SYSTEM AND METHOD TO MITIGATE DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACKS

§102 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-10 have been examined and are pending. Priority Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55. Claim Objections Claims 1-6 are objected to because of the following informalities: Claim 1, lines 1-3, 5-8 and 15: delete (100), (102), and (102a) throughout. Claim 2, lines 1-2: delete (100), (102), and (102a) throughout. Claim 3, lines 1 and 6: delete (100), (102), and (102a) throughout. Claim 4, lines 1-3: delete (100), (102), and (102a) throughout. Claim 5, lines 1-3: delete (100), (102), and (102a) throughout. Claim 6, lines 1-7, 7, 9, 13 and 16-17: delete (100), (102), (102a), (102b), and (400) throughout. Claim 7, lines 1-2: delete (100), (102), and (102a) throughout. Claim 8, lines 1-3, 5, 7, and 10-11: delete (100), (102), and (400) throughout. Claim 9, lines 1-5: delete (100), (102), (102a), (102b), and (400) throughout. Claim 10, lines 1-3: delete (400), (102b), and (102a) throughout. Appropriate correction is required. Claim Rejections - 35 USC § 102 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claim(s) 1-2, 4-7, and 9-10 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Karasaridis et al, hereinafter (“Karasaridis”), US PG Publication 20200195669 A1. Regarding claims 1 and 6, Karasaridis teaches a system (100) to mitigate distributed denial of service (DDoS) attacks, the system (100) comprising: [Karasaridis et al 20200195669 A1 ¶¶0011-0012 and 0029-0032 system 100] a plurality of nodes (102) configured to (i) exchange node information with one another, [Karasaridis et al 20200195669 A1 ¶¶0029-0032 and 0036 exchange data packets; types of information in support of reconfiguring in the system 100 comprising network 102 with one or more access networks 120 and 122 where communications are transmitted and received between devices 110, 112, and 114, and servers 116, servers 118, DNS resolvers 181-183] (ii) determine a reconstruction error from the node information associated with each node of the plurality of nodes (102), [Karasaridis ¶¶0015, 0029, 0032, and 0054-0055 an encoder-decoder neural network of the present disclosure generates two sets of results; a reconstruction error for each input vector. A encoder-decoder neural network process 200 include an encoder portion 211 and a decoder portion 212, which may be symmetric and may include a number of layers and a number of nodes in each layer; the encoder-decoder neural network 210 may take an input vector 201, encode the input vector 201 into a compressed vector representation 208, and decode the compressed vector representation 208 into a reconstructed vector 202.] and (iii) determine a set of traffic anomalies for a first set of nodes (102a) of the plurality of nodes (102) having the reconstruction error higher than a first threshold value; [Karasaridis ¶¶0014-0015, 0018, 0031-0032, and 0045-0046 sets of features from input vector where there is a reconstruction error for each input vector; anomalous DNS traffic records identified by processing system 104 (e.g., when the distance/score exceeds a threshold).] a second set of nodes (102a) of the plurality of nodes (102) are configured to (i) select a predetermined attack pattern from a set of predetermined attack patterns for each traffic anomaly from the set of traffic anomalies having a similarity score higher than a second threshold value, [Karasaridis ¶¶0014 and 0025 A machine learning-based reputation score building includes a two stage multi-class security event detection and classification process to identify anomalous network traffic; a neural network structure can implement nonlinear transforms to capture more complicated traffic patterns. It should be noted that in one example, instead of utilizing the original network traffic data for anomalous traffic classification, input aggregate vectors (e.g., aggregate features sets) are utilized to enhance the detection accuracy and reduce the computational complexity. Reputation scores/statuses; anomalous DNS traffic may be determined when a distance score from the 2 stage neutral network is greater than a threshold. ¶0037 where a device 110/112 selects and/or be assigned DNS181 or 182 which generate aggregate vectors and train an encoder-decoder neural network with the aggregate vectors, e.g., to identify “normal” aggregate vectors. ¶¶0055, 0065, and 0068 plurality of aggregate vectors, nodes in each respective layer of the encoder portion 211 and the decoder portion 212 are updated via a feedforward pass and a backpropagation of a deviation measure; where the processing system detects that the first plurality or one of many of DNS traffic records comprises the anomalous DNS traffic records when the distance is greater than a threshold. Examiner interprets that the output deviations measures to trained is analogous to determining attack patterns for traffic anomaly against previously stored identified attack patterns from database 106; where the greater the distance the higher the similarity score.] (ii) generate an new attack pattern for each traffic anomaly of the set of traffic anomalies having the similarity score less than the second threshold value, [Karasaridis ¶0002 new types of attacks; See ¶¶0055, 0065, and 0068 Examiner interprets the converse must be true where the output deviations measures to trained is analogous to determining attack patterns for traffic anomaly against previously stored identified attack patterns from database 106; where the lesser the distance the lesser the similarity score.] and (iii) segregate genuine traffic from overall traffic that is diverted at the first set of nodes (102a) using one of, the set of predetermined attack patterns and the new attack pattern. [Karasaridis ¶0021 clustering technique includes multi-dimensional distance calculation over large volumes of data and scanned/merged samples into clusters. ¶0029 reconfiguring a first-tier domain name system authoritative server to redirect domain name system queries from a source device to a second-tier domain name system authoritative server designated for a second status ¶0052 If cluster is labeled as a DDoS on a DNS authoritative server; where through distance comparisons between input aggregate vectors and the reconstructed vectors output via the encoder-decoder neural network as described above for an input aggregate vector for new network traffic data. The DNS resolver has changed, the processing system 104 may notify the first tier DNS authoritative server cluster 190 and/or may reconfigure the first tier DNS authoritative server cluster 190 such that one or more DNS authoritative servers in the cluster will redirect DNS queries from the DNS resolver to a second tier DNS authoritative server