DETAILED ACTION
This office action is in response to the application filed on 5/31/2022.  Claim(s) 1-21 is/are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement PTO-1449
The Information Disclosure Statement(s) submitted by applicant on 5/31/2022 and 7/25/2022 has/have been considered. The submission is in compliance with the provisions of 37 CFR § 1.97. Form PTO-1449 signed and attached hereto. 
Priority/Benefit
Applicant’s benefit claim is hereby acknowledged as a continuation of application 16/453,035 filed 06/26/2019, now US Patent 11,363,044, which papers have been placed of record in the file.

Specification
The disclosure is objected to because of the following informalities: 
a.	The abstract of the disclosure is objected to because it is longer than 150 words.  Correction is required.  See MPEP § 608.01(b).	
Examiner’s Note – Allowable Subject Matter
Claims 4-5 overcome the prior art and would otherwise be allowable if incorporated into the independent claim along with any intervening claims, as well as made to overcome the non-statutory double patenting rejection of record. 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112 (b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim(s) 19-21  is/are rejected under 35 U.S.C. 112 (b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

Regarding claim(s) 19-21, the phrase “the method” makes the claims indefinite and unclear in that it lacks antecedent basis.
For purposes of art examination, the claim(s) was/were construed to refer to “the system”.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).  
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).  
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to:  
http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claim(s) 1-21 is/are rejected on the grounds of nonstatutory double patenting as being unpatentable over claims 1-5, 9, 10, 13-17, 19-20, 22-24, and 30 of US Patent 11,363,044. Although the claims at issue are not identical in form, they are not patentably distinct from each other. Specifically, the patented claims anticipate the instant claims. The concordance is as follows. Claims 1-3 are anticipated by patented claims 1-3, respectively. Claims 4-5 are anticipated by patented claims 19-20, respectively. Claim 6 is anticipated by patented claim 1. Claims 7-8 are anticipated by patented claims 4-5, respectively. Claim 8 is anticipated by patented claim 5. Claim 10 is anticipated by patented claim 14. Claim 11 is anticipated by patented claim 16. Claim 12 is anticipated by patented claim 9. Claim 13 is anticipated by patented claims 9 and 10. Claim 14 is anticipated by patented claims 9 and 13. Claim 15 is anticipated by patented claims 9 and 14. Claim 16 is anticipated by patented claims 9 and 15. Claim 17 is anticipated by patented claim 17. Claim 18 is anticipated by patented claim 22. Claim 19 is anticipated by patented claim 23. Claim 20 is anticipated by patented claim 24. Claim 21 is anticipated by patented claim 30.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, and 6-15, and 17-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla (US 2008/0086434 A1), in view of Anderson et al. (US 2019/0245866 A1) in view of Gerlach et al. (US 9,781,157 B1). 
Regarding claims 1, 17, and 18, Chesla teaches:
“A method for detecting and mitigating denial-of-service (DoS) attacks that are using an encrypted communication protocol (Chesla, ¶ 505 discloses an implementation of a detection device implemented using a non-transitory computer readable medium which is executed on a computer which necessarily has a processor and a memory. Chesla, ¶ 63-66 discloses an HTTP flood DDoS attack), comprising: estimating traffic telemetries of packets of at least ingress traffic passing over an insecure network that is directed to a protected entity, the packets of the at least ingress traffic being intended for the protected entity (Chesla, Fig. 1, ¶ 68-76 teaches measuring the inbound and outbound traffic characteristics to a protected web server 108. Chesla, ¶ 13 discloses that the network includes the Internet which is an insecure network); providing at least one rate-based feature and at least one rate-invariant feature based on the estimated traffic telemetries (Chesla, ¶ 71-76 gives examples of rate based features such as HTTP requests per second, and rate invariant features such as the HTTP request URL size distribution), wherein the rate-based feature and the rate-invariant feature demonstrate a normal behavior of the traffic (Chesla, ¶ 80-85 the aforementioned features are observed for an appropriate period of time to establish typical operating conditions when not under attack); and executing a mitigation action when a potential flood DoS attack is detected (Chesla, ¶ 99-102 discloses performing a mitigation action against the potential attack) by an evaluation of the at least one rate-based feature and the at least one rate-invariant feature to determine whether the behavior of the ingress traffic intended for the protected entity indicates a potential flood DoS attack (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring), wherein the evaluation of the at least one rate-based feature is with respect to at least a first baseline and the evaluation of the at least one rate-invariant feature is with respect to at least a second baseline (Chesla, ¶ 22-24, ¶ 26-28, ¶ 144-147, and ¶ 205 discuss establishing short term and long term baselines for real time and adaptive machine learning anomaly detection of traffic)”.
	Chesla teaches the ability to detect a flood denial of service attack using a variety of unencrypted HTTP information and higher layer information.
Chesla does not, but in related art, Anderson, ¶ 44-46, ¶ 78-82, and ¶ 93-95 teaches a method to infer secured HTTP telemetry without decrypting the TLS packets. Anderson, ¶ 3, and ¶ 44-46 teaches that this information can be leveraged to defend against denial of service attacks.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla and Anderson, to modify the HTTP flood DDOS detection and mitigation system of Chesla to include the method to infer HTTP information in HTTPS connections secured with TLS to detect malicious activity as taught in Anderson. The motivation to do so, as stated by Anderson, ¶ 82, would be to thwart attackers who attempt to obfuscate their malicious behavior by encrypting their attacks, thus making the network behavior of their attacks undetectable.
	Chesla in view of Anderson does not, but in related art, Gerlach teaches:
	“by analyzing transmission control protocol (TCP) headers of the packets (Gerlach, Col. 6 Ln. 30 – Col. 7 Ln. 14 specifically teaches using TCP header rate based information, i.e., the rate of certain TCP flags passing through to a protected entity, and time invariant features, i.e., the combination of TCP flags observed, to determine that a distributed denial of service attack is occurring and to perform a mitigating action)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Gerlach, and Anderson, to modify the HTTPS flood DDOS detection and mitigation system of Chesla in view of Anderson to include the method to analyze TCP header information to detect malicious activity as taught in Gerlach.  The motivation to do so constitutes applying a known technique to known devices and/or methods ready for improvement to yield predictable results. 
	
Regarding claims 2 and 19, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein estimating traffic telemetries further comprises: estimating traffic telemetries of packets of egress traffic passing over the insecure network that are from the protected entity (Chesla, ¶ 68-76 teaches measuring the inbound and outbound traffic characteristics to a protected web server 108) by analyzing TCP headers of the packets of the egress traffic (Gerlach, Col. 6 Ln. 30 – Col. 7 Ln. 14 specifically teaches using TCP header rate based information, i.e., the rate of certain TCP flags passing through to a protected entity, and time invariant features, i.e., the combination of TCP flags observed, to determine that a distributed denial of service attack is occurring and to perform a mitigating action), the packets of the egress traffic using the encrypted version of the non-encrypted communication protocol (Anderson, ¶ 44-46, ¶ 78-82, and ¶ 93-95 teaches a method to infer secured HTTP telemetry without decrypting the TLS packets)”.

Regarding claims 3 and 20, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 2 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the evaluation of the at least one rate-based feature and the at least one rate-invariant feature is performed without decrypting any of the ingress traffic and the egress traffic (Anderson, ¶ 78-80 and ¶ 93-96 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data. Chesla, ¶ 71-76 gives examples of rate based features such as HTTP requests per second, and rate invariant features such as the HTTP request URL size distribution which can be accomplished using the telemetry measuring technique provided in Anderson)”.

Regarding claim 6, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the non-encrypted protocol is hypertext transfer protocol (HTTP), and the encrypted version of the non-encrypted communication protocol is hypertext transfer protocol secure (HTTPS) (Anderson, ¶ 78-80 and ¶ 93-96 teach inferring HTTP header information within TLS, i.e., HTTPS, encrypted tunnels without decrypting the data)”.

Regarding claim 7, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), further comprising: 	computing the at least first baseline for the at least one rate-based feature and the at least second baseline for the at least one rate-invariant feature (Chesla, ¶ 9 and ¶ 15 teaches creating a baseline for the rate based and rate invariant features using the collected information)”.

Regarding claim 8, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 7 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the at least first baseline includes: 	a short-term baseline and a long-term baseline, wherein the short-term baseline characterizes short-term changes in the ingress traffic and the long-term baseline characterizes changes in the ingress traffic over a long-term than the short-term (Chesla, ¶ 22-24, ¶ 26-28, ¶ 144-147, and ¶ 205 discuss establishing short term and long term baselines for real time and adaptive machine learning anomaly detection of inbound and outbound traffic)”.

Regarding claim 9, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 7 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the at least second baseline includes: a short-term baseline and a long-term baseline, wherein the short-term baseline characterizes short-term changes in the ingress traffic and the long-term baseline characterizes changes in the ingress traffic over a long-term than the short-term (Chesla, ¶ 22-24, ¶ 26-28, ¶ 144-147, and ¶ 205 discuss establishing short term and long term baselines for real time and adaptive machine learning anomaly detection of inbound and outbound traffic)”.

Regarding claim 10, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the behavior of the at least ingress traffic using an encrypted version of a non-encrypted communication protocol indicates a potential flood DoS attack when anomalies are detected on at least one rate-based feature and on at least one rate invariant feature (Chesla, ¶ 133-137 discusses measuring the ratio of HTTP requests and responses. Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data which correspondingly would allow the rate as measured by Chesla to be determined)”.

Regarding claim 11, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the method is performed by a defense system including at least a detector for detecting the potential flood DoS attack and a mitigation resource for executing the mitigating action (Chesla, ¶ 99-102 discloses performing a mitigation action against the potential attack)”.

Regarding claims 12 and 21, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 1 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the evaluation of the at least one rate-based feature and the at least one rate-invariant feature with respect to at least one baseline further comprises: comparing real-time samples of the at least one rate-based feature to the at least first baseline and comparing the at least one rate-invariant feature to the at least second baseline (Chesla, ¶ 88-96 and ¶ 306 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring); and detecting a potential flood DoS attack using the encrypted communication protocol is detected when at least one of: the at least one rate-based feature and at least one rate-invariant feature deviates from their respective at least one baseline, wherein the deviation from the at least one respective baseline is by a threshold (Chesla, ¶ 7 and ¶ 88-96 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring when values exceed a given threshold. Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data which correspondingly would allow the rate as measured by Chesla to be determined)”.

Regarding claim 13, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 12 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein the threshold is dynamically updated based on real-time estimation of the traffic telemetries (Chesla, ¶ 365-366 teaches dynamic threshold in the real-time detection system)”.

Regarding claim 14, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 12 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), further comprising: 	detecting rate-invariant anomaly based on at least abnormal distribution of size of HTTPS requests and responses (Chesla, ¶ 7 and ¶ 88-96 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring when values exceed a given threshold)”.

Regarding claim 15, Chesla in view of Anderson in view of Gerlach teaches:
“The method of claim 12 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), further comprising: detecting rate-based anomaly based on at least a total number of ingress requests per second using the encrypted version of the non-encrypted communication protocol and a total volume of bytes of ingress requests per second (Chesla, ¶ 7 and ¶ 88-96 disclose using HTTP rate and HTTP size information to determine that a potential HTTP flood DDoS attack is occurring when values exceed a given threshold) using the encrypted version of the non-encrypted communication protocol and egress responses total volume of bytes per second using the encrypted version of the underlying communication protocol (Chesla, ¶ 133-137 discusses measuring the ratio of HTTP requests and responses. Anderson, ¶ 78-80 and ¶ 93-93 teach inferring HTTP header information within TLS encrypted tunnels without decrypting the data which correspondingly would allow the rate as measured by Chesla to be determined)”.
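
The following is an added illustration, not taken from the application or from the cited references, of the kind of evaluation recited in claims 8-10 and 12-15: a rate-based feature (requests per second) and a rate-invariant feature (request-size distribution) are each compared against short-term and long-term baselines. The per-request sizes are assumed to have been estimated upstream from TCP headers without decryption; the EWMA baselines, bucket edges and thresholds are assumptions.

```python
# Added illustration; not code from the application or from Chesla, Anderson or Gerlach.
from dataclasses import dataclass, field

SIZE_EDGES = (200, 600, 1500)  # assumed request-size bucket edges, in bytes


def size_histogram(sizes):
    """Share of requests per size bucket; unchanged when only the volume scales."""
    counts = [0] * (len(SIZE_EDGES) + 1)
    for s in sizes:
        counts[sum(s > edge for edge in SIZE_EDGES)] += 1
    total = sum(counts) or 1
    return [c / total for c in counts]


def ewma(prev, new, alpha):
    """Element-wise exponentially weighted moving average; first sample seeds it."""
    if prev is None:
        return list(new)
    return [alpha * n + (1 - alpha) * p for p, n in zip(prev, new)]


@dataclass
class FloodDetector:
    short_alpha: float = 0.3     # short-term baseline: follows recent changes
    long_alpha: float = 0.02     # long-term baseline: follows slow drift
    rate_factor: float = 3.0     # assumed threshold on requests/second
    dist_threshold: float = 0.4  # assumed threshold on L1 histogram distance
    warmup: int = 10             # intervals learned before any verdict
    seen: int = 0
    base: dict = field(default_factory=lambda: {"short": None, "long": None})

    def observe(self, sizes, seconds=1.0):
        """Evaluate one interval of estimated request sizes (bytes)."""
        sample = [len(sizes) / seconds] + size_histogram(sizes)
        rate_anom = dist_anom = False
        if self.seen >= self.warmup:
            short, long_ = self.base["short"], self.base["long"]
            rate_anom = sample[0] > self.rate_factor * max(short[0], long_[0])
            dist = sum(abs(a - b) for a, b in zip(sample[1:], long_[1:]))
            dist_anom = dist > self.dist_threshold
        attack = rate_anom and dist_anom
        if not attack:  # do not let suspected attack traffic shape the baselines
            self.base["short"] = ewma(self.base["short"], sample, self.short_alpha)
            self.base["long"] = ewma(self.base["long"], sample, self.long_alpha)
            self.seen += 1
        return {"rate_anomaly": rate_anom, "dist_anomaly": dist_anom, "attack": attack}


def demo():
    """Constructed traffic: normal load, a flash crowd, then a uniform-size flood."""
    normal_mix = [150, 400, 400, 900, 1600]
    det = FloodDetector()
    for _ in range(20):
        det.observe(normal_mix * 20)        # 100 requests/second
    flash = det.observe(normal_mix * 100)   # 500 requests/second, same size mix
    flood = det.observe([300] * 1000)       # 1000 requests/second, one size
    return flash, flood


if __name__ == "__main__":
    print(demo())
```

In the constructed run, the flash crowd trips only the rate-based check, while the uniform-size flood trips both checks and is the only interval flagged.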

Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chesla in view of Anderson in view of Gerlach in view of Holloway et al. (US 2019/0158533 A1).
Regarding claim 16, Chesla in view of Anderson in view of Gerlach teaches:
	“The method of claim 12 (Chesla in view of Anderson in view of Gerlach teaches the limitations of the parent claims as discussed above), wherein executing the mitigation action further comprises: 	generating a suspect list including a list of source internet protocol (IP) addresses of client devices triggered the detected anomalies (Chesla, ¶ 92-93 teaches looking at the IP addresses for the requests)”.
	Chesla in view of Anderson in view of Gerlach does not, but in related art, Holloway teaches:
	“challenging each of the client devices in the suspect list (Holloway, ¶ 50 and ¶ 67-68 teaches cloud based proxy system which challenges visitors during a denial of service attack); and causing execution of the mitigation action on traffic originated from any device client that fails the challenge (Holloway, ¶ 67-68 and ¶ 71 teaches cloud based proxy system which blocks requests from clients with failed challenges)”.
	At the time of the applicants’ earliest effective filing it would have been obvious to one of ordinary skill in the art, having the teachings of Chesla, Anderson, in view of Gerlach and Holloway, to modify the HTTP flood DDOS detection and mitigation system of Chesla and Anderson in view of Gerlach to include the method to distinguish between a flash crowd activity and a cloud based proxy system which blocks requests from clients with failed challenges as taught in Holloway. The motivation to do so constitutes applying a known technique (i.e., HTTP flood DDOS detection and mitigation system) to known devices and/or methods (i.e., cloud based proxy system which blocks requests from clients with failed challenges) ready for improvement to yield predictable results.
Conclusion
	In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure: See PTO-892.
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN GUNDRY whose telephone number is (571)270-0507 and can normally be reached on Monday - Friday 8:30 AM - 5PM EST.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on (571) 272-3685.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.
/STEPHEN T GUNDRY/Examiner, Art Unit 2435