Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 01/22/2026 has been entered.
This Office Action is in response to the communication and claim amendment filed on 01/22/2026; claim 1 have been amended; claim 1 is independent claims. Claims 1-10 have been examined and are pending. This Action is made Non-FINAL.
In attempt to accelerate the process of prosecution, on March 3rd, 2026 and February 25, 2026, the Examiner has contacted the applicant’s representative (Mr. Michael Saji, Reg. No.: 66,291) by telephone to discuss possible amendments to overcome the outstanding rejection and advance prosecution. However, due to the time constrain, the Examiner and the Applicants could not come up with an agreement.
Response to Arguments
Applicants’ arguments to the rejections of claims 1-10 under 35 U.S.C. § 101 have been fully considered but they are not persuasive.
Applicants argue: The Office Action appears to erroneously conclude that, since certain limitations of the claim ("calculating...decreasing / increasing...[denoting]..,. denot[ing] ") appear to constitute abstract ideas, the claim as a whole is directed toward an abstract idea. However, this analysis fails to consider the claim as a whole, and does not explain bow, e.g., "retrieving at an IPsec endpoint gateway,..." and "storing, at an IPsec endpoint gateway...," could be interpreted as abstract ideas (Applicant Remarks/Arguments, page 4).
The Examiner Respectfully disagrees with the Applicants as follows:
The claim has been considered as a whole. The Examiner notes that limitations "retrieving..." and "storing..." were not characterized as abstract ideas in the rejection; rather, these limitations were analyzed as additional operations/elements in a form of insignificant extra-solution activities. As addressed in the office action, the claims recite the steps of “calculating [] a score for each defined packet;” “decreasing [] a score value;” “increasing [] a score value;” “denot[ing] an increased probability of having a DoS attack;” and “denot[ing] a lower probability of DoS attack;” Said steps are directed to mental processes as the aforementioned steps could be performed in the human mind or using pencil and paper. Therefore, the claim is directed to an abstract idea. Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the limitations “retrieving, at an IPsec endpoint gateway, a first and second Security Association and Key Management Protocol (ISAKMP) packet;” and “storing, at the IPsec endpoint gateway, a unique key ….” However, said operations are not sufficient to consider that the abstract idea is being interpreted into a practical application. Said operations are recited at a high level of generality in gathering and storing information, which are a form of insignificant extra-solution activities. There is no other additional limitations indicating that the calculation result is being used to protect the system or to improve the technical field. As the claim does not recite any other limitations that could be considered that the claim “purport(s) to improve the functioning of the computer itself” or “any other technology or technical field,” the abstract idea is not being integrated into a practical application.
Applicants argue: The Office Action relies on the statement, provided without support, that an IPsec endpoint gateway is a generic computer. In so doing, the Office Action fails to give interpretive weight to the terms "IPsec," "endpoint," and "gateway," each of which provides specific structural information regarding the computing device. "The broadest reasonable interpretation does not mean the broadest possible interpretation. Rather, the meaning given to a claim term must be consistent with the ordinary and customary meaning of the term..." MPEP 2111. It appears that the three terms above have been interpreted as having no meaning whatsoever, which is not consistent with the broadest reasonable interpretation standard (Applicant Remarks/Arguments, page 4).
The Examiner Respectfully disagrees with the Applicants as follows:
The rejection does not disregard the structural meaning of the terms “IPsec,” “endpoint,” or “gateway.” Rather, even when given their ordinary and customary meaning, these terms describe known networking components operating in their conventional capacity. Under BRI consistent with the ordinary and customary meaning per MPEP § 2111:
"IPsec" identifies the protocol being processed — Internet Protocol Security, a well-known, industry-standard protocol. This is a field-of-use designation that identifies what protocol the device handles, not a structural modification to the device itself. "Endpoint" identifies where the device sits in the network — at the termination point of a communication path. This is a location descriptor, not a structural feature. "Gateway" identifies the function of the device — a network entry/exit point that passes traffic between network segments. Under BRI, a gateway is any computing device configured to route traffic at a network boundary. Each term has been given its ordinary and customary meaning.
Collectively, "IPsec endpoint gateway" describes a general-purpose computing device, located at a network boundary, that processes IPsec protocol traffic. The Examiner notes that the publication specification describes this functionality as implemented using open-source software (StrongSwan, par. [0016]) running on generic computing hardware with standard processors, memory, and network interfaces (pars. [0063]-[0065]). The publication specification describes an "IPsec tunnel endpoint (open ports 500/4500)" (pars. [0003], [0021]) and an "IPsec subsystem" (par. [0016]) — generic components in standard IPsec deployments. Stacking descriptive terms in front of a generic computing device narrows the field of use but does not transform the device into a specialized machine with a particular structure. The claim does not recite any specific structural modification, improvement, or unconventional configuration of the gateway. Accordingly, the "IPsec endpoint gateway" remains a generic computer performing generic computer functions. See Alice Corp. v. CLS Bank Int'l, 573 U.S. 208 (2014); MPEP § 2106.05(b); MPEP § 2106.05(h). In addition, the claim does not recite any specific modification or improvement to IPsec protocol operation, gateway architecture, or packet processing functionality. Merely limiting the abstract idea to implementation within an IPsec endpoint gateway does not transform the claim into patent-eligible subject matter, as the gateway is used as a tool to perform the recited mathematical analysis.
Applicants argue:
(1) the limitation "retrieving, at an IPsec endpoint gateway, a first and a second Internet Security Association and Key Management Protocol (ISAKMP) packet, where the first ISAKMP packet and the second ISAKMP packet are received in immediate succession from a shared origin," is not a mere instruction to apply a generic computer function, as it relies on a specific packet, an ISAKMP packet, and as it also requires that the ISAKMP is physically received by a gateway in an IPsec-compliant network. Telecommunications networks are necessarily physical (Applicant Remarks/Arguments, page 4).
