Prosecution Insights
Last updated: April 19, 2026
Application No. 18/870,164

Attack Detection Device, Attack Detection System, Attack Detection Method, and Attack Detection Program

Status: Non-Final OA (§102, §Other)
Filed: Nov 27, 2024
Examiner: SHAAWAT, MAYASA A.
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: NTT, Inc.
OA Round: 1 (Non-Final)
Grant Probability: 87% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 2y 10m
Grant Probability With Interview: 99%

Examiner Intelligence

Grants 87% — above average
Career Allow Rate: 87% (140 granted / 161 resolved; +29.0% vs TC avg)
Interview Lift: +22.0% (resolved cases with interview; a strong lift)
Typical timeline: 2y 10m average prosecution; 34 applications currently pending
Career history: 195 total applications across all art units

Statute-Specific Performance

§101: 8.2% (-31.8% vs TC avg)
§103: 55.2% (+15.2% vs TC avg)
§102: 10.7% (-29.3% vs TC avg)
§112: 16.9% (-23.1% vs TC avg)
Based on career data from 161 resolved cases

Office Action

§102 §Other
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

This is the initial office action that has been issued in response to patent application 18/870,164, filed on 11/27/2024. Claims 1-8 are currently pending and have been considered below. Claims 1, 5 and 7 are independent claims.

Priority

This application is a 371 of PCT/JP2022/022310, 06/01/2022.

Drawings

The drawings filed on 11/27/2024 are accepted by the examiner.

Information Disclosure Statement

The information disclosure statements (IDSs) submitted on 11/27/2024, 10/15/2025 and 09/30/2021 are in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement.

Specification

The title of the invention is not descriptive. A new title is required that is clearly indicative of the invention to which the claims are directed.

The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01.

Claim Objections

Claim 4 is objected to because of the following informalities: "the attack detection unit". "The attack detection unit" should recite "the attack detection device". Appropriate correction is required.

Claim 4 recites the limitation "the attack detection unit" in line 4. There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-8 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Doron (US Publication No. 2019/0182266 A1).

Regarding Claim 1: Doron discloses: An attack detection device that detects a cyber attack in a mobile network including a radio access network comprising a plurality of first communication devices that include a first processor and perform wireless communication with a user terminal (Doron, [0002-0003], cyber security, and more specifically to detecting DDoS attacks … two types of networks, an edge (or access) network and a backbone network. An edge network provides network connectivity to user devices or hosts while the backbone network connects two or more edge networks together. Examples of large-scale networks include cloud computing platforms, data centers, service provider networks, and the like … [0027], … The backbone network 110 may be operated or maintained by an Internet service provider (ISP) or other service provider, a network carrier, a cloud provider, and the like. The edge network 130 may be a datacenter, an enterprise network, a mobile network, an Internet of Things (IoT) network, and the like … [0039], … An attack detector 620 (hereinafter referred to as the OOP detector 620) is deployed out of path (OOP) of the communications among the carrier network 610 to collect data and detect DDoS attacks on the carrier network 610.), the attack detection device comprising: a second processor (Doron, [0014], Certain embodiments disclosed herein also include a system for out-of-path detection of cyber-attack. The system comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: receive, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources;), wherein the second processor is configured to: acquire pieces of resource information of the plurality of first communication devices (Doron, [0013], The method comprises receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; [0030-0031], a plurality of data sources 150 are deployed in the backbone network 110 … example for data source 150 may include a router collecting Flow data (e.g., NetFlow), Border Gateway Patrol (BGP) data, Simple Network Management Protocol (SNMP) data, and the like.) and integrate the pieces of resource information (Doron, [0026], The disclosed embodiments provide techniques for ingestion, enrichment, and storage of data that allow for massively and scalable collection and analysis of high volumes of data, from a variety of sources and having a variety of characteristics to detect DDoS attacks. [0047], the data enrichment 220 may include combining Flow data with one or more other types of data into enriched Flow data. The enriched Flow data may be stored and processed in real-time as streaming data is collected); and detect the cyber attack based on the integrated pieces of resource information (Doron, [0013], by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack.).

