DETAILED ACTION
Claims 1-20 are examined and pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 11 and 16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Chao et al. (U.S. 2007/0280114 A1, hereinafter “Chao”).
As to claims 1, 11 and 16, Chao discloses a computing system (Figure 5) for coupling to a computer network, the computing system having resources for processing data packets received from the computer network, the data packets having headers that include a source IP address value (SrcIP), the computing system comprising traffic management apparatuses, client devices, or server devices, the computing system comprising memory comprising programmed instructions stored thereon and processors configured to be capable of executing the stored programmed instructions to:
receive data packets from the network and configured to extract the SrcIP value from the header of each data packet and determine connection tracking statistics for the received data packets (para. [0007]-[0013]; discloses each arriving packet is parsed to find the attribute value it carries. Para. [0013]; discloses different attributes specifically 16-bit source IP address prefixes (header). Para. [0007]; discloses attack detection phase is performed by monitoring key traffic statistics (packets-per-second, bits-per-second, number of active flows, and new arriving flow rate) of packet);
analyze the extracted SrcIP value to determine a probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system (para. [0012]; discloses the comparison of both profiles provides PacketScore with enough parameters to distinguish legitimate packets from DDoS attacking packets with the use of an attribute or metric. The degree of disassociation existing between these profiles (the higher the disproportion, the higher the likelihood of an attack) provides packet differentiation. Para. [0013]; discloses different attributes specifically 16-bit source IP address prefixes (header));
wherein analyzing the extracted SrcIP value comprises determining whether the received data packets share a particular SrcIP value (attribute value) and in response to the received data packets share the particular SrcIP value, increase the probability that a received data packet was initiated by an attacker mounting a resource attack against the computing system based on the connection tracking statistics (para. [0008], [0012]; discloses attribute value (source address) shared by attacking packets will be assigned a lower or higher score because of its relative frequency increase (decrease) in current traffic profile against the nominal ones and therefore PacketScore can efficiently differentiate legitimate packets among suspicious traffic. Further para. [0078]-[0080]; discloses the relative frequency of attribute values detected for each packet is seen and if the attribute values overflow and the higher the packet score the more the packets share the same attribute value deviate from the normal traffic and thus higher probability that these packets are attacking packet).
Allowable Subject Matter
Claims 2-5, 7-10, 12-15 and 17-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Kesin et al. (U.S. 2017/0195354 A1) discloses a security system that detects anomalous activity in a network. The system logs user activity, which can include ports used, compares users to find similar users, sorts similar users into cohorts, and compares new user activity to logged behavior of the cohort. The comparison can include a divergence calculation. Origins of user activity can also be used to determine anomalous network activity.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOE CHACKO whose telephone number is (571)270-3318. The examiner can normally be reached Monday-Friday 7am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea, can be reached on 5712723951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JOE CHACKO/Primary Examiner, Art Unit 2457