DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/8/2021 has been entered.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status of Claims
	Claims 1, 4-15 are pending.  Claims 2-3 are cancelled.

Priority
Acknowledgment is made of applicant's claim for benefit based on National Stage application PCT/EP2016/064422. It is noted, however, that applicant has not filed a certified copy of the PCT/EP2016/064422 application as required by 37 CFR 1.55.

Claim Objections
Claims 1 and 14-15 are objected to because of the following informalities:  
Claims 1, 14, and 15 contain the following: “forwarding packets… based on the flow state of the received data flow is “ALLOW””.  This should be “forwarding packets… based on the flow state of the received data flow being “ALLOW””, or similar.
Claims 1, 14, and 15 contain the following: “blocking packets… based on the flow state of the received data flow is “BLOCK””.  This should be “blocking packets… based on the flow state of the received data flow being “BLOCK””, or similar.
Claims 1, 14, and 15 contain the following: “replicating packets… based on the flow state of the received data flow is “SUSPECT””.  This should be “replicating packets… based on the flow state of the received data flow being “SUSPECT””, or similar.
Claims 1, 14, and 15 contain the following: “forwarding packets… based on the received data flow matches…”.  This should be “forwarding packets… based on the received data flow matching…”, or similar.
Claims 1, 14, and 15 contain the following: “blocking packets… based on the received data flow matches…”.  This should be “blocking packets… based on the received data flow matching…”, or similar.
Claims 1, 14, and 15 contain the following: “replicating packets… based on the received data flow matches…”.  This should be “replicating packets… based on the received data flow matching…”, or similar.
Claims 14 and 15 have no antecedent basis for “the at least one inspection processor”.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 4, 10, and 13-15 are rejected under 35 U.S.C. 103 as being unpatentable over Moyer (PGPUB 2017/0048312), and further in view of Shishodia (PGPUB 2017/0006082) and Ling et al. (PGPUB 2015/0334090).

Regarding Claim 1:
Moyer teaches a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN), comprising at least one processor (abstract, techniques for performing SDN-based mirroring of traffic flows for network analytics; paragraph 43-44, computer system comprising processor); and 
at least one non-transitory computer-readable storage medium including computer-executable instructions executed by the at least one processor to perform operations comprising (paragraph 43, 50, processor and memory storing instructions): 
storing, on the at least one non-transitory computer-readable storage medium, flow states of data flows (paragraph 32-34, SDN mirroring application receives mirroring configuration information including parameters of a flow to be mirrored as well as a mirror port; SDN mirroring application saves received mirroring configuration information as a mirroring profile, i.e. “flow state”); and 
sharing and updating, from the at least one non-transitory computer-readable storage medium, the flow states across the system (paragraph 32-34, SDN mirroring application generates mirroring command including specified flow/mirror port parameters; command sent to SDN mirroring component of network device; command is used to install entries in SDN flow table of network device to instruct device to mirror flow in accordance with parameters/rules included in command; flow state thus shared and updated across system);
determining, whether a received data flow already has a flow state stored in the at least one non-transitory computer-readable storage medium (paragraph 35, device attempts to match incoming packet against SDN flow table to see whether packet is part of flow to be mirrored);
performing, by at least one shared state forwarding processor of the at least one processor, one of: blocking, forwarding, or replicating, the received data flow based on (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”)):  
a flow state of the received data flow, when the received data flow has a stored flow state (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”); traffic analytics tool operable to receive mirrored network traffic from network device); and 
receiving, by at least one inspection processor of the at least one processor, a replicated data flow (paragraph 21, traffic analytics tool operable to receive mirrored network traffic from network device).
Moyer does not explicitly teach classifying whether the received data flow is malicious or allowed;
altering, by the at least one inspection processor, the flow state of the received data flow according to a classification result indicating whether the received data flow is malicious or allowed,
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:

forwarding packets of the received data flow, based on the flow state of the received data flow is “ALLOW”; and
blocking packets of the received data flow, based on the flow state of the received data flow is “BLOCK”.
However, Shishodia teaches the concept of classifying whether a received data flow is malicious or allowed (abstract, orchestrator is software appliance comprising SDN applications such as intrusion detection and prevention (IDP); paragraph 37, live traffic data flowing through network is port mirrored and passed to orchestrator, which conducts deep packet analysis; identified threats are converted into required formats and firewall policies are created based on the information);
altering, by at least one inspection processor, a flow state of the received data flow according to a classification result indicating whether the received data flow is malicious or allowed (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and finally a firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
in response to the received data flow having a stored flow state, wherein the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and finally a firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),
forwarding packets of the received data flow, based on the flow state of the received data flow is “ALLOW” (paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to allow traffic as per the rule, i.e. the flow state (rule) is set to allow); and
blocking packets of the received data flow, based on the flow state of the received data flow is “BLOCK” (paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to deny traffic as per the rule, i.e. the flow state (rule) is set to deny).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the inspection processor classification teachings of Shishodia with the flow processing and replication system of Moyer, with the benefit of utilizing available traffic analysis tools to discover ongoing network threats and respond to them with appropriate mitigating actions, thereby improving overall network security.
Neither Moyer nor Shishodia explicitly teaches a comparison of the received data flow with a predetermined pattern of allowed traffic, a predetermined pattern of malicious traffic, or a predetermined pattern of suspected traffic, when the received data flow has no stored flow state; 
replicating packets of the received data flow, based on the flow state of the received data flow is “SUSPECT”; and
in response to the received data flow not having a stored flow state,
 forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic;

replicating packets of the received data flow, based on the received data flow matches the predetermined pattern of suspected traffic; and
wherein the replicating the packets of the received data flow based on the flow state of the received data flow is “SUSPECT” or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of:
forwarding the packets of the received data flow to the at least one inspection processor for classifying; or
stalling the packets of the received data flow until the at least one inspection processor completes classifying, and then blocking or forwarding the packets of the received data flow based on the classification result.
However, Ling teaches the concept of determining, whether a received data flow already has a flow state stored in the at least one non-transitory computer-readable storage medium (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; when there is no matching entry in flow table, switch sends copy of packet to controller);
a comparison of the received data flow with a predetermined pattern of allowed traffic, a predetermined pattern of malicious traffic, or a predetermined pattern of suspected traffic, when a received data flow has no stored flow state (paragraph 19-20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall detects threat in packet, i.e. “predetermined pattern of malicious traffic”, firewall sends switch a deny message which causes switch to drop packet); 
replicating packets of the received data flow, based on the flow state of the received data flow is “SUSPECT” (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets);
in response to the received data flow not having a stored flow state (paragraph 20, packet does not match entry in flow table),
 forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow does not contain threat, firewall sends allow message to switch, which outputs packet towards destination);
blocking packets of the received data flow, based on the received data flow matches the predetermined pattern of malicious traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow contains threat, firewall sends deny message to switch, which drops packet);
replicating packets of the received data flow, based on the received data flow matches the predetermined pattern of suspected traffic (paragraph 20, when the packet does not match entry in flow table, i.e. “predetermined pattern of suspected traffic”, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection); and
wherein the replicating the packets of the received data flow based on the flow state of the received data flow is “SUSPECT” or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of:
forwarding the packets of the received data flow to the at least one inspection processor for classifying (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets); or
stalling the packets of the received data flow until the at least one inspection processor completes classifying (abstract, system for performing deep packet inspection; paragraph 27, if deep packet inspection is configured on a flow, packets are mirrored to firewall; network switch will not output or drop the packet until message is received from firewall), and then blocking or forwarding the packets of the received data flow based on the classification result (paragraph 27, allow message from firewall allows network switch to continue processing packet; if deny message is received from firewall, packet is dropped).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ling's teachings on processing flows that have no stored state with the flow processing and replication system of Moyer in view of Shishodia, with the benefit of being able to process ongoing flows as well as new or unknown flows, without causing system disruption or simply dropping the new flows.

Claim 4:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.  In addition, Shishodia teaches wherein 
the operations performed, by the at least one shared state forwarding processor, further comprise immediately blocking packets of a data flow, when the at least one inspection processor performs the operation of setting or updating a flow state of the data flow to "BLOCK" (paragraph 36, rule sent as instruction to controller which installs flow tables on the switches to deny the traffic as per the rule).

Regarding Claim 10:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.  In addition, Moyer teaches wherein the operations further comprise: 
altering, by the at least one inspection processor, a flow state of a replicated data flow to "END" (paragraph 31, agent indicates that mirroring of flow to traffic analytics tool is no longer needed, i.e. state is set to “end replication”; paragraph 27, agent is traffic analytics application in communication with traffic analytics tool, i.e. inspection processor), and 
stopping, by the at least one shared state forwarding processor, the replication and sending to the at least one inspection processor of the received data flow, when the at least one inspection processor alters the flow state to "END" (paragraph 31, network device continues mirroring flow until device receives second command to stop mirroring, i.e. flow state altered to “end”).

Regarding Claim 13:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.  In addition, Moyer teaches wherein 
(paragraph 23, SDN controller connected to network device)
providing, by the SDN controller and to the at least one shared state forwarding processor, the predetermined patterns (paragraph 29-30, 21, upon receiving mirroring command including parameters/rules (i.e. “predetermined patterns”) from SDN mirroring application of SDN controller, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s)).
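The limitations of claims 1, 4, 10 and 13 as mapped above describe a small forwarding state machine: a shared store of per-flow states, a forwarding processor that acts on the stored state (or, for a flow with no stored state, on predetermined patterns supplied by the SDN controller), and an inspection processor that receives replicated packets and alters the shared state. The following Python is an added illustration written for this page; it is not code from the application, from the applicant, or from the Moyer, Shishodia or Ling references, and it reads the claim language in one of several possible ways. Everything in it is an assumption made for illustration: the transport five-tuple as flow identity, three predicates standing in for the "predetermined patterns", a byte string standing in for an IDS signature, a clean-packet budget that turns "SUSPECT" into "ALLOW", forwarding (rather than holding) packets of a flow in the "END" state, default deny for a flow that matches no pattern, and the constructed traffic itself. It exercises both alternatives the claims recite for replication of a suspect flow: mirroring a copy while the original keeps flowing, and stalling the original until the inspection processor's verdict arrives.

```python
"""Added illustration (hypothetical; not code from the application or from Moyer, Shishodia or Ling)
of the shared-flow-state forwarding logic recited in claims 1, 4, 10 and 13."""
from enum import Enum
from typing import Callable, Dict, List, NamedTuple, Tuple

class FlowState(Enum):
    ALLOW = "ALLOW"      # forward packets of the flow
    BLOCK = "BLOCK"      # drop packets of the flow
    SUSPECT = "SUSPECT"  # replicate packets to the inspection processor
    END = "END"          # replication stopped (claim 10); forwarding on END is an assumption

# Constructed packet model; the five-tuple as flow identity is an assumption.
Packet = NamedTuple("Packet", [("proto", str), ("src_ip", str), ("src_port", int),
                               ("dst_ip", str), ("dst_port", int), ("payload", bytes)])
def flow_key(pkt: Packet) -> Tuple:
    return pkt[:5]

class InspectionProcessor:
    """Receives replicated packets, classifies them and alters the shared flow state (claims 1, 4, 10)."""
    def __init__(self, store: Dict[Tuple, FlowState], signatures: List[bytes], budget: int = 3):
        self.store, self.signatures, self.budget = store, signatures, budget
        self.clean_seen: Dict[Tuple, int] = {}
    def receive_replica(self, pkt: Packet) -> FlowState:
        key = flow_key(pkt)
        if any(sig in pkt.payload for sig in self.signatures):   # constructed stand-in for an IDS rule
            self.store[key] = FlowState.BLOCK   # malicious: the forwarder must block at once (claim 4)
        else:
            self.clean_seen[key] = self.clean_seen.get(key, 0) + 1
            if self.clean_seen[key] >= self.budget:  # assumed rule: N clean packets => allowed
                self.store[key] = FlowState.ALLOW
        return self.store[key]                  # still SUSPECT while undecided
    def end_replication(self, key: Tuple) -> None:
        self.store[key] = FlowState.END         # claim 10: the inspector no longer needs copies

class SharedStateForwardingProcessor:
    """Decides per packet from the shared state, or from the predetermined patterns when none is stored."""
    def __init__(self, store, patterns: Tuple[Callable[[Packet], bool], ...], inspector, stall=False):
        self.store, self.inspector, self.stall = store, inspector, stall
        self.allowed, self.malicious, self.suspected = patterns   # claim 13: supplied by the SDN controller
        self.forwarded, self.dropped, self.replicated = [], [], []
        self.stalled: Dict[Tuple, List[Packet]] = {}
    def handle(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        state = self.store.get(key)
        if state is None:                       # no stored flow state: compare with the patterns
            if self.malicious(pkt):
                state = FlowState.BLOCK
            elif self.allowed(pkt):
                state = FlowState.ALLOW
            elif self.suspected(pkt):
                state = self.store[key] = FlowState.SUSPECT  # assumption: stored so a verdict can replace it
            else:
                state = FlowState.BLOCK         # assumption: default deny when nothing matches
        if state is FlowState.SUSPECT:
            return self._replicate(pkt, key)
        self._release(key, state)               # stall variant: flush packets held during classification
        return self._act(pkt, state)
    def _replicate(self, pkt: Packet, key: Tuple) -> str:
        self.replicated.append(pkt)             # the copy handed to the inspection processor
        verdict = self.inspector.receive_replica(pkt)
        if verdict is FlowState.SUSPECT:        # classification not finished yet
            if self.stall:                      # claimed alternative: stall the original until the verdict
                self.stalled.setdefault(key, []).append(pkt)
                return "STALL"
            self.forwarded.append(pkt)          # other alternative: mirror, the original keeps flowing
            return "REPLICATE"
        self._release(key, verdict)
        return self._act(pkt, verdict)
    def _release(self, key: Tuple, state: FlowState) -> None:
        for held in self.stalled.pop(key, []):
            self._act(held, state)
    def _act(self, pkt: Packet, state: FlowState) -> str:
        if state is FlowState.BLOCK:
            self.dropped.append(pkt)
            return "BLOCK"
        self.forwarded.append(pkt)              # ALLOW and END both forward
        return "FORWARD"

def run_demo(stall: bool = False):
    """Runs constructed traffic through the processors; returns (action per packet, forwarder)."""
    store: Dict[Tuple, FlowState] = {}
    inspector = InspectionProcessor(store, signatures=[b"cmd.exe"], budget=3)
    patterns = (lambda p: p.proto == "udp" and p.dst_ip == "10.0.0.53" and p.dst_port == 53,  # allowed
                lambda p: p.proto == "tcp" and p.dst_port == 23,                              # malicious
                lambda p: p.proto == "tcp" and p.dst_port in (80, 443))                       # suspected
    fwd = SharedStateForwardingProcessor(store, patterns, inspector, stall=stall)
    a = lambda d: Packet("tcp", "10.0.1.5", 40001, "203.0.113.10", 80, d)
    b = lambda d: Packet("tcp", "10.0.1.6", 40002, "203.0.113.20", 443, d)
    c = lambda d: Packet("tcp", "10.0.1.7", 40003, "203.0.113.30", 80, d)
    acts = [fwd.handle(Packet("udp", "10.0.1.5", 5353, "10.0.0.53", 53, b"dns")),
            fwd.handle(Packet("tcp", "10.0.1.5", 40000, "203.0.113.9", 23, b"login"))]
    acts += [fwd.handle(a(d)) for d in (b"GET / HTTP/1.1", b"GET /?x=cmd.exe", b"GET /y")]
    acts += [fwd.handle(b(d)) for d in (b"\x16\x03\x01", b"\x17\x03\x03", b"\x17\x03\x03", b"\x17\x03\x03")]
    acts.append(fwd.handle(c(b"GET /z")))
    inspector.end_replication(flow_key(c(b"")))   # inspector finished with flow c
    acts.append(fwd.handle(c(b"GET /w")))
    return acts, fwd

if __name__ == "__main__":
    print(run_demo()[0], run_demo(stall=True)[0])
```

In the mirror variant the packet carrying the constructed signature is itself dropped, because the forwarder consults the verdict the inspection processor wrote before releasing the original; every later packet of that flow is dropped from the stored "BLOCK" state without being replicated again, which is the behaviour claim 4 recites. In the stall variant the packets of a suspect flow are held until the verdict, then dropped or forwarded together, and a flow the inspector marks "END" stops being replicated while its held packets are released.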

Regarding Claim 14:
Moyer teaches a method for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN), comprising (abstract, techniques for performing SDN-based mirroring of traffic flows for network analytics; paragraph 43-44, computer system comprising processor); and 
storing flow states of data flows (paragraph 43, 50, processor and memory storing instructions; paragraph 32-34, SDN mirroring application receives mirroring configuration information including parameters of a flow to be mirrored as well as a mirror port; SDN mirroring application saves received mirroring configuration information as a mirroring profile, i.e. “flow state”); and
sharing and updating the flow states across the SDN (paragraph 32-34, SDN mirroring application generates mirroring command including specified flow/mirror port parameters; command sent to SDN mirroring component of network device; command is used to install entries in SDN flow table of network device to instruct device to mirror flow in accordance with parameters/rules included in command; flow state thus shared and updated across system);
(paragraph 35, device attempts to match incoming packet against SDN flow table to see whether packet is part of flow to be mirrored);
performing one of: blocking, forwarding, or replicating, the received data flow based on (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”)):  
a flow state of the data flow, when the received data flow has a stored flow state (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”); traffic analytics tool operable to receive mirrored network traffic from network device).
Moyer does not explicitly teach classifying whether a replicated data flow is malicious or allowed;
altering the flow state of the data flow according to a classification result indicating whether the received data flow is malicious or allowed,
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
in response to the received data flow having a stored flow state, wherein the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor,
forwarding packets of the received data flow, based on the flow state of the received data flow is “ALLOW”; and

However, Shishodia teaches the concept of classifying whether a replicated data flow is malicious or allowed (abstract, orchestrator is software appliance comprising SDN applications such as intrusion detection and prevention (IDP); paragraph 37, live traffic data flowing through network is port mirrored and passed to orchestrator, which conducts deep packet analysis; identified threats are converted into required formats and firewall policies are created based on the information);
altering a flow state of the data flow according to a classification result indicating whether the received data flow is malicious or allowed (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and finally a firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
in response to the received data flow having a stored flow state, wherein the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and finally a firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),
(paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to allow traffic as per the rule, i.e. the flow state (rule) is set to allow); and
blocking packets of the received data flow, based on the flow state of the received data flow is “BLOCK” (paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to deny traffic as per the rule, i.e. the flow state (rule) is set to deny).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the inspection processor classification teachings of Shishodia with the flow processing and replication system of Moyer, with the benefit of utilizing available traffic analysis tools to discover ongoing network threats and respond to them with appropriate mitigating actions, thereby improving overall network security.
Neither Moyer nor Shishodia explicitly teaches a comparison of the data flow with a predetermined pattern of allowed traffic, a predetermined pattern of malicious traffic, or a predetermined pattern of suspected traffic, when the received data flow has no stored flow state; 
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
replicating packets of the received data flow, based on the flow state of the received data flow is “SUSPECT”; and
in response to the received data flow not having a stored flow state,
 forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic;
blocking packets of the received data flow, based on the received data flow matches the predetermined pattern of malicious traffic;

wherein the replicating the packets of the received data flow based on the flow state of the received data flow is “SUSPECT” or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of:
forwarding the packets of the received data flow for classifying; or
stalling the packets of the received data flow until completing classifying, and then blocking or forwarding the packets of the received data flow based on the classification result.
However, Ling teaches the concept of determining, whether a received data flow already has a flow state stored in at least one non-transitory computer-readable storage medium (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; when there is no matching entry in flow table, switch sends copy of packet to controller);
a comparison of the data flow with a predetermined pattern of allowed traffic, a predetermined pattern of malicious traffic, or a predetermined pattern of suspected traffic, when a received data flow has no stored flow state (paragraph 19-20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall detects threat in packet, i.e. “predetermined pattern of malicious traffic”, firewall sends switch a deny message which causes switch to drop packet); 
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
(paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets);
in response to the received data flow not having a stored flow state (paragraph 20, packet does not match entry in flow table),
 forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow does not contain threat, firewall sends allow message to switch, which outputs packet towards destination);
blocking packets of the received data flow, based on the received data flow matches the predetermined pattern of malicious traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow contains threat, firewall sends deny message to switch, which drops packet);
replicating packets of the received data flow, based on the received data flow matches the predetermined pattern of suspected traffic (paragraph 20, when the packet does not match entry in flow table, i.e. “predetermined pattern of suspected traffic”, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection); and

forwarding the packets of the received data flow for classifying (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets); or
stalling the packets of the received data flow until completing classifying (abstract, system for performing deep packet inspection; paragraph 27, if deep packet inspection is configured on a flow, packets are mirrored to firewall; network switch will not output or drop the packet until message is received from firewall), and then blocking or forwarding the packets of the received data flow based on the classification result (paragraph 27, allow message from firewall allows network switch to continue processing packet; if deny message is received from firewall, packet is dropped).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Ling's teachings on processing flows that have no stored state with the flow processing and replication system of Moyer in view of Shishodia, with the benefit of being able to process ongoing flows as well as new or unknown flows, without causing system disruption or simply dropping the new flows.

Regarding Claim 15:
Moyer teaches a non-transitory computer-readable storage medium including computer-executable instructions executable by a processor to perform operations, for detecting and preventing (abstract, techniques for performing SDN-based mirroring of traffic flows for network analytics; paragraph 43-44, computer system comprising processor; paragraph 43, 50, processor and memory storing instructions); and 
storing flow states of data flows (paragraph 43, 50, processor and memory storing instructions; paragraph 32-34, SDN mirroring application receives mirroring configuration information including parameters of a flow to be mirrored as well as a mirror port; SDN mirroring application saves received mirroring configuration information as a mirroring profile, i.e. “flow state”); and
sharing and updating the flow states across the SDN (paragraph 32-34, SDN mirroring application generates mirroring command including specified flow/mirror port parameters; command sent to SDN mirroring component of network device; command is used to install entries in SDN flow table of network device to instruct device to mirror flow in accordance with parameters/rules included in command; flow state thus shared and updated across system);
performing one of: blocking, forwarding, or replicating, the received data flow based on (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”)):  
a flow state of the data flow, when the received data flow has a stored flow state (paragraph 21, 29-30, upon receiving mirroring command, SDN mirroring component programs network device to mirror incoming traffic for specified flow to specified mirror port based on included parameters/rule(s) (i.e. “flow state”); traffic analytics tool operable to receive mirrored network traffic from network device).
Moyer does not explicitly teach classifying whether a replicated data flow is malicious or allowed;

wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
in response to the received data flow having a stored flow state, wherein the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor,
forwarding packets of the received data flow, based on the flow state of the received data flow is “ALLOW”; and
blocking packets of the received data flow, based on the flow state of the received data flow is “BLOCK”.
However, Shishodia teaches the concept of classifying whether a replicated data flow is malicious or allowed (abstract, orchestrator is software appliance comprising SDN applications such as intrusion detection and prevention (IDP); paragraph 37, live traffic data flowing through network is port mirrored and passed to orchestrator, which conducts deep packet analysis; identified threats are converted into required formats and firewall policies are created based on the information);
altering a flow state of the data flow according to a classification result indicating whether the received data flow is malicious or allowed (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and a final firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),

in response to the received data flow having a stored flow state, wherein the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor (paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and a final firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created),
forwarding packets of the received data flow, based on the flow state of the received data flow is “ALLOW” (paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to allow traffic as per the rule, i.e. the flow state (rule) is set to allow); and
blocking packets of the received data flow, based on the flow state of the received data flow is “BLOCK” (paragraph 36, rule is sent as instruction to controller, which installs flow tables on the switches to deny traffic as per the rule, i.e. the flow state (rule) is set to deny).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the inspection processor classification teachings of Shishodia with the flow processing and replication system of Moyer, with the benefit of utilizing available traffic analysis tools to discover ongoing network threats and respond to them with appropriate mitigating actions, thereby improving overall network security.
Neither Moyer nor Shishodia explicitly teaches a comparison of the data flow with a predetermined pattern of allowed traffic, a predetermined pattern of malicious traffic, or a predetermined pattern of suspected traffic, when the received data flow has no stored flow state;

replicating packets of the received data flow, based on the flow state of the received data flow is “SUSPECT”; and
in response to the received data flow not having a stored flow state,
forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic;
blocking packets of the received data flow, based on the received data flow matches the predetermined pattern of malicious traffic;
replicating packets of the received data flow, based on the received data flow matches the predetermined pattern of suspected traffic; and
wherein the replicating the packets of the received data flow based on the flow state of the received data flow is “SUSPECT” or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of:
forwarding the packets of the received data flow for classifying; or
stalling the packets of the received data flow until completing classifying, and then blocking or forwarding the packets of the received data flow based on the classification result.
However, Ling teaches the concept of determining whether a received data flow already has a flow state stored in at least one non-transitory computer-readable storage medium (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; when there is no matching entry in flow table, switch sends copy of packet to controller);
(paragraph 19-20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall detects threat in packet, i.e. “predetermined pattern of malicious traffic”, firewall sends switch a deny message which causes switch to drop packet); 
wherein performing one of: blocking, forwarding, or replicating the received data flow comprises:
replicating packets of the received data flow, based on the flow state of the received data flow is “SUSPECT” (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets);
in response to the received data flow not having a stored flow state (paragraph 20, packet does not match entry in flow table),
forwarding packets of the received data flow, based on the received data flow matches the predetermined pattern of allowed traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow does not contain threat, firewall sends allow message to switch, which outputs packet towards destination);
blocking packets of the received data flow, based on the received data flow matches the predetermined pattern of malicious traffic (paragraph 20, when the packet does not match entry in flow table, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection; paragraph 21, when firewall has identified that packet flow contains threat, firewall sends deny message to switch, which drops packet);
replicating packets of the received data flow, based on the received data flow matches the predetermined pattern of suspected traffic (paragraph 20, when the packet does not match entry in flow table, i.e. “predetermined pattern of suspected traffic”, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection); and
wherein the replicating the packets of the received data flow based on the flow state of the received data flow is “SUSPECT” or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of:
forwarding the packets of the received data flow for classifying (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets); or
stalling the packets of the received data flow until completing classifying (abstract, system for performing deep packet inspection; paragraph 27, if deep packet inspection is configured on a flow, packets are mirrored to firewall; network switch will not output or drop the packet until message is received from firewall), and then blocking or forwarding the packets of the received data flow based on the classification result (paragraph 27, allow message from firewall allows network switch to continue processing packet; if deny message is received from firewall, packet is dropped).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the processing flows with no state teachings of Ling with the flow processing and replication system of Moyer in view of Shishodia, with the benefit of being able to process ongoing flows as well as new or unknown flows, without causing system disruption or simply dropping the new flows.
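The forwarding logic recited in claim 1 and mapped onto Moyer, Shishodia and Ling above (stored flow state consulted first; predetermined patterns consulted only for a flow with no stored state; "SUSPECT" traffic replicated to an inspection processor either while the original packets keep flowing or while they are stalled; the shared state updated by each classification result), as an added Python illustration. This is not code from the application or from any of the cited references; the class, method and flow names, the three sample patterns and the sample flows are all constructed for the example, and treating an unmatched stateless flow as suspected is an assumption the claim language does not settle.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ALLOW, BLOCK, SUSPECT = "ALLOW", "BLOCK", "SUSPECT"


@dataclass(frozen=True)
class FlowKey:
    """Constructed flow identifier used as the key of the shared flow table."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Packet:
    flow: FlowKey
    payload: bytes


# A predetermined pattern is modelled as a predicate over a packet (constructed).
Pattern = Callable[[Packet], bool]


@dataclass
class SharedStateForwarder:
    """One shared-state forwarding processor acting on a shared flow-state table.

    Hypothetical names: flow_table stands in for the shared storage of flow
    states; allowed/malicious/suspected are the predetermined patterns."""
    flow_table: Dict[FlowKey, str]
    allowed: List[Pattern]
    malicious: List[Pattern]
    suspected: List[Pattern]
    stall_until_classified: bool = False   # False: keep forwarding originals while the copy is inspected
    default_state: str = SUSPECT           # assumption: a stateless flow matching no pattern is suspected
    forwarded: List[Packet] = field(default_factory=list)
    blocked: List[Packet] = field(default_factory=list)
    replicated: List[Packet] = field(default_factory=list)   # copies handed to inspection
    stalled: Dict[FlowKey, List[Packet]] = field(default_factory=dict)

    def _match_patterns(self, pkt: Packet) -> str:
        """Consulted only when the flow has no stored state; malicious wins over allowed."""
        if any(p(pkt) for p in self.malicious):
            return BLOCK
        if any(p(pkt) for p in self.allowed):
            return ALLOW
        if any(p(pkt) for p in self.suspected):
            return SUSPECT
        return self.default_state

    def handle(self, pkt: Packet) -> str:
        """Block, forward, or replicate one packet; returns the state that was applied."""
        state = self.flow_table.get(pkt.flow)
        if state is None:
            state = self._match_patterns(pkt)
        if state == ALLOW:
            self.forwarded.append(pkt)
        elif state == BLOCK:
            self.blocked.append(pkt)
        else:  # SUSPECT: send a copy for classification, then stall or keep forwarding the original
            self.replicated.append(Packet(pkt.flow, pkt.payload))
            if self.stall_until_classified:
                self.stalled.setdefault(pkt.flow, []).append(pkt)
            else:
                self.forwarded.append(pkt)
        return state

    def apply_classification(self, flow: FlowKey, result: str) -> int:
        """Inspection-processor verdict updates the shared state and releases any
        stalled packets of that flow; returns how many packets were released."""
        if result not in (ALLOW, BLOCK):
            raise ValueError("classification result must be ALLOW or BLOCK")
        self.flow_table[flow] = result       # state now shared with every forwarder
        held = self.stalled.pop(flow, [])
        (self.forwarded if result == ALLOW else self.blocked).extend(held)
        return len(held)


def demo() -> Dict[str, object]:
    """Constructed sample run: three new flows, then a verdict on the suspect one."""
    fwd = SharedStateForwarder(
        flow_table={},
        allowed=[lambda p: p.flow.dport == 53],          # constructed 'allowed' pattern
        malicious=[lambda p: b"EVIL" in p.payload],      # constructed 'malicious' pattern
        suspected=[lambda p: p.flow.dport == 8080],      # constructed 'suspected' pattern
        stall_until_classified=True,
    )
    dns = FlowKey("10.0.0.2", "10.0.0.1", 53, "udp")
    web = FlowKey("10.0.0.3", "10.0.0.1", 80)
    odd = FlowKey("10.0.0.4", "10.0.0.1", 8080)
    r1 = fwd.handle(Packet(dns, b"query"))        # no state, allowed pattern: forwarded
    r2 = fwd.handle(Packet(web, b"GET /EVIL"))    # no state, malicious pattern: blocked
    r3 = fwd.handle(Packet(odd, b"hello"))        # no state, suspected pattern: copied and stalled
    released = fwd.apply_classification(odd, ALLOW)
    r4 = fwd.handle(Packet(odd, b"again"))        # stored state ALLOW: forwarded, no copy made
    return {"states": [r1, r2, r3, r4], "released": released,
            "forwarded": len(fwd.forwarded), "blocked": len(fwd.blocked),
            "replicated": len(fwd.replicated), "table": dict(fwd.flow_table)}
```

Only the inspection processor writes to the flow table here, so the pattern-matched DNS and web flows never acquire a stored state and are re-matched on every packet; the suspect flow, once classified, is handled from the stored state alone and is no longer copied to inspection.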

Claims 5 and 7 are rejected under 35 U.S.C. 103 as being unpatentable over Moyer in view of Shishodia and Ling, and further in view of Toumura et al (PGPUB 2007/0160073).

Regarding Claim 5:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.  In addition, Ling teaches replicating the received data flow (paragraph 19-20, when network switch inputs a packet, switch determines whether or not certain information in the packet matches entry in flow table (i.e. “flow state”); if packet matches entry in flow table, network switch mirrors a copy of packet flow data to the firewall; this can be viewed as the packet having a flow state of “SUSPECT”, which can be viewed as a placeholder label corresponding to a flow state which initiates replication of packets); and
sending the replicated data flow to the at least one inspection processor for classification (abstract, system for performing deep packet inspection; paragraph 27, if deep packet inspection is configured on a flow, packets are mirrored to firewall; network switch will not output or drop the packet until message is received from firewall; paragraph 27, allow message from firewall allows network switch to continue processing packet; if deny message is received from firewall, packet is dropped).

Neither Moyer nor Shishodia nor Ling explicitly teaches wherein the operations performed, by at least one shared state forwarding processor, comprise:
setting or updating a flow state of a data flow to "SUSPECT", when the received data flow matches the predetermined pattern of suspected traffic.
However, Toumura teaches the concept wherein operations performed, by at least one shared state forwarding processor, comprise: 
setting or updating a flow state of a data flow to "SUSPECT", when a received data flow matches a predetermined pattern of suspected traffic (abstract, traffic analysis at application level; paragraph 57, 58, only suspicious stream is copied by stream sampling and sent to stream analyzing equipment; statistical analyzing equipment narrows down an IP address and a port number of equipment which seems to maliciously communicate based upon the received statistical information and the received packet samples, i.e. is suspect according to predetermined pattern of suspected traffic; the statistical analyzing equipment transmits the information of a stream to be sampled to the packet communications unit based upon the above-mentioned information, i.e. sets flow state of data flow to suspicious; a suspicious stream is sampled, is copied, and a copy is transmitted to the stream analyzing equipment), 
replicating the received data flow (paragraph 57, 58, suspicious stream is copied), and 
sending the replicated data flow to the at least one inspection processor for classification (paragraph 57, 58, copy is transmitted to the stream analyzing equipment).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the replicating a suspect data flow teachings of Toumura with the flow processing and replication system of Moyer in view of Shishodia and Ling, with the benefit of conserving system resources by limiting replication functions to only those flows which have suspicious 

Regarding Claim 7:
Moyer in view of Shishodia, Ling, and Toumura teaches the system according to claim 5.
In addition, Ling teaches wherein the operations performed, by at least one shared state forwarding processor, further comprise: 
stalling the forwarding of packets of a data flow that matches a predetermined pattern of suspected traffic, until performing of classification, by the at least one inspection processor, is complete (abstract, system for performing deep packet inspection; paragraph 27, if deep packet inspection is configured on a flow, packets are mirrored to firewall; network switch will not output or drop the packet until message is received from firewall); and 
then either blocking or continuing to forward the packets, based on the classification result (paragraph 27, allow message from firewall allows network switch to continue processing packet; if deny message is received from firewall, packet is dropped).

Claims 6 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Moyer in view of Shishodia and Ling, and further in view of McGrew et al (US 10,296,744).

Regarding Claim 6:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.
Neither Moyer nor Shishodia nor Ling explicitly teaches wherein the operations performed, by at least one shared state forwarding processor, further comprise altering a flow state of a randomly selected received data flow to "SUSPECT".
However, McGrew teaches the concept wherein operations performed, by at least one shared state forwarding processor, further comprise altering a flow state of a randomly selected received data flow to "SUSPECT" (abstract, apparatus for performing inspection of flows; col 2 line 58-67, random process used to select traffic for inspection; col 8 line 56-61, flow tagged as suspicious; therefore, randomly selected traffic tagged as suspicious).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the replicating a random data flow teachings of McGrew with the flow processing and replication system of Moyer in view of Shishodia and Ling, with the benefit of being able to apply analysis and deep packet inspection to random flows, which provides the possibility of determining attacks and threats in flows which do not otherwise appear suspicious.

Regarding Claim 9:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.
Neither Moyer nor Shishodia nor Ling explicitly teaches wherein the operations performed, by the at least one shared state forwarding processor, further comprise maintaining a flow state of a data flow as "SUSPECT" for a predetermined period of time, regardless of the classification result.
However, McGrew teaches the concept wherein operations performed, by at least one shared state forwarding processor, further comprise maintaining a flow state of a data flow as "SUSPECT" for a predetermined period of time, regardless of the classification result (col 5 line 19-31, flow selection logic identifies candidate flows for inspection, such as flows from users with reputation for being subject/source of malware, i.e. suspect traffic; col 2 line 58-67, when traffic is selected, it is inspected for some period of time; when that period ends, other traffic is selected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the duration of suspicious data flow teachings of McGrew with the .
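The claim 6 and claim 9 behaviours discussed above (a randomly selected flow having its state set to "SUSPECT", and a "SUSPECT" state maintained for a predetermined period regardless of the classification result), as an added Python illustration that is not code from the application or from McGrew. The class and method names, the hold period and the sampling rate are constructed for this example; recording a verdict that arrives during the hold period and applying it only when the period ends is one reading of "maintaining ... regardless of the classification result" and is an assumption made here.

```python
import random
from typing import Dict, List, Optional

ALLOW, BLOCK, SUSPECT = "ALLOW", "BLOCK", "SUSPECT"


class SuspectHoldTable:
    """Shared flow-state table with two added rules (hypothetical names):
    - maybe_mark_random_suspect: a flow is picked at random and set to SUSPECT so
      that it is replicated for inspection although nothing about it looked odd;
    - classify/tick: once SUSPECT, a flow stays SUSPECT for hold_seconds, and a
      verdict received in the meantime is only applied when the period ends."""

    def __init__(self, hold_seconds: float, sample_rate: float,
                 rng: Optional[random.Random] = None) -> None:
        if not 0.0 <= sample_rate <= 1.0:
            raise ValueError("sample_rate must be a probability")
        self.hold_seconds = hold_seconds
        self.sample_rate = sample_rate
        self.rng = random.Random() if rng is None else rng
        self.state: Dict[str, str] = {}            # flow id -> ALLOW / BLOCK / SUSPECT
        self.suspect_until: Dict[str, float] = {}  # flow id -> end of the hold period
        self.pending: Dict[str, str] = {}          # verdicts deferred by an active hold

    def lookup(self, flow: str) -> Optional[str]:
        return self.state.get(flow)

    def mark_suspect(self, flow: str, now: float) -> None:
        """Set SUSPECT and start (or restart) the predetermined hold period."""
        self.state[flow] = SUSPECT
        self.suspect_until[flow] = now + self.hold_seconds

    def maybe_mark_random_suspect(self, flow: str, now: float) -> bool:
        """Promote a flow that is not already SUSPECT with probability sample_rate."""
        if self.state.get(flow) == SUSPECT:
            return False
        if self.rng.random() < self.sample_rate:
            self.mark_suspect(flow, now)
            return True
        return False

    def classify(self, flow: str, result: str, now: float) -> str:
        """Record an inspection verdict; returns the state actually in effect."""
        if result not in (ALLOW, BLOCK):
            raise ValueError("classification result must be ALLOW or BLOCK")
        if self.state.get(flow) == SUSPECT and now < self.suspect_until.get(flow, 0.0):
            self.pending[flow] = result          # hold still active: stay SUSPECT for now
            return SUSPECT
        self.suspect_until.pop(flow, None)
        self.state[flow] = result
        return result

    def tick(self, now: float) -> List[str]:
        """Expire finished holds and apply deferred verdicts; returns the flows changed."""
        changed: List[str] = []
        for flow, until in list(self.suspect_until.items()):
            if now >= until:
                del self.suspect_until[flow]
                if flow in self.pending:
                    self.state[flow] = self.pending.pop(flow)
                    changed.append(flow)
        return changed


def demo() -> Dict[str, object]:
    """Constructed run with sample_rate=1.0 so the random selection is deterministic."""
    flow = "10.0.0.9->10.0.0.1:443"          # constructed flow id
    table = SuspectHoldTable(hold_seconds=30.0, sample_rate=1.0)
    picked = table.maybe_mark_random_suspect(flow, now=0.0)
    early = table.classify(flow, ALLOW, now=10.0)   # verdict deferred: hold runs to t=30
    nothing_yet = table.tick(now=20.0)
    expired = table.tick(now=30.0)                  # hold over: deferred ALLOW applied
    return {"picked": picked, "early": early, "nothing_yet": nothing_yet,
            "expired": expired, "final": table.lookup(flow)}
```

A forwarder built on the table keeps replicating the flow to inspection for the whole hold period, which is the point of the rule: an early "allowed" verdict does not end scrutiny of a flow that was selected for extended inspection.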

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Moyer in view of Shishodia, Ling, and Toumura, and further in view of McGrew.

Regarding Claim 8:
Moyer in view of Shishodia, Ling, and Toumura teaches the system according to claim 5.  In addition, Ling teaches wherein the operations performed, by at least one shared state forwarding processor, further comprise: 
replicating a data flow that matches the predetermined pattern of suspected traffic (paragraph 20, when the packet does not match entry in flow table, i.e. “predetermined pattern of suspected traffic”, switch sends copy of packet to controller; controller instructs switch to drop, forward, or mirror packet to firewall for deep packet inspection); and
sending the replicated data flow to the at least one inspection processor (paragraph 20, packet mirrored to firewall for deep packet inspection). 
Neither Moyer nor Shishodia nor Ling nor Toumura explicitly teaches continuing to forward packets of the data flow that matches the predetermined pattern of suspected traffic, until the operation of classifying whether the received data flow is malicious or allowed is complete, and 
then either blocking or continuing to forward the packets, based on the classification result.
However, McGrew teaches the concept of replicating a data flow that matches a predetermined pattern of suspected traffic (col 5 line 19-31, flow selection logic identifies candidate flows for inspection, such as flows from users with reputation for being subject/source of malware, i.e. suspect traffic; col 6 line 14-34, SDN controller instructs switch/router to copy selected flow), 
sending the replicated data flow to at least one inspection processor (col 6 line 14-34, after making copy, switch/router sends copy to security device for inspection), 
continuing to forward packets of the data flow that matches the predetermined pattern of suspected traffic, until the operation of classifying whether the received data flow is malicious or allowed is complete (col 6 line 14-34, meanwhile, original flow is sent from switch/router to server as was originally intended), and 
then either blocking or continuing to forward the packets, based on the classification result (col 7 line 55-63, after receiving notification from security appliance that selected flow contains malware, SDN flow selection and TDA logic requests that traffic be blocked).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the continued packet forwarding teachings of McGrew with the flow processing and replication system of Moyer in view of Shishodia, Ling, and Toumura, with the benefit of being able to prevent network interruptions which could disrupt the functioning of network applications while inspection of corresponding flows was ongoing, thereby providing a usable compromise between security and functionality.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Moyer in view of Shishodia and Ling, and further in view of Curcio et al (PGPUB 2018/0115471).

Regarding Claim 11:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.

Neither Moyer nor Shishodia nor Ling explicitly teaches wherein the operations performed, by at least one shared state forwarding processor, further comprise:
bypassing the at least one inspection processor for packets of a data flow, which has been previously classified as allowed.
However, Curcio teaches the concept wherein operations performed, by at least one shared state forwarding processor, further comprise: 
bypassing at least one inspection processor for packets of a data flow, which has been previously classified as allowed (paragraph 9, Deep Packet Inspection devices examine network packets and flows of packets to detect patterns to help defend against malware; paragraph 11, when a flow of packets travels from a source to a destination, a first network infrastructure device can tag packets with the information determined from rule implementation of a first subset of rules that the first network infrastructure device uses; the tagged information can be used by the second network infrastructure device as well as further network infrastructure devices in the packet flow to make decisions about the packet flow (e.g., to send the packet flow to a deep packet inspection device, intelligently choosing an intermediate network infrastructure device to route the packet flow's path through to implement particular pre-filter rules, etc.); paragraph 61-63, analysis logic 728 can be implemented to analyze the pre-filter tag(s) and pre-filter result; if the determination is that further scrutiny need not be applied (e.g., because the combinations of rules that signify that further scrutiny cannot be met), the packet flow can be diverted directly towards the final destination of the flow).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the bypassing inspection teachings of Curcio with the flow processing and replication system of Moyer in view of Shishodia and Ling, with the benefit of being able to improve network efficiency and conserve network resources by only performing inspection functions on packets and flows which have not already been inspected, cleared, or otherwise explicitly whitelisted.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Moyer in view of Shishodia and Ling, and further in view of Jain et al (PGPUB 2016/0036838).

Regarding Claim 12:
Moyer in view of Shishodia and Ling teaches the system according to claim 1.
Neither Moyer nor Shishodia nor Ling explicitly teaches wherein the operations further comprise: 
storing metadata of data flows, on the at least one non-transitory computer-readable storage medium; and 
sharing and updating the metadata across the system, from the at least one non-transitory computer-readable storage medium, and 
wherein performing one of: blocking, forwarding, or replicating the received data flow is further based on metadata of the received data flow.
However, Jain teaches the concept wherein operations further comprise: 
storing metadata of data flows, on at least one non-transitory computer-readable storage medium, and sharing and updating the metadata across the system, from the at least one non-transitory computer-readable storage medium (abstract, technologies pertaining to identification of inbound and outbound network attacks; paragraph 48, traffic analyzer receives traffic flow summaries comprising metadata and flow state (which is in itself a form of metadata), and maintains state in a distributed manner), and 
wherein performing one of: blocking, forwarding, or replicating a received data flow is based on metadata of the received data flow (paragraph 48, traffic analyzer performs rule checking of flow metadata against whitelist and blacklist and causes appropriate action to be taken to block traffic believed to include attacks; flow state data analyzed with change detection algorithms to identify anomalous network flows attacking the data center network (which are then blocked, as above)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the metadata based flow control teachings of Jain with the flow processing and replication system of Moyer in view of Shishodia and Ling, with the benefit of providing additional parameters for possible determination of suspicious/malicious packets and flows, allowing for more specific filtering or analysis criteria, and thereby reducing false positives and negatives.

Response to Arguments
Applicant's arguments filed 7/8/2021 have been fully considered but they are not persuasive.

Regarding the rejection of claims under 35 USC 103:
Applicant’s arguments: The Office interprets Ling's "flow table" as "a shared flow state stored on the memory" of claim 1. Further, the Office interprets Ling's "detected threat" (or "no detected threat") as "predetermined patterns" of claim 1. See Office action, at pages 6-7, and Advisory action. However, Ling merely discloses, when the information in a packet matches an entry in the flow table, the network switch forwards (mirrors) a copy of at least some of the data associated with a packet flow to the firewall. Then, the firewall may collect information about the threat or may report that threat to another computer (observer) in the computer network. In other words, Ling needs a firewall and another computer to determine whether the data could be a threat or not. See Ling, at paragraph [0019]. In Ling, when the information in the packet does not match an entry in the flow table, the network switch sends a copy of at least a portion of the packet to the controller and then still needs to wait for an instruction from the controller regarding what to do with the packet. See Ling, at paragraph [0020]. 

Examiner’s response: Applicant seems to argue that claim 1 requires that the shared state forwarding processor must immediately forward/block/replicate a packet upon determination of a flow state or comparison to predetermined pattern of traffic.  However, this is not the case.  Claim 1 merely requires forwarding/blocking/replicating a packet based on the flow state or predetermined pattern matching a particular requirement.  Claim 1 does not indicate whether or not there are any steps between determining whether the flow state or predetermined pattern matches the criteria and subsequently processing the packet, nor does claim 1 indicate which device performs the comparison.  For instance, the comparison of the received data flow with a predetermined pattern could occur at a remote device, and the results delivered to the shared state forwarding processor, which then acts upon the received comparison result.  In such a case, the shared state forwarding processor would forward a packet based on the data flow matching the predetermined pattern (as determined by another device).  
In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., “directly forwarded”) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).  It is unclear from the context of the arguments what Applicant means by “directly”, as the word “directly” is not used in the claims.  If “directly” is meant in the sense of “directly from receiving device to destination”, this is not supported by the current set of claims.  If “directly” is meant in the sense of “immediately”, this is also not supported by the current set of claims, other than by the observation that a packet has been immediately forwarded at the moment the packet is forwarded.

Applicant’s arguments: Further, Applicant respectfully submits that nothing in Ling discloses or suggests that in response to the received data flow having a stored flow state, and further, the stored flow state is updated based on each classification by the at least one inspection processor of the at least one processor, as recited in amended claim 1. This advantageously ensures that the most recent flow states are available at each of the at least one shared state forwarding processor of the at least one processor. 

Examiner’s response: Ling was not recited as teaching the above argued limitations.  Instead, Shishodia was recited as teaching these limitations, e.g. paragraph 36-37, identified threats are converted into required formats and firewall policies are created based on the information; the policies automatically pass through the compliancy logic and a final firewall rule is created automatically based on the IDS signature; the automatically created rule is pushed into the live network as static flows on the switches using the controller; rule is sent as instruction to controller, which installs flow tables on switches to allow or deny the traffic as per the rule created.

Applicant’s arguments: Furthermore, nothing in Ling discloses or suggests that the replicating the packets of the received data flow based on the flow state of the received data flow is "SUSPECT" or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of: forwarding the packets of the received data flow to the at least one inspection processor for classifying; or stalling the packets of the received data flow until the at least one inspection processor completes classifying, and then blocking or forwarding the packets of the received data flow based on the classification result, as also recited in amended claim 1.

Examiner’s response: Examiner disagrees.  As argued above, Ling at least teaches replicating the received data flow to a firewall (i.e. “inspection processor”) as a result of a flow table match (i.e. flow state is “SUSPECT”), e.g. paragraph 19-21.  The firewall determines whether to classify the packets as malicious or allowed (paragraph 21), and instructs the switch to allow or deny the packet.  Therefore, Ling teaches “replicating the packets of the received data flow based on the flow state of the received data flow is "SUSPECT" or the received data flow matches the predetermined pattern of suspected traffic comprises at least one of: forwarding the packets of the received data flow to the at least one inspection processor for classifying; or stalling the packets of the received data flow until the at least one inspection processor completes classifying, and then blocking or forwarding the packets of the received data flow based on the classification result”.

Applicant further argues that the dependent claims are allowable due to depending on an allowable independent claim.  However, as shown above, the independent claims are not allowable.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814.  The examiner can normally be reached on 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/FORREST L CAREY/Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491