cluster 191-193 commensurate with the new status of the DNS resolver.] Regarding claims 2 and 7, Karasaridis teaches claim 1 as described above. Karasaridis teaches wherein to segregate the genuine traffic from the traffic at the first set of nodes (102a), the plurality of nodes (102) is configured to update the set of predetermined attack patterns by adding the new attack pattern to the set of predetermined attack patterns. [Karasaridis See ¶¶0014 0025 and 0037 input and output aggregated vectors. ¶¶0014 and 0055 trained plurality of aggregate vectors are updated at each respective layer of the encoder portion 211 and decoder portion 212 of captured complicated traffic patterns utilized to enhance the detection accuracy] Regarding claims 4 and 9, Karasaridis teaches claim 1 as described above. Karasaridis teaches wherein the plurality of nodes (102) are segregated into the first and second set of nodes (102a-102b) based on node information associated with each node of the plurality of nodes (102). [Karasaridis ¶¶0021 and 0029 clustering technique includes multi-dimensional distance calculation over large volumes of data and scanned/merged samples into clusters. Reconfiguring a first-tier domain name system authoritative server to redirect domain name system queries from a source device to a second-tier domain name system authoritative server designated for a second status. Fig. 1 and ¶¶0039-0040 DNS resolvers 181-183 may follow a recursive process for obtaining an IP address for a submitted query, by accessing other DNS resolvers and/or DNS authoritative servers. Based upon statuses (i.e. good, bad, or unknown) handling DNS queries for associated IP address and to device 110 by DNS resolver 182, for example.] Regarding claims 5 and 10, Karasaridis teaches claim 1 as described above. Karasaridis teaches wherein to generate the similarity score, the second set of nodes (102b) is configured to compare the traffic anomaly of each node of the first set of nodes (102a) with each attack pattern of the set of predetermined attack patterns. [Karasaridis ¶0052 rough distance comparisons between input aggregate vectors and the reconstructed vectors output via the encoder-decoder neural network as described above. See ¶¶0014, 0025, 0055, 0065, and 0068.] Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. Claim(s) 3 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Karasaridis et al, hereinafter (“Karasaridis”), US PG Publication 20200195669 A1, in view of Liu et al, hereinafter (“Liu”), Chinese Patent Application CN 107316046 A, translated by Google Patents. Regarding claims 3 and 8, Karasaridis teaches claim 1 as described above. Karasaridis teaches wherein the plurality of nodes (102) is further configured to (i) obtain first regular data, [Karasaridis ¶0015 input vectors] (ii) generate low dimensional data from the first regular data, [Karasaridis ¶0016 output of the encoder-decoder neural network is a feature vector with reduced dimensions (broadly, a “compressed vector representation”). A first cluster may represent “normal” network traffic] (iii) generate second regular data from the low dimensional data, [Karasaridis ¶0016 Thereafter, compressed vector representations of input vectors for subsequent network traffic data that fall within a cluster may further be identified as a particular type of anomaly.] (iv) determine an training reconstruction error by comparing the first regular data with the second regular data, [Karasaridis ¶0015 reconstruction error comprise the difference (e.g. Euclidean distance) between the input vector and an output reconstructed vector of an autoencoder. ¶0065 At optional step 430, the autoencoder of the processing system trains a plurality of aggregate vectors; encode plurality of input aggregate vectors to decode compressed vector representations as reconstructed vectors] While Karasaridis teaches adjust a set of weights [Karasaridis ¶¶0014-0015 and 0022 the clustering process may assign each sample to an individual cluster; where the scaling factor over the aggregate normalized distance is used to control how dense or how loose the clustering should be] however; Karasaridis fails to explicitly teach but Liu teaches (v) iteratively adjust a set of weights of the plurality of nodes (102) for reducing a value of the training re-construction error below a third threshold value using one or more artificial intelligence (AI) techniques. [Liu et al CN 107316046 A, p. 2, ¶3 “…2) By minimizing the reconstruction error between x and y L (x, y) as the target function JDAE, using gradient descent method optimization parameters θ and θ ' to finish the training of the whole network: adding mode for discarding in principle 3) cannot be considered, but there is in original mode are less than the similarity threshold α of all new features, which indicates that it is not present in the new mode, the features may gradually along the state data change, so the formula gradually lowering the weight thereof. After several times of increment learning iteration, will be gradually reduced until less than threshold α, indicating that the feature has become invalid feature for always does not feature the weight, needs to deleted from the existing mode.” Examiner interprets the iterations may be interpreted as a approaching a third iteration when the gradient descent method starts at threshold α equaling one when incrementing] Karasaridis teaches the features of claims 1-2, 4-7, and 9-10 not v) iteratively adjust a set of weights of the plurality of nodes (102) for reducing a value of the training re-construction error below a third threshold value using one or more artificial intelligence (AI) techniques. Liu teaches a data, analysis and evaluation (DAE) model that has been trained using mode similarity algorithm for similar pattern comparisons. Because both Karasaridis and Mitchell teach identifying and classifying a normal state using machine learning techniques to reduce cost and solve complex problems, it would have been obvious to one skilled in the art before the effective filing date of the claimed invention was made to use a dynamic compensation weighting of the incremental feature mode, to improve the accuracy and detecting deviation in the same manner set forth in Karasaridis [Liu p. 13 Analysis of results] Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Chesla 20130333029A1 teaches Techniques for traffic diversion in software defined networks for mitigating denial of service attacks. Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 10:45a-6:45p. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CATHERINE THIAW can be reached at 571-270-1138. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. SAKINAH WHITE TAYLOR Primary Examiner Art Unit 2407 /Sakinah White Taylor/Primary Examiner, Art Unit 2407