DETAILED ACTION
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in response to the application filed 4/9/19 and amendment filed 3/30/21.

1.	Claims 1-15 and 17-21 are pending.
	Claims 1-15 and 17-21 are rejected.

Response to Arguments
2.	Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot in light of new grounds of rejections. Any arguments that may apply have been addressed below:
	Applicant states:
	A:	The combination of Sahita, Cherian and Portolan fails to teach or suggest all of the features of independent claim 12. One skilled in the art would not have sought to combine these references to render claim 12 prima facie obvious. The rejection of claim 12, and claims 14-15 and 18-20 depending thereon kindly is solicited.
Response to A:  The Examiner disagrees that all of the features of independent claim 12 are not taught or suggested. The Examiner notes there was not specific language mentioned that was not taught. Thus, as best understood by the Examiner, the limitations are taught as cited.  The Examiner further contends that one skilled in the 

Claim Rejections - 35 USC § 112
3.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


4.	Claim 21 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
5.	Regarding claim 21, the phrase "wherein the edge represents one or more of a counter, timer, and control structure for examination" renders the claim indefinite because it is unclear whether the Applicant is attempting to state an alternative use, i.e. that the edge represents a counter, a timer “or” a control structure for examination, since the Applicant has placed “and” in front of “control structure”.  However, the Examiner will interpret the Applicant to mean “or” which is consistent with paragraph 78 of the disclosure.
Claim Rejections - 35 USC § 103

7.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

8.	Claims 1, 4-7, 9-11 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Behrendt et al., (Behrendt), US PGPub. No.: 20120151272 in view of Portolan et al. (Portolan), US PGPub. No: 20120137186 and further in view of Krieski et al., (Krieski), US PGPub. No.: 20020156886.

 	As per claim 1, Sahita teaches a networked apparatus comprising: 
(para. 68; Fig. 8) thereon for analyzing network traffic based upon a linear representation of a predetermined protocol (via vectors (which are linear representations); NIDU 200 does not detect network intrusion based solely on data in a packet, but rather also based on known (hence, predetermined) protocol behavior) (para. 27, 29, 41), (via NIDS (network intrusion detection system includes NIDU; classifier identifies a protocol used to transmit a packet); A user configures NIDU 200 to examine the flows of one or more protocols, hence predetermined) (Fig. 1/106; para. 22, 26, 27); 
a processor operably coupled to the non-transitory memory (para. 68; Fig. 8) and the listening tool, (NIDS/NIDU can also represent a listening tool since NIDS examines packets of flows entering a network; NIDS, hence, pays attention to network behavior)) (para. 6, 8, 9) the processor configured to perform the instructions of: 
spawning a finite state machine (FSM) based upon the linear representation (via vectors (which are linear representations)) (para. 29) of the predetermined protocol, (the operation of a protocol can be described based on a theoretical model commonly referred to as a finite state machine (FSM). A FSM is commonly represented (spawned) as a set of unique states for a system, and a set of transitions between the states. Combined source states 2442 and state transitions 2446 correspond to states in a protocol's FSM; protocols operation is defined (hence, spawned) by FSM) (para. 29, 30, 31; Fig. 3); 
sending data of the FSM to an endpoint, (a flow begins at state 0 and transitions from state to state, based on data transmitted between source 102 and destination 108 (endpoint); the integration of NIDU 200 in network device 106 enables network device 106 to determine, based on the expected state transition of a flow, whether to transmit a data packet (data of FSM) belonging to the flow to destination 108) (para. 22, 30; Fig. 1 and 3) to screen the network traffic, (NIDU functions to determine, based on the expected state transition of a flow, whether to transmit a data packet belonging to the flow to destination; destination 108 (endpoint) is intended to represent a network access device or a television set-top box, that include NIDU 200 (thus, functions as a device that screens)) (para. 21, 22, 23); Sahita further teaches the linear representation of the predetermined protocol, (via a vector) (para. 27, 29).
behavior of the predetermined protocol based upon the received network traffic, (Rules engine 220 determines whether the packet includes transition pattern 2444 included in the state-transition rule 244; if the packet does not include the transition pattern 2444, the packet is deemed to be associated with an attempted network intrusion, thus, behavior of the predetermined protocol/rule based upon use related to the received traffic by identifying the intrusion as designed/defined)(para. 8, 40).
Sahita does not specifically teach receiving the screened network traffic from the endpoint based upon the FSM. 
However, Behrendt teaches receiving the screened network traffic from the endpoint based upon the FSM, (An Event Filtering, Aggregation and Correlation System 106 processes raw data reported by the monitoring systems (hence, screened network traffic) and converts it into an optimal number of events which are sent to AIMS based on fault-tolerant FSM engine) (para. 37; Fig. 1).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita and Behrendt in order to further identify information which indicates abnormal behavior, (Behrendt; para. 37), in order to act on it. 
Neither Sahita nor Behrendt specifically teaches wherein the linear representation is based upon information including FSM identifiers for nodes and edges.
However, Portolan teaches wherein the linear representation is based upon information including FSM identifiers for nodes and edges, (via the need for more sophisticated processing (e.g., identifying a register inside a received vector (linear representation), or computing the vector to access a specific device (specific device representing identifier for node)); TAP FSM) (para. 54; 158, 475).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita, Behrendt and Portolan such that in the interest of the usual architectural best practice of keeping instruction and data separated, register-based parameter passing is defined for this exemplary implementation of a Vector Level TISA, (Portolan; para. 115). 
Neither Sahita, Behrendt nor Portolan specifically teaches then, without a request to the endpoint, directly verifying behavior of the protocol based upon the received network traffic,
decoupling protocol information from decoding, encoding, and emulation logic; Because the invention decouples software code generation for decoding and encoding from specific protocols, developers are able to more quickly generate code or hardware designs for network devices which monitor protocol behavior (hence, verifying). In one embodiment for monitoring the behavior of a protocol contained within a network frame, network frames are received by the network device and then network frames are filtered according to which protocol is being monitored) (para. 15).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Behrendt, Portolan and Krieski such that the protocol finite state machine language 116 provides a means of describing the finite state machine (fsm) of network protocols. The network device user may author a description of any protocol using the protocol finite state machine language 116. This description includes the structure of the finite state machine in terms of states, events, and actions, (Krieski; para. 145).

