DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 01/17/2022 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Objections
Claims are objected to because of the following informalities:  
Claim 5, line 6, “the number of the number of” should read “the number of”.
Claim 18 should be rewritten as:
A forwarding device in a LAN storing program instructions to perform the method of claim 8, comprising: 
a processor; and
a memory;
Appropriate corrections are required.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 6-7, 11-13 and 16-17 are rejected under 35 U.S.C. 102(a)(1)(a)(2) as being anticipated by US PG-PUB No. US 2009/0044276 A1 to Abdel-Aziz et al. (hereinafter “Abdel”)
Regarding claim 1:
Abdel discloses:
A method for suppressing virus propagation in a local area network (LAN) (¶02: “… a method and apparatus for detecting propagation of malware … via a shared access point of a communication network … wireless local area networks (LANs) …”), being appliable to a forwarding device (¶152: “… may be implemented within an access switch 14 (FIG. 1) of a wireless LAN 10 (FIG. 1) or another type of communication network.”), comprising: 
in response to receiving a first service packet (¶44: “… PDU's arriving on port 312.”) initiated by a target terminal (¶40: “… a network element (NE) 310 …”), determining whether a destination port (¶119: “… destination port number …”, ¶44: “… the MD system 301 monitors the PDU's arriving on port 312.”) carried in the first service packet indicates one of the preset risky ports (¶44: “… port 312 …”, ¶59: “… AIC unit 324 identifies in rules set 322 the particular rules disobeyed by the respective traffic flow on port 312.”); 
wherein the first service packet corresponds to a first one of service packets (¶48: “… outgoing ARP requests …”) sent to other terminal (¶40: “… a host …”) by the target terminal immediately after acquiring a media access control (MAC) address (¶40: “… a physical address of a host …”) of the other terminal by performing an address resolution protocol (ARP) interaction with the other terminal (¶40: “… when the NE wishes to obtain a physical address of a host on the access network, it broadcasts an ARP request onto the access network.”); 
in response to that the destination port carried indicates one of the preset risky ports, determining whether a number of interacting terminals (¶30: “… client devices 30 …”, Fig 2, item 30: “client”) in the LAN that have performed ARP interaction (¶40: “ARP requests and responses may be present on port 312 if the NE uses ARP.”) with the target terminal reaches a first preset threshold (¶59: “… crosses a limit/threshold …”) (¶59: “… if the count value in one or more counters crosses a limit/threshold, AIC unit 324 identifies in rules set 322 the particular rules disobeyed by the respective traffic flow on port 312.”); 
in response to that the number of interacting terminals reaches the first preset threshold, providing protection to the target terminal so to suppress virus propagation in the LAN (¶159-160: “… a suspected malware infection … may be identified when the corresponding current trend exceeds the corresponding expected trend by a corresponding trend threshold … including initiating actions to contain the suspected malware infection …”).  
Regarding claim 2:
Abdel discloses:
The method of claim 1, further comprising: 
in response to receiving the ARP packet initiated by the target terminal, updating the number of interacting terminals based on the ARP packet (¶48: “… an ARP_response_out packet will update the ARP ARP_response_out counter, etc. … a complex counter unit 325 … enables counting the number of far-end hosts.”).  
Regarding claim 3:
Abdel discloses:
The method of claim 1, wherein providing protection to the target terminal to suppress virus propagation in the LAN comprises: 
determining whether a number of abnormal terminal relationships corresponding to the target terminal reaches a second preset threshold (¶56: “… individual limits …”), wherein for one of the number of abnormal terminal relationships, the target terminal performs interaction with other terminal in the LAN by sending a first service packet (¶61: “…  ARP_query_out that indicates the number of peers on a local subnet …”) of which a destination port belongs to preset risky ports, and in response to that the number of abnormal terminal relationships reaches the second preset threshold, providing protection to the target terminal so to suppress virus propagation in the LAN (¶61: “…  individual count values are ARP_query_out that indicates the number of peers on a local subnet, and the RST_in that indicates the number of RST packets received by port 312.”, ¶60: “Once the type of attack has been identified, attack containment logic 326 triggers a certain defensive action …”).  
Regarding claim 6:
Abdel discloses:
The method of claim 2, wherein the ARP packet comprises: 
an ARP request packet and/or an ARP response packet (¶40: “… ARP requests and responses may be present on port 312 if the NE uses ARP.”).  
Regarding claim 7:
Abdel discloses:
The method of claim 1, wherein the first service packet comprises: 
a transmission control protocol (TCP) packet (¶40: “… PDU's can include … TCP/RST packets …”); and/or 
a user datagram protocol (UDP) packet (¶40: “… PDU's can include … UDP packets”).
