DETAILED ACTION
This application has been examined. Claims 1-3,5-20 are pending. Claim 4 is cancelled.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Making Final
Applicant's arguments filed 11/4/2025 have been fully considered but they are not persuasive.
The Examiner is maintaining the rejection(s) using the same grounds for rejection and thus making this action FINAL.
Response to Arguments
Applicant's arguments filed 11/4/2025 have been fully considered but they are not persuasive.
The Applicant presents the following argument(s) [in italics]:
… the cited portion of Clemm discloses only that an attempted transmission rate is determined and that a determination is made if the attempted transmission rate exceeds a maximum transmission rate. Conversely, the present claims recite monitoring computing resource usage at the target device. In other words, the present claims determine if too many computing resources at the device itself are being used…
The Examiner respectfully disagrees with the Applicant.
The Examiner notes that network transmission/reception of traffic is equivalent to a consumption of computing resources because said network transmission/reception of traffic is consuming available bandwidth/network resources that is allocated to the device.
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., wherein the computing resource usage is regarding device CPU utilization or storage memory utilization levels at the target device ) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
The Applicant presents the following argument(s) [in italics]:
… Nishijima as a whole, is completely silent as to resource usage of a device, let alone the monitoring of such usage, and further detecting an overload condition based on that monitored usage…
The Examiner respectfully disagrees with the Applicant.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Nishijima-Clemm-Peri disclosed (re. Claim 1) wherein a network monitoring device of the network is configured to monitor computing resource usage at the target device (Nishijima-Paragraph 47, When detecting the attack traffic, the detection device 3 transmits, to a network management server, information (hereinafter referred to as “attack information”) of an address and a port indicating a destination and a transmission source of the attack traffic, and a protocol type of the attack traffic) and is configured to detect the overload condition at the target device ( Clemm-Paragraph 22,determining an attempted transmission rate by the source endpoint to the destination endpoint; and determining that the attempted transmission rate exceeds the maximum transmission rate.) based on the monitored computing resource usage and to generate the traffic suppression request based on detecting the overload condition (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
Priority
This application claims benefits of priority from Provisional Application 63/294370 filed December 28,2021.
The effective date of the claims described in this application is December 28,2021.
Information Disclosure Statement
The Applicant is respectfully reminded that each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in 37 CFR 1.56.
There were no information disclosure statements filed with this application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-3,5-14,16-17,19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nishijima (US PGPUB 20210067490) further in view of Clemm (USPGPUB 20190007326) further in view of Peri (USPGPUB 20230300075)
Regarding Claim 1
Nishijima Paragraph 44 disclosed wherein attack source devices 7a and 7d such as servers that attack the attack target server 4 are connected to the external networks NWa and NWd, as an example. The attack target server 4 is an example of an attack target device that receives an attack.
Nishijima Paragraph 60 disclosed wherein the NW management server 1 can suppress an increase in a load of forward processing of other traffic due to the defense settings.
Nishijima Paragraph 101 wherein the edge router 5 prevents the traffic from being unable to reach the attack target server 4 due to the route settings.
Nishijima disclosed (re. Claim 1) a method for suppressing network traffic, the method comprising: detecting an abnormal traffic condition at a target device in a network; (Nishijima-Paragraph 47, When detecting the attack traffic, the detection device 3 transmits, to a network management server, information (hereinafter referred to as “attack information”) of an address and a port indicating a destination and a transmission source of the attack traffic, and a protocol type of the attack traffic)
determining a source address of high traffic associated with the abnormal traffic condition at the target device; (Nishijima-Paragraph 47, When detecting the attack traffic, the detection device 3 transmits, to a network management server, information (hereinafter referred to as “attack information”) of an address and a port indicating a destination and a transmission source of the attack traffic, and a protocol type of the attack traffic, Paragraph 48, the processing content “block” means discarding the attack traffic having matched transmission source address and destination address.)
generating a traffic suppression request comprising a source-destination tuple comprising a source identifier corresponding to the source address and a destination identifier corresponding to an address of the target device; (Nishijima-Paragraph 47, When receiving the attack detection notification from the detection device 3, the NW management server 1x performs, for the firewall 2, defense settings against the attack traffic on the basis of the attack information, Paragraph 49, an inflow of the attack traffic to the attack target server 4 is suppressed, and a load on the attack target server 4 is reduced, Paragraph 48, the processing content “block” means discarding the attack traffic having matched transmission source address and destination address)
sending the traffic suppression request to a router; (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
configuring the router with a filter based on the source-destination tuple of the traffic suppression request; (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.) and
filtering traffic between the source address and the target device based on the configured filter.(Nishijima-Paragraph 52, edge router 5 and the intermediate router 6 can discard the attack traffic by registering address information of the attack traffic in an ACL on the basis of the attack information, Paragraph 48, the processing content “block” means discarding the attack traffic having matched transmission source address and destination address)
While Nishijima substantially disclosed the claimed invention Nishijima does not disclose (re. Claim 1) detecting, by a target device, an abnormal traffic condition at a target device in a network.