 	As per claim 4, the apparatus of claim 1, Sahita teaches wherein the processor is further configured to execute the instructions of determining a state of the FSM from a group of predetermined states, (NIDU 200 includes classifier 210, rules engine 220, one or more state tables 230 and one or more rules tables 240. Although classifier 210 and rules engine 220 are described below as separate functional elements, they may be combined into a single multifunctional element (processor) that performs the functions of classifier; see group of states; also denote state table) (para. 25, 27, 65, 68); Fig. 4), where the state is selected from the group consisting of static, ability to be further parsed or retrieved, association with an application on the FSM, and empty content, (parsing via listening) (para. 30; Fig. 3).

 	As per claim 5, the apparatus according to claim 1, Sahita teaches wherein the linear representation of the predetermined protocol is based upon additional information including one or more of direction, stack layer, header format, alignment, encoding attributes, special characters, FSM message header values, FSM timer values, FSM payload values, state of the FSM, control structures, counters, time intervals, integrity, and system constraints, (wherein vectors includes direction; also note control structures of Fig. 3, i.e. timed wait; Current state (of FSM) is represented by a bit-vector) (Fig. 3; para. 27, 29, 30). 

 	As per claim 6, the apparatus according to claim 1, Sahita teaches wherein the linear representation of the predetermined protocol is obtained via collected network traffic packet captures or a specification, (flow entry (collected network traffic) indicates a current state 2324 of the flow. Current state 2324 is represented by a bit-vector) (para. 27, 29). 

(wherein linear representation via a bit-vector, and thus silent (independent of) regarding an application) (para. 27, 29). 

 	As per claim 9, the apparatus according to claim 1, Sahita teaches wherein the endpoint is a reader, (via NIDS examines (reads) packets entering a network to determine whether an unauthorized user is attempting to access the network; NIDU may be on an endpoint, installed in the destination device (server, personal computer) (para. 6, 22) on an internet browser. 

