DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
	Applicant’s argument, see Remarks filed on 09/21/2022, with regards to the rejection of the dependent claim 4 (now cancelled by Applicant) under 35 USC § 102, and the amendment of the independent claim 1 by incorporating the subject matter of claim 4, have been fully considered, but they are not persuasive. 
On page 6, Applicant contends that paragraph [0081] of Ravichandran merely discloses updating a stored data pattern of a signature upon determining a change of data pattern, but does not specifically disclose that the data pattern has a first given profile of variation of at least one of its characteristics during a first given period and then a second profile of variation different from the first profile of variation, of the at least one characteristic during a second given period. 
The examiner respectfully disagrees with the applicant’s argument. 
Ravichandran, in ¶81, teaches that the computer 160, 170 may be programmed to update the stored data pattern in the signature upon determining a change of data pattern communicated by a specific device (identified based on the respective device identifier) changed. Thus, Ravichandran does not merely update a stored data pattern upon determining a change of data pattern, but upon determining a change of data pattern of a specific device of known profile. If one of the profile characteristics, the device identifier, is different, Ravichandran in paragraph [0049] teaches the device is a rogue device and causes a “spoofing attack”, an attack in which a computer and/or a program masquerades as another by falsifying data, e.g., submitting an identifier of the other device. Furthermore, as disclosed in ¶47, the determination may be performed periodically (e.g., every 100 milliseconds). Thus, the first variation of the device identifier (stored signature) is determined in the first 100 milliseconds, and periodically (every 100 milliseconds) checked for an occurrence of a second variation (rogue device identifier). Therefore, examiner asserts that Ravichandran fully teaches and suggests monitoring of the specific data pattern by periodically checking profile variation of a device identifier during a first time period (first 100 milliseconds), and then periodically checking for an occurrence of a different profile variation (rogue device identifier) as claimed by the applicant. The examiner did not find applicant’s argument persuasive, and thus the rejection of independent claim 1 under 35 USC § 102 is maintained. 
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-3, 5-6 and 10 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US-PGPUB No. 2020/0059452 A1 Ravichandran et al. (hereinafter “Ravichandran”)
Regarding claim 1: 
	Ravichandran discloses:
A method of detecting and filtering illegitimate communication streams in a satellite communication network (see FIG. 1, ¶30: “… a satellite network 100 (sometimes referred to as a “communication network 100”) …”), the method being executed by a gateway satellite station (¶33: “ … a gateway 115A, 115B …”) able to establish a communication link (¶16: “… uplink …downlink”) between a satellite (¶33: “… a satellite 105.”, see FIG. 1) and an access network (¶33: “… a network 150 …”, see FIG. 1) and comprising the steps of: 
 receiving a communication stream originating from the satellite (¶20: “The method … sniffing, at the gateway, at least one of uplink and downlink data, identifying, at the gateway, the signature of the rogue device, broadcasting, at the gateway, the identified signature, and blocking, at the gateway, at least one of the downlink and uplink of the rogue data.”, 
¶33: “… a gateway 115A, 115B may connect a network 150 to a satellite 105.