Regarding claim 11:
Abdel discloses:
A forwarding device in a LAN (Fig. 2, Wireless Access Switch 14), comprising: 
a processor (Fig. 2, Header Data Processing 22); 
a memory (Fig. 2, Memory 40) for storing program instructions that are executable by the processor to perform operations comprising: 
In addition to the above limitations, claim 11 substantially recites the same limitations as claim 1 in the form of a forwarding device to realize the corresponding method, therefore it is rejected by the same rationale.
Regarding claims 12-13 and 16-17:
Claims 12-13 and 16-17 substantially recite the same limitations as claims 2-3 and 6-7, respectively, in the form of a forwarding device to realize the corresponding method, therefore they are rejected by the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Abdel, and further in view of US-PGPUB No. 2006/0274363 A1 to Katano
Regarding claim 4:
Abdel discloses:
The method of claim 1, wherein providing protection to the target terminal to suppress virus propagation in the LAN comprises: 
in response to that the number of the first terminals reaches the third preset threshold, providing protection to the target terminal to suppress virus propagation in the LAN (Abdel, ¶58: “Dynamic limits in conjunction with distinct containment actions (or responses) may also be envisaged … it is possible to initially set the boundaries for certain counters 315 to be tight, and to respond with a containment action for these boundaries that only slows-down the port 312 when the boundary is triggered, rather than shutting it down.”).
determining whether a number of first terminals reaches a third preset threshold (Abdel, ¶58: “Dynamic limits …”), 
However, Abdel fails to disclose the following limitation taught by Katano:
wherein the first terminals are terminals in the interacting terminals of which Internet protocol (IP) addresses are consecutive (Katano, ¶99: “… The DHCP server function of a router used in a home generally assigns a predetermined number of consecutive IP addresses from a given IP address.”);  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Abdel to incorporate the functionality of the DHCP server of a router to assign a predetermined number of IP addresses from a given address, as disclosed by Katano, such modification would allow the system to determine the first and last IP addresses, and thus compute the IP range and know the number of usable IP addresses.
Regarding claim 14:
Claim 14 substantially recites the same limitations as claim 4 in the form of a forwarding device to realize the corresponding method, therefore it is rejected by the same rationale.
Claims 5, 8-9, 15 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Abdel, and further in view of US-PGPUB No. 2020/0412753 A1 to Akashi
Regarding claim 5:
Abdel discloses:
The method of claim 1, further comprising: 
in response to that the destination port indicates one of the preset risky ports, updating an abnormal packet reception time maintained by the forwarding device (Abdel, ¶139: “… remedy includes temporarily blocking the MAC address 31, such as for one second, then for two seconds, then for four seconds, doubling each time …”); 
in response to receiving the ARP packet sent by the target terminal, determining whether the number of abnormal terminal relationships reaches the first preset threshold (Abdel, ¶59-60: “… if the count value in one or more counters crosses a limit/threshold, AIC unit 324 identifies in rules set 322 the particular rules disobeyed by the respective traffic flow on port 312. … the ARP_failures counter is a pretty unambiguous indicator of scanning of the local subnet, so it should trigger its limit immediately.”); 
However, Abdel does not disclose the following limitations taught by Akashi:
(Akashi, ¶32: “When the irregular frame is received in step S106 (step S106: Y), the control unit 21 determines that the irregular frame is abnormal because an interval of the irregular frame is too short since the irregular frame is received before counting to the threshold (step S107). … if the measured time (the difference between a current time and the abnormal packet reception time) is equal to or less than the predetermined threshold, the control unit 21 determines abnormal.”); and 
in response to that the difference between the current time and the abnormal packet reception time is less than the preset time threshold, providing protection to the target terminal to suppress virus propagation in the LAN (Akashi, ¶32: “The message frame determined to be abnormal is discarded by deleting it from the distribution buffer 24.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Abdel to incorporate the functionality of the control unit to determine abnormality of a frame (packet) by computing the difference between packet arrival time (current time) and expected packet arrival time, when the difference is less than a predetermined threshold, as disclosed by Akashi; such modification would allow the system to determine suspect packets that arrive before expected time and might cause denial of service attack, and protect the system by discarding those suspect packets.
