DETAILED ACTION
1.	This office action is in response to the communication filed on 02/23/2021.
2.	Claims 1-20 are pending.

Notice of Pre-AIA or AIA Status
3.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

4.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


5.	Claim(s) 1-5 and 11-20 is/are rejected under 35 U.S.C. 102(a)(1)/102(a)(2) as being anticipated by Boteler et al. (US 2011/0185418 A1, hereafter Boteler).
Regarding claim(s) 1, 11, and 16:
Boteler discloses a computer-implemented method, the method comprising: 
detecting, by a computing system, illegitimate network traffic associated with a cyberattack in network traffic (see fig. 1 and paras. 63-65 where occurrence(s)/event(s) (i.e. illegitimate network traffic) related to anomalous packet(s) or unknown network flow is/are detected, by a correlation engine (i.e. computing system) connecting to the internet, to be associated with a type of attack. Notes: see para. 83 where the correlation engine has a memory); 
determining, by the computing system, an amplification factor of the cyberattack based on a probability distribution of the illegitimate network traffic (see fig. 1 and paras. 39, 64, 73-74 where a higher level and a type of an attack (e.g. denial of service attack, password attack, etc.) is determined when a number of events/occurrences per time period (e.g. hour, day, week, month, etc.) exceeds a predetermined threshold. In other words, an amplification factor (e.g. a higher level or a high motivation of an attacker) of an attack is determined based on a number of events/occurrences per time period, e.g. hour, day, week, month, etc. (i.e. probability distribution), exceeding a predetermined threshold. Notes: see paras. 16-17, 31 for further illustration of an attacker’s motivation in an attack); 
determining, by the computing system, a filter to demotivate a generation of the illegitimate network traffic, wherein the filter reduces the amplification factor of the cyberattack; and implementing, by the computing system, the determined filter to block the illegitimate network traffic (see fig. 1 and paras. 39, 44 where a filter is set to recognize an attack pattern associated with an event vector; see paras. 81-82 where a filter dumps a track/event vector associated with an attack).

Regarding claim(s) 2, 12, and 17:
Boteler discloses:    
wherein the amplification factor of the cyberattack is determined based on a bandwidth amplification factor in one or more network protocols and a filter to be selected (see fig. 1 and paras. 39, 64, 73-74 where a higher level of a denial of service attack is determined when a number of events/occurrences per day exceeds a predetermined threshold and a previous filter set to detect when a number of events/occurrences per hour exceeds a predetermined threshold. Notes: see para. 31 where an attacker sends a lot of connection requests to a server to overload the server (i.e. reduce the bandwidth between a server and other users)).

Regarding claim(s) 3, 13, and 18:
Boteler discloses:
wherein the filter to demotivate the generation of the illegitimate network traffic is determined based on a probability distribution of legitimate network traffic and the probability distribution of the illegitimate network traffic (see fig. 1 and paras. 68-69 where an alarm condition is initiated if a number of occurrences/events per week or month exceeds a threshold (i.e. if a number of occurrences/events per week or month does not exceed a threshold, the number of occurrences/events are associated with legitimate network traffic); see paras. 81-82 where a filter (e.g. filter detects number of occurrences/events per hour) dumps a track/event vector associated with an attack (i.e. number of occurrences/events are associated with illegitimate network traffic)).

Regarding claim(s) 4, 14, and 19:
Boteler discloses:
wherein the filter to demotivate the generation of the illegitimate network traffic is based on a generative adversary net framework (see fig. 1 and paras. 63-65 where a filter of a correlation engine is set to detect an attack generated by an attacker (i.e. the filter is based on a framework (i.e. generative adversary net framework) including an attacker generating an attack, and a filter detecting the attack)).

Regarding claim(s) 5, 15, and 20:
Boteler discloses:
wherein the filter blocks the illegitimate network traffic while maximizing legitimate network traffic to minimize impacts to response times of the computing system (see fig. 1 and paras. 68-69 where an alarm condition is initiated if a number of occurrences/events per week or month exceeds a threshold (i.e. if a number of occurrences/events per week or month does not exceed a threshold, the number of occurrences/events are associated with legitimate network traffic); see paras. 81-82 where a filter (e.g. filter detects number of occurrences/events per hour) dumps a track/event vector associated with an attack (i.e. number of occurrences/events are associated with illegitimate network traffic). In other words, a filter dumps occurrences or events (i.e. illegitimate network traffic) detected to be associated with an attack each hour, and allows all occurrences or events (i.e. legitimate network traffic) not associated with an attack to pass through to minimize impacts to response times of the correlation engine).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


