DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The following claim(s) is/are pending in this office action: 1-6
The following claim(s) is/are amended: 1
The following claim(s) is/are new: -
The following claim(s) is/are cancelled: -
Claim(s) 1-6 is/are rejected. This rejection is FINAL.
Response to Arguments
Applicant’s arguments in the amendment filed 12/3/2025 have been fully considered but are moot in view of new grounds of rejection. The reasons are set forth below.
Applicant’s Invention as Claimed
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claim(s) 1-6 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
Claim(s) 1-6 is/are rejected under 35 U.S.C. 101 because the claimed invention is directed to observation and judgment, which are mental process abstract ideas, without significantly more. The claim(s) recite(s) “receiving raw network traffic…selecting features carrying data representative of [a] cyberattack…extract [] data representative of the cyberattack, processing [] the extracted data [] to detect anomalies indicative of the cyberattack.” In short, the system monitors network traffic, which is an observation, and then performs processing on the traffic at a high level of generality using machine learning to “detect anomalies indicative of [a] cyberattack,” which is a generalized judgment of categorization. This judicial exception is not integrated into a practical application because the claims do not improve a computer, rather they utilize machine learning to perform an observation and judgment that the system is under attack that was conventionally detected by human judgment. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional features such as a processor simply utilize the machine as a processing tool. The final step of “if the [] algorithm detects an anomaly, generating responsive action to the cyberattack” is insignificant post-solution activity to take some action in response to the cyber attack.
Claims not specifically mentioned are rejected by virtue of dependency and because they do not obviate the above-recited deficiencies.
Claim Rejections - 35 USC § 103
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-6 are rejected under 35 U.S.C. 103 as being unpatentable over Terrazas Gonzalez (US Pub. 2020/0280579) in view of Boregowda (US Pub. 2007/0058856).
With respect to Claim 1, Terrazas Gonzalez teaches a method for analyzing network traffic passing through an exposed computer device to detect a cyberattack, the method executed on at least one computer processor, the method comprising: (paras. 79-80; analysis of data passed through an exposed computer device to detect, e.g., a DDOS attack. Para. 131; processor.)
a) receiving raw network traffic flowing into the exposed computer device in real-time; (para. 82; analysis of raw traffic before it hits the device. para. 137; receiving traffic in real-time)
b) selecting, from the raw network traffic, features carrying data representative of the cyberattack such that the selected features are based on the raw network traffic which is unaltered; (para. 86, 138; system identifies features of the traffic that are carrying data representative of a cyberattack. para. 82; analysis of raw traffic before it hits the device.)
c) applying generalized data transformations to the selected features based on the unaltered raw network traffic to extract, from the selected features, the data representative of the cyberattack; (paras. 89-90, 139; system applies generalized data transforms to extract relevant data.)
d) processing, using a self-learning unsupervised machine learning algorithm, the extracted data derived from the raw network traffic to detect anomalies indicative of the cyberattack (paras. 93-97, 101, 142; system applies ART, which is a self-learning unsupervised algorithm to detect anomalies that may be cyberattacks)
wherein the self-learning unsupervised machine learning algorithm comprises adaptive resonance theory (ART) having a single tuning parameter; (paras. 94-99; ART with only one parameter)
and e) if the self-learning unsupervised machine learning algorithm detects an anomaly, generating responsive action to the cyberattack; (para. 103-104, 143; system generates a responsive action.)
and, while steps b) through d) are performed, (para. 95-97; ART is effective for real-time application self-learning. The system adapts for detection, which suggests modification while running. Para. 99-100; incremental learning on its own, which suggests modification while running. paras. 117, 127; feedback loops to adjust the operation of the system, including detection feedbacks such as addendum information and instructions for the machine learning algorithm to be implemented. See also Boregowda, para. 73; training is performed until the network is stable (i.e. none of the vigilance in the network changes.) which suggests training until the optimization is complete. Furthermore, duplication of parts is not inventive, see MPEP 2144. Thus, it would have been obvious to one of ordinary skill prior to the effective filing date to make additional adjustments to the tuning parameter in order to update the optimization.)
But Terrazas Gonzalez does not explicitly teach dynamic optimization.