Regarding claim 8:
Abdel discloses:
A method for suppressing virus propagation in a local area network (LAN) (Abdel, ¶02: “… a method and apparatus for detecting propagation of malware … via a shared access point of a communication network … wireless local area networks (LANs) …”), being appliable to a forwarding device (Abdel, ¶152: “… may be implemented within an access switch 14 (FIG. 1) of a wireless LAN 10 (FIG. 1) or another type of communication network.”), comprising:
in response to receiving an address resolution protocol (ARP) packet initiated by a target terminal, determining whether a number of interacting terminals (Abdel, ¶30: “… client devices 30 …”, Fig 2, item 30: “client”) in the LAN that have performed ARP interaction (Abdel, ¶40: “ARP requests and responses may be present on port 312 if the NE uses ARP.”) with the target terminal reaches a first preset threshold (Abdel, ¶59: “… crosses a limit/threshold …”) (Abdel, ¶59: “… if the count value in one or more counters crosses a limit/threshold, AIC unit 324 identifies in rules set 322 the particular rules disobeyed by the respective traffic flow on port 312.”);
However, Abdel does not disclose the following limitations taught by Akashi:
(Akashi, ¶32: “When the irregular frame is received in step S106 (step S106: Y), the control unit 21 determines that the irregular frame is abnormal because an interval of the irregular frame is too short since the irregular frame is received before counting to the threshold (step S107). … if the measured time (the difference between a current time and the abnormal packet reception time) is equal to or less than the predetermined threshold, the control unit 21 determines abnormal.”); and 
in response to that the difference between the current time and the abnormal packet reception time is less than the preset time threshold, providing protection to the target terminal to suppress virus propagation in the LAN (Akashi, ¶32: “The message frame determined to be abnormal is discarded by deleting it from the distribution buffer 24.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Abdel to incorporate the functionality of the control unit to determine abnormality of a frame (packet) by computing the difference between packet arrival time (current time) and expected packet arrival time, when the difference is less than a predetermined threshold, as disclosed by Akashi; such modification would allow the system to determine suspect packets that arrive before expected time and might cause denial of service attack, and protect the system by discarding those suspect packets.
Regarding claim 9:
The combination of Abdel and Akashi discloses:
The method of claim 8, further comprising: 
updating the number of interacting terminals based on the ARP packet (Abdel, ¶48: “… an ARP_response_out packet will update the ARP ARP_response_out counter, etc. More information of the traffic is obtained when the port is provided with a complex counter unit 325 which, for example, enables counting the number of far-end hosts.”), wherein the ARP packet comprises: 
an ARP request packet (Abdel, ¶40: “… ARP requests … may be present on port 312 if the NE uses ARP.”); and/or 
an ARP response packet (Abdel, ¶40: “… ARP … responses may be present on port 312 if the NE uses ARP.”).  
Regarding claim 15:
Claim 15 substantially recites the same limitations as claim 5 in the form of a forwarding device to realize the corresponding method, therefore it is rejected by the same rationale.
Regarding claim 18:
The combination of Abdel and Akashi discloses:
A forwarding device in a LAN (Fig. 2, Wireless Access Switch 14), comprising: 
a processor (Fig. 2, Header Data Processing 22); 
a memory (Fig. 2, Memory 40) for storing program instructions that are executable by the processor to perform the method of claim 8.
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Abdel, Akashi and further in view of Katano
Regarding claim 10:
The combination of Abdel and Akashi discloses:
The method of claim 8, wherein providing protection to the target terminal to suppress virus propagation in the LAN comprises: 
in response to that the number of the first terminals reaches the third preset threshold, providing protection to the target terminal to suppress virus propagation in the LAN (Abdel, ¶58: “Dynamic limits in conjunction with distinct containment actions (or responses) may also be envisaged … it is possible to initially set the boundaries for certain counters 315 to be tight, and to respond with a containment action for these boundaries that only slows-down the port 312 when the boundary is triggered, rather than shutting it down.”).
determining whether a number of first terminals reaches a third preset threshold (Abdel, ¶58: “Dynamic limits …”), 
However, the combination of Abdel and Akashi does not disclose the following limitation taught by Katano:
wherein the first terminals are terminals in the interacting terminals of which Internet protocol (IP) addresses are consecutive (Katano, ¶99: “… The DHCP server function of a router used in a home generally assigns a predetermined number of consecutive IP addresses from a given IP address.”); 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of the combination of Abdel and Akashi to incorporate the functionality of the DHCP server of a router to assign a predetermined number of IP addresses from a given address, as disclosed by Katano, such modification would allow the system to determine the first and last IP addresses, and thus compute the IP range and know the number of usable IP addresses.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Campbell et al. (US-PGPUB No. 2004/0003284 A1) - disclosed network switches with enhanced processing power and a virus information database to detect possible virus attacks and identify the source of the attacks within a computer network.
Yanovsky (USPAT No. 7010807-B1) - disclosed a system and method for virus protection of computers on a local area network (LAN).
Turnbull (US-PGPUB No. 2013/0312097 A1) - disclosed systems and methods for detecting malicious resources by analyzing communication between multiple resources coupled to a network.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/ Supervisory Patent Examiner, Art Unit 2491