DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 10/27/2025 has been entered. Claims 1, 4-7, 9-12, 15-16, 18, 20-21 are currently amended. Claims 3, 14 are cancelled. Claims 1-2, 4-13, 15-21 are pending in the application.
Response to Amendments
The objection to claim 1, 6-7, 9-12, 18, 20-21 has been withdrawn in light of applicant’s amendment to the claims. The objection to claim 17 remains. See updated Claim Objections below.
The rejection of claims 3-5, 14-16 under 35 USC 112(d) for being improper dependent form has been withdrawn in light of applicant’s cancellation of the claims 3 and 14 and amendment to claims 4-5, 15-16.
Response to Arguments
Applicant’s arguments, see pages 1-5 of the Remarks filed 10/27/2025 with respect to claim rejections under 35 USC 103 over prior arts of record have been fully considered and asserted not persuasive due to followings.
Regarding independent claims 1, 11, 12, applicant primarily argued the combination of references Doron and Kohout does not teach detecting the encrypted DDoS attacks associated with TLS fingerprints.
Applicant argued, see pages 2-3 of the Remarks,
“The Office Action cites Doron for all of the claim element except the transport layer security (TLS) fingerprints (FP) for which it cites Kohout. While it is true that Doron teaches the use of rate-based parameters and rate-invariant parameters, there is nothing in Doron to suggest the use of TLS FP in any manner let alone that the rate-based parameters and rate-invariant parameters are associated with TLS FP. In fact, given the types of rate-based parameters and rate-invariant parameters employed in Doron, e.g., as described in paragraphs 31-33, it is clear that Doron does not need, does not suggest, and does not even consider the possibility of using rate-based parameters and rate-invariant parameters that are associated with transport layer security (TLS) fingerprints (FP).
It should also be appreciated that Doron is dealing with HTTPS flood attacks, which are at the application layer, while the instant application is dealing with transport layer security (TLS) encrypted attacks. Note in this regard that paragraph 3 of the instant application acknowledges attacks at the application layer and that they are different from TLS encrypted attacks which are at the network layer. While both are DoS types of attacks, they each have their own unique characteristics that make the techniques suitable for detecting one to be unsuitable for detecting the other, e.g., as suggested in paragraph 5 of the instant application.
In view of the foregoing, it is clear that the claims are dealing with a different level of the protocol stack than Doron is dealing with and there is nothing in Doron to suggest the use of using rate-based parameters and rate-invariant parameters that are associated with transport layer security (TLS) fingerprints (FP) would be useful or even possible”.
Examiner acknowledges applicant’s perspective however respectively disagrees.
First, Doron teaches one type of encrypted DDoS attacks associated with TLS protocol, i.e., https flood attacks, as Doron states in para. [0006] “An encrypted DoS/DdoS is performed against victim resources having an encrypted connection with their clients or over an encrypted communication protocol. An example for the encrypted DoS/DdoS is an HTTPS flood attack, as it is based on HTTP communications over a TLS/SSL encryption protocol”. Doron further indicates the detection of DDoS attacks based on at least one rate-based feature and at least one rate-invariant feature based on the estimated traffic telemetries (Doron, [Abstract]).
Second, the Office Action (mailed 6/27/2025) indicates Doron teaches traffic features related to TLS, i.e., TLS traffic features, although not specifically teach “fingerprints”, as shown on page 6 by bracket of “fingerprints”. Doron’s teaching of the TLS traffic features can be interpreted as TLS fingerprints in view of Kohout’s teachings of TLS fingerprints. Therefore, applicant’s argument that “there is nothing in Doron to suggest the use of TLS FP in any manner let alone that the rate-based parameters and rate-invariant parameters are associated with TLS FP” is not convincing. Further, a review of para. [0031-0033] of Doron does not suggest “it is clear that Doron does not need, does not suggest, and does not even consider the possibility of using rate-based parameters and rate-invariant parameters that are associated with transport layer security (TLS) fingerprints (FP)”, as applicant argued.
