DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-20 are pending.  Claims 1, 19 and 20 are independent.

3.	The three IDS’es submitted on 3/15/2021, 8/25/2022 and 10/13/2022 have been considered.

Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
5.	A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 


6.	The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

7.	Claims 1, 19 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No.10,951,648. Although the claims at issue are not identical, they are not patentably distinct from each other.


Claim Rejections - 35 USC § 112
8.	The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

9.	Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. 
Claims 1, 19 and 20 partially recites “receive telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to the traffic between a plurality of end user devices and the cloud-hosted application, wherein the telemetries are out-of-path information with respect to traffic to and from the cloud-hosted application” (emphasis added).  It is not clear how telemetries that are related to the traffic to and from the cloud-hosted application are also out-of-path information with respect to traffic to and from the cloud-hosted application at the same time.  Accordingly, claim 1, and its dependent claims 2-18, claims 19 and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.

Claim Rejections - 35 USC § 103
10.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

11.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

12.	Claims 1-10 and 12-22 are rejected under 35 U.S.C. 103 as being unpatentable over Holloway (US PG Pub. 2014/0109225) in view of Doron (US PG Pub. 2014/0283051).
As regarding claim 1, Holloway discloses A defense platform for protecting against excessive utilization of at least one cloud service for operation of a cloud-hosted application, wherein the defense platform is deployed out-of-path of traffic between a plurality of end user devices and the cloud- hosted application, comprising: 
at least one detector [para. 35; the proxy server(s) 120 and/or the control server(s) 125 identify DoS attacks]; 
a mitigator [para. 35 and 50; the DoS identification and mitigation module 180 and/or 126 causes one or more mitigation actions to be performed]; and 
a controller communicatively connected to the detector and the mitigator [para. 138-139; components of the system are connected through a controller]; 
wherein the at least one detector is configured to: 
receive telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to the traffic between a plurality of end user devices and an edge network configured at least to distribute traffic for the cloud-hosted application [FIG. 1 and para. 24-27, and 64; receiving, by the proxy servers 120 acting as a node in a content delivery or edge network CDN, incoming traffic 154 from client devices 110]; 
Holloway does not explicitly disclose that the telemetries are out-of-path information with respect to traffic to and from the cloud-hosted application; however, Doron discloses it [FIG. 1 and para. 27 and 33; the central controller monitors traffic between client 140 and VMs hosted in the physical machines 130].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Holloway’s controller to further perform the missing claim limitation, as disclosed by Doron, to further provide an efficient solution by using a dedicated computing device for detecting DoS attacks.
Holloway further discloses at least a portion of the telemetries collected are related to operation of a portion of at least one cloud computing platform hosting the cloud-hosted application [FIG. 1 and para. 24-27, and 64; the incoming traffic 154 including data of the cloud computing platform];
detect, based on the collected telemetries and at least one learned normal utilization behavior of each cloud service for the cloud-hosted application, excessive utilization of at least one of the at least one cloud service by the cloud-hosted application [para. 36-37 and 72-73; detecting DoS attacks when the amount of traffic that is destined to a particular destination is higher than the amount of traffic normally encountered]; and 
wherein the controller, upon detection of the excessive utilization of the at least one cloud service by the cloud-hosted application, is configured to cause mitigation, by the mitigator, of the excessive utilization of each cloud service [para. 73, 75, and 82; causing mitigation modules 180 and/or 126 to perform mitigation actions].  

As regarding claim 2, Holloway further discloses The defense platform of claim 1, wherein the cloud-hosted application is hosted in a plurality of cloud computing platforms of which the at least one cloud computing platform is one [para. 31, 34, and 53; origin servers 130 host content of their domain in the cloud].

As regarding claim 3, Holloway further discloses The defense platform of claim 2, wherein the plurality of sources includes at least one source configured to collect telemetries from within one of the plurality of cloud computing platforms [para. 26; client devices 110 and origin servers 130].  

As regarding claim 4, Holloway further discloses The defense platform of claim 2, wherein the plurality of sources includes at least one source located within one of the plurality of cloud computing platforms and configured to collect telemetries therefrom [para. 26; client devices 110 and origin servers 130].  


As regarding claim 5, Doron further discloses The defense platform of claim 1, wherein the cloud-hosted application is at least partially hosted in an on-premises datacenter, wherein at least one of the at least one cloud service is hosted in the on-premises datacenter [para. 3 and 21-22; the protected application VMs can be hosted in a datacenter in various network infrastructures including private and public networks].  

