Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The abstract of the disclosure is objected to because it exceeds the 150 word count limit.  Correction is required.  See MPEP § 608.01(b).
Drawings
The drawings are objected to because Figures 7A, 8, 9A, 9B, 10, 11, 13, 14A, 14B, 15A, 15B, 15C, and 16 all include terminology which is not legible. Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 2, 3, and 4 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 is rejected under 35 U.S.C. 112(b) because the claim is dependent on itself. For the purpose of examination, claim 2 is being interpreted to be dependent on independent claim 1.
Claim 3 is rejected under 35 U.S.C. 112(b) because the claim is dependent on itself. For the purpose of examination, claim 3 is being interpreted to be dependent on independent claim 2.
Claim 4 is rejected under 35 U.S.C. 112(b) because the claim is dependent on itself. For the purpose of examination, claim 4 is being interpreted to be dependent on independent claim 2.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over SUDO (US-20180041471-A1) in view of PENG (US-20050249214-A1), hereinafter SUDO-PENG.
Regarding claim 1, SUDO teaches “A subsystem of a computer system that detects and deflects denial-of-service attacks, the subsystem comprising: a computer system that includes one or more processors, one or more memories, and one or more mass-storage devices: and computer instructions, stored in one or more of the , one or more memories that, when executed by one or more of the one or more processors, control the computer system to monitor, by a logging component of the subsystem, ([SUDO, para. 0127] “FIG. 13 is a diagram that illustrates the computer that executes the control program. As illustrated in FIG. 13, a computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard-disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. Each of the units is connected with a bus 1080.”) ([SUDO, Abstract] “When an attack is detected, a controller samples an attack-target addressed DNS reply, received by a border router, from each of the border routers. Then, the controller adds the transmission-source IP address of the sampled DNS reply to the black list of the border router. Furthermore, upon reception of any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment from the IP address that is described in the black list, the controller gives a command to the border router to discard the packet.”) ([SUDO, para. 0101] “In this manner, if reflective DDoS attacks, or the like, are conducted, the communication system identifies attack packets with regard to subsequent fragments and blocks them by using the border router 20. Furthermore, the communication system passes DNS replies (allowable DNS replies) to DNS requests from the attack target. Therefore, the communication system may block most of the attack packets and pass allowable packets.”) ([SUDO, para. 0048] “The control unit 13 includes an attack detecting unit 130, an observing unit 131, the state determining unit 132, a packet acquiring unit 133, a list generating unit 134, a packet-discarding commanding unit 135, a packet-transfer commanding unit 136, an exceptional-setting commanding unit 137, and a packet transferring unit 138.”) ([SUDO, para. 0049] “The attack detecting unit 130 detects attacks to a target. For example, the attack detecting unit 130 acquires the traffic information from the accommodation router 30 and, if it is determined that DNS replies are centered on a predetermined destination (target) within the user network on the basis of the traffic information, detects an attack to the destination as a target.”) ([SUDO, para. 0050] “The observing unit 131 observes the amount of traffic of target-addressed DNS reply in each of the border routers 20. … measure the amount of traffic of DNS reply, which is addressed to the IP address of the target”) incoming network traffic to detect network-message floods and determine one or more source addresses of …. ([SUDO, para. 0030] “when a DNS request is received from the target via the accommodation router 30, the controller 10 specifies an exceptional setting of the rule (the setting that DNS replies to DNS requests from the target are passed. Specifically, the setting that a DNS reply packet, whose transmission source is the destination IP address of the corresponding request, is passed) for all the border routers 20 and then transfers the DNS request to any of the border routers 20 (S4).”) ([SUDO, para. 0050] “The observing unit 131 observes the amount of traffic of target-addressed DNS reply in each of the border routers 20. For example, the observing unit 131 gives a command to each of the border routers 20 so as to measure the amount of traffic of DNS reply, which is addressed to the IP address of the target, and acquires a measurement result of the amount of traffic from the border router 20 at predetermined intervals.”) and deflect, by a deflection component of the subsystem, network messages directed to the computer system at a network boundary when the deflection component is notified by the logging component of a source address associated with a network-message flood. ([SUDO, para. 0101] “In this manner, if reflective DDoS attacks, or the like, are conducted, the communication system identifies attack packets with regard to subsequent fragments and blocks them”) ([SUDO, para. 0113] “As illustrated in FIG. 10, the control unit 13 of the controller 100 includes the attack detecting unit 130, the packet-transfer commanding unit 136, the exceptional-setting commanding unit 137, the packet transferring unit 138, and a blocking commanding unit 139. If the attack detecting unit 130 detects an attack, the blocking commanding unit 139 makes a notification of the IP address of the target and makes a blocking setting command to each of the border routers 200. Here, the blocking setting command is the command to block target-addressed DNS replies and UDP subsequent fragments whose transmission sources are the IP addresses that are described in the black list included in the border router 200 of its own and, upon reception of a target-addressed DNS reply whose transmission source is the IP address that is not described in the black list included in the border router 200 of its own, add the IP address to the black list.”) ([SUDO, para. 0050] “The observing unit 131 observes the amount of traffic of target-addressed DNS reply in each of the border routers 20. For example, the observing unit 131 gives a command to each of the border routers 20 so as to measure the amount of traffic of DNS reply, which is addressed to the IP address of the target, and acquires a measurement result of the amount of traffic from the border router 20 at predetermined intervals.”) ([SUDO, para. 0026] “the controller 10 detects concentration of the packets in the accommodation router 30, each of the border routers 20 first prepares for the black list that is used to block the attack packets (list preparation state). Then, after the black list is largely completed, the controller 10 causes each of the border routers 20 to block the attack packet by using the black list (list blocking state).”).
However, SUDO does not explicitly teach of “remote entities that are sources of the network-message floods”.
In analogous teaching PENG teaches “remote entities that are sources of the network-message floods” ([PENG, Abstract] “A traffic management system for use in a communications network, including a detection module for determining the source addresses of received network packets”) ([PENG, para. 0075] “The new source address detection module 404 executes a new source address detection process 900, as shown in FIG. 9, that monitors received source IP addresses to detect changes or anomalies in traffic patterns which may be indicative of flash crowd events or Highly Distributed Denial of Service (HDDoS) attacks. The new source address detection process takes advantage of the huge number of new IP addresses in attack traffic to the victim.”) ([PENG, para. 0117] “The traffic management system 300 was configured to detect the percentage of new IP addresses observed …. and contains the traffic from users outside the network”).
Thus, given the teaching of PENG, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of remote entities being the source of network messages by PENG into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO. One of ordinary skill in the art would have been motivated to do so because PENG recognizes the need to quickly detect network attacks ([PENG, para. 0008] “Clearly, there is a need for a better approach to detecting bandwidth attacks. There is also a need for rapidly detecting and responding to a flash crowd event.”) ([PENG, para. 0136] “The traffic management systems 300, 400 described above allow DDoS attacks to be detected with 100% accuracy when configured to detect as few as 18 new source IP addresses in the last-mile router and as few as 2 new IP address in the first-mile router. The detection process is fast and has a very low computing overhead.”).

Regarding claim 18, this claim recites a method that performs features similar to those of claim 1. Therefore, claim 18 is rejected in a similar manner as in the rejection of claim 1.


Regarding claim 19, SUDO-PENG teach all limitations of claim 18. SUDO further teaches “wherein the deflection occurs within an edge router at the network boundary.” ([SUDO, Abstract] “Furthermore, upon reception of any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment from the IP address that is described in the black list, the controller gives a command to the border router to discard the packet.”) ([SUDO, para. 0025] “A border router 20 is provided between the Internet and the relay network to perform a process to transfer input packets. The border router 20 has functions to change internal transfer rules in accordance with commands from a controller 10, described later, to transfer packets, which match a specific condition, to the controller 10, or to transmit the traffic information to the controller 10.”)

Regarding claim 20, this claim recites a data storage device encoded with computer instructions which, once executed, perform the features of claim 1. Therefore, claim 20 is rejected in a similar manner as in the rejection of claim 1.

Claims 2, 3, 5, and 6 are rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG, in view of BABAKIAN (US-20170005923-A1), hereinafter SUDO-PENG-BABAKIAN.

Regarding claim 2, SUDO-PENG teaches all limitations of claim 1. However, SUDO-PENG does not teach “wherein the deflection component includes a daemon that communicates with an edge router at the network boundary.”
In analogous teaching BABAKIAN teaches “wherein the deflection component includes a daemon that communicates with an edge router at the network boundary.” ([BABAKIAN, para. 0029] “As shown, the L3 gateways 250-260 each include a Border Gateway Protocol (BGP) daemon 280-290.”) ([BABAKIAN, para. 0031] “In some embodiments, the L3 gateways 250-260 are virtualized containers that have the ability to store a routing table, such as namespaces. In addition, the BGP daemons 280-290, or other routing protocol applications, operate within these containers according to the data received from the controllers. One or more daemons may operate on the gateway host machine outside of the containers (e.g., in the virtualization software of the gateway) in order to receive data tuples from the controller that define both the routing tables and the BGP configuration for a particular namespace. This daemon or daemons operate to instantiate the namespace, provision the namespace with the routing table, and start the BGP daemon in the namespace. In addition, the daemon(s) generate a configuration file for the BGP daemon in some embodiments, and store the configuration file (e.g., in a file system of the host machine) for access by the routing protocol application. Upon installing its configuration file, the BGP daemons begins communication with its external router neighbors.”).
Thus, given the teaching of BABAKIAN, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of a daemon that communicates with routers by BABAKIAN into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO-PENG. One of ordinary skill in the art would have been motivated to do so because BABAKIAN recognizes the benefit of a daemon that communicates with routers ([BABAKIAN, para. 0029] “BGP daemon only effectively works in one direction, sending out routes to its neighbors (to attract ingress traffic) but not installing routes received from those neighbors.”) ([BABAKIAN, para. 0048] “embodiments provide a novel method of performing ingress traffic engineering …. The method simplifies ingress optimizations without the need for manual configuration within the network domains and provides abstractions”).

Regarding claim 3, SUDO-PENG-BABAKIAN teach all limitations of independent claim 2. SUDO further teaches “wherein, when the deflection component is notified, by the logging component, of a source address associated with a network-message flood, the deflection component sends an UPDATE request to the edge router to request the edge router to null route the source address.” ([SUDO, para. 0048] “The control unit 13 includes an attack detecting unit 130, an observing unit 131, the state determining unit 132, a packet acquiring unit 133, a list generating unit 134, a packet-discarding commanding unit 135, a packet-transfer commanding unit 136, an exceptional-setting commanding unit 137, and a packet transferring unit 138.”) ([SUDO, para. 0049] “The attack detecting unit 130 detects attacks to a target. For example, the attack detecting unit 130 acquires the traffic information from the accommodation router 30 and, if it is determined that DNS replies are centered on a predetermined destination (target) within the user network on the basis of the traffic information, detects an attack to the destination as a target.”) ([SUDO, para. 0057] “The packet-discarding commanding unit 135 gives a command to each of the border routers 20 in accordance with the state of each of the border routers 20 as to which packet is to be blocked (discarded)”) ([SUDO, para. 0058] “For example, the packet-discarding commanding unit 135 sets the rule for the border router 20, which is in the initial state, that, when any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment is received, the packet is to be discarded.”) ([SUDO, para. 0059] “Furthermore, for example, the packet-discarding commanding unit 135 sets the rule for the border router 20, which is in the list blocking state, that, when any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment with the IP address described in the black list as the transmission source is received, the packet is to be discarded.”) ([SUDO, para. 0060] “Furthermore, for example, the packet-discarding commanding unit 135 sets the rule for the border router 20, which is in the list preparation state, that, when any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment is received, the packet is to be discarded.”) ([SUDO, para. 0112] “For example, if concentration of DNS replies to a predetermined address (an attack on the target) is detected, the controller 100 gives the following command to each of the border routers 200. Specifically, upon reception of a target-addressed DNS reply with the IP address that is not described in the black list, included in the border router 200 of its own, as the transmission source, the controller 100 gives a command to each of the border routers 200 to add the IP address to the black list. Furthermore, upon reception of a target-addressed DNS reply and a UDP subsequent fragment with the IP address described in the black list as the transmission source, the controller 100 gives a command to each of the border routers 200 to block it.”).

Regarding claim 5, SUDO-PENG-BABAKIAN teaches all limitations of claim 2. SUDO further teaches “wherein the logging component communicates a source address associated with a network-message flood to the deflection component using operating- system-provided stored data shared by the logging component and the deflection component.” ([SUDO, para. 0025] “There is a communication specification called OpenFlow, for example, as the system for multiple routers to dynamically change route control settings in accordance with commands from the controller”) ([SUDO, para. 0121] “Specifically, the functions of the communication control unit 21, the storage unit 22, and the transfer control unit 232 of the control unit 23 in the border router 200, illustrated in FIG. 10, are implemented by the OpenFlow-compatible router”) ([SUDO, para. 0044] “As illustrated in FIG. 4, the controller 10 includes a communication control unit 11, a storage unit 12, and a control unit 13.”) ([SUDO, para. 0046] “The storage unit 12 stores router information. The router information is the information that indicates the identification information on each of the border routers 20 that are provided in the relay network. As illustrated in FIG. 5, for example, the router information may include the state (the initial state, the list preparation state, the list blocking state) of each of the border routers 20 as well as the identification information on each of the border routers 20. The state of each of the border routers 20 is written by a state determining unit 132.”) ([SUDO, para. 0077] “When the rule and the exception are received via the communication control unit 21, which are transmitted from the controller 10, the rule managing unit 231 stores the rule and the exception as the rule information in the storage unit 22. Furthermore, when a command to delete the rule or the exception is received from the controller 10 via the communication control unit 21, the rule managing unit 231 accordingly deletes the deletion-target rule.”) ([SUDO, para. 0050] “The observing unit 131 observes the amount of traffic of target-addressed DNS reply in each of the border routers 20. For example, the observing unit 131 gives a command to each of the border routers 20 so as to measure the amount of traffic of DNS reply, which is addressed to the IP address of the target, and acquires a measurement result of the amount of traffic from the border router 20 at predetermined intervals.”) ([SUDO, para. 0057] “The packet-discarding commanding unit 135 gives a command to each of the border routers 20 in accordance with the state of each of the border routers 20 as to which packet is to be blocked (discarded).”) ([SUDO, para. 0059] “Furthermore, for example, the packet-discarding commanding unit 135 sets the rule for the border router 20, which is in the list blocking state, that, when any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment with the IP address described in the black list as the transmission source is received, the packet is to be discarded.”) ([SUDO, para. 0067] “The storage unit 22 stores a routing table and rule information.”) ([SUDO, para. 0068] “The routing table is the route information that is referred to when the control unit 23 determines the forward destination of a packet”).

Regarding claim 6, SUDO-PENG-BABAKIAN teaches all limitations of claim 5. SUDO further teaches “wherein the operating-system-provided stored data is a user- accessible kernel routing table” ([SUDO, para. 0067] “The storage unit 22 stores a routing table and rule information.”) ([SUDO, para. 0068] “The routing table is the route information that is referred to when the control unit 23 determines the forward destination of a packet.”) ([SUDO, para. 0074] “A transfer control unit 232 (described later) of the control unit 23 basically determines the forward destination of a packet by using the routing table; however, if the rule is set, the rule is applied so that the forward destination of a packet is determined, a packet is discarded, discarding of a packet is stopped, or the like.”).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG-BABAKIAN, in view of EARL (US-9071576-B1).
Regarding claim 4, SUDO-PENG-BABAKIAN teach all limitations of independent claim 2. SUDO further teaches “…… request to the edge router to request the edge router to terminate null routing of the source address.” ([SUDO, para. 0062] “Furthermore, if an attack is detected, the exceptional-setting commanding unit 137 sets the rule for the accommodation router 30 that a DNS request from the target is transferred to the controller 10. Thus, after an attack is detected, DNS requests from the target reach the controller 10. Furthermore, the exceptional-setting commanding unit 137 deletes the setting of the above-described exception in the border router 20 after a predetermined time elapses.”) ([SUDO, para. 0124] “Furthermore, if a DNS request is received from the target via the accommodation router 30, the controller 100 specifies the exceptional setting for the sub controller of each of the border routers 200 that a DNS reply to the DNS request is passed. After receiving the above-described exceptional setting, the sub controller gives a command to the OpenFlow-compatible router, which is managed by itself, to pass a DNS reply to the DNS request. This allows the border router 200 to pass allowable packets from the target.”).
However, SUDO-PENG-BABAKIAN does not teach “wherein, when the deflection component is notified, by the logging component, of a source address that was previously associated with a network-message flood but for which null routing can now be terminated, the deflection component sends a WITHDRAW … to request the edge … to terminate null routing of the source address.”
In an analogous teaching EARL teaches “wherein, when the deflection component is notified, by the logging component, of a source address that was previously associated with a network-message flood but for which null routing can now be terminated, the deflection component sends a WITHDRAW … to request the edge … to terminate null routing of the source address.” ([EARL, Abstract] “The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor.”) ([EARL, Col. 3 lines 32-36] “For example, a server may persistently capture network traffic, periodically count the total number of incoming packets and decide whether within a predefined time interval the total number of incoming packets exceeds a predefined amount.”) ([EARL, Col. 5 lines 60-67 – Col. 6 lines 1-10] “The monitor app 112 or the operating system may set a timer once an Internet protocol address is added to the blacklist and after a predefined time period the Internet protocol address may be removed from the blacklist if the attacker 118 associated with the Internet protocol address does not continue sending abusive network traffic to the server 102 after the Internet protocol address was added to the blacklist. The timer may be greater than or equal to the time interval used to determine whether the total number of incoming packets exceeds a predefined threshold earlier. For example, if the threshold for the total number of incoming packets is 10,000 packets within a time interval of 5 minutes, the timer here for the blacklist of the firewall may be greater than or equal to 5 minutes. After removing the Internet Protocol address from the blacklist, the firewall 104 may stop purging application service requests from the attacker 118 associated with the Internet protocol address that was just removed from the blacklist”) ([EARL, Col. 4 lines 55-61] “Any Internet protocol address added to the blacklist will be blocked for a predefined period of time, for example 2 minutes, 5 minutes, 10 minutes, or some other period of time, and then removed from the blacklist after the predefined period of time if the Internet protocol address is no longer associated with a service request rate greater than the predefined rate limit.”).
Thus, given the teaching of EARL, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of withdrawing a previous null route request by EARL into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO-PENG-BABAKIAN. One of ordinary skill in the art would have been motivated to do so because EARL recognizes the need to take action against a flood of messages ([EARL, Col. 1 lines 20-39] “Network based applications are becoming more predominant in our daily lives with the rapid development and popularization of portable network capable devices …. The impact of the network attacks on the user experience may have implications for user satisfaction with the network application provider or the network service provider.”) ([EARL, Col. 2 lines 5-7, Col. 2 lines 21-27] “In an embodiment, a method of managing application service requests is disclosed …. determining when the rate of application service requests associated with an Internet protocol address exceeds a first threshold, and taking proactive action when the rate of application service requests associated with the Internet protocol address exceeds the first threshold”).
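The mechanism quoted from EARL above (a total-request threshold over a time interval, a per-source threshold, a firewall blacklist with a timer, and removal of the address once the timer expires if the abuse has stopped), combined with the logging/deflection split of claims 1, 3 and 4, can be illustrated by the following added Python example. It is not code from SUDO, PENG, BABAKIAN, EARL or the application under examination; the fixed counting window aligned to the first observed request, the (timestamp, source) event format, the constructed sample traffic and the NULL_ROUTE/WITHDRAW action names are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Added illustration (not code from any cited reference or from the application):
# a logging-side detector that applies EARL's two thresholds and blacklist timer
# and hands null-route / withdraw requests to a deflection component. Counting
# windows are fixed-length and begin at the first observed request (assumption).


@dataclass
class FloodDetector:
    interval: float        # length of the counting window (EARL: e.g. 5 minutes)
    total_threshold: int   # first threshold: total requests seen in the window
    source_threshold: int  # second threshold: requests from a single source
    block_period: float    # blacklist timer, kept >= interval as EARL suggests
    window_start: float = 0.0
    records: list = field(default_factory=list)    # (timestamp, source) in current window
    blacklist: dict = field(default_factory=dict)  # source -> time the block expires
    actions: list = field(default_factory=list)    # ("NULL_ROUTE" | "WITHDRAW", source)

    def observe(self, ts: float, src: str) -> None:
        """Log one request; close the window and expire blocks as time advances."""
        if ts - self.window_start >= self.interval:
            self._close_window()
            self.window_start = ts
        self._expire(ts)
        self.records.append((ts, src))

    def finish(self, ts: float) -> None:
        """Close the last window and run expiry at time ts (end of input)."""
        self._close_window()
        self.window_start = ts
        self._expire(ts)

    def _close_window(self) -> None:
        # Below the first threshold the stored records are simply dropped.
        if len(self.records) < self.total_threshold:
            self.records.clear()
            return
        window_end = self.records[-1][0]
        for src, n in Counter(s for _, s in self.records).items():
            if n <= self.source_threshold:
                continue
            if src not in self.blacklist:
                self.actions.append(("NULL_ROUTE", src))  # notify deflection component
            # New block, or timer restarted because the source kept exceeding the rate.
            self.blacklist[src] = window_end + self.block_period
        self.records.clear()

    def _expire(self, now: float) -> None:
        # Timer elapsed without renewed abuse: ask for the null route to be withdrawn.
        for src, expiry in list(self.blacklist.items()):
            if now >= expiry:
                del self.blacklist[src]
                self.actions.append(("WITHDRAW", src))

    def is_blocked(self, src: str) -> bool:
        return src in self.blacklist


def sample_events() -> list:
    """Constructed traffic: one source floods the first window, then all is quiet."""
    events = []
    for i in range(120):  # window 1: 120 requests at t = 0..39, 80 of them from one source
        src = "10.0.0.9" if i % 3 else f"192.0.2.{i // 3}"
        events.append((i // 3, src))
    for i in range(30):   # window 2: 30 benign requests at t = 60..89
        events.append((60 + i, f"198.51.100.{i}"))
    return events


def run(events: list, end_time: float) -> FloodDetector:
    """Feed events to a detector and close it at end_time; returns the detector."""
    det = FloodDetector(interval=60, total_threshold=100,
                        source_threshold=50, block_period=120)
    for ts, src in events:
        det.observe(ts, src)
    det.finish(end_time)
    return det


if __name__ == "__main__":
    for ts, src in run(sample_events(), 180).actions:
        print(ts, src)
```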


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG, in view of TADA (US-20200336495-A1), hereinafter SUDO-PENG-TADA.

Regarding claim 7, SUDO-PENG teach all limitations of claim 1. SUDO further teaches “wherein the logging component includes: an alarm monitor: …. a monitor; and a logger table.” ([SUDO, para. 0044] “As illustrated in FIG. 4, the controller 10 includes a communication control unit 11, a storage unit 12, and a control unit 13.”) ([SUDO, para. 0047] “The control unit 13 performs the overall control on the controller 10, and here it principally transmits the rule with regard to packet transfer or blocking to the border router 20.”) ([SUDO, para. 0048] “The control unit 13 includes an attack detecting unit 130, an observing unit 131, … a packet-discarding commanding unit 135”) ([SUDO, para. 0049] “The attack detecting unit 130 detects attacks to a target. For example, the attack detecting unit 130 acquires the traffic information from the accommodation router 30 and, if it is determined that DNS replies are centered on a predetermined destination (target) within the user network on the basis of the traffic information, detects an attack to the destination as a target.”) ([SUDO, para. 0050] “The observing unit 131 observes the amount of traffic of target-addressed DNS reply in each of the border routers 20. For example, the observing unit 131 gives a command to each of the border routers 20 so as to measure the amount of traffic of DNS reply, which is addressed to the IP address of the target, and acquires a measurement result of the amount of traffic from the border router 20 at predetermined intervals.”) ([SUDO, para. 0026] “If the controller 10 detects concentration of the packets in the accommodation router 30, each of the border routers 20 first prepares for the black list that is used to block the attack packets (list preparation state). Then, after the black list is largely completed, the controller 10 causes each of the border routers 20 to block the attack packet by using the black list (list blocking state).”) ([SUDO, para. 0038] “almost all the IP addresses of attacker (e.g., reflectors) are registered in the black list of the border router 20 that is in the list preparation state, the controller 10 determines that the border router 20 shifts to the list blocking state. Then, the list-blocking rule is set in the border router 20.”).
However, SUDO-PENG does not teach “a bandwidth monitor”.
In analogous teaching TADA teaches “a bandwidth monitor” ([TADA, para. 0584] “a system load monitoring unit configured to monitor an available bandwidth of the data communication network”) ([TADA, Abstract] “Efficient virus detection and removal are realized by changing a mode of collecting logs in accordance with a network usage status. A configuration includes a processing monitoring unit that executes processing of monitoring a data communication network, and the processing monitoring unit includes a system load monitoring unit that monitors an available bandwidth of a network”).
Thus, given the teaching of TADA, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of bandwidth monitoring by TADA into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO-PENG. One of ordinary skill in the art would have been motivated to do so because TADA recognizes the need to prevent illegal processing by an intrusion ([TADA, para. 0020] “It is therefore an object thereof to provide an information processing apparatus … which a plurality of electronic control units (ECUs) is connected, logs corresponding to messages transmitted from and received by the respective ECUs are selectively acquired in accordance with a status of a network bandwidth, and can efficiently prevent illegal processing caused by a virus or the like, without reducing a bandwidth for normal communication messages via the network.”).

Claims 8-12 are rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG-TADA in view of EARL (US-9071576-B1), hereinafter SUDO-PENG-TADA-EARL.
Regarding claim 8, SUDO-PENG-TADA teach all limitations of claim 7. However, SUDO-PENG-TADA does not teach “wherein the alarm monitor receives metering-rule-violation alerts for a firewall within the computer system that each indicates that a particular source address is included in a series of network messages received at a rate that exceeds a threshold rate specified by the metering rule.”
In analogous teaching, EARL teaches “wherein the alarm monitor receives metering-rule-violation alerts for a firewall within the computer system that each indicates that a particular source address is included in a series of network messages received at a rate that exceeds a threshold rate specified by the metering rule.” ([EARL, Abstract] “A system for managing application service requests. The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor. The requests are visible to the second processor before they are processed by the firewall.”) ([EARL, Col. 5 lines 51-60] “The firewall 104 may be a firewall, a proxy server, a domain name service forwarder, or other security related software. In an embodiment, the firewall 104 may purge queries from an attacker 118 associated with an Internet protocol address on a blacklist that the firewall 104 maintains. Application service requests from the attacker 118 associated with Internet protocol addresses on the blacklist are purged by the firewall 104. The remaining application service requests that are not purged by the firewall 104 will then be processed by the server app 108.”) ([EARL, Col. 9 lines 38-52] “whether the rate of application service requests associated with an Internet protocol address exceeds a threshold B is determined. After the monitor app 112 copied the application service requests to the disk file system 116, the monitor app 112 further analyzes the application service requests per unique source Internet protocol address. For example, the monitor app 112 may review the fields of packet type, size and total number of the application service request packets per unique source Internet protocol address. In an embodiment, the monitor app 112 may calculate the rate of the application service request from a single source Internet protocol address based on the total time the packet capture ran. When the rate of the application service requests per unique source Internet protocol address exceeds a predefined threshold B, the monitor app 112 may take proactive actions”).
The same motivation to modify SUDO-PENG-BABAKIAN with EARL as in the rejection of claim 4, applies. 

Regarding claim 9, SUDO-PENG-TADA-EARL teach all limitations of claim 8. SUDO further teaches “wherein, when the alarm monitor receives an alert, the alarm monitor checks the logger table for an entry corresponding to the source address in the alert.” ([SUDO, para. 0026] “Here, if a large number of attack packets, which are addressed to the target, are transmitted from the reflectors, packets (e.g., DNS reply packets) are centered on the accommodation router 30 of the user network to which the target belongs. If the controller 10 detects concentration of the packets in the accommodation router 30, each of the border routers 20 first prepares for the black list that is used to block the attack packets (list preparation state). Then, after the black list is largely completed, the controller 10 causes each of the border routers 20 to block the attack packet by using the black list (list blocking state).”) ([SUDO, para. 0101] “if reflective DDoS attacks, or the like, are conducted, the communication system identifies attack packets with regard to subsequent fragments and blocks them by using the border router 20.”) ([SUDO, para. 0102] “after an attack is detected, the communication system blocks target-addressed DNS replies and UDP subsequent fragments and, after it is confirmed that the black list is matured to some extent, blocks target-addressed UDP subsequent fragments by using the black list. This allows the communication system to reduce attacks that use unauthorized UDP subsequent fragments.”) ([SUDO, para. 0110] “Furthermore, upon reception of any of an attack-target addressed reply packet of a predetermined service and an attack-target addressed fragmented packet with the IP address described in the black list as the transmission source, the packet-discarding commanding unit 135 of the controller 10 gives a command to the border router 20, which is in the list blocking state, to discard the packet; however, this is not a limitation. For example, upon reception of an attack-target addressed packet with the IP address described in the black list as the transmission source, the packet-discarding commanding unit 135 may give a command to the border router 20 in the list blocking state to discard the packet. In this manner, too, the border router 20 may discard attack packets due to the attack communication.”).

Regarding claim 10, SUDO-PENG-TADA-EARL teach all limitations of claim 9. SUDO further teaches “when no entry is found for the source address in the logger table, the alarm monitor places a new entry for the source address in the logger table.” ([SUDO, para. 0036] “For example, the border router 20, which has shifted to the list preparation state, samples a target-addressed DNS reply with the IP address that is not described in the black list (described later in detail) as the transmission source from the received packets in accordance with the rule for the above-described list preparation state, and transmits it to the controller 10 (S21). Furthermore, just after the border router 20 shifts from the initial state to the list preparation state (that is, in the state where the black list has not been set yet), a target-addressed DNS reply is sampled from the received packet and is transmitted to the controller 10.”) ([SUDO, para. 0037] “Then, after the target-addressed DNS reply, sampled by the border router 20, is received, the controller 10 adds the transmission-source IP address of the transmitted DNS reply to the black list of the border router 20 (S22). Then, the controller 10 monitors black-list addition (addition of a new IP address to the black list) state in the border router 20 that is in the list preparation state and, if the state is such that black-list addition is not performed for a predetermined time period, determines that the border router 20 shifts to the list blocking state. Then, the controller 10 sets the list-blocking rule for the border router 20 (S23).”) ([SUDO, para. 0038] “That is, if it is determined that the state is such that almost all the IP addresses of attacker (e.g., reflectors) are registered in the black list of the border router 20 that is in the list preparation state, the controller 10 determines that the border router 20 shifts to the list blocking state. Then, the list-blocking rule is set in the border router 20.”) ([SUDO, para. 0112] “For example, if concentration of DNS replies to a predetermined address (an attack on the target) is detected, the controller 100 gives the following command to each of the border routers 200. Specifically, upon reception of a target-addressed DNS reply with the IP address that is not described in the black list, included in the border router 200 of its own, as the transmission source, the controller 100 gives a command to each of the border routers 200 to add the IP address to the black list. Furthermore, upon reception of a target-addressed DNS reply and a UDP subsequent fragment with the IP address described in the black list as the transmission source, the controller 100 gives a command to each of the border routers 200 to block it.”).

Regarding claim 11, SUDO-PENG-TADA-EARL teach all limitations of claim 9. EARL further teaches “wherein, when an entry is found for the source address in the logger table, the alarm monitor determines calculates an impulse-filtered metering-rule-violation rate for the source address from information contained in the entry: when the calculated impulse-filtered metering-rule-violation rate exceeds a first threshold value …. notifies the deflection component that the source address is to be null routed, and updates the entry to indicate that the source address is null routed.” ([EARL, Abstract] “A system for managing application service requests. The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor. The requests are visible to the second processor before they are processed by the firewall.”) ([EARL, Col. 3 lines 32-36] “For example, a server may persistently capture network traffic, periodically count the total number of incoming packets and decide whether within a predefined time interval the total number of incoming packets exceeds a predefined amount.”) ([EARL, Col. 5 lines 60-67 – Col. 5 lines 1-10] “The monitor app 112 or the operating system may set a timer once an Internet protocol address is added to the blacklist and after a predefined time period the Internet protocol address may be removed from the blacklist if the attacker 118 associated with the Internet protocol address does not continue sending abusive network traffic to the server 102 after the Internet protocol address was added to the blacklist. The timer may be greater than or equal to the time interval used to determine whether the total number of incoming packets exceeds a predefined threshold earlier. For example, if the threshold for the total number of incoming packets is 10,000 packets within a time interval of 5 minutes, the timer here for the blacklist of the firewall may be greater than or equal to 5 minutes. After removing the Internet Protocol address from the blacklist, the firewall 104 may stop purging application service requests from the attacker 118 associated with the Internet protocol address that was just removed from the blacklist.”) ([EARL, Col. 4 lines 55-61] “Any Internet protocol address added to the blacklist will be blocked for a predefined period of time, for example 2 minutes, 5 minutes, 10 minutes, or some other period of time, and then removed from the blacklist after the predefined period of time if the Internet protocol address is no longer associated with a service request rate greater than the predefined rate limit.”).
The same motivation to modify SUDO-PENG-BABAKIAN with EARL as in the rejection of claim 4, applies. 
However, SUDO-PENG-EARL does not teach “and when the available network bandwidth has fallen below a second threshold value”.
TADA further teaches “and when the available network bandwidth has fallen below a second threshold value” ([TADA, Abstract] “Efficient virus detection and removal are realized by changing a mode of collecting logs in accordance with a network usage status. A configuration includes a processing monitoring unit that executes processing of monitoring a data communication network, and the processing monitoring unit includes a system load monitoring unit that monitors an available bandwidth of a network”) ([TADA, para. 0141] “Specifically, the ECU-1a (system load monitoring ECU) 102 monitors the communication status of the CAN network 120, and, in a case where the traffic (communication usage bandwidth) of the CAN network 120 is equal to or less than a predetermined threshold, the ECU-1b (virus monitoring & log collection ECU) 103 collects log information corresponding to all communication messages from the CAN network 120 and transmits the log information to the log analysis server 200.”).
The same motivation to modify SUDO-PENG with TADA as in the rejection of claim 7, applies. 

Regarding claim 12, SUDO-PENG-TADA-EARL teach all limitations of claim 9. TADA further teaches “wherein the bandwidth monitor periodically determines the current available remaining network bandwidth.” ([TADA, Abstract] “Efficient virus detection and removal are realized by changing a mode of collecting logs in accordance with a network usage status. A configuration includes a processing monitoring unit that executes processing of monitoring a data communication network, and the processing monitoring unit includes a system load monitoring unit that monitors an available bandwidth of a network”) ([TADA, Para. 0584] “a system load monitoring unit configured to monitor an available bandwidth of the data communication network”) ([TADA, Para. 0141] “Specifically, the ECU-1a (system load monitoring ECU) 102 monitors the communication status of the CAN network 120, and, in a case where the traffic (communication usage bandwidth) of the CAN network 120 is equal to or less than a predetermined threshold, the ECU-1b (virus monitoring & log collection ECU) 103 collects log information corresponding to all communication messages from the CAN network 120 and transmits the log information to the log analysis server 200.”).
The same motivation to modify SUDO-PENG with TADA as in the rejection of claim 7, applies. 

Claims 13, 14, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG-TADA-EARL in view of GUPTA (US-20130163417-A1), hereinafter SUDO-PENG-TADA-EARL-GUPTA.
Regarding claim 13, SUDO-PENG-TADA-EARL teach all limitations of claim 9. However, SUDO-PENG-TADA-EARL does not teach “wherein the monitor periodically reviews each entry in the logger table.”
In analogous teaching, GUPTA teaches “wherein the monitor periodically reviews each entry in the logger table.” ([GUPTA, para. 0049] “If the number of packets from a remote address within a BTI exceeds the BT, then that remote address can be marked as blacklisted at block 404. The remote address can be placed in the dynamic blacklist described above. A corresponding time can be noted when the remote address was blacklisted. After a remote address is marked as blacklisted, it can stay in the dynamic blacklist at least for the duration specified by BEP. The admission controller 120 can periodically check the dynamic blacklist at decision block 406 to determine if the remote address should be taken out of the list because it has been in this list at least for the duration specified by BEP. This period is determined by the BRP control parameter of blacklist policy 208. Once the time expires, the remote address can be taken out of the blacklist at block 408. The network packets from this address are allowed again as long as the rate is within the threshold limits.”).
Thus, given the teaching of GUPTA, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of reviewing the logger table by GUPTA into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO-PENG-TADA-EARL. One of ordinary skill in the art would have been motivated to do so because GUPTA recognizes the need to prevent system overload ([GUPTA, Abstract] “Generally described, the present disclosure relates to communications. More specifically, this disclosure relates to application level admission overload control. In one illustrative embodiment, intelligence can be embedded into a communication system so that it can detect and prevent network attacks without the need of costly network and firewall appliances. The communication system can control the in-flow of network packets to help prevent system overload situations through a packet oriented admission policy, connected oriented admission policy or both.”).

Regarding claim 14, SUDO-PENG-TADA-EARL-GUPTA teaches all limitations of claim 13. EARL further teaches “wherein, when a logger-table entry reviewed by the monitor corresponds to an active, non-null-routed source address for which a third threshold time has passed without incurring any metering-rule violations, the monitoring component removes the entry from the logger table.” ([EARL, Abstract] “The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor.”) ([EARL, Col. 3 lines 32-36] “For example, a server may persistently capture network traffic, periodically count the total number of incoming packets and decide whether within a predefined time interval the total number of incoming packets exceeds a predefined amount.”) ([EARL, Col. 6 lines 59-67 – Col. 7 lines 1-5] “The monitor app 112 may copy packet captures of application service requests to the RAM-based memory 114, read the application service requests from the RAM-based memory 114, and count the total number of the application service requests. For example, the monitor app 112 may fetch all network packet captures from a network sniffer/packet capturing tool 126, such as Wireshark, tcpdump, or another network sniffer/packet capturing tool, including packets that will be purged by the firewall 104. The monitor app 112 may then copy packet captures of application service requests to the RAM-based memory 114. The monitor app 112 may read from the RAM-based memory 114 the packet captures and count the total number of application service requests to the server 102.”) ([EARL, Col. 7 lines 22-29] “if the total number of the application service requests does not exceed the predefined Threshold A in the predefined time interval, the captured packets in the RAM-based memory 114 will be deleted, the counter for the total number of the application service requests and the timer for the time interval of the application service requests will also be cleared and started again, but no further analysis of the queries will be conducted.”).
The same motivation to modify SUDO-PENG with EARL as in the rejection of claim 4, applies. 

Regarding claim 16, SUDO-PENG-TADA-EARL-GUPTA teaches all limitations of claim 13. EARL further teaches “wherein, when a logger-table entry reviewed by the monitor corresponds to an inactive, null-routed source address for which fourth threshold time has passed, the monitor notifies the deflection component to terminate null routing of the source address; and updates the logger-table entry to indicate that the source address is active and non-null- routed.” ([EARL, Abstract] “The system processes requests using a first processor, stores a record of the requests in memory using a second processor, and counts the total number of requests received over a time interval using the second processor. If the total number of requests are less than a first threshold, the stored records are dropped. Otherwise, the stored records are analyzed to determine if requests from a single source Internet protocol address exceed a second threshold. If the number of requests from a single source Internet protocol address exceeds the second threshold, the subject Internet protocol address is blacklisted to a firewall through which the service requests pass before reaching the first processor.”) ([EARL, Col. 3 lines 32-36] “For example, a server may persistently capture network traffic, periodically count the total number of incoming packets and decide whether within a predefined time interval the total number of incoming packets exceeds a predefined amount.”) ([EARL, Col. 5 lines 60-67 – Col. 6 lines 1-10] “The monitor app 112 or the operating system may set a timer once an Internet protocol address is added to the blacklist and after a predefined time period the Internet protocol address may be removed from the blacklist if the attacker 118 associated with the Internet protocol address does not continue sending abusive network traffic to the server 102 after the Internet protocol address was added to the blacklist. The timer may be greater than or equal to the time interval used to determine whether the total number of incoming packets exceeds a predefined threshold earlier. For example, if the threshold for the total number of incoming packets is 10,000 packets within a time interval of 5 minutes, the timer here for the blacklist of the firewall may be greater than or equal to 5 minutes. After removing the Internet Protocol address from the blacklist, the firewall 104 may stop purging application service requests from the attacker 118 associated with the Internet protocol address that was just removed from the blacklist.”) ([EARL, Col. 4 lines 55-61] “Any Internet protocol address added to the blacklist will be blocked for a predefined period of time, for example 2 minutes, 5 minutes, 10 minutes, or some other period of time, and then removed from the blacklist after the predefined period of time if the Internet protocol address is no longer associated with a service request rate greater than the predefined rate limit.”).
The same motivation to modify SUDO-PENG with EARL as in the rejection of claim 4, applies. 

Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over SUDO-PENG-TADA-EARL-GUPTA, in view of ENGAN (US-20200195671-A1).
Regarding claim 15, SUDO-PENG-TADA-EARL-GUPTA teach all limitations of claim 14. However, SUDO-PENG-TADA-EARL-GUPTA does not teach “wherein the third threshold time has a length corresponding to a number of previous null-routings of the source address.”
In analogous teaching, ENGAN teaches “wherein the third threshold time has a length corresponding to a number of previous null-routings of the source address.” ([ENGAN, para. 0037] “At block 408, the network resource provider 106 may determine a number of times the source network address has been previously added to the greylist 124 of suspended network addresses. At decision block 410, the network resource provider may determine whether the number of times is more than a predetermined threshold number of times. At decision block 410, if the network resource provider 106 determines that the source network address has not been previously added for more than the predetermined threshold number of times, i.e., less than or equal to the threshold (“no” at decision block 410), the process 400 may proceed to block 412. At block 412, the network resource provider 106 may add the source network address to the greylist 124 of suspended network addresses for a random amount of time that is shorter than or equal to a predetermined time duration.”) ([ENGAN, para. 0038] “However, if the network resource provider 106 determines that the source network address has been previously added to the greylist 124 for more than the predetermined threshold number of times (“yes” at decision block 410), the process 400 may proceed to block 414. At block 414, the network resource provider 106 may add the source network address to the greylist 124 for an extended period of time that is longer than the predetermined time duration threshold.”).
Thus, given the teaching of ENGAN, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of threshold time length by ENGAN into the teaching of a subsystem to deflect denial-of-service attacks as taught by SUDO-PENG-TADA-EARL-GUPTA. One of ordinary skill in the art would have been motivated to do so because ENGAN recognizes the need to protect against unauthorized access ([ENGAN, para. 0002] “organizations are experiencing ever-increasing numbers of automated malicious attempts to gain unauthorized access to network resources.”) ([ENGAN, para. 0009] “This disclosure is directed to techniques for using adaptive malicious network traffic response to mitigate malicious login attempts.”).

Regarding claim 17, SUDO-PENG-TADA-EARL-GUPTA teach all limitations of claim 16. Furthermore, this claim recites features similar to those of claim 15. Therefore, claim 17 is rejected in a similar manner as in the rejection of claim 15.
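The logger table, alarm monitor, bandwidth check and periodic review recited in claims 9 through 17 above, modelled end to end as an added example (constructed for this write-up; it is not code from the application or from SUDO, PENG, TADA, EARL, GUPTA or ENGAN). The threshold values, the exponential-decay form chosen for the “impulse-filtered” violation rate, and the linear scaling of the third and fourth threshold times with the number of previous null-routings are assumptions.

```python
"""Model of the claimed logging/deflection subsystem (constructed example).

Claim 10: unknown source -> new logger-table entry.
Claim 11: known source -> impulse-filtered violation rate; if it exceeds the
          first threshold while available bandwidth is below the second
          threshold, ask the deflection component to null-route the source.
Claim 14: periodic review drops active entries idle for the third threshold time.
Claim 16: periodic review lifts null routes older than the fourth threshold time.
Claims 15/17: both threshold times grow with previous null-routings (assumed linear).
"""
from dataclasses import dataclass
import math

# Threshold values are constructed for the example, not taken from the application.
FIRST_THRESHOLD_RATE = 3.0     # filtered violations before null routing is requested
SECOND_THRESHOLD_BW = 0.25     # fraction of link bandwidth still available
THIRD_THRESHOLD_TIME = 300.0   # idle seconds before an active entry is removed
FOURTH_THRESHOLD_TIME = 120.0  # seconds a null route stays in place
FILTER_TAU = 60.0              # decay constant of the assumed impulse filter (seconds)


@dataclass
class LoggerEntry:
    source: str
    last_violation: float
    filtered_rate: float = 1.0          # one violation has just been recorded
    null_routed: bool = False
    null_routed_at: float = 0.0
    previous_null_routings: int = 0


class DeflectionComponent:
    """Stand-in for the component that installs and removes null routes."""
    def __init__(self) -> None:
        self.null_routed: set[str] = set()

    def null_route(self, source: str) -> None:
        self.null_routed.add(source)

    def terminate_null_route(self, source: str) -> None:
        self.null_routed.discard(source)


class LoggingComponent:
    def __init__(self, deflection: DeflectionComponent) -> None:
        self.deflection = deflection
        self.table: dict[str, LoggerEntry] = {}
        self.available_bandwidth = 1.0  # fraction, refreshed by the bandwidth monitor

    def update_bandwidth(self, available_fraction: float) -> None:
        """Bandwidth monitor (claim 12): periodic report of remaining bandwidth."""
        self.available_bandwidth = available_fraction

    @staticmethod
    def _scaled(base: float, entry: LoggerEntry) -> float:
        # Claims 15/17: repeat offenders are remembered and blocked longer.
        return base * (1 + entry.previous_null_routings)

    def on_alert(self, source: str, now: float) -> str:
        """Alarm monitor: handle one metering-rule-violation alert (claims 9-11)."""
        entry = self.table.get(source)
        if entry is None:
            self.table[source] = LoggerEntry(source, last_violation=now)
            return "logged"
        # Impulse filter: decay the stored rate over the idle gap, then add this impulse.
        gap = now - entry.last_violation
        entry.filtered_rate = entry.filtered_rate * math.exp(-gap / FILTER_TAU) + 1.0
        entry.last_violation = now
        if entry.null_routed:
            return "already-null-routed"
        if (entry.filtered_rate > FIRST_THRESHOLD_RATE
                and self.available_bandwidth < SECOND_THRESHOLD_BW):
            self.deflection.null_route(source)
            entry.null_routed = True
            entry.null_routed_at = now
            return "null-routed"
        return "updated"

    def review(self, now: float) -> list[tuple[str, str]]:
        """Monitor: periodic sweep over every logger-table entry (claims 13, 14, 16)."""
        actions: list[tuple[str, str]] = []
        for source, entry in list(self.table.items()):
            if not entry.null_routed:
                if now - entry.last_violation > self._scaled(THIRD_THRESHOLD_TIME, entry):
                    del self.table[source]                      # claim 14
                    actions.append((source, "removed"))
            elif now - entry.null_routed_at > self._scaled(FOURTH_THRESHOLD_TIME, entry):
                self.deflection.terminate_null_route(source)    # claim 16
                entry.null_routed = False
                entry.previous_null_routings += 1
                entry.last_violation = now                      # idle timer restarts
                actions.append((source, "un-null-routed"))
        return actions
```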

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
ACKERMAN (US-20170310703-A1): This prior art teaches detecting triggering events for distributed denial of service attacks. An endpoint in an enterprise network is monitored, and when a potential trigger for a distributed denial of service (DDoS) attack is followed by an increase in network traffic from the endpoint to a high reputation network address, the endpoint is treated as a DDoS service bot and isolated from the network until remediation can be performed.
PAPPU (US-20120216282-A1): This prior art teaches methods and systems for detecting and mitigating high-rate Distributed Denial of Service (DDoS) attacks. The reference contemplates a variety of improved techniques for using a flow-based statistical collection mechanism to monitor and detect deviations in server usage data. The method further includes combining multiple anomaly algorithms in a unique way to improve the accuracy of identifying a high-rate DDoS attack. The DDoS solution includes a two-phase approach of detection and mitigation, both of which operate on a local and a global basis. Moreover, the anomaly algorithms can be modified or extrapolated to obtain the traffic deviation parameters and therefore the attack probabilities.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AFAQ ALI whose telephone number is (571)272-1571. The examiner can normally be reached Mon - Fri 7:30am - 5:30pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/AFAQ ALI/Examiner, Art Unit 2434
/KAMBIZ ZAND/Supervisory Patent Examiner, Art Unit 2434