Applicant further indicated Doron’s HTTPS flood attack are at the application layer, while the instant application is dealing with TLS encrypted attacks, and cited para. [3] or [5] of the instant application. Examiner notes, it is known in the arts that HTTPS flood is a type of distributed denial-of-service (DDoS) attack, while TLS is the cryptographic protocol that provides the security for HTTPS. Further, para. [3] or [5] does not suggest Doron’s HTTPS flood attack is not encrypted DDoS attack.
Based on above, examiner asserts applicant’s arguments that “there is nothing in Doron to suggest the use of using rate-based parameters and rate-invariant parameters that are associated with transport layer security (TLS) fingerprints (FP) would be useful or even possible” are not persuasive.
Regarding teachings of reference Kohout, applicant further argued, see pages 3-4 of the Remarks,
“Kohout is teaching the use of FP for a function completely different from and unrelated to detecting attacks as is being dealt with in Doron. Kohout has nothing therein to suggest that its FP could be used in any way to detect a DoS attack. There is also nothing to suggest that the FP of Kohout could be the basis for any rate-based or any rate-invariant parameters”, “the Office Action’s proposed combination does not have all of the elements of claim 1, and, as such, independent claim 1 is allowable over the proposed combination under 35 U.S.C. §103”.
Examiner acknowledges applicant’s perspective however respectively disagrees.
First, in claim 1, TLS fingerprints are not specifically defined. In this case, the limitation TLS fingerprints (FP) is interpreted as traffic features of encrypted traffic related to TLS protocol.
Kohout teaches TLS features (i.e., TLS FP) of traffic (Kohout, [Abstract] a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic). In relating to traffic analysis, Kohout also teaches the traffic that can be caused by malware may include network attack such as DoS attack (Kohout, [0033]). Therefore, the combination of Doron and Kohout teaches the TLS fingerprints as presented in the Office Action. And the teaching of rate-based or rate-invariant parameters does not require Kohout, since Doron is used to teach the detection of the encrypted DDoS attacks based on rate-based and rate-invariant parameters. Since the combination of Doron and Kohout are shown to teach all the elements of claim 1, the examiner asserts applicant’s argument above is not convincing.
Regarding the motivation of combining Doron with Kohout, examiner notes that Doron is shown to teach rate-based parameters and rate-invariant parameters in detecting encrypted DDoS attack based on analyzing traffic associated with TLS traffic features, and these TLS traffic features are interpreted as TLS fingerprints in view of Kohout’s teaching of TLS fingerprinting in network traffic analysis on the encrypted traffic associated with a device. In this case, Kohout is used to teach the TLS traffic features which can be interpreted as TLS fingerprints, not necessarily to teach detecting the DDoS attack of the encrypted traffic using rate-based or rate-invariant related techniques, which is believed been taught by Doron as discussed above.
The above discussion on claim 1 also apply to independent claims 11 and 12. Applicant’s further argument regarding dependent claims is moot since the argument is based on assumption that the independent claims are allowable.
Therefore, the claim rejections under 35 USC 103 over the cited prior arts of record is maintained. Applicant is suggested to further include innovative features into the independent claims to advance the case.
Claim Objections
Claims 1, 10-12, 17, 21 are objected to because of the following informalities:
Claim 1 line 6 (similarly claim 11 line 9, claim 12 line 7), “… fingerprints (FP)” may read “… fingerprints (FPs)”.
Claim 10 and 21: if applicant references fingerprints as FPs as above, then for claim 10 in line 6, claim 21 line 6, referencing fingerprints to FPs may not be needed.
Claim 17 line 4, “… based on transaction’-related traffic …” may read “… based on transaction-related traffic …”, or more appropriate form.
Appropriate correction is suggested.
Examiner Notes
Examiner cites particular paragraphs, columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4-9, 11-13, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Doron et al (US20220294814A1, hereinafter, “Doron”), in view of Kohout et al (US20210152526A1, hereinafter, “Kohout”).