While Nishijima substantially disclosed the claimed invention Nishijima does not disclose (re. Claim 1) detecting an overload condition at a target device in a network.
Clemm Paragraph 104 disclosed using category flow records to detect excess network usage. Clemm Paragraph 22 disclosed determining, based on the source category and the destination category, a maximum transmission rate for the source endpoint to the destination endpoint; determining an attempted transmission rate by the source endpoint to the destination endpoint; and determining that the attempted transmission rate exceeds the maximum transmission rate.
Clemm disclosed (re. Claim 1) detecting an overload condition at a target device in a network.( Clemm-Paragraph 22,determining an attempted transmission rate by the source endpoint to the destination endpoint; and determining that the attempted transmission rate exceeds the maximum transmission rate.)
Nishijima and Clemm are analogous art because they present concepts and practices regarding traffic suppression. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Clemm into Nishijima. The motivation for the said combination would have been implement a policy module 470 may access a policy (e.g., a row in the policy table 550) that indicates, based on the source category and the destination category, that the source endpoint is not permitted to communicate with the destination endpoint.
Nishijima Paragraph 89 disclosed wherein the attack detection unit 101 may directly detect the attack traffic from the traffic transmitted from the network 9 to the attack target server 4 by including a function similar to the detection device 3.
The Examiner notes wherein Nishijima disclosed wherein the functionality of the attack detection device is transferrable to other devices in the network.
While Nishijima-Clemm substantially disclosed the claimed invention Nishijima-Clemm does not disclose (re. Claim 1) detecting, by a target device, an abnormal traffic condition at a target device in a network.
Peri Paragraph 108-109 disclosed wherein IPU 600 can provide security features including: passive or active enforcement of security policies and services such as access control lists, rate limiting, intrusion detection, distributed denial of service attacks.
Peri Paragraph 188 disclosed wherein the NIC circuitry 104A-B analyzes the sub window for evidence of an attack or an unexpected pattern of packet losses.
Peri disclosed (re. Claim 1) detecting, by a target device, an abnormal traffic condition at a target device in a network.(Peri- Paragraph 188,the NIC circuitry 104A-B analyzes the sub window for evidence of an attack or an unexpected pattern of packet losses.)
Nishijima,Clemm and Peri are analogous art because they present concepts and practices regarding traffic suppression. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Peri into Nishijima-Clemm. The motivation for the said combination would have been implement a NIC 140A-B that can divide, partition, and/or otherwise split a data flow into multiple sub flows so that the NIC circuitry 104A-B can schedule and distribute the multiple sub flows atomically and further implement a determination circuitry 220 can allow for more than one sub flow to be affined to a given core to prevent throttling of multi-flow performance with enqueue time packet distributors or quanta-based packet distributors. (Peri-Paragraph 43,Paragraph 69,Paragraph 99, Paragraph 128)
Nishijima-Clemm-Peri disclosed (re. Claim 1) wherein a network monitoring device of the network is configured to monitor computing resource usage at the target device (Nishijima-Paragraph 47, When detecting the attack traffic, the detection device 3 transmits, to a network management server, information (hereinafter referred to as “attack information”) of an address and a port indicating a destination and a transmission source of the attack traffic, and a protocol type of the attack traffic) and is configured to detect the overload condition at the target device ( Clemm-Paragraph 22,determining an attempted transmission rate by the source endpoint to the destination endpoint; and determining that the attempted transmission rate exceeds the maximum transmission rate.) based on the monitored computing resource usage and to generate the traffic suppression request based on detecting the overload condition (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
Regarding Claim 16
Claim 16 (re. traffic suppression request routing system) recites substantially similar limitations as Claim 1. Claim 16 is rejected on the same basis as Claim 1.
Regarding Claim 19
Claim 19 (re. device) recites substantially similar limitations as Claim 1. Claim 19 is rejected on the same basis as Claim 1.
Furthermore Nishijima-Clemm-Peri disclosed (re. Claim 19) least one NIC processor; (Peri- Paragraph 188,the NIC circuitry 104A-B analyzes the sub window for evidence of an attack or an unexpected pattern of packet losses.)