As regarding claim 6, Holloway further discloses The defense platform of claim 1, wherein traffic to and from the cloud-hosted application is delivered at least partially via at least one edge network [para. 24; source, acting as a node in a CDN, provides performance service], wherein the plurality of sources includes at least one source deployed in the at least one cloud computing platform [para. 31, 34, and 53; origin servers host content of their domain in the cloud] and at least one source deployed in the at least one edge network [para. 24; source, acting as a node in a CDN, provides performance service].  

As regarding claim 7, Holloway further discloses The defense platform of claim 6, wherein the at least one cloud service includes at least one cloud service provided via the at least one cloud computing platform and at least one cloud service provided via the at least one edge network [para. 24; different cloud services one of which is performance service provided via CDN], wherein each detectorPage 34 of 43RADW P1030 is configured for multiple concurrent detection of excessive utilization of any of the at least one cloud service [para. 37; detecting one or more parameters that exceed a threshold].  

As regarding claim 8, Holloway further discloses The defense platform of claim 7, wherein the detected excessive utilization includes excessive utilization of the at least one cloud service provided via the at least one cloud computing platform [para. 36-37 and 72-73; detecting DoS attacks when the amount of traffic that is destined to a particular destination is higher than the amount of traffic normally encountered] and of the at least one cloud service provided via the at least one edge network [para. 24; source, acting as a node in a CDN, provides performance service].  

As regarding claim 9, Holloway discloses The platform of claim 1, wherein the controller is further configured to: 
divert traffic related to the excessive utilization of each cloud service by the cloud-hosted application from the plurality of end user devices to the defense platform [para. 50, 73, and 87]; 
Holloway does not explicitly disclose that the controller is further configured to:
cause the mitigator to perform at least one mitigation action including removing illegitimate traffic from the diverted traffic; and 
cause injection of clean traffic for delivery to the cloud-hosted application, thereby reducing excessive utilization of the at least one cloud service by the cloud-hosted application.  	
Doron discloses a controller configure to:
cause the mitigator to perform at least one mitigation action including removing illegitimate traffic from the diverted traffic [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic]; and 
cause injection of clean traffic for delivery to the cloud-hosted application, thereby reducing excessive utilization of the at least one cloud service by the cloud-hosted application [para. 27, 35, 44, 49 and 52; diverting suspicious traffic to a scrubbing center, e.g. system 120, for cleaning the traffic].  
	It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Holloway’s controller to further perform the missing claim actions, as disclosed by Doron, to further enhance the protection service.

As regarding claim 10, Holloway further discloses The defense platform of claim 1, wherein the excessive utilization is caused by a distributed denial-of-service (DDoS) attack [para. 3, 33, and 128], wherein the detection of the excessive utilization includes detecting the DDoS attack [para. 33-35 and 128].  

As regarding claim 11, Holloway further discloses The defense platform of claim 1, wherein the excessive utilization increases costs associated with using the cloud services for operation of the cloud-hosted application [para. 3, 33, and 103].  

As regarding claim 12, Doron further discloses The defense platform of claim 1, further comprising: an application delivery controller (ADC), wherein the ADC is configured to inject the clean traffic for delivery to the cloud-hosted application [para. 27, 35, 44, 49 and 52; sending the cleaning the traffic back to the protected object].  

As regarding claim 13, Holloway further discloses The define platform of claim 1, wherein traffic to and from the cloud-hosted application is delivered at least partially via an edge network [para. 24; source, acting as a node in a CDN, provides performance service].  

As regarding claim 14, Holloway further discloses The defense platform of claim 13, wherein a content delivery network (CDN) is deployed in the edge network [para. 24; source, acting as a node in a CDN, provides performance service].  

As regarding claim 15, Holloway further discloses The defense platform of claim 1, wherein the defense platform is a stand-alone cloud computing platform that does not host the cloud-hosted application [para. 26; the proxy server does not provide requested resource but the original intended server].  

As regarding claim 16, Holloway further discloses The defense platform of claim 1, wherein the received telemetries include traffic parameters related to at least one of: layer-7, and layer-3 to layer-4 [para. 34; traffic including features of the attacks that attack layer 7].  

As regarding claim 17, Holloway further discloses The defense platform of claim 16, wherein the at least one detector is configured to detect excessive utilization caused by a distributed denial-of-service (DDoS) attack, wherein the DDoS attack is any one of: a layer-7 flood DDoS attack, a layer-7 slow DDoS attack, and a layer-3 to layer-4 flood DDoS attack [para. 34; traffic including features of the attacks that attack layer 7].  

