DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 03/02/2026 has been entered.
Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive. The applicant argues that neither Huston et al. (US 20170070531), hereon referred to as Huston, nor Chang et al. (US 2012/0272289), hereon referred to as Chang, alone or in combination discloses all of the limitations of the independent claim(s). The applicant argues that what is taught in Huston is functionally different from the claimed invention. The applicant argues that Huston is a “blacklist” approach that relies on known attack signatures developed during an attack, whereas the claims use a “whitelist” approach that learns legitimacy characteristics during peacetime and uses cluster-based legitimacy scoring to determine whether a packet is legitimate. The applicant also argues that Huston does not teach selecting a cluster defining legitimacy characteristics, does not develop a legitimacy score, and that the signature matching of Huston does not teach or suggest selecting a cluster that best fits. Furthermore, the applicant argues that Chang does not disclose any type of clustering, does not mention “cluster” or “legitimacy”, and therefore cannot teach a legitimacy score based on any cluster, or learning cluster-based legitimacy characteristics during peacetime.
However, the Examiner respectfully disagrees. Both Huston and Chang functionally teach the technological elements of the claim(s), as currently presented. Firstly, the applicant’s arguments rely on distinctions that are not present in the claim language currently presented. The claim(s) as currently presented do not mention “whitelist”, “blacklist”, or “opposite principles”, nor do they require that the system have no knowledge of prior attacks. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Huston discloses receiving packets during an attack period and analyzing them through an attack mitigation device. It then differentiates between legitimate traffic and DDoS attack traffic using “behavioral based analysis, TCP cookie mechanisms, rate limit engines” and makes a determination based on network and bandwidth statistics, including an average number of active connections and packets received per second (Huston; Paragraphs 0025-0030). This teaches that Huston, technologically and functionally, classifies incoming packets into the categories of legitimate and attack traffic: the system matches incoming packet characteristics against defined categories with known behavioral attributes. Huston also teaches quantitative statistical measures (average connections, packets per second, bandwidth threshold) that address the “legitimacy score” (Huston; Paragraphs 0025-0031), since they are numerical determinations of legitimate packets. The claim does not explicitly require the score to be a specific value computed from a specific equation; any quantitative statistical measure technologically reads on this element. Similarly, when the analysis determines abnormal behavior, the traffic is not legitimate and mitigation is conducted, such as null-routing, logically separating, or dropping the attack traffic (Huston; Paragraphs 0025-0033). Lastly, since Huston discloses the ability to identify abnormal traffic behavior, this inherently requires a baseline of normal behavior, established during non-attack operations (peacetime).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-4, 6-9, 12-18, 20-23, & 26-30 are rejected under 35 U.S.C. 103 as being unpatentable over Huston et al. (US 20170070531), hereon referred to as Huston, in view of Chang et al. (US 2012/0272289), hereon referred to as Chang.
In regards to claims 1, 15 & 29, Huston discloses receiving a packet during the attack time period (The embodiments include protection against DDoS attacks; Encrypted traffic is received and analyzed during an attack; Paragraphs 0007; 0030-0040; Figs. 1-2); selecting a cluster defining legitimacy characteristics from at least one cluster of packets that best fits the received packet, wherein legitimacy characteristics of a cluster are learned during a peacetime period (The traffic is analyzed to detect one or more attacks, and in response attack signatures are generated based on the determined identifying characteristics of the attack packets, and the attack signature based on the characteristics of the attack is sent for DDoS mitigation; Paragraphs 0007; 0030-0040; Figs. 1-2); and applying a mitigation action on the received packet upon determination that the packet is not legitimate (The attack mitigation device is configured to process traffic received from the cloud-based DDoS service for the purpose of mitigating DoS and DDoS attacks; the attack mitigation device is configured to decrypt and inspect data traffic received from the cloud-based DDoS service and to drop traffic belonging to an attack; the attack mitigation device is configured to detect DoS/DDoS attacks by determining if incoming traffic from the cloud-based DDoS service is suspected of including threats by monitoring traffic addressed to the destination device; the attack mitigation device can be configured to detect DoS/DDoS attacks based on (but not limited to) network and bandwidth statistics, such as an average number of active connections, an average number of packets received per second, and other DoS/DDoS attack detection techniques; Paragraphs 0020-0030).
However, Huston does not disclose determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; and determining based on the legitimacy score if the received packet is not legitimate. In an analogous art, Chang discloses determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; and determining based on the legitimacy score if the received packet is not legitimate (The primary server can update rules, add rules and parameters (scores, weights and thresholds) associated with logic rules in each access node and in the primary server; As part of analyzing the security threats, probing/testing data packets are sent to validate observed traffic information or to obtain network information (transmission latency may be collected by transmitting a separate ping test packet); Paragraphs 0265-0280).
At the time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings disclosed by Huston with the teachings disclosed by Chang regarding determining a legitimacy score for the received packet based on the legitimacy characteristics of the selected cluster; and determining based on the legitimacy score if the received packet is not legitimate (The primary server can update rules, add rules and parameters). The suggestion/motivation for the combination would have been to provide additional security in providing services and access (Chang; Paragraph 0006).
In regards to claims 2 & 16, Huston discloses wherein the mitigation action is any of: blocking the received packet, diverting the received packet to a scrubbing center to results with clean traffic, and generating an alert on a potential attack (DDoS mitigation service is preferably configured and operable to identify and block malicious incoming traffic based on the received attack-related information without needing to decrypt the incoming encrypted traffic; the attack mitigation device is then configured to send a cloud signaling message to a cloud-based DDoS mitigation service. The cloud signaling messages are able to carry information needed to identify malicious traffic. The operation of the cloud signaling message and attack mitigation device; Paragraphs 0021-0031).
In regards to claims 3 & 17, Huston discloses wherein the selected cluster is any one of: a first seen source internet protocol (IP) packet, a second seen source IP packet, a short transport layer protocol and a long transport layer connection (Provides an ability to improve the scale and performance of the DDoS mitigation solution by offloading the processing of large volumes of the attack traffic to the cloud-based mitigation service where the malicious traffic can be blocked more efficiently based on the layer 3 and 4 information identifying attack packets; Paragraphs 0030-0035).
In regards to claims 4 & 18, Huston discloses wherein determining based on the legitimacy score if the received packet is not legitimate, further comprises: comparing the legitimacy score to a legitimacy threshold; and determining the received packet to be not legitimate if the legitimacy score exceeds the legitimacy threshold (Configuring includes enabling a threshold for automatic signaling, and setting a threshold limit such as 5 Megabits per second (Mbps); Paragraphs 0030-0035).
5. The method of claim 4, further comprising: checking when the mitigated traffic is at a baseline level determined prior to commencement of the attack; and adjusting the legitimacy threshold value in a direction that attempts to cause the clean traffic to reach the baseline level.
In regards to claims 6 & 20, Chang discloses wherein learning legitimacy characteristics of a cluster during the peacetime period further comprising: collecting a plurality of received packets directed to the protected entity; classifying the plurality of received packets into at least one cluster; and learning for each of the at least one cluster legitimacy characteristics (Data read from the received data packets may be stored in different memory subcomponents according to different categories within the storage device based on the analysis by the sorting software application; Data may be stored in different categories based on service type (e.g. premises security, energy management, e-commerce, etc.) or by data layer type (e.g. application, transport, network, datalink, physical, etc.); Paragraphs 0114-0120).
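The claimed method, as mapped across claims 1, 4, 5 and 6 above (peacetime learning of per-cluster legitimacy characteristics, selection of the best-fitting cluster for a received packet, a legitimacy score compared against a threshold, a mitigation action, and adjustment of the threshold toward a peacetime baseline), can be illustrated in code. The following is an added example written for this page; it is not code from the application, from Huston, or from Chang. The four cluster names are taken from claim 3; the histogram-based score, the 256-byte/16-hop bucketing, the threshold step, and all packet values are constructed assumptions, since the Office action specifies no particular score formula.

```python
"""Cluster-based legitimacy scoring for DDoS mitigation (added example, defender's view).

Assumptions (not from the application or the cited art): the score is
1 - P(feature bin | selected cluster), so an unseen bin scores 1.0 (most suspicious);
packets are bucketed by protocol, size//256 and ttl//16; threshold step is 0.05.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str   # "tcp" or "udp"
    size: int    # bytes
    ttl: int     # IP time-to-live


def feature_bin(pkt):
    """Coarse histogram bin used as the cluster's legitimacy characteristic (assumed)."""
    return (pkt.proto, pkt.size // 256, pkt.ttl // 16)


class ClusterModel:
    """Learns per-cluster histograms in peacetime and scores packets at attack time."""

    def __init__(self):
        self.seen = Counter()              # packets seen per source IP
        self.hist = defaultdict(Counter)   # cluster -> bin -> count
        self.total = Counter()             # cluster -> packets learned

    def select_cluster(self, pkt):
        """Pick the cluster that best fits the packet (cluster names from claim 3)."""
        n = self.seen[pkt.src_ip]
        self.seen[pkt.src_ip] += 1
        if n == 0:
            return "first_seen_source_ip"
        if n == 1:
            return "second_seen_source_ip"
        return "short_transport" if pkt.proto == "udp" else "long_transport_connection"

    def learn(self, packets):
        """Peacetime: collect, classify into clusters, learn each cluster's histogram."""
        for p in packets:
            c = self.select_cluster(p)
            self.hist[c][feature_bin(p)] += 1
            self.total[c] += 1

    def legitimacy_score(self, pkt):
        """Attack time: score relative to the selected cluster; higher = less legitimate."""
        c = self.select_cluster(pkt)
        if self.total[c] == 0:
            return c, 1.0          # nothing learned for this cluster: treat as suspicious
        p = self.hist[c][feature_bin(pkt)] / self.total[c]
        return c, 1.0 - p


def is_not_legitimate(score, threshold):
    """Claim 4: the packet is not legitimate if the score exceeds the threshold."""
    return score > threshold


def process_attack_traffic(model, packets, threshold):
    """Return (cluster, score, action) per packet; 'block' is the mitigation action."""
    out = []
    for p in packets:
        c, s = model.legitimacy_score(p)
        out.append((c, s, "block" if is_not_legitimate(s, threshold) else "forward"))
    return out


def adjust_threshold(threshold, clean_rate, baseline_rate, step=0.05):
    """Claim 5: move the threshold so the clean (forwarded) traffic approaches the
    peacetime baseline. Too little clean traffic -> loosen; too much -> tighten."""
    if clean_rate < baseline_rate:
        threshold = min(1.0, threshold + step)
    elif clean_rate > baseline_rate:
        threshold = max(0.0, threshold - step)
    return round(threshold, 4)


def build_peacetime_model():
    """Constructed peacetime traffic: three TCP clients and one UDP client, 3 packets each."""
    peacetime = []
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        peacetime += [Packet(ip, "tcp", 600, 60)] * 3
    peacetime += [Packet("10.0.0.4", "udp", 100, 60)] * 3
    model = ClusterModel()
    model.learn(peacetime)
    return model


if __name__ == "__main__":
    m = build_peacetime_model()
    attack = [Packet("198.51.100.7", "udp", 1400, 250),   # constructed flood packet
              Packet("203.0.113.9", "tcp", 600, 60)]       # constructed legitimate client
    for row in process_attack_traffic(m, attack, threshold=0.5):
        print(row)
    print(adjust_threshold(0.5, clean_rate=80, baseline_rate=100))
```

With the constructed peacetime traffic, the first-seen-source-IP cluster has learned four packets, three of which fall in the TCP/600-byte/TTL-60 bin, so a new TCP client in that bin scores 0.25 and is forwarded, while a large UDP packet with an unlearned TTL range scores 1.0 and is blocked. The threshold adjustment only ever moves one step per call, which keeps the control loop from oscillating on a single noisy rate sample.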
In regards to claims 7 & 21, the combination of Huston and Chang discloses wherein collecting the plurality of received packets further comprises: sampling the plurality of received packets directed to the protected entity (The elements presented in the claim(s) do not contain any additional features and do not present any inventive step or novelty not addressed/presented in the combination of Huston and Chang. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art, are well known, and are obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options, which the skilled person would implement in the combination of Huston and Chang, depending on the circumstances, without exercising any inventive activity).
In regards to claims 8 & 22, the combination of Huston and Chang discloses wherein a legitimacy characteristic characterizes behavior of a legitimate client as seen at peace time during a period of time (The elements presented in the claim(s) do not contain any additional features and do not present any inventive step or novelty not addressed/presented in the combination of Huston and Chang. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art, are well known, and are obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options, which the skilled person would implement in the combination of Huston and Chang, depending on the circumstances, without exercising any inventive activity).
In regards to claims 9 & 23, Chang discloses wherein learning legitimacy characteristics further comprises any one of: learning network attributes statistic characterization; learning communication protocol attributes statistic characterization; learning entropy of a source IP address of a received packet; and learning reputation of a source of a received packet. (Data read from the received data packets may be stored in different memory subcomponents according to different categories within the storage device based on the analysis by the sorting software application; Data may be stored in different categories based on service type (e.g., premises security, energy management, e-commerce, etc.) or by data layer type (e.g., application, transport, network, datalink, physical, etc.); Paragraphs 0114-0120).
In regards to claims 12 & 24, Chang discloses wherein a legitimacy characteristic of a seen source IP packet type cluster is any of: a packet size of the received packet, a UDP header fields components of the received packet, TCP header fields components of the received packet, entropy of a source IP address of the received packet, and a reputation of a source IP address of the received packet (Data read from the received data packets may be stored in different memory subcomponents according to different categories within the storage device based on the analysis by the sorting software application; Data may be stored in different categories based on service type (e.g. premises security, energy management, e-commerce, etc.) or by data layer type (e.g. application, transport, network, datalink, physical, etc.); Paragraphs 0114-0120).
In regards to claims 13 & 27, Chang discloses wherein a legitimacy characteristic of a connection type cluster is any of: a time to leave (TTL) of a connection, a time from previous packet received on a connection, average time between packets throughout a connection, a connection length, a connection duration, a number of changes in IP headers fields, a number of changes in UDP or TCP headers fields, a number of concurrent connections, a connection packet rate, and a connection byte rate, wherein the connection is a long transport layer connection on which the received packet is received (Data read from the received data packets may be stored in different memory subcomponents according to different categories within the storage device based on the analysis by the sorting software application; Data may be stored in different categories based on service type (e.g. premises security, energy management, e-commerce, etc.) or by data layer type (e.g. application, transport, network, datalink, physical, etc.); Paragraphs 0114-0120).
In regards to claims 14 & 28, the combination of Huston and Chang discloses wherein determining the legitimacy score further comprises: determining a cluster legitimacy score for each selected cluster based on histogram legitimacy characteristics of the selected cluster; and determining the legitimacy score as a function of the determined cluster legitimacy scores (The elements presented in the claim(s) do not contain any additional features and do not present any inventive step or novelty not addressed/presented in the combination of Huston and Chang. Examiner takes official notice that these elements are commonly known, minor design details that are derivable from the prior art, are well known, and are obvious to one of ordinary skill in the art. The additional features of these claims represent normal design options, which the skilled person would implement in the combination of Huston and Chang, depending on the circumstances, without exercising any inventive activity).
In regards to claim 30, Chang discloses wherein the legitimacy characteristics of each cluster are learned from legitimate packets during the peacetime period (Learning behavioral characteristics from normal legitimate traffic during regular operations (peacetime); Paragraphs 0118-0119; 0243; 0270-0275).
Allowable Subject Matter
Claims 5, 10-11, 19 & 24-25 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF E ULLAH whose telephone number is (571)272-5453. The examiner can normally be reached Mon-Fri 7:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached at 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHARIF E ULLAH/Primary Examiner, Art Unit 2495