Regarding claim 1, Doron teaches:
A method for detecting encrypted distributed denial of service (DDoS) attacks (Doron, discloses method and system for detecting DoS attacks using encrypted communication protocol, see [Abstract]. And [0006] An encrypted DoS/DdoS is performed against victim resources having an encrypted connection with their clients or over an encrypted communication protocol. An example for the encrypted DoS/DdoS is an HTTPS flood attack, as it is based on HTTP communications over a TLS/SSL encryption protocol) comprising:
monitoring encrypted transactions related traffic (e.g., [0072] At S310, traffic telemetries are estimated. In an embodiment, S310 includes measuring (or sampling) (i.e., monitoring) of ingress (from the client to server) traffic and/or egress traffic (from the server to the client) at predefined time intervals (e.g., 1 second). Then, for each sample, traffic features are estimated. This includes estimating, for example, the total number of HTTPS (i.e., TLS. Examiner notes, it is known in the arts that TLS is widely used for various applications, such as securing internet connections using HTTPS) requests, total volume (bytes) of HTTPS requests, total volume (bytes) of HTTPS responses, list of all requests and their sizes and the source IP generates each request, …);
deriving from the encrypted transactions rate-based parameters and rate-invariant parameters, wherein the rate-based parameters and rate-invariant parameters are associated with transport layer security (TLS) [fingerprints (FP)] (e.g., [0030] The inspected traffic is analyzed to determine abnormal activity based on rate-based and rate-invariant features (i.e., rate-based parameters and rate-invariant parameters) of the inspected traffic. And [0077] According to the disclosed embodiments, at least one baseline is continuously computed based on samples of the traffic features (i.e., TLS fingerprints in view of Kohout shown below) to determine normal activity of rate-based and rate-invariant features. Of the inspected traffic. In one embodiment, two types of baselines are computed for each traffic feature, a short-term and long-term baseline. And [0078] The traffic features that are utilized to determine the baseline and then determine abnormal activity, respective thereof. The traffic features are rate-based and rate invariant. The rate-based traffic features include: a number of HTTPS requests per second (RPS), an HTTPS response sizes, or volume measured in of bytes per second, and a volume of HTTPS requests measured in byte per second. The rate-invariant features include a distribution of HTTPS requests sizes, a distribution of HTTPS response size, an ingress/egress ratio measured as the ratio between ingress number of HTTPS requests per second and an egress HTTPS response volume measured in byte per second, and an egress/ingress ratio measured as the ratio between an egress HTTPS response volume in byte per second and an ingress number of requests per second); (See Kohout below for teaching of limitation in bracket)
comparing values of the rate-based parameters and the rate-invariant parameters respectively to at least one rate-based anomaly threshold and at least one rate-invariant anomaly threshold ([0049] Therefore, in order to detect HTTPS flood attacks, the defense system 110 is configured to compare features of inspected traffic to the legitimate traffic patterns (or their normal baseline). And [0084] a baseline threshold may be determined as follows: U(t)=Y(t)+maxDev where U(t) is an anomaly threshold, Y(t) is the baseline, and maxDev is the maximal deviation of an observed traffic feature during peace time corresponding to the required value of the false positive detections rate of the observed traffic feature. And [0085] The maxDev is continuously computed during the learning period and during peace time, as a measurement for the actual legitimate deviation from the momentary baseline of the various traffic features. The maxDev allows for anomaly detection, as it compare the legitimate deviation in traffic (due to legitimate traffic statistics behavior) to deviations caused by malicious activities. The maxDev is separately computed against the short-term and long-term baselines. Examiner further notes, comparing inspected traffic to normal baseline traffic against anomaly threshold can be interpreted as comparing values between of rate-based parameters to rate-based anomaly threshold, similarly for rate-invariant parameters);
and declaring a detected encrypted DDoS attack when both the at least one rate-based anomaly threshold and the at least one rate-invariant anomaly threshold are exceeded (Fig. 3 at 340, [0089] At S340, once the various traffic features' baselines are computed, the estimated traffic telemetries, or the momentary real time traffic features values, are compared to the baselines to determine anomaly. And [0090] Following one exemplary embodiment for detecting anomaly, the traffic features are rate-based and rate-invariant features. In an embodiment, rate-based anomaly is detected based on a total number of HTTPS requests and a total volume (bytes) of HTTPS requests and responses. And [0093] In an embodiment, the rate-invariant anomaly is detected based on abnormal distribution of the size of HTTPS requests and responses. Examiner notes, the combined teaching of [0090] and [0093] on rate-based anomaly and rate-invariant anomaly suggests when both rate-based anomaly and rate-invariant anomaly is detected, DdoS attack is detected).
