DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
  Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 10/22/2020 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner. 
Response to Arguments
Applicant’s arguments, see pages 3 and of Remarks, filed 9/20/2022, with respect to the rejection(s) of claim(s) 1-18 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of US-PGPUB No. 2016/0330236 A1 Reddy et al. (hereinafter “Reddy”).

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. 
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “a load distribution determination unit”, “a load distribution processing unit”, and “an attack handling setting unit” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over US-PGPUB No. US 2017/0279685 A1 Mota et al. (hereinafter “Mota”) and further in view of US-PGPUB No. 2016/0330236 A1 Reddy et al. (hereinafter “Reddy”)
Regarding claim 1: 
Mota discloses:
A DDoS handling device (see FIG. 2, device 200, and also ¶41: “… device 200 … perform anomaly detection functions as part of an anomaly detection infrastructure within the network. …  the anomaly detection infrastructure of the network may be operable to detect network attacks (e.g., DDoS attacks, the use of malware such as viruses, rootkits, etc.).”) configured to handle communication directed to a target of a DDoS attack (¶58: “… server 154 …”) flowing, into one of a plurality of gateway devices (see FIG. 3 item No. 110, CE-1, CE-2) of an autonomous system that serve as a plurality of connection points to adjacent autonomous systems (see FIG. 3 local network 160 (devices 10, 12, 14 and 16), and local network 162 (devices 18 and 20), ¶58: “… CE-2 acts as a DLA that monitors traffic flows associated with the devices of local network 160 …”), and correspond to a plurality of mitigating locations (¶29: “… local networks 160-162 and data center/cloud environment 150 may be located in different geographic locations.”) for the DDoS attack, respectively, the DDoS handling device comprising:
a load distribution determination unit (see FIG. 5, item No. 510, Dynamic Forwarding Instantiator (DFI)), including one or more processors (¶35: “… one or more processors 220 …”), configured to determine whether or not to execute load distribution processing based on an amount of available resources at mitigating locations (see FIG. 4, DLA 400, and ¶123: “… the budget of each DLA 400 …”) corresponding to the gateway device (see FIG. 3 item No. 110, CE-1, CE-2 and CE-3) of the autonomous system into which the communication directed to the target flows and, if at least one attack has been detected, based further on an amount of the communication directed to the target (Mota ¶04: “… a distributed DoS (DDoS) attack may involve multiple attackers sending malicious requests … the requests may overload a resource, thereby impacting legitimate requests sent to the resource.”, 
¶112: “… DFI 510 constantly monitors the charge of the network due to the operation of the distributed learning system, and compares this data with data about the network topology and resources. When DFI 510 detects a bottleneck point that is not running a SAF 506, it checks if the network element at this point can host an SAF 506. If this is the case, DFI 506 sends an instantiation message to the target network element …”); 	
a load distribution processing unit (see FIG. 5 item No. 516, Network Resource Balancer Module (NRBM)), including one or more processors (¶35: “… one or more processors 220 …”), configured to select, from among the plurality of mitigating locations (Mota ¶130: “… each DLA 400 …”), mitigating locations to be used to handle the communication directed to the target to address shortages of resources between mitigating locations for each attack (¶130-131: “… NRBM … can optimize the budget allocated to each DLA 400, in order to maximize the number of relevant anomalies raised by the complete system while minimizing the impact on network resources.”), if the load distribution determination unit determines to execute the load distribution processing (Mota, ¶123: “… (NRBM) 516 that is responsible for maintaining and optimizing the use of network resources across the whole network (e.g., in conjunction with DFC 508 and DFI 510)”, ¶130-131: “… NRBM … can optimize the budget allocated to each DLA 400, in order to maximize the number of relevant anomalies raised by the complete system while minimizing the impact on network resources. … NRBM … may temporarily increase the budget of one or more DLAs, in case of the emergence of new intrusions (e.g., obtained from threat intelligence feeds) and/or the occurrence of special events”);  
However, Mota failed to explicitly disclose the following limitation taught by Reddy:
an attack handling setting unit (Reddy, ¶233: “… one or more flow distributors …”, FIG. 5B item 550, Flow Distributor), including one or more processors (Reddy, ¶233: “… each flow distributor 550 can be associated with a processor 505 …”), configured to execute path control such that the communication directed to the target passes through the mitigating locations selected by the load distribution processing unit for each attack (¶234: “The flow distributor 550 can distribute network traffic among the cores 505 according to a distribution, computing or load balancing scheme … the flow distributor can distribute network traffic according to … any load balancing scheme for distributing load among multiple processors. The flow distributor 550 can therefore act as a load distributor by taking in data packets and distributing them across the processors according to an operative load balancing or distribution scheme.”).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Mota to incorporate the functionality of the flow distributor to distribute network traffic across processors based on an operative load balancing or distribution scheme, as disclosed by Reddy, such modification would allow the system to direct attack traffic to the appropriate mitigation processor (core), improving system efficiency and performance.
Regarding claim 2:
The combination of Mota and Reddy discloses:
The DDoS handling device according to claim 1, wherein the load distribution processing unit is configured to select mitigating locations for each attack not only to address shortages of resources at between mitigating locations but also to maximally equalize resource utilization rates at the respective mitigating locations (Mota ¶123: “…  a Network Resource Balancer Module (NRBM) … is responsible for maintaining and optimizing the use of network resources across the whole network … NRBM … individually adjusts the budget of each DLA … using a much richer set of strategies allowing for asymmetrical (unbalanced) bandwidth budget per DLA.”, and  
¶130: “… NRBM … can optimize the budget allocated to each DLA …, in order to maximize the number of relevant anomalies raised by the complete system while minimizing the impact on network resources.”).  