 	As per claim 10, the apparatus according to claim 9, Sahita teaches wherein the endpoint is operably coupled to the processor and memory, (coupled via network; A data packet may travel through one or more intermediate electronic systems, commonly referred to as network devices, during transmission from a source to a destination) (para. 3; Fig. 1, Fig. 8). 

 	As per claim 11, the apparatus according to claim 1, Sahita teaches wherein the predetermined protocol is stored in a library of the memory, (rules table (RT) (library of memory) 240 are tables or other data structures related to a protocol; A user configures NIDU 200 (also comprises library of memory as stated since it examines the flows of one or more protocols; and via the model (FSM)) (para. 27, 29). 


Neither Sahita, Behrendt, nor Portolan specifically teaches wherein the edge represents one or more of a counter, timer, and control structure for examination, and wherein one or more pairs of the nodes and edges is defined.
However, Krieski teaches wherein the edge represents one or more of a counter, timer, and control structure for examination, (control structure for examination via representing network analyzer) (para. 13, 43) and wherein one or more pairs of the nodes and edges is defined, (Fig. 3 and Fig. 10 shows defined nodes and edges) (Fig. 3, Fig. 10).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Behrendt, Portolan and Krieski such that the protocol finite state machine language 116 provides a means of describing the finite state machine (fsm) of network protocols. The network device user may author a description of any protocol using the protocol finite state machine language 116. This description includes the structure of the finite state machine in terms of states, events, and actions, (Krieski; para. 145).

9.	Claims 2-3 are rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Behrendt et al., (Behrendt), US PGPub. No.: 20120151272 in view of Portolan et al. (Portolan), US PGPub. No: 20120137186 in view of Krieski et al., (Krieski), US PGPub. No.: 20020156886 and further in view of Sulton et al., (Sulton), US Patent No.: 8713544.

As per claim 2, the apparatus of claim 1, Sahita teaches wherein the processor is further configured to perform the instructions of dynamically altering the data including a state transition of the FSM, (para. 29, 30; Fig. 3) and modifying the linear representation of the predetermined protocol, (Fig. 4; para. 35).
 Neither Sahita, Behrendt, Portolan nor Krieski specifically teaches modifying representation of the protocol without rebooting a network node.
However, Sulton teaches modifying representation of the protocol without rebooting a network node, (the present invention allows updates (modifying) of the protocol specification (representation of protocol) independently of updates to the application specific logic in the proxy activity code 2. Updates to the protocol specification 1 and/or the proxy activity code 2 can be delivered as data rather than as executable binary code, making it easier to provide updates that do not require a restart of runtime proxy executable code) (col. 5, lines 48-55).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Behrendt, Portolan, Krieski and Sulton in order to more quickly provide security for more protocols, (Sulton; col. 5, lines 57-59).

	As per claim 3, the apparatus of claim 2, Sahita teaches wherein the state transition of the FSM changes one or more of a message header, timer and payload, (via timeout, reset) (para. 30; Fig. 3). 
	Behrendt also teaches the state transition of the FSM changes one or more of a message header, timer and payload, (para. 30).

10.	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Behrendt et al., (Behrendt), US PGPub. No.: 20120151272 in view of Portolan et al. (Portolan), US PGPub. No: 20120137186 in view of Krieski et al., (Krieski), US PGPub. No.: 20020156886 and further in view of Wright et al., (Wright), US PGPub. No.: 20060077895.

 	As per claim 8, the apparatus according to claim 1, Sahita teaches wherein the linear representation is output (via vector) (para. 27, 29). 
Neither Sahita, Behrendt, Portolan nor Krieski specifically teaches the representation is output onto a graphical user interface or a file. 
However, Wright teaches the representation is output onto a graphical user interface or a file, (instance is stored as a vector of protocol elements; GUI 206 updates an instance 216 (outputs vector representation) by manipulating an element within the vector, hence onto the GUI) (para. 33).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Behrendt, Portolan, Krieski and Wright in order to utilize a GUI 206 which constructs and populates a tree mimicking the nested data structure represented by the protocol message descriptions, hence for visual clarity; and when the GUI updates an instance by using a vector, the corresponding string is updated, (Wright; para. 28, 33).