While Doron teaches the main concept of the claimed invention and based on traffic analysis on TLS traffic features, but does not specifically teach the TLS traffic features being TLS fingerprints, in the same field of endeavor Kohout teaches:
TLS fingerprints (FP) (Kohout, discloses method for device detection in network telemetry with encrypted traffic with TLS fingerprinting, see [Abstract] a traffic analysis service obtains telemetry data regarding encrypted traffic associated with a particular device in the network, wherein the telemetry data comprises Transport Layer Security (TLS) features of the traffic. The service determines, based on the TLS features from the obtained telemetry data, a set of one or more TLS fingerprints for the traffic associated with the particular device. And [0054] Operationally, the techniques herein leverage the concept of a TLS fingerprint, to identify the user and/or device that initiates an encrypted TLS session in a network).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kohout in the detection and mitigation DDoS attacks of Doron by using TLS fingerprinting on telemetry data regarding encrypted traffic to associate with traffic with particular device. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect device associated with traffic with TLS fingerprinting (Kohout, [Abstract]).
Regarding claim 11, claim 11 is a computer-readable medium claim that encompasses limitations similar to those limitations of the method claim 1. Therefore, claim 11 is rejected with the same rationale and motivation as applied against claim 1. In addition, Doron teaches a non-transitory computer-readable medium storing a set of instructions for detecting encrypted distributed denial of service (DDoS) attacks, the set of instructions comprising: one or more instructions that, when executed by one or more processors of a device (Doron, discloses method and system for detecting DoS attacks using encrypted communication protocol, see [Abstract]. Fig. 1 or Fig. 2, [Claim 17] A non-transitory computer readable medium, and Fig. 4 Processing Circuitry 410).
Regarding claim 12, claim 12 is a system claim that encompasses limitations similar to those limitations of the method claim 1. Therefore, claim 12 is rejected with the same rationale and motivation as applied against claim 1. In addition, Doron teaches a system for detecting encrypted distributed denial of service (DDoS) attacks comprising: one or more processors (Doron, discloses method and system for detecting DoS attacks using encrypted communication protocol, see [Abstract]. Fig. 1 or Fig. 2, [Claim 18] A system for detecting denial-of-service (DoS) attacks, and Fig. 4 Processing Circuitry 410).
Regarding claim 2, similarly claim 13, Doron-Kohout combination teaches the method of claim 1, the system of claim 12,
Doron further teaches: further comprising: initiating a mitigation action upon detection of an encrypted DDoS attack ([Abstract] and executing a mitigation action when a potential flood DoS attack using the encrypted communication protocol is detected by an evaluation of each of the at least one rate-based feature and the at least one rate-invariant feature with respect to respective baselines to determine whether the behavior of the ingress traffic indicates a potential flood DoS attack. And [0104] At S370, causing execution of at least one mitigation action on each client device determined to be an attack tool).