Regarding Claim 2: Doron discloses: The attack detection device according to claim 1, wherein the mobile network includes a core network including a second communication device that includes a third processor (Doron, [0027], Network 100 may include a backbone network 110 connected to the World Wide Web (WWW) 120 and to a plurality of edge networks 130-1 through 130-N (collectively referred to hereinafter as edge networks 130 or individually as an edge network 130); [0030], a plurality of data sources 150 are deployed in the backbone network 110. Each of the data sources 150 collects or otherwise stores data related to traffic within the backbone network 110 and, more specifically, traffic directed to and from the protected objects 140. [0034], the OOP detector 160 may be deployed in the backbone network 110. In other embodiments, the OOP detector 160 may be deployed as a service in the cloud. The OOP detector 160 may be communicatively connected to all of the data sources 150 and also be configured to collect data from such sources.), controls wireless communication in the radio access network, and relays data between the radio access network and an external network (Doron, [0039], FIG. 6 shows an example network diagram 600 illustrating a user device 630 connecting to the Internet via a mobile carrier network 635 by authenticating via RADIUS server 640. The user device 130 may be a computer, a mobile device, an IoT device, and the like, for example. The RADIUS server 640 may communicate over carrier network 610 implemented via deployment of routers 615.), and the second processor is configured to integrate the pieces of resource information by associating control information of the wireless communication acquired from the core network with the pieces of resource information of the plurality of first communication devices (Doron, [0027], Network 100 may include a backbone network 110 connected to the World Wide Web (WWW) 120 and to a plurality of edge networks 130-1 through 130-N (collectively referred to hereinafter as edge networks 130 or individually as an edge network 130). The backbone network 110 may be operated or maintained by an Internet service provider (ISP) or other service provider, a network carrier, a cloud provider, and the like; [0043], The main data feeds may include Flow data from routers, other Flow enabled equipment, and flow-based traffic monitoring systems. The Flow data may provide measures for the overall bandwidth (bits per second) and packets (packets per second) of Flows in the network, all on a per traffic flow basis).

Regarding Claim 3: Doron discloses: The attack detection device according to claim 1, wherein the mobile network includes a core network including a second communication device that includes a third processor (Doron, [0039], FIG. 6 shows an example network diagram 600 illustrating a user device 630 connecting to the Internet via a mobile carrier network 635 by authenticating via RADIUS server 640. The user device 130 may be a computer, a mobile device, an IoT device, and the like, for example. The RADIUS server 640 may communicate over carrier network 610 implemented via deployment of routers 615), controls wireless communication between the user terminal and the first communication device, and relays data between the radio access network and an external network (Doron, [0049], the enriched Flow data may be provided to a detection engine 230. The detection engine 230 may be configured to generate one or more analytics and corresponding insights.), the second processor is configured to control a controller of the radio access network to make the controller execute analysis processing of analyzing communication data of the first communication device when an abnormality is detected in resource information of the second communication device (Doron, [0052-0053], the detection engine 230 may be configured to utilize machine learning techniques for analyzing the enriched Flow data and learning the behavior of various entities in the network, and not just the behavior of destination IPs. Using these machine learning techniques, the detection engine 230 may be configured to characterize traffic flows to increase accuracy of anomaly detection … the detection engine 230 may be configured to identify entities operating within the network and detect anomalies in the identified entities' behavior. Such identification allows for uniquely identifying entities, thereby providing more accurate normal behavior baselining and anomaly detection.), and the second processor is configured to detect the cyber attack based on a result of the analysis processing (Doron, [0013], a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; [0055], the detection engine 230 may output an identification of the host under attack, normal behavior characteristics of that host, comprehensive attack attributes, a combination thereof, and the like. The outputs may be utilized to protect, for example, a carrier infrastructure by applying the appropriate mitigation action.).

