DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/03/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 9-11 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Huston et al. (Pub. No.: US 2017/0070531) in view of Malan et al. (Pub. No.: US 2002/0035698) and Stutz (Pub. No.: US 2017/0223052).
Regarding claim 1: Huston discloses A method comprising:
receiving a plurality of data packets via a first network path that connects to a first network point of access, and via a second network path that connects to a different second network point of access (Huston - [0020]: Fig. 1, the attack mitigation device 106 is configured to process traffic received from the cloud-based DDoS service 102 for the purpose of mitigating DoS and DDoS attacks. [0019]: It should be noted that although pairs of external devices 101 a, 101 b and remote offices 113 a, 113 b, and one data center 115 are depicted in FIG. 1 merely for the sake of simplicity, the embodiments disclosed herein can be applied to a plurality of external devices, protected remote offices, and datacenters);
detecting that a first set of the plurality of data packets originating from the first network point of access do not satisfy an attack signature, and that a second set of the plurality of data packets originating from the second network point of access satisfy the attack signature based on the second set of data packets comprising irregular addressing or irregular request patterns (Huston - [0020]: the external device 101 a may carry out the malicious attacks against the server 117, and particularly encrypted DoS and/or encrypted DDoS attacks (hereinafter “encrypted attack”). [0021]: The attack mitigation device 106 can be configured to detect DoS/DDoS attacks based on (but not limited to) network and bandwidth statistics, such as an average number of active connections, an average number of packets received per second, and other DoS/DDoS attack detection techniques known in the related art);
However Huston doesn’t explicitly teach, but Malan discloses:
retrieving an Internet Protocol (“IP”) addresses that is assigned to each user equipment (“UE”) of a set of UEs accessing a network via the second network point of access, and network usage by each UE (Malan - [0096]: The DoS tracker utilizes two types of statistics that routers may collect on our behalf: single packet statistics, and flow-based statistics. Single packet statistics are those that provide essential information about a set of packets entering a forwarding node—a router. Some of the statistics kept include: destination and source IP addresses, incoming interface, protocol, ports, and, length);
determining a mismatch between the network usage by a particular UE of the set of UEs and computed usage from a subset of the second set of data packets comprising the IP address that is assigned to the particular UE (Malan - [0097]: With distributed correlation, the controller compares the attack signature with those discovered at other nodes in the topology. Attacks that correlate strongly are associated together and implicitly form the path from the source to the target);
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the method of Huston with Malan so that DOS attack is traced. The modification would have allowed the system to detect attacks. 
The combination of Huston with Malan doesn’t explicitly teach but Stutz discloses implementing attack protections against the particular UE by disabling network access, throttling network access, or blocking one or more data packets originating from the particular UE at the second network point of access using a unique identifier of the particular UE that is different than the IP address that is assigned to the particular UE  (Stutz - [0136]: networking servers and/or equipment may be configured to block network communication from the device. For example, network switches may be notified not to communicate traffic from the compromised device. For example, wifi access points may be configured to block a connection or to block traffic to and from the network device. For example, the physical layer network address (e.g., MAC address) may be blocked from wireless access to the network).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston and Malan with Stutz so that the system, with a motivation to provide a initiate measures to protect the network from the compromised first device using MAC address (Stutz, Abstract).
Regarding claim 9: Huston as modified discloses further comprising:
querying a network device using an identifier of the second network point of access; and
receiving the network usage by the particular UE at the second network point of access in response to querying the network device using the identifier of the second network point of access (Malan - [0108]: The StormDetector's analysis engine receives flow statistics from the routers in the target's hosting service. From these statistics, it can detect the attack at some-set of the affected routers along its path. This path leads directly from the target to ISP-A's border, where the attack originates. [0107]: The StormDetector is a mechanism for identifying denial of service attacks within an ISP, a Web hosting service, or an enterprise network).
Malan is combined with Huston and Stutz herein for similar obviousness reasons and motivation and the same rationale as stated for claim 1.
Regarding claim 10: Huston as modified discloses wherein implementing the attack protections comprises:
preventing data packets comprising IP addresses that differ from the IP addresses that are assigned to the set of UEs from passing through the second network point of access (Huston - [0021]: the attack mitigation device 106 is also configured and operable to identify and track various network information related to the attack including, but not limited to, IP addresses, TCP ports and other network information (i.e., layer 3 and/or layer 4 information), and utilizes cloud-signaling network protocols to push this information identifying attack sources (e.g., external device 101 a) to the cloud-based DDoS mitigation service provided by attack management devices 104-1 located within the cloud-based DDoS service 102. It is to be understood and appreciated the cloud-based DDoS mitigation service is preferably configured and operable to identify and block malicious incoming traffic based on the received attack-related information).
Regarding claims 11 and 16-17: Claims are directed to system claims and do not teach or further define over the limitations recited in claims 1, 9-10. Therefore, claims 11 and 16-17 are also rejected for similar reasons set forth in claims 1 and 9-10. Furthermore, Huston in para. [0023] and Fig. 1 discloses a first network point of access; a second network point of access; and one or more devices.
Regarding claim 18: Claim is directed to computer readable medium claims and do not teach or further define over the limitations recited in claim 1. Therefore, claim 18 is also rejected for similar reasons set forth in claim 1. Furthermore, Huston in para. [0036] discloses a non-transitory computer-readable medium, storing a set of processor-executable instructions.