Furthermore Nishijima-Clemm-Peri disclosed (re. Claim 19) detecting an overload condition at the at least one main processor; (Nishijima-Paragraph 82,Figure 5, NW management server 1 includes a central processing unit (CPU) 10)
Regarding Claim 2
Nishijima-Clemm-Peri disclosed (re. Claim 2) wherein the target device (Peri- Paragraph 188,the NIC circuitry 104A-B analyzes the sub window for evidence of an attack or an unexpected pattern of packet losses.) is configured to generate the traffic suppression request. (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
Regarding Claim 3
Nishijima-Clemm-Peri disclosed (re. Claim 3) wherein a smart network interface card (Peri- Paragraph 188,the NIC circuitry 104A-B analyzes the sub window for evidence of an attack or an unexpected pattern of packet losses.) of the target device is configured to generate the traffic suppression request. (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
Regarding Claim 5
Nishijima-Clemm-Peri disclosed (re. Claim 5) wherein a software agent running on a device in the network (Peri-Paragraph 119, Global Hierarchical Software-defined Control Plane management operations can be offloaded to the IPU 600) is configured to generate the traffic suppression request, and wherein the software agent is configured to receive network traffic information regarding network traffic flow within the network. (Nishijima-Paragraph 56, When receiving the detection notification of the attack traffic from the detection device 3, the NW management server 1y performs defense settings against the attack traffic for each of the edge routers 5.)
Regarding Claim 6
Nishijima-Clemm-Peri disclosed (re. Claim 6) wherein the software agent selects the router based on a path of the high traffic through the network.(Nishijima-Paragraph 95, the NW information is a load (%) of the traffic forward processing of each edge router 5 and each intermediate router 6, and is used by the router selection unit 104 to select the defense router the merging router.)
Regarding Claim 7
Nishijima-Clemm-Peri disclosed (re. Claim 7) wherein the software agent selects the router at an ingress point of the high traffic into the network. (Nishijima-Paragraph 95, the NW information is a load (%) of the traffic forward processing of each edge router 5 and each intermediate router 6, and is used by the router selection unit 104 to select the defense router the merging router.)
Regarding Claim 8
Nishijima-Clemm-Peri disclosed (re. Claim 8) wherein the software agent selects the router at an ingress point from the source address (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5) into a peering network connected to the network.(Nishijima-Paragraph 44, edge routers (#1) 5 to (#4) 5 are connected to the external networks NWa to NWd)
Regarding Claim 9
Nishijima-Clemm-Peri disclosed (re. Claim 9) wherein the software agent selects all routers in the network on a path taken by the high traffic from the source address to the target device.(Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5)
Regarding Claim 10
Nishijima-Clemm-Peri disclosed (re. Claim 10) wherein the software agent runs on a software defined networking router of the network. (Peri-Paragraph 119, Global Hierarchical Software-defined Control Plane management operations can be offloaded to the IPU 600)
Regarding Claim 11
Nishijima Paragraph 89 disclosed wherein the attack detection unit 101 may directly detect the attack traffic from the traffic transmitted from the network 9 to the attack target server 4 by including a function similar to the detection device 3.
The Examiner notes wherein Nishijima disclosed wherein the functionality of the attack detection device is transferrable to other devices in the network.
Nishijima-Clemm-Peri disclosed (re. Claim 11) wherein the software agent runs in a hypervisor, a container manager, or a host operating system of the target device. (Peri-Paragraph 119, Global Hierarchical Software-defined Control Plane management operations can be offloaded to the IPU 600,Paragraph 199, interface circuitry 1420 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem, a residential gateway, a wireless access point, and/or a network interface to facilitate exchange of data with external machines)
Regarding Claim 12
Nishijima-Clemm-Peri disclosed (re. Claim 12) wherein the software agent participates in a route reflector network of the network and wherein the network traffic information includes route information from the route reflector network.(Peri-Paragraph 176, the NIC circuitry 104A-B determines a packet flow distribution configuration )
Regarding Claim 13
Nishijima-Clemm-Peri disclosed (re. Claim 13) wherein the router is a gateway connected to the target device. (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5, Paragraph 196, interface circuitry 1420 of the illustrated example also includes a communication device such as a transmitter, a receiver, a transceiver, a modem, a residential gateway, a wireless access point, and/or a network interface to facilitate exchange of data with external machines)
Regarding Claim 14
Nishijima-Clemm-Peri disclosed (re. Claim 14) wherein the traffic suppression request is broadcast to all routers in the network. (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5)
Regarding Claim 17
Nishijima-Clemm-Peri disclosed (re. Claim 17) wherein identifying one or more routers along one or more paths within the network comprises identifying an ingress router of the network for the traffic, (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5) and wherein sending the traffic suppression request comprises sending the traffic suppression request to the ingress router. (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5)
Claim(s) 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nishijima (US PGPUB 20210067490) further in view of Clemm (USPGPUB 20190007326) further in view of Peri (USPGPUB 20230300075) further in view of Chychi (US Patent 11968226)
Regarding Claim 15
While Nishijima-Clemm-Peri substantially disclosed the claimed invention Nishijima-Clemm-Peri does not disclose (re. Claim 15) wherein the traffic suppression request further comprises an expiration time, and wherein the router is configured to automatically remove the filter when the expiration time has elapsed.
