and/or block packets received with source IP addresses that are not likely to be legitimately received by that proxy server”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Holloway et al. into the teaching of Grill et al. and NA et al. with the motivation to provide DoS attack detection and mitigation services for the domain owners as taught by Holloway et al. [Holloway et al.: col. 3, lines 44-45].

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1), NA et al. (US 2010/0138921 A1) and Del Fante (US 2016/0164912 A1) as applied to claims 6, 6-7, 11, 16-17 and 19 above, and further in view of Lee et al. (US 2013/0152189 A1).
Regarding claim 18, the rejection of claim 16 is incorporated.
Del Fante discloses identifying the requests generated by the trusted entities.
Grill et al., NA et al. and Del Fante do not explicitly disclose identify, from the request data, entries specifying a cryptographic hash generated using a cryptographic key and a shared secret provided to trusted entities; generate a second cryptographic hash based at least in part on the cryptographic key and the shared secret; and determine that the shared secret is valid as a result of the cryptographic hash being identical to the second cryptographic hash.
However, Lee et al., in the field of an authentication method and apparatus for detecting and preventing a source address spoofing packet, which are capable of basically defending against a malicious attack such as a distributed denial of service (DDoS), teaches identify, from the request data, entries specifying a cryptographic hash generated using a cryptographic key and a shared secret provided to trusted entities; generate a second cryptographic hash based at least in part on the cryptographic key and the shared secret; and determine that the shared secret is valid as a result of the cryptographic hash being identical to the second cryptographic hash [par. 0064, “the self-assurance type ID verification unit 104 determines whether a calculated Loc value and an Loc value stored in a source address of the packet are equal based on a result of verifying the signature of the Sign1 value as a digital signature value by using a public key K_pub to thereby verify validity of Sign1. As a result of the determination in step s400, if it is determined that the result is abnormal, i.e., the calculated Loc value and the Loc value stored in a source address of the packet are not equal, the self-assurance type ID verification unit 104 outputs a failure of the self-assurance type ID verification in step s402, and terminates the procedure.”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Lee et al. into the teaching of Grill et al., NA et al. and Del Fante with the motivation to detect a source address spoofing packet and a router forwards only a packet having a normal source address, thereby fundamentally defending against a malicious attack such as DDoS or the like as taught by Lee et al. [Lee et al.: par. 0021].

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Grill et al. (US 2016/0036836 A1) and NA et al. (US 2010/0138921 A1) as applied to claims 1, 3, 5, 9 and 12-15 above, and further in view of Rodriguez (US 2012/0174220 A1).
Regarding claim 20, the rejection of claim 13 is incorporated.
Grill et al. and NA et al. do not explicitly disclose the operation includes: identifying Internet Protocol addresses of entities that caused the set of conditions to be satisfied; and blocking network traffic from the Internet Protocol addresses of the entities that caused the set of conditions to be satisfied.
However Rodriguez teaches the operation includes: identifying Internet Protocol addresses of entities that caused the set of conditions to be satisfied; and blocking network traffic from the Internet Protocol addresses of the entities that caused the set of conditions to be satisfied [claim 31, “determining a set of suspect IP addresses by determining the source IP addresses of packets that occurred in the small time-window”, claim 32, “blocking traffic from the set of suspect IP addresses”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Rodriguez into the teaching of Grill et al. and NA et al. with the motivation of detecting and mitigating a denial of service (DoS) attack as taught by Rodriguez [Rodriguez: par. 0018].


 
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 9804891 B1		Parallelizing multiple signing and verifying operations within a secure routing context
US 20120096549 A1		ADAPTIVE CYBER-SECURITY ANALYTICS
US 9979588 B1		DNS resolver prioritization
US 20120174196 A1		ACTIVE VALIDATION FOR DDOS AND SSL DDOS ATTACKS
US 20150026800 A1		SCALABLE INLINE BEHAVIORAL DDOS ATTACK MITIGATION
US 20170111389 A1		METHOD AND SYSTEM FOR PROTECTING DOMAIN NAME SYSTEM SERVERS AGAINST DISTRIBUTED DENIAL OF SERVICE ATTACKS
US 20060075084 A1		Voice over internet protocol data overload detection and mitigation system and method
US 9930131 B2		Request routing processing
US 20090106318 A1		SYSTEM AND METHOD FOR DETECTING SPAM OVER INTERNET TELEPHONY (SPIT) IN IP TELECOMMUNICATION SYSTEMS
US 20150128263 A1		Methods and systems for malware detection
US 20180183830 A1		METHOD AND SYSTEM FOR DETECTING AND MITIGATING DENIAL-OF-SERVICE ATTACKS

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393.  The examiner can normally be reached on 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JASON CHIANG/Primary Examiner, Art Unit 2431