(2) Further, the limitation "storing, at an IPsec endpoint gateway, a unique key out of a tuple wherein a value against the unique key is a time difference between the first and the second successive incoming packets," relies on a specific time difference, which is a meaningful limitation imposed by the physical world, not one that could be simulated by mere mental processes (Applicant Remarks/Arguments, page 4).
The Examiner Respectfully disagrees with the Applicants as follows:
(1) The Examiner does not dispute that ISAKMP packets are physically received in a telecommunications network. However, the fact that data originates from a physical source does not remove the abstract nature of the mathematical analysis performed on that data. ISAKMP is a well-known, industry-standard protocol defined by RFC 2408 — as the publication specification itself acknowledges (par. [0025]). ISAKMP packets are the standard, conventional traffic processed at any IPsec-capable device. Receiving them is the routine, expected function of that device. Specifying the type of data being gathered narrows the field of use but does not add significantly more to the abstract idea. See “Electric Power Group, LLC v. Alstom S.A.”, 830 F.3d 1350, 1353 (Fed. Cir. 2016); MPEP § 2106.05(h). The claim does not recite any improvement to the ISAKMP protocol, the physical transmission of packets, or the operation of the gateway hardware. The ISAKMP packets serve as data inputs to the abstract mathematical scoring algorithm.
(2) The act of calculating a time difference between two events is basic arithmetic — subtraction of one timestamp from another. A human security analyst reviewing a printed log of packet arrival times can perform this subtraction with paper and pencil. The fact that the underlying data originates from a physical event does not transform the mathematical operation performed on that data into a non-abstract step. All data ultimately originates from the physical world — stock prices come from real markets, temperatures come from real sensors — yet mathematical operations on such data remain abstract. See Parker v. Flook, 437 U.S. 584 (1978). The claim does not recite any improvement to the measurement of packet timing, nor any unconventional method of capturing timestamps. The time difference is computed using conventional arithmetic and stored using conventional data storage. Accordingly, this limitation does not integrate the abstract idea into a practical application.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1-10 are rejected under 35 USC 101 as being directed to an abstract idea without being integrated into a practical application or being significantly more.
Regarding claim 1, the claim is direct to an abstract idea as reciting the limitations “calculating [] a score for each defined packet;” “decreasing [] a score value;” “increasing [] a score value;” “denot[ing] an increased probability of having a DoS attack;” and “denot[ing] a lower probability of DoS attack;” Broadly interpreted, these steps recite mathematical analysis and evaluation of packet timing data, including scoring calculations and probability determinations, which constitute mental process/done by human/ and or mathematical concepts. Therefore, the claims recite an abstract idea.
Said abstract idea and/or judicial exception is not integrated into a practical application as the claim does not recite any other active steps that could be considered that the abstract idea is being integrated into a practical application. It’s noted that the claim recites the steps of “retrieving a first and a second Internet Security Association and Key Management Protocol (ISAKMP) packet;” “storing a unique key out of a tuple.” calculating, increasing, and decreasing at “an IPsec endpoint gateway”, selecting packets, and transmitting packets to a DoS detection service, these additional elements (i.e. insignificant extra-solution activity to the judicial exception) merely describe routine data retrieval, storage, selection, and transmission operations performed by generic networking components, these additional elements merely describe routine data retrieval, storage, selection, and transmission operations performed by generic networking components. The IPsec endpoint gateway is a generic computer performing generic computer functions such that it amounts no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claims do not improve the functioning of the IPsec gateway or any other computer components and do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements when considered both individually and as an ordered combination do not amount to significantly more than the abstract idea. As mentioned above, although the claims recite additional elements, said elements taken individually or as a combination, do not result in the claim amounting to significantly more than the abstract idea because as the additional elements perform generic computer content distributing functions routinely used in information technology field. As discussed above, the additional elements recited at a high-level of generality such that they amount no more than mere instructions to apply the exception using a generic computer component. Therefore, the claim is directed to non-statutory subject matter.
Regarding claims 2-10; claims 2-10 are also rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter for the same reasons addressed above as the claims recite an abstract idea and the claims do not positively recite any other operations that could be considered as the abstract idea is being integrated into a practical application or significantly more. It’s noted that claims 4-6 recites the limitations “calculating the score using a deep neural network.” Said additional elements are recited at a high-level of generality (i.e., as a generic computing device performing a generic computer functions) such that it amounts no more than mere instructions to apply the exception or abstract idea using a generic computer component. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention
Regarding claim 1, claim 1 recites limitation “calculating, at a DoS detection service in the IPsec endpoint gateway, a score for each defined packet;” in lines 9-10 (emphasis added). This limitation is indefinite because the term “defined packet” lacks antecedent basis and is not defined anywhere in the claim. The claim introduces “a first and a second Internet Security Association and Key Management Protocol (ISAKMP) packet,” “a plurality of packets from a network interface card,” and “at least one packet of the plurality of packets,” but never introduces or establishes a “defined packet”: or a group of “defined packets.” The modifier “defined” is unclear — the claim does not specify what criteria make a packet “defined” or distinguish a “defined packet” from the other packets recited in the claim. Accordingly, a person of ordinary skill in the art cannot determine the metes and bounds of this limitation because it is unclear which packets the score calculation applies to. See MPEP § 2173.05(a).
Regarding claims 2-10, claims 2-10 are dependent 1, and therefore inherit the 35 U.S.C 112(b) issues of the independent claim.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE whose telephone number is (571)270-1380. The examiner can normally be reached on Monday to Friday 6:00AM to 3:30PM other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at telephone number 571-270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/Canh Le/
Examiner, Art Unit 2439
March 3rd, 2026
/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439