Regarding Claim 4: Doron discloses: The attack detection device according to claim 1, further comprising: wherein the second processor is configured to: share information regarding the cyber attack detected by the attack detection unit with a controller of the radio access network (Doron, [0013], … upon detection of a potential cyber-attack, providing indication to each network entity of the network entities that is under attack. [007], At S450, outputs are provided with respect to the detected attack. The outputs are determined based on the detection of anomalies and may include, but are not limited to, an IP address of an entity under attack, a group of IP addresses of entities under attack, a degree of the attack,) and control the controller of the radio access network to make the controller handle the cyber attack (Doron, [0071], At S460, a mitigation action may be executed based on the outputs related to the detected attack.).

Regarding Claim 5: Doron discloses: An attack detection system that detects a cyber attack in a mobile network including a radio access network and a core network, the radio access network including a first communication device that includes a first processor and performs wireless communication with a user terminal (Doron, [0002-0003], cyber security, and more specifically to detecting DDoS attacks … two types of networks, an edge (or access) network and a backbone network. An edge network provides network connectivity to user devices or hosts while the backbone network connects two or more edge networks together. Examples of large-scale networks include cloud computing platforms, data centers, service provider networks, and the like … [0027], … The backbone network 110 may be operated or maintained by an Internet service provider (ISP) or other service provider, a network carrier, a cloud provider, and the like. The edge network 130 may be a datacenter, an enterprise network, a mobile network, an Internet of Things (IoT) network, and the like … [0039], … An attack detector 620 (hereinafter referred to as the OOP detector 620) is deployed out of path (OOP) of the communications among the carrier network 610 to collect data and detect DDoS attacks on the carrier network 610.), and the core network including a second communication device that includes a third processor, controls the wireless communication in the radio access network and relays data between the radio access network and an external network, the attack detection system comprising: an attack detection device including a second processor (Doron, [0014], Certain embodiments disclosed herein also include a system for out-of-path detection of cyber-attack. The system comprising: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: receive, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources;); a first controller configured to manage the radio access network (Doron, [0030-0032], According to disclosed embodiments, a plurality of data sources 150 are deployed in the backbone network 110. Each of the data sources 150 collects or otherwise stores data related to traffic within the backbone network 110 and, more specifically, traffic directed to and from the protected objects 140. The data sources 150 are deployed at the edge of an edge network 130 and the backbone network 110. One example for data source 150 may include a router collecting Flow data (e.g., NetFlow), Border Gateway Patrol (BGP) data, … the data sources 150 may not be an actual part of backbone network 110, but may reside at other parts of network 100 (which may be a large scale network).); and a second controller configured to manage the core network, wherein the second processor is configured to: output a request for analysis processing of analyzing communication data of the first communication device to the first controller when an abnormality is detected in resource information of the second communication device acquired from the second controller (Doron, [0030], a plurality of data sources 150 are deployed in the backbone network 110. Each of the data sources 150 collects or otherwise stores data related to traffic within the backbone network 110 and, more specifically, traffic directed to and from the protected objects 140. [0034], the OOP detector 160 may be deployed in the backbone network 110. In other embodiments, the OOP detector 160 may be deployed as a service in the cloud. The OOP detector 160 may be communicatively connected to all of the data sources 150 and also be configured to collect data from such sources. The OOP detector 160 may further be configured to enrich Flow data with data collected from the other data sources 150); and detect the cyber attack based on a result of the analysis processing (Doron, [0013], by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack.).