Boregowda, however, does teach optimizing the single tuning parameter of the self-learning unsupervised machine learning algorithm based on the raw network traffic received in real-time. (paras. 35, 53, 73; vigilance parameter for ART may be adjusted to optimize the variable. See also Terrazas Gonzalez, paras. 127-128; feedback loop)
It would have been obvious to one of ordinary skill prior to the effective filing date to adjust the vigilance parameter to optimize it in order to improve the classification accuracy of the system. (Boregowda, para. 53)
With respect to Claim 2, modified Terrazas Gonzalez teaches the method of claim 1, and Terrazas Gonzalez also teaches wherein the self-learning unsupervised machine learning algorithm comprises ART category 1. (para. 98; ART category 1)
With respect to Claim 3, modified Terrazas Gonzalez teaches the method of claim 1, and Terrazas Gonzalez also teaches wherein applying generalized data transformations includes applying zero-crossing rate. (paras. 89-90; zero-crossing rate)
With respect to Claim 4, modified Terrazas Gonzalez teaches the method of claim 1, and Terrazas Gonzalez also teaches wherein, when each of steps a) through e) above are performed by distinct modules (paras. 4-10, 27, 132; distinct modules for different functions. Further, making separable is obvious, see MPEP 2144.)
formed by computer readable codes stored on at least one non-transitory readable storage medium and executed by at least one computer processor, (para. 131; non-transitory medium and processor)
and when each of steps a) through e) comprise communicating between corresponding ones of the distinct modules, communicating between corresponding ones of the distinct modules comprises transmitting tokens in the form of packets of data. (paras. 109-110; communication between modules using tokens that are packets)
With respect to Claim 5, modified Terrazas Gonzalez teaches the method of claim 4, and Terrazas Gonzalez also teaches wherein transmitting tokens comprises transmitting at least one of data tokens carrying information about data and control tokens carrying instructions for a recipient one of the distinct modules. (paras. 109-110; data and control tokens)
With respect to Claim 6, modified Terrazas Gonzalez teaches the method of claim 1, and Terrazas Gonzalez also teaches wherein processing the extracted data with a self-learning unsupervised machine learning algorithm comprises classifying the extracted data based on historical data of previously analyzed traffic. (para. 101; classification using historical data previously classified as typical or normal)
Remarks
Applicant argues at Remarks, pg. 4, that the claims are eligible and include at least one computer processor.
The argument is unpersuasive because a claim that requires a computer may still be ineligible, see MPEP 2106.04(a)(2)(III)(C).
Applicant argues at Remarks, pg. 5, that the claims are eligible because they are integrated into a practical application. Specifically, Applicant argues that the claims are “rooted in computer technology, that is, the invention does not exist absent computer technology. More specifically, the background of the invention relates to the detection of cyberattacks.”
The argument is unpersuasive. As an initial note, being “rooted in computer technology” absent an improvement to the functioning of a computer is not a recognized relevant consideration for a practical application under MPEP 2106.04(d). On the contrary, merely generally linking the use of a judicial exception to a particular technological environment or field of use is a reason to conclude the claims do not integrate into a practical application. See id. Applicant specifically does not argue that the claims improve a computer – “Even if the claimed invention may be considered not to improve a computer per se, it is undoubtedly rooted in computer technology…”
Moreover, the claims are similar to those in USPTO July 2024 Subject Matter Eligibility Example 47 Claim 2, which claims an artificial neural network that “receive[s] [] continuous training data” to “detect[] one or more anomalies in a data set using the trained ANN” and “output[s] the anomaly data.” The guidance informs that that claim is ineligible because the ANN feature “merely indicates a field of use or technological environment.” Example 47 discloses “an intrusion detection system may use the disclosed anomaly detection method to improve detection of malicious network packets.” Example 47 has a similar disclosure that is just as “rooted in computer technology” and “relates to the detection of cyberattacks” as the instant invention, yet that claim was found ineligible. Consequently, Examiner concludes that the rooted in computer technology practical application argument is unpersuasive.
At Remarks, pg. 5, Applicant argues it would be practically impossible for a human to perform the tuning analysis in real-time. Examiner notes that the only requirement to perform in real-time is the reception step, so the argument is unpersuasive because it argues unclaimed features. Beyond that, the term “real-time” does not place a boundary limit on either the amount of data being reviewed or the amount of time allotted, so the statement that it would be “practically impossible” to perform the claim lacks an evidentiary or rational basis, i.e. Applicant assumes a volume of processing and a speed required when the claim is not so limited. Regardless, even considering that real-time processing would be applied to a voluminous traffic set, the argument merely relays the fact that a processor can process information more quickly than a human, which is nothing more than using the computer as a processing tool to perform the mental process, see MPEP 2106.04(d) (“…limitations that did not integrate a judicial exception into a practical application [include] merely using a computer as a tool to perform an abstract idea, as discussed in MPEP 2106.05(f)”) and MPEP 2106.05(f) (“‘[C]laiming the improved speed or efficiency inherent with applying the abstract idea on a computer’ does not integrate a judicial exception into a practical application or provide an inventive concept.”).