Claims 2-3, 7-8, 12 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Huston et al. (Pub. No.: US 2017/0070531) in view of Malan et al. (Pub. No.: US 2002/0035698) and Stutz (Pub. No.: US 2017/0223052) and Vayilapelli et al. (Pub . No.: US 2018/0199303).
Regarding claims 2 and 12: Huston as modified doesn’t explicitly teach but Vayilapelli discloses further comprising:
registering the particular UE for access to the network based on the unique identifier of the particular UE; and assigning the IP address to the particular UE in response to successfully registering the particular UE (Vayilapelli - [0041]: the network can store parameters such as, but not limited to, the IMSI, Globally Unique Temporary User Device (UE) Identity (GUTI), IP address, and device capabilities with respect to each wireless communication device corresponding to the same IMSI. The GUTI may be a unique temporary identifier assigned by the network to a wireless communication device as the device registers with the network during an initial attach to the network. Each wireless communication device may be uniquely identified by different GUTIs. During the registration process, the network may assign a unique IP address to each wireless communication device).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston, Malan and Stutz with Vayilapelli so that a device unique identifier is registered with assigned IP address.
Regarding claim 3: Huston as modified discloses wherein the unique identifier comprises one or more of:
an International Mobile Subscriber Identity (“IMSI”),
an International Mobile Equipment Identity (“IMEI”),
a Cell Radio Network Temporary Identifier (“C-RNTI”),
a Globally Unique Temporary Identifier (“GUTI”),
a Home Network Identity (“HNI”), or
Media Access Control (“MAC”) address (Stutz - [0136]: the physical layer network address (e.g., MAC address) may be blocked).
The reason to combine is the same as claim 2.
Regarding claims 7 and 15: Huston as modified doesn’t explicitly teach but Vayilapelli discloses further comprising:
querying a network device using an identifier of the second network point of access; and
receiving the unique identifier of the particular UE and the IP address that is assigned to the particular UE in response to querying the network device using the identifier of the second network point of access (Vayilapelli - [0098]: FIG. 6 is a diagram illustrating a mapping table 600 for identifying wireless communication devices having a same subscription identifier (e.g., a same IMSI) according to various examples. Turning now to FIGS. 1-6, the mapping table 600 depicts a set of parameters, including GUTIs, IP addresses, and device capabilities that uniquely identifies each of the wireless communication devices).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston, Malan and Stutz with Vayilapelli so that a device with unique identifier can be identified using IP address.
Regarding claim 8: Huston as modified discloses wherein the unique identifier of the particular UE comprises an identifier with which the particular UE registers for service with the network (Vayilapelli - [0025]: mapping, by the network, one or more of a GUTI, IP address, or device capabilities to identify each of the plurality of wireless communication devices associated with a same subscription identifier).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston, Malan and Stutz with Vayilapelli so that a device unique identifier is registered.

Claims 4-5, 13-14 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Huston et al. (Pub. No.: US 2017/0070531) in view of Malan et al. (Pub. No.: US 2002/0035698) and Stutz (Pub. No.: US 2017/0223052) and Lachman, III et al. (Pub. No.: US 2002/0166063).
Regarding claims 4, 13 and 19: Huston as modified doesn’t explicitly teach but Lachman, III discloses further comprising:
detecting that the particular UE is using one or more spoofed addresses based on the mismatch between the network usage by the particular UE and the computed usage (Lachman - [0075]: Trace route module 214 can verify the source IP address of the attacking packets, can determine whether a single source or multiple sources produced the attack, and can determine whether the attack was initiated from a real or false IP address location. A false IP address is commonly referred to as a “spoofed” address).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston, Malan and Stutz with Lachman, III so that the system can determine whether the attack uses the real or false (spoofed) address.
Regarding claims 5, 14 and 20: Huston as modified doesn’t explicitly teach but Lachman, III dislcoses wherein implementing the attack protections comprises:
preventing data packets comprising the one or more spoofed addresses from passing beyond the second network point of access (Lachman - [0076]: Countermeasure module 218 can then initiate a defensive countermeasure against either the single source or the multiple sources. Router daemon module 216 can interact with countermeasure module 218 to apply the countermeasure to an interface of host router 104 and to uplink router 110).
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to combine the teachings of Huston, Malan and Stutz with Lachman, III so that the system can apply a countermeasure against the source(s) for enhanced security.

Allowable Subject Matter
Claim 6 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Daniel et al. (Pub. No.: US 2017/0237768) - Origin Controlled Attack Protections in a Distributed Platform
Park et al. (Pub. No.: US 2010/0020796) - Method and apparatus for blocking forged multicast packets 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MENG LI whose telephone number is (571)272-8729.  The examiner can normally be reached on M-F 8:30-5:30.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s acting supervisor, Kristine Kincaid can be reached on (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8729.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MENG LI/
Primary Examiner, Art Unit 2437