Regarding claim 4, similarly claim 15, Doron-Kohout combination teaches the method of claim 1, the system of claim 12,
Doron further teaches: wherein a rate-based parameter is any one of: a FP hits rate, a total FP hits, a FP load rate, and a total FP load towards a protected entity (e.g., [0036] As will be discussed below, an attack indication may be generated based on one or a combination of the above-mentioned traffic features. In yet another embodiment, only the traffic from the devices 120, 125 to the victim server 130 is analyzed to determine a number of HTTPS requests per second (i.e., FP hits rate), and volume of HTTPS requests in bytes per second (as a rate-based feature)).
Regarding claim 5, similarly claim 16, Doron-Kohout combination teaches the method of claim 1, the system of claim 12,
Doron further teaches: wherein a rate-invariant parameter is any one of: a probability distribution function (PDF) of a FP hits and a FP load (e.g., [0036] and the distribution (average) of HTTPS requests size (as a rate-invariant feature), and also to determine … the distribution (average) of HTTPS responses size (rate-invariant feature)).
Regarding claim 6, similarly claim 17, Doron-Kohout combination teaches the method of claim 1, the system of claim 12,
Doron further teaches: further comprising: establishing normal baselines for the rate-based parameters and the rate-invariant parameters based on transactions-related traffic monitored during peacetime ([0076] At S320, it is checked if the learning period has elapsed. If so, execution continues with S340; otherwise, at S330, at least one feature baseline is computed for each traffic feature. The learning period may be set to a predefined time window or until enough data is gathered and collected. A baseline is established during peace time or data gathered at peace time).
Regarding claim 7, similarly claim 18, Doron-Kohout combination teaches the method of claim 6, the system of claim 17,
Doron further teaches: wherein establishing the normal baselines for the rate-based parameters further comprises: computing means and variance of FP hits rate and FP load rate, wherein FP hits rate and FP load rate are derived from the monitored encrypted transactions received at peacetime (Doron, [0034]-[0036]).
Regarding claim 8, similarly claim 19, Doron-Kohout combination teaches the method of claim 6, the system of claim 17,
Doron further teaches: wherein establishing the normal baselines for the rate-invariant parameters further comprises: computing a PDF of all FPs associated with encrypted transactions sent towards a protected entity ([0093] the rate-invariant anomaly is detected based on abnormal distribution of the size of HTTPS requests and responses. In an embodiment, an abnormal distribution is determined based on the probability that a request's size would fit a specific bin. Examiner notes, abnormal distribution also suggest normal distribution at peacetime, i.e., baseline).
Regarding claim 9, similarly claim 20, Doron-Kohout combination teaches the method of claim 6, the system of claim 17,
Doron further teaches: further comprising: computing the at least one rate-based anomaly threshold and the at least one rate-invariant anomaly threshold using the established normal baselines ([0084] a baseline threshold may be determined as follows: U(t)=Y(t)+ maxDev where U(t) is an anomaly threshold, Y(t) is the baseline, and maxDev is the maximal deviation of an observed traffic feature during peace time corresponding to the required value of the false positive detections rate of the observed traffic feature. Examiner notes, the above question show U(t) is related to Y(t), which suggests anomaly threshold (U(t)) can be computed from baseline Y(t)).
Allowable Subject Matter
Claims 10, 21 are objected to as being dependent upon a rejected base claim(s), but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as resolving of any outstanding informalities presented in this office action.
The following is a statement of reasons for the indication of allowable subject matter:
Claim 10 (similarly claim 21) depends on claim 1 (claim 12) further recites, “wherein comparing values of the rate-invariant parameters to the at least one rate-invariant anomaly threshold further comprises: computing a variation metric as a sum of the difference between a rate-invariant baseline and a measured rate-invariant parameter at a time window, across all fingerprints (FPs); and comparing the computed variation metric to a predefined threshold”.
The prior arts identified, Doron, Kohout, Chesla, Medvedovsky(IDS), Rajaram, either singularly or in combination fails to anticipate or render obvious the claimed limitations of claims 10, 21 shown above.
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Huston et al (US20170070531A1) discloses system for mitigating network attacks (DDoS) within encrypted network traffic.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975. The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL M LEE/Primary Examiner, Art Unit 2436