The gateways 115A, 115B are computer-based communication devices … Each gateway 115A, 115B may be programmed to use different uplink and downlink methods to transmit data to and receive data from satellites 105.”, and  
¶35: “Each system gateway 115A, 115B may be programmed to transmit control and configuration data to satellites 105 as well as receive data, such as telemetry data, from satellites 105.”, See FIG. 1), 
determining a set of characteristics of the communication stream forming a signature of the stream (¶19-22: “The method may further include sniffing, at the terminal, at least one of uplink and downlink data, and identifying the signature of the rogue data based on clustering the sniffed data. [0020] The method may further include sniffing, at the gateway, at least one of uplink and downlink data, identifying, at the gateway, the signature of the rogue device, broadcasting, at the gateway, the identified signature, and blocking, at the gateway, at least one of the downlink and uplink of the rogue data. [0021] The signature may further include a data pattern, a type of attack, a frequency of attack, and a status. [0022] The type of attack may be at least one of SYN Flood, UDP Flood, SMBLoris, ICMP Flood, and HTTP Get Flood.”, and see also Table 1), 
applying at least one classification algorithm (¶44: “… clustering algorithms …”) so as to class the signature into a set of legitimate signatures or into a set of illegitimate signatures, if the signature is classed into the set of illegitimate signatures, filtering the communication stream, otherwise transmitting the communication stream to the access network (¶19: “The method may further include sniffing, at the terminal, at least one of uplink and downlink data, and identifying the signature of the rogue data based on clustering the sniffed data.”, 
¶44: “The computer(s) … may be programmed to cluster the data using clustering algorithms such as K-means. Data clustering may include identifying data patterns and grouping the data patterns.”, and  
¶75-76: “… the computer 170 determines whether rogue data matching one or more stored signatures was detected. The computer 170 may be programmed to detect rogue data by sniffing data that is communicated via the gateway 115A, clustering the sniffed data, and detecting rogue data based on stored signatures and clustering of the sniffed data. If the computer 170 determines that rogue data was detected, then the process 300 proceeds to a block 360; otherwise the process 300 ends, or alternatively, returns to the decision block 310 … [0076] In the block 360, the computer 170 block the detected rogue data. … the computer 170 may be programmed to block the data from the application that generates the rogue data …, whereas allowing rest of data from the device (i.e., data from other application on the rogue device) to pass through.”), wherein an illegitimate signature (¶78: “… rogue data signature …”) corresponds to a communication stream which has a first given profile of variation (¶81: “… stored signature …”) of at least one of its characteristics (¶81: “… device identifier…”) during a first given period (¶47: “… computer 160 may be programmed to periodically, e.g., every 100 ms (milliseconds), check for an occurrence and/or recurrence of a flooding attack from a source, e.g., a device 120A …”) and then a second profile of variation (¶49: “… a rogue device.”) different from the first profile of variation, of the at least one characteristic (¶49: “… submitting an identifier of the other device …”) during a second given period (¶47: “… periodically, e.g., every 100 ms (milliseconds) …”) (¶81: “The computer 160, 170 may be programmed to determine the data pattern, device identifier, application identifier, route of data, etc., and store the signature data in a memory 130, 140. The computer 160, 170 may be programmed to update a change in stored signature of data. 
For example, upon determining a change of data pattern communicated by a specific device (identified based on the respective device identifier) changed, the computer 160, 170 may be programmed to update the stored data pattern in the signature including the respective device identifier.”, ¶49: “… the computer 160 may identify the source, e.g., the device 120A, as a rogue device. For TCP SYN flooding attacks, if the traffic is spoofed, it can be detected locally at a gateway 115A, 115B … a “spoofing attack” is an attack in which a computer and/or a program masquerades as another by falsifying data, e.g., submitting an identifier of the other device.”).
Regarding claim 2:
Ravichandran discloses:
The method of detecting and filtering illegitimate communication streams according to Claim 1 comprising, for each new received data packet, the association of the packet with a stream signature (¶75: “… the computer 170 determines whether rogue data matching one or more stored signatures was detected.”).  
Regarding claim 3:
Ravichandran discloses:
The method of detecting and filtering illegitimate communication streams according to claim 1, wherein the set of legitimate signatures and the set of illegitimate signatures are predetermined on the basis of a priori observations (¶29: “Each terminal in a satellite network may act as a sniffer by logging traffic behavior(s) from all sources into a local memory. Periodically, data from terminal logs are input to a clustering algorithm to group the traffic patterns and to determine the rogue anomalies dynamically.”).  
Regarding claim 5:
	Ravichandran discloses: 
The method of detecting and filtering illegitimate communication streams according to claim 1, wherein the determined characteristics are primary characteristics extracted from the communication stream from among the source address of the communication stream, the destination address of the communication stream, the protocol version of the communication stream, the port number of the communication stream (¶47: “The computer 160, 170 may be programmed to identify an attack based at least in part on source port and/or destination port during UDP-based communication … a type of data during an ICMP-based communication … source port, destination port, flag, sequence number, acknowledge Number, and/or window Size during a TC-based communication … routing path. The computer(s) 160 may be programmed to categorize a type of an attack and a frequency of the attack.”).  
Regarding claim 6:
	Ravichandran discloses: 
The method of detecting and filtering illegitimate communication streams according to Claim 5, wherein the primary characteristics are extracted from at least one header field of the received data packets (¶47: “… the computer 160, 170 may be programmed to identify an attack based at least in part on source port, destination port, flag, sequence number, acknowledge Number, and/or window Size …”).  