11.	Claims 12, 14-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Cherian et al., (Cherian), US PGPub. No.: 20130142118 and further in view of Portolan et al. (Portolan), US PGPub. No: 20120137186.

 	As per claim 12, Sahita teaches a method for testing network traffic (via Network Intrusion Detection System and NIDU) (para. 6, 9) comprising: 
providing a client and a server, (source (can be representative as client/PC) and destination (can be representative as server) (para. 20, 22; Fig. 1) ; 
spawning a finite state machine (FSM) based upon a linear representation (via vectors (which are linear representations)) (para. 29) of a predetermined protocol of the network traffic, (the operation of a protocol can be described based on a theoretical model commonly referred to as a finite state machine (FSM). A FSM is commonly represented (spawned) as a set of unique states for a system, and a set of transitions between the states. Combined source states 2442 and state transitions 2446 correspond to states in a protocol's FSM; protocols operation is defined (hence, spawned) by FSM) (para. 29, 30, 31; Fig. 3); 
sending screened network traffic based upon the linear representation to the server, (NIDU functions to determine, based on the expected state transition of a flow, whether to transmit a data packet belonging to the flow to destination (server)) (para. 21, 22); Sahita further teaches the linear representation of the predetermined protocol, (via a vector) (para. 27, 29).
(the destination can also be a personal computer, a personal digital assistant which are also regarded as clients which receive the screened traffic, (determine, based on the expected state transition of a flow, whether to transmit a data packet (hence, screened) belonging to the flow to destination 108 (server, client)) (para. 21, 22).
Sahita does not specifically teach authenticating the sent traffic at the client or server. 
However, Cherian teaches authenticating the sent traffic at the client or server, (as a data packet passes (representing sent traffic) through the M2M server, the M2M server 316 may identify the device connection information associated with the packet. This may allow the M2M server 316 to identify the machine to machine device 308 that generated the packet. Based on one or more of authentication, authorization, subscription, and the like, the M2M server 316 may process the packet (sent traffic), hence authenticated at the server) (para. 92).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita and Cherian in order to identify and impose limits based upon the amount of packets that are expected per unit of time, and to further use the IP address to facilitate a bi-directional packet data communication between the device and the server (Cherian; para. 92, 98).
Neither Sahita nor Cherian specifically teaches wherein the linear representation is based upon information including FSM identifiers for nodes and edges.
 wherein the linear representation is based upon information including FSM identifiers for nodes and edges, (via the need for more sophisticated processing (e.g., identifying a register inside a received vector (linear representation), or computing the vector to access a specific device (specific device representing identifier for node))) (para. 158).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita, Cherian and Portolan in order to employ Test Instruction Set Architecture (TISA) and thus allow finer grain control of the state machine and support more sophisticated testing operations, (Portolan; para. 18, 170).

 	As per claim 14, the method according to claim 12, 
Sahita does not specifically teach wherein the authenticating step includes confirming the sent traffic on a data analyzer. 
However, Cherian teaches wherein the authenticating step includes confirming the sent traffic on a data analyzer, (as a data packet passes (representing sent traffic) through the M2M server, the M2M server 316 may identify (via analyzing) the device connection information associated with the packet. This may allow the M2M server 316 to identify the machine to machine device 308 that generated the packet. Based on one or more of authentication, authorization, subscription, and the like, the M2M server 316 may process the packet (sent traffic), hence authenticated at the server) (para. 92).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita  (Cherian; para. 92, 98).

 	As per claim 15, the method according to claim 12, Sahita teaches wherein the machine is not rebooted prior to the sending step, (rebooting prior to the sending step is not disclosed by Sahita, thus the machine is not rebooted prior to sending step) (Fig. 3). 