6.	Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boteler in view of Cheriton (US 7120931 B1).
Regarding claim(s) 6:
Boteler discloses:
wherein the implemented filter to block the illegitimate network traffic is implemented through [hardware offloading features of at least one network interface hardware] associated with the computing system (see fig. 1 and paras. 63-65 where occurrence(s)/event(s) (i.e. illegitimate network traffic) detected to be associated with an attack is/are received, by a correlation engine (i.e. computing system) via connecting to the internet).
Boteler does not, but Cheriton discloses:
hardware offloading features of at least one network interface hardware associated with the computing system (see Cheriton, fig. 2, col. 4, lines 19-21, and col. 4, line 59 - col. 5, line 2, where a computer system includes a network interface, e.g. ethernet interface, (i.e. network interface hardware) including a plurality of ports (i.e. hardware offloading features) for connecting to the Internet).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Boteler's invention by enhancing it for hardware offloading features of at least one network interface hardware associated with the computing system, as taught by Cheriton, in order to use an ethernet interface to connect to the internet (Cheriton, col. 4, line 59 - col. 5, line 2).

7.	Claim(s) 7-10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Boteler in view of Touitou et al. (US 2005/0021999 A1, hereafter Touitou).
Regarding claim(s) 7:
Boteler discloses:
determining, by the computing system, whether [a portion of internet protocol (IP) packets of the network traffic is spoofed IP packets] (see fig. 1 and paras. 63-65 where occurrence(s)/event(s) (i.e. illegitimate network traffic) related to anomalous packet(s) or unknown network flow is/are detected, by a correlation engine (i.e. computing system) connecting to the internet, to be associated with a type of attack, e.g. denial of service attack).
Boteler does not, but Touitou discloses:
determining whether a portion of internet protocol (IP) packets of the network traffic is spoofed IP packets (see Touitou, para. 62, where a guard device (i.e. computing system) determines that IP packets received from the network originated from spoofed IP addresses).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Boteler's invention by enhancing it for determining whether a portion of internet protocol (IP) packets of the network traffic is spoofed IP packets, as taught by Touitou, in order to determine IP packets originating from spoofed IP addresses (Touitou, para. 62).

Regarding claim(s) 8:
Boteler does not, but Touitou discloses:
swapping origin IP addresses with destination IP addresses associated with the portion of the IP packets, wherein the origin IP addresses and the destination IP addresses are specified in headers associated with the portion of the IP packets; and generating network ping requests based on the swapped IP addresses (see Touitou, paras. 62, 69 where a guard device (i.e. computing system) determines that packets received from the network originated from spoofed IP addresses, wherein, for a received packet, the guard device returns an ACK packet to the source IP address of the received packet via the internet (i.e. public network); see paras. 4, 70 where a packet comprises a header followed by payload data, wherein a packet’s header includes source and destination addresses. In other words, the guard device generates ACK packets (i.e. network ping requests) by using the source IP addresses of the received packets as the destination IP addresses of the ACK packets (i.e. the source IP addresses of the received packets are swapped with the destination IP addresses)).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Boteler's invention by enhancing it for swapping origin IP addresses with destination IP addresses associated with the portion of the IP packets, wherein the origin IP addresses and the destination IP addresses are specified in headers associated with the portion of the IP packets; and generating network ping requests based on the swapped IP addresses, as taught by Touitou, in order to return ACK packets to the source IP addresses of received packets to determine whether the received packets were sent from spoofed source addresses for detecting spoofed traffic (Touitou, paras. 62, 69-70).

Regarding claim(s) 9:
Boteler does not, but Touitou discloses:
transmitting the network ping requests to a public network (see Touitou, paras. 62, 69-70).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Boteler's invention by enhancing it for transmitting the network ping requests to a public network, as taught by Touitou. The motivation is the same as presented in claim 8.

Regarding claim(s) 10: 
Boteler does not, but Touitou discloses:
wherein the cyberattack is a coordinated distributed denial-of-service attack (see Touitou, para. 8, for distributed denial-of-service (DDoS) attack).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Boteler's invention by enhancing it for a coordinated distributed denial-of-service attack, as taught by Touitou, in order to detect and block spoofed traffic during a DDoS attack (Touitou, para. 8).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Anderson et al. (US 2003/0014665 A1). Apparatus And Method For Secure, Automated Response To Distributed Denial Of Service Attacks.
Ansari et al. (US 2008/0295175 A1), PROACTIVE TEST-BASED DIFFERENTIATION METHOD AND SYSTEM TO MITIGATE LOW RATE DoS ATTACKS.
Afek et al. (US 2006/0212572 A1), Protecting Against Malicious Traffic.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HUAN V DOAN/Primary Examiner, Art Unit 2499