Chychi Column 5 Lines 40-50 disclosed where a black hole can refer to, for example, a change in network routing at a location such that the identified traffic is routed to nowhere, or an invalid address, such that the traffic is effectively discarded or otherwise not routed to its intended destination.
Chychi disclosed (re. Claim 15) wherein the traffic suppression request further comprises an expiration time, and wherein the router is configured to automatically remove the filter when the expiration time has elapsed.(Chychi-Column 13 Lines 1-10, the black holes might have an expiration time or period, and upon expiration a decision might be made to reinstate the black hole or create a different black hole if the attack is still ongoing)
Nishijima,Clemm and Chychi are analogous art because they present concepts and practices regarding traffic suppression. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Chychi into Nishijima-Clemm. The motivation for the said combination would have been enable the network manager 304 to adjust to a different network along the path if the targeted network does not acknowledge or otherwise is unable or unwilling to perform the requested or desired mediation. (Chychi-Column 9 Lines 5-10)
Claim(s) 18,20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nishijima (US PGPUB 20210067490) further in view of Clemm (USPGPUB 20190007326) further in view of Peri (USPGPUB 20230300075) further in view of Guo (USPGPUB 20210306373)
Regarding Claim 18
Nishijima-Clemm-Peri disclosed (re. Claim 18) wherein the ingress router is identified as a gateway into the network from the second network. (Nishijima-Paragraph 54, the NW management server 1x performs attack traffic restriction settings for all the edge routers 5, Paragraph 196, interface circuitry 1420 includes a residential gateway, a wireless access point, and/or a network interface to facilitate exchange of data with external machines)
While Nishijima-Clemm-Peri substantially disclosed the claimed invention Nishijima-Clemm-Peri does not disclose (re. Claim 18) wherein the source identifier identifies a range of source addresses associated with a second network.
Guo figure 7,Paragraph 31,Paragraph 34 disclosed performing a longest prefix match on the domain name and the path string.
Guo disclosed (re. Claim 18) wherein the source identifier identifies a range of source addresses associated with a second network.(Guo-Paragraph 34, longest prefix match can be performed by a pattern matching hardware module of the hardware acceleration sub-system. The pattern matching hardware module can be used to perform intrusion detection processing on network traffic received by network security device 104.)
Nishijima,Clemm and Guo are analogous art because they present concepts and practices regarding traffic suppression. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Guo into Nishijima-Clemm. The motivation for the said combination would have been enable a variety of different rate counters to be created by an administrator of a network security device (e.g., network security device 104) as appropriate for detecting and mitigating DoS attacks directed at the particular domains hosted by one or more servers protected by the network security device.(Guo-Paragraph 63)
Regarding Claim 20
While Nishijima-Clemm-Peri substantially disclosed the claimed invention Nishijima-Clemm-Peri does not disclose (re. Claim 20) wherein the smart NIC is operable to perform the method while the at least one main processor is in the overload condition.
Guo Paragraph 41 disclosed wherein the processing resource that initially receives network traffic on behalf of the network security device 104 may be an embedded processor within the NIC and wherein said detecting and mitigating a DOS attack can be performed on behalf of a host within the data center without using a central processing unit (CPU) of the network security device.
Gou disclosed (re. Claim 20) wherein the smart NIC is operable to perform the method while the at least one main processor is in the overload condition.( Guo-Paragraph 41,the processing resource that initially receives network traffic on behalf of the network security device 104 may be an embedded processor within the NIC and wherein said detecting and mitigating a DOS attack can be performed on behalf of a host within the data center without using a central processing unit (CPU) of the network security device.)
Nishijima,Clemm and Guo are analogous art because they present concepts and practices regarding traffic suppression. Before the time of the effective filing date of the claimed invention it would have been obvious to combine Guo into Nishijima-Clemm. The motivation for the said combination would have been enable a variety of different rate counters to be created by an administrator of a network security device (e.g., network security device 104) as appropriate for detecting and mitigating DoS attacks directed at the particular domains hosted by one or more servers protected by the network security device.(Guo-Paragraph 63)
Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREG C BENGZON whose telephone number is (571)272-3944. The examiner can normally be reached on Monday - Friday 8 AM - 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached on (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREG C BENGZON/ Primary Examiner, Art Unit 2444