Examiner finds the arguments unpersuasive and maintains the 101 rejection.
At Remarks, pgs. 5-6, Applicant argues that the claims are nonobvious because the amended claims include features that amount to continuously performing optimization and that when Boregowda is considered by itself it teaches that the training stops.
Examiner has three issues with the argument. First, the claim requires an unsupervised machine learning algorithm that has a single tuning parameter and then making a change that improves the tuning parameter (“while steps b) through d) are performed, optimizing the single tuning parameter”). The argument takes a claim scope that requires a single change and mischaracterizes it as an invention “in which tuning/optimization is continuously performed.” Consequently, Applicant argues an unclaimed feature. Applicant acknowledges that “Boregowda teaches optimization of vigilance parameters” and cites para. 73 of Boregowda as “teaches that training is iterated until the network is stable, meaning the vigilance parameters are not changed.” That discloses changing a parameter to optimize it, and teaches the amended claim feature.
Second, even assuming that the claim required tuning/optimization to be continuously performed, Applicant seems to admit Boregowda teaches it, since Applicant acknowledges para. 73 discloses training is iterated until the vigilance parameter is not changed by the training. That is a statement that one cannot further optimize a fully optimized system. Presumably, the final limitation in Claim 1 would also not change the vigilance parameter if the vigilance parameter were already optimal. The mechanism by which one optimizes an optimal parameter is to make no change to it.
Third, while Applicant asserts that Examiner “admits that Terrazas Gonzalez does not teach the [final limitation of Claim 1]” what Examiner actually did was state that Terrazas Gonzalez does not explicitly teach dynamic optimization, and then cited to a combination of teachings from both Boregowda and Terrazas Gonzalez to teach “wherein the single tuning parameter is dynamically optimized based on the raw network traffic received in real-time” and render the claim obvious. In other words, Terrazas Gonzalez was deficient only inasmuch as it did not describe its feedback as necessarily optimizing the parameter. While a learning system that includes an operative parameter suggests optimization of that parameter it does not inherently require it, so Examiner could not make an anticipation rejection. Given that Examiner had to resort to obviousness, Examiner chose to cite a reference that explicitly taught optimizing a parameter rather than rely upon Terrazas Gonzalez’s suggestion of optimization of the parameter through learning.
Applicant ignores Terrazas Gonzalez in their argument, but obviousness is a question of what was obvious to a person of ordinary skill over the combined teachings from the references. Even assuming that (1) the claims require continuously optimizing always (which Examiner disputes ante) and (2) Boregowda would suggest to a person of ordinary skill only a discrete training phase that stops (which Examiner disputes ante), the question is whether a person of ordinary skill would have found continually optimizing to be nonobvious. But generally duplication of parts is an obvious act, see MPEP 2144, and therefore a person of ordinary skill would have found it obvious to re-apply the training of Boregowda for the expected benefit of an updated optimization of the parameter. In addition to the general obviousness of duplication of parts, Terrazas Gonzalez explicitly teaches a system with feedback loops to make adjustments to the system (see paras. 95-100, 117, 127). Terrazas Gonzalez explicitly refers to “incremental learning” (paras. 99-100) and discloses a control module sending to the detection module “control addendum information and instructions” “e.g. the machine learning algorithm to be implemented” (para. 117) and implements feedback loops “allowing for adjustments to be made to the operation of the system.” (para. 127).
Applicant does not dispute or even mention the feedback loop citation, and therefore does not explain why a person of ordinary skill who was taught of optimization of the parameter in Boregowda and was taught of a system with feedback loops in Terrazas Gonzalez would find a system “in which tuning/optimization is continuously performed” (Remarks, pg. 6) to be nonobvious. Applicant does not explain why a teaching that “allow[s] for adjustments to be made to the operation of the system” together with a teaching that optimization of a parameter can occur does not suggest adjusting the operation of the system by optimizing the parameter.
Because the argument relies upon unclaimed features and misapplies the obviousness analysis by considering Boregowda in isolation rather than the combination of teachings cited, Examiner finds the argument unpersuasive and maintains the 103 rejection.
All claims remain rejected.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NICHOLAS P CELANI whose telephone number is (571)272-1205. The examiner can normally be reached on M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NICHOLAS P CELANI/Examiner, Art Unit 2449