	As per claim 18, the method of claim 12, Sahita teaches wherein a state of the FSM is selected from a group consisting of static, ability to be further parsed or retrieved, association with an application on the FSM, and empty content, (ability to be further parsed or retrieved via state changes/transitions; also evict indicator can be viewed as further parsing since, i.e. evict indicator of state transition for pair 3 is set to 1 to indicate eviction) (para. 37; see Fig. 4). 

 	As per claim 19, the method according to claim 12, Sahita teaches wherein the linear representation of the predetermined protocol is based upon additional information including one or more of direction, stack layer, header format, alignment, encoding attributes, special characters, FSM message header values, FSM timer values, FSM payload values, state of the FSM, control structures, counters, time intervals, integrity, and system constraints, (wherein vectors includes direction; also note control structures of Fig. 3, i.e. timed wait; Current state (of FSM) is represented by a bit-vector) (Fig. 3; para. 27, 29, 30). 

 	As per claim 20, the method according to claim 12, Sahita teaches wherein the linear representation of the predetermined protocol is obtained via collected network traffic packet captures or a specification, (flow entry (collected network traffic) indicates a current state 2324 of the flow. Current state 2324 is represented by a bit-vector) (para. 27, 29).

12.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Cherian et al., (Cherian), US PGPub. No.: 20130142118 in view of Portolan et al. (Portolan), US PGPub. No: 20120137186 and further in view of Hamilton et al., (Hamilton), US Patent. No.: 6009464.

 	As per claim 13, the method according to claim 12, 
Sahita does not specifically teach wherein the client and server have the same network IP address. 
However, Cherian teaches client and server have network IP address (IP address may be associated with the UE 302b and/or the devices attached with the UE 302b, thus including server (see Fig. 3)) (para. 97; Fig. 3).
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the FSM teachings of Sahita  (Cherian; para. 92, 98).
Neither Sahita, Cherian nor Portolan specifically teach wherein the client and server have the same address.
However, Hamilton teaches wherein the client and server have the same address, (server and the network client may be located at the same address space or in the same physical computer) (col. 10, lines 58-60).
 Therefore, it would be obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Cherian, and Hamilton such that Network name servers such as network name server 540, are servers that return a machine address for a network server in response to an inputted network server name.  In cases wherein devices reside within the same physical machine, they may share the same address space, or document server 520 may know beforehand the network server machine address of the network server, thus in such cases, a network name server is not needed, hence, therefore saving allocated resources, (Hamilton; col. 6, lines 65-67; col. 7, lines 18-24).

13.	Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Sahita, (Sahita), US PGPub. No.: 20050111460 applied to claims above, in view of Cherian et al., (Cherian), US PGPub. No.: 20130142118 in view of Portolan et al. (Portolan), US .

 	As per claim 17, the method according to claim 12, Sahita teaches wherein the sent traffic is independent of an application on the FSM, (via Fig. 3, Sahita is silent regarding an application on the FSM, hence the traffic is independent of an application on the FSM) (Fig. 3) and the network traffic is based upon the transport layer (via connection oriented communication; measuring connections per second) (para. 42; Fig. 3).
Neither Sahita, Cherian nor Portolan teaches transport layer is above an open service interconnect model.
However, Boucher teaches transport layer is above an open service interconnect model, (para. 8; Fig. 5, 6). 
Therefore, it would have been obvious to one of the ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Sahita, Cherian, Portolan and Boucher in order to further utilize the transport layer of the OSI which sets forth seven processing layers through which information may pass when received by a host in order to be presentable to an end user as well as utilize the data link layers which provide frame division and error correction to the data received from the physical layers, (Boucher; para. 8, 9).

Conclusion
Mori, US PGPub. No.: 20050086020. See abstract and Fig. 15: The present invention's method and apparatus to generate test sequences for communication protocols input the data of the finite state machines (FSM) representing the specification of the communication protocols, and convert the test sequence generation problem to the SAT problem, and generate test sequences for communication protocols by solving the SAT problem.

15.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
16.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to James Edwards whose telephone number is (571) 270-7176.  The examiner can normally be reached Monday to Thursday, 7:00-5:30pm EST.

	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published application may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAMES A EDWARDS/
Examiner, Art Unit 2448
5/29/21