As regarding claim 18, Holloway further discloses The defense platform of claim 1, wherein the at least one cloud service includes any one of: a load balancing service, a content delivery network (CDN) service [para. 24; source, acting as a node in a CDN, provides performance service], a firewall service, a web application firewall (WAF) service, a DNS service, an application programming interface, a gateway service, a streaming service, a security service, a storage service, a developer tools, a machine learning service, and a serverless service.  

As regarding claim 19, Holloway discloses A method for protecting against excessive utilization of at least one cloud service used for providing a cloud-hosted application, comprising:
receiving, at a defense platform deployed out-of-path of traffic between a plurality of end user devices and the cloud-hosted application, telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to at least one of the at least one cloud service [FIG. 1 and para. 24-27, and 64; receiving, by the proxy servers 120 acting as a node in a content delivery or edge network CDN, incoming traffic 154 from client devices 110]; 
Holloway does not explicitly disclose that the telemetries are out-of-path information with respect to traffic to and from the cloud-hosted application; however, Doron discloses it [FIG. 1 and para. 27 and 33; the central controller monitors traffic between client 140 and VMs hosted in the physical machines 130].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Holloway’s controller to further perform the missing claim limitation, as disclosed by Doron, to further provide an efficient solution by using a dedicated computing device for detecting DoS attacks.
Holloway further discloses at least a portion of the telemetries collected are related to operation of a portion of at least one cloud computing platform hosting the cloud-hosted application [FIG. 1 and para. 24-27, and 64; the incoming traffic 154 including data of the cloud computing platform];
detecting, based on the collected telemetries and a learned normal utilization behavior for the cloud-hosted application, excessive utilization of at least one of the at least one cloud service by the cloud-hosted application [para. 36-37 and 72-73; detecting DoS attacks when the amount of traffic that is destined to a particular destination is higher than the amount of traffic normally encountered]; and 
causing mitigation, at the defense platform, of the excessive utilization of each cloud service upon detection of the excessive utilization of the at least one cloud service by the cloud-hosted application [para. 73, 75, and 82; causing mitigation modules 180 and/or 126 to perform mitigation actions].  

As regarding claim 20, Holloway discloses A system for protecting against excessive utilization of at least one cloud service used for providing a cloud-hosted application, comprising: 
a processing circuitry [para. 138-139; processors]; and 
a memory, the memory containing instructions that, when executed by the processing circuitry [para. 138-139; memory including instructions executed by the processors], configure the system to: 
receive, at a defense platform deployed out-of-path of traffic between a plurality of end user devices and the cloud-hosted application, telemetries from a plurality of sources, wherein each source is configured to collect telemetries related to at least one of the at least one cloud service [FIG. 1 and para. 24-27, and 64; receiving, by the proxy servers 120 acting as a node in a content delivery or edge network CDN, incoming traffic 154 from client devices 110]; 
Holloway does not explicitly disclose that the telemetries are out-of-path information with respect to traffic to and from the cloud-hosted application; however, Doron discloses it [FIG. 1 and para. 27 and 33; the central controller monitors traffic between client 140 and VMs hosted in the physical machines 130].
It would have been obvious to one of ordinary skill in the art at the time the effective filing of the invention to modify Holloway’s controller to further perform the missing claim limitation, as disclosed by Doron, to further provide an efficient solution by using a dedicated computing device for detecting DoS attacks.
Holloway further discloses at least a portion of the telemetries collected are related to operation of a portion of at least one cloud computing platform hosting the cloud-hosted application [FIG. 1 and para. 24-27, and 64; the incoming traffic 154 including data of the cloud computing platform];
detect, based on the collected telemetries and a learned normal utilization behavior for the cloud-hosted application, excessive utilization of at least one of the at least one cloud service by the cloud-hosted application [para. 36-37 and 72-73; detecting DoS attacks when the amount of traffic that is destined to a particular destination is higher than the amount of traffic normally encountered]; and 
cause mitigation, at the defense platform, of the excessive utilization of each cloud service upon detection of the excessive utilization of the at least one cloud service by the cloud-hosted application [para. 73, 75, and 82; causing mitigation modules 180 and/or 126 to perform mitigation actions].  


















CONCLUSION
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THONG P TRUONG whose telephone number is (571)270-7905.  The examiner can normally be reached on M-F 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THONG P TRUONG/
Examiner, Art Unit 2433   

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433