Regarding claim 10:
	Claim 10 substantially recites the same limitation as claim 1, in the form of a device implementing the steps of the method, therefore, it is rejected by the same rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2016/0020923 A1 to McLeod
Regarding claim 7:
	Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but failed to explicitly disclose the following limitation taught by McLeod: 
wherein the determined characteristics are secondary characteristics measured on the data packets of a communication stream, from among the number of data packets transmitted by the communication stream, the duration of the communication stream, the maximum size of a packet of the communication stream, the minimum size of a packet of the communication stream, the average duration between two successive packets transmitted by the communication stream (see McLeod ¶39: “Hybrid flow data is a combination of network flow data and statistics, packet data and metadata (e.g., packet statistics), and an adjustable amount of packet payload data. Examples of flow statistics may include … the start time, end time, and duration of a flow. Examples of packet statistics may include … mean time between packets that were used to generate the flow.”, 
¶81-86: “… … the buildflows program can retrieve and analyze the flow data previously stored in the data store … the buildflow program can determine and store, in the data store, several statistical measures of the flow being analyzed. These statistical measures include but are not limited to: …  a list of the packet inter-arrival times for all packets that make up the flow… a list of the packet sizes (in bytes) of each packet that make up the flow; … the minimum, maximum, mean, variance and standard deviation of the packet inter-arrival; … times for all packets that make up the flow; and the minimum, maximum, mean, variance and standard deviation of the packet size for all packets that make up the flow.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Ravichandran to incorporate the functionality of the buildflows program to retrieve and analyze flow data, as disclosed by McLeod; such modification would allow the system to determine flow statistical measures that are important for the system to employ correct mitigation measures, but would result in larger packet latency if these characteristics were incorporated in the header of the packet.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2016/0323166 A1 Pandey et al. (hereinafter “Pandey”)
Regarding claim 8:
Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but failed to explicitly disclose the following limitation taught by Pandey: 
comprising the step of applying several distinct classification algorithms and of classing the signature into a set of legitimate signatures if at least one of the said classification algorithms classes the signature into a set of legitimate signatures (see Pandey ¶40: “The classification engines … can extract data from a set of desired fields within each packet and can then apply one or more classification algorithms to this set of data to generate classification data for packet identification purposes.”,  
¶45: “The hash generators … can be configured to generate hash values based upon one or more hash algorithms that are applied to data within each packet. The resulting hash values or keys are used to provide the packet signatures …, and these hash values or keys effectively reduce the size of the packets (e.g., 128 bytes) to smaller data values (e.g., 32 bits) that can still be used to identify different packets. Any desired hash algorithm could be used …”).   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Ravichandran to incorporate the functionality of the classification engines to apply one or more classification algorithms to a set of data to generate classification data for packet identification purposes, as disclosed by Pandey; such modification would allow the system to classify various types of data, and generate a table of signatures for future comparison and classification matching.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Ravichandran and further in view of US-PGPUB No. 2019/0147670 A1 Chopra et al. (hereinafter “Chopra”)
Regarding claim 9:
	Ravichandran discloses the method of detecting and filtering illegitimate communication streams according to claim 1, but failed to explicitly disclose the following limitation taught by Chopra: 
wherein the classification algorithm is chosen from among a k-neighbours algorithm, a Bayesian naive classification algorithm, a least squares algorithm (see Chopra ¶83: “… classification algorithms may include Linear classifiers (e.g., Fisher's linear discriminant, logistic regression, naive Bayes, and perceptron), Support vector machines (e.g., least squares support vector machines), quadratic classifiers, kernel estimation (e.g., k-nearest neighbor) …”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Ravichandran to incorporate the functionality of the streaming analytics module to implement various classification algorithms, as disclosed by Chopra; such modification would allow the system to use different models (linear or non-linear) to properly identify (classify) flow packets.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Daines et al. (USPAT No 7760723-B1)- disclosed a method and techniques to relay a data stream from a data device to a network tunnel. 
Guo et al. (US-PGPUB No 20190230010-A1)- disclosed a monitoring station deployed in a network that monitors packets over one or more interfaces in the network.
Wang et al. (US-PGPUB No. 20170329783-A1)- disclosed a method of analyzing encrypted streaming media traffic which is applicable to various data stream types, including Real Time Protocol data streams such as VoIP traffic and video (e.g., MPEG) over IP traffic.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/M.H./Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491