Regarding Claim 6: Doron discloses: The attack detection system according to claim 5, wherein the first controller includes: a security analysis device configured to be activated in response to the request for analysis processing and execute the analysis processing (Doron, [0049], the enriched Flow data may be provided to a detection engine 230. The detection engine 230 may be configured to generate one or more analytics and corresponding insights. The analytics may include a detection of a DDoS attack. To this end, the analytics engines may be configured to train and apply machine learning models such as classifiers.) and a hardware accelerator configured to execute transfer processing of transferring the communication data from the first communication device to the security analysis device and execute a part of the analysis processing offloaded from the security analysis device (Doron, [0062], FIG. 3 can be utilized in hardware, software, or any combination thereof. Specifically, each, some, or all of the hardware elements may be realized as one or more hardware logic components and circuits; [0085], The detection engine 530 may be configured to detect DDoS attacks as described herein. Specifically, the detection engine may be configured to identify anomalous traffic behavior with respect to specific entities using enriched Flow data, and to detect attacks based on the identified anomalies … Illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), tensor processing units (TPUs), graphics processing units (GPUs) …).

Regarding Claim 7: Doron discloses: An attack detection method of an attack detection device that detects a cyber attack in a mobile network including a radio access network, the radio access network including a plurality of first communication devices that include a first processor and perform wireless communication with a user terminal (Doron, [0013], by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; and upon detection of a potential cyber-attack, [0042], the data ingestion 210 may include aggregating data collected from data sources 150. In an example implementation, the data may include Flow data, BGP data, SNMP data, RADIUS data, Policy and Charging Rules Function (PCRF) data …), wherein the attack detection method includes: acquiring pieces of resource information of the plurality of first communication devices and integrating the pieces of resource information (Doron, [0026], The disclosed embodiments provide techniques for ingestion, enrichment, and storage of data that allow for massively and scalable collection and analysis of high volumes of data, from a variety of sources and having a variety of characteristics to detect DDoS attacks. Specifically, Flow data is ingested and enriched to create enriched feeds of Flow data, both in real-time, when data is collected, and in batches (i.e., when other related data is later received). Accordingly, disadvantages of analyzing only the Flow data are overcome. As various data sources are accounted for, the disclosed embodiments allow for detecting additional types of DDoS attacks using an OOP detector. [0047], the data enrichment 220 may include combining Flow data with one or more other types of data into enriched Flow data.), and detecting the cyber attack based on the integrated pieces of resource information (Doron, [0013], Certain embodiments disclosed herein include a method for out-of-path detection of cyber-attacks. The method comprises receiving, by a detector, a plurality of data feeds from a plurality of data sources, wherein the detector is communicatively connected to the plurality of data sources; processing, by the detector, the plurality of received data feeds to generate enriched Flow data sets; analyzing the enriched Flow data sets to detect a potential cyber-attack; and upon detection of a potential cyber-attack).

Regarding Claim 8: Doron discloses: A non-transitory storage medium storing an attack detection program causing a computer to function as the attack detection device according to claim 1 (Claim 8 is rejected for the same reason as claim 1).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571) 272-3939. The examiner can normally be reached on M-F, 8 AM to 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU, can be reached on (571) 272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MAYASA SHAAWAT/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433

Prosecution Timeline

Nov 27, 2024: Application Filed
Feb 12, 2026: Non-Final Rejection — §102, §Other (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12580776: APPLICATION INTEGRITY VERIFICATION FOR ENTERPRISE RESOURCE ACCESS (granted Mar 17, 2026; 2y 5m to grant)
Patent 12574227: BIO-LOCKED SEED (granted Mar 10, 2026; 2y 5m to grant)
Patent 12574256: METHOD FOR MUTUALLY ATTESTING SECURITY LEVELS OF ELECTRONIC DEVICES IN MULTI DEVICE ENVIRONMENT (granted Mar 10, 2026; 2y 5m to grant)
Patent 12566839: PROVIDING PASSWORD SECURITY IN NON-FEDERATED COMPUTING ARRANGEMENTS (granted Mar 03, 2026; 2y 5m to grant)
Patent 12556411: REVOCATION OF CERTIFICATES ISSUED BY DISTRIBUTED SERVERS (granted Feb 17, 2026; 2y 5m to grant)
Based on the 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 87%
With Interview: 99% (+22.0%)
Median Time to Grant: 2y 10m
PTA Risk: Low
Based on 161 resolved cases by this examiner. Grant probability derived from career allow rate.