Regarding claim 3:
The combination of Mota and Reddy discloses:
The DDoS handling device according to claim 1, wherein the load distribution processing unit is configured to select mitigating locations along one or more communication paths for each attack not only to address shortages of resources between mitigating locations but also to minimize a number of communications directed to the target requiring changes in path from a current communication path (Mota, ¶39: “Routing process/services 244 include computer executable instructions executed by processor 220 to perform functions provided by one or more routing protocols, such as the Interior Gateway Protocol (IGP) (e.g., Open Shortest Path First, “OSPF,” and Intermediate-System-to-Intermediate-System, “IS-IS”), the Border Gateway Protocol (BGP) …”). 
Regarding claim 4:
The combination of Mota and Reddy discloses:
The DDoS handling device according to claim 1, wherein the selected mitigating locations include a plurality of mitigating locations that are present on one or more paths through which the communication directed to the target can be transferred with delays comparable to those of a current communication path (Mota ¶137: “… the techniques herein provide a fully adaptive and scalable mechanism for limiting the number of anomalies that the distributed learning system detects and forwards up to the user. Through tight integration between networking-related constraints and machine learning-based anomaly characterization, the techniques select messages to be sent in order not to exceed a given threshold (e.g., a networking-level constraint) and to choose which messages to forward based on their anomaly score and/or more sophisticated machine learning-based criteria. As such, the techniques cover a fully distributed forwarding mechanism that take into account a wide number of constraints such as network resources that limits the rate of anomalies for assuring an optimal system performance and user experience.”).  
Regarding claim 5:
The combination of Mota and Reddy discloses:
The DDoS handling device according to   claim 1, wherein the plurality of mitigating locations include a first location device (Mota FIG. 2, item 110( CE-1))  corresponding to a gateway of the autonomous system into which the communication directed to the target flows and a second location  (Mota FIG. 2, item 110( CE-2)) corresponding to a gateway device of the autonomous system out of which the communication directed to the target flows (Mota FIG. 2, item 110 (CE-1 and CE-2), item 302 (traffic flow), and ¶58: “… assume that device/node 10 sends a particular traffic flow 302 to server 154 … In such a case, router CE-2 may monitor the packets of traffic flow 302 and, based on its local anomaly detection mechanism, determine that traffic flow 302 is anomalous. Anomalous traffic flows may be incoming, outgoing, or internal to a local network serviced by a DLA …”).  
Regarding claim 6:
The combination of Mota and Reddy discloses:
The DDoS handling device according to claim 5, wherein the load distribution processing unit is configured to create a first location information table storing information for each attack indicating an amount of communication directed to the target at each gateway device, , and a second location information table storing information for each attack indicating an amount of communication directed to the target at gateway devices in a target region, , and select  mitigating locations to be used to handle  each attack based on  information in the first location information table and information in the second location information table (Mota ¶126-130: “…  NRBM … has the following information: [0127] The network topology showing where the DLAs … are situated in the overall network; [0128] The set of available network resource (using external applications computing the overall applications performance from different location of the network, or using protocol such as PCEP, BG¶LS to provide information about the states of network resource reservation); and [0129] Statistics about each DLA …, including the relevance of all anomalies raised, the number and the type of hosts seen, the type of applications. [0130] Based on these data, NRBM … can optimize the budget allocated to each DLA …, in order to maximize the number of relevant anomalies raised by the complete system while minimizing the impact on network resources.”).  
Regarding claim 11:
The combination of Mota and Reddy discloses:
The DDoS method according to claim 1, wherein selecting mitigating locations for each attack comprises wherein selecting a plurality of mitigating locations that are present on one or more paths through which the communication directed to the target can be transferred with delays comparable to those of a current communication path (Mota ¶137: “… the techniques herein provide a fully adaptive and scalable mechanism for limiting the number of anomalies that the distributed learning system detects and forwards up to the user. Through tight integration between networking-related constraints and machine learning-based anomaly characterization, the techniques select messages to be sent in order not to exceed a given threshold (e.g., a networking-level constraint) and to choose which messages to forward based on their anomaly score and/or more sophisticated machine learning-based criteria. As such, the techniques cover a fully distributed forwarding mechanism that take into account a wide number of constraints such as network resources that limits the rate of anomalies for assuring an optimal system performance and user experience.”). 
Regarding claims 7, 9-10 and 12-13:
Claims 7, 9-10 and 12- 13 recite substantially the same limitations as claims 1, 2-3 and 5-6, respectively, in the form of a device implementing the corresponding method, therefore they are rejected by the same rationale. 
Regarding claims 8 and 14-18:
Claims 8 and 14-18 recite substantially the same limitations as claims 1 and 2-6, respectively, in the form of a non-transitory computer readable medium storing computer instructions, therefore they are rejected by the same rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Radlein et al. (USPAT No 9794281-B1)- disclosed systems and methods to enable identification of computing devices associated with network attacks, such as denial of service attacks. 
Talpade et al. (US-PPGPUB No 2004/0148520-A1)- disclosed system and methods to detect DDoS attacks directed at edge/customer networks and to mitigating such attacks by redirecting the DDoS and non- DDoS traffic within a service providers network and then selectively removing the DDoS traffic before it reaches the edge/customer networks.
Murphy et al. (US-PGPUB No. 20140373146-A1)- disclosed a load balancer that is able to detect and mitigate a Denial of Service (DoS/DDoS) attack. The load balancer is placed directly in the flow path of network data packets that are structured so as to be directed to one or more of the tenant addresses.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491

/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491