DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This Office action is in response to the application filed on 11/05/2019.

Claims 1-15 are presented for examination.

Claims 5-7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/05/2019 and 08/28/2020 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

    Claims 1-4 and 8-15 are rejected under 35 U.S.C. 103 as being unpatentable over Hill et al. (US 2013/0136127), in view of Lee et al. (US 2010/0251364).

As to claim 1, Hill discloses the invention as claimed, including a method for screening data packets received at a service infrastructure (Fig. 10; ¶0027, “DPI can be enabled through two primary units: a signature matching (SM) engine and a flow tracker”), comprising: 
receiving a data packet at the service infrastructure, the data packet comprising a header and a content (Fig. 10 shows receiving a data packet at the service infrastructure”; ¶0026, “DPI can be used to extend a conventional classification in that it is able to go beyond the L2-L4 headers and look through the entire packet for additional information”; ¶0050); 
successively applying each signature of a set of signatures as a mask to a predetermined area of the content (Fig. 4; Fig. 10; Abstract, “The signature matching engine is enabled to perform cross-packet signature matching using signature matching state machines and reports the signature matching results to the flow tracker using a response packet that is sent to the ingress pipeline”; ¶0005, “A key element of such DPI ; and 
if there is a byte-for-byte match between the predetermined area of the content and one of the signatures of the set of signatures (Fig. 4; ¶0026, “provides the ability to inspect arbitrary fields in the payload and to match these with known signatures of the most common applications”; ¶0027, “looks for signatures, or common patterns found in specific applications, and indicate a match if one is found. It can be responsible for the processing…”; ¶0034, “Apply signature policy actions on subsequent packets”; ¶0076, “If every engine is producing a match on every byte, that would average 4-8 matches per cycle (depending on the number of memory lookups per state)”), taking an action corresponding to the one of the signatures (¶0145, “It indicates whether a match was found, how the flow should be processed, and provides information on which signature was matched…”; ¶0146), the action being selected from:
unconditionally forwarding the data packet toward a server of the service infrastructure (Fig. 12, “0X01: Forward only; ¶0032, “Forward packets to SM engine”; ¶0050; ¶0053, “The flow tracker can add a local sequence number (Packet_num) to the header of each packet that is forwarded to the SM engine”), 
forwarding the data packet toward the server of the service infrastructure if a current flow of data packets being forwarded to the server is less than a flow threshold (¶0055, “The flow tracker can forward packets for processing until a 
discarding the data packet if the current flow of data packets being forwarded to the server meets or exceeds the flow threshold (¶0065, “the current flow values are inserted into the table and a ‘missed packet’ flag is set indicating the failure”; ¶0077, “if the signature triggered, but the port range check fails, then the match is simply discarded”). 

	Although Hill discloses discarding the data packet (¶0061, “Dropped packets produce no match results and the intermediate packet state would be discarded”; ¶0065, “the packet is dropped”), and Hill discloses deep packet inspection (DPI) systems that can enable sophisticated services such as intrusion detection (¶0005), Hill does not specifically disclose unconditionally discarding the data packet. 
However, Lee discloses unconditionally discarding the data packet (Abstract, “the predetermined signature code is formed by a part of the signature corresponding to the signature code.  Accordingly, possible harmful packets such as attack packets can be classified at high speed, and thereby being blocked immediately”; ¶0006; ¶0047; ¶0056, “received packets can be classified at high speed, and harmful packets such as aggressive packets that need to be blocked can be identified promptly and accurately”). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Hill to include unconditionally discarding the data packet, as taught by Lee because it would immediately block possible harmful packet such as attack packet when it is identified and classified at high 

As to claim 2, Hill discloses the method of claim 1, further comprising associating, in a database of the infrastructure, a specific action in relation to each signature of the set of signatures (Fig. 4; Fig. 10, “signature state tables”, “signature match table”). 

As to claim 3, Hill discloses the method of claim 2, further comprising selecting the set of signatures among a plurality of sets of signatures stored in the database based on a destination address and a destination port identified in the header of the data packet, the destination address designating the server of the service infrastructure, the destination address and the destination port together identifying a service hosted in the service infrastructure (¶0143, “Signature results packets can be identified as they enter the ingress pipeline by matching the destination MAC address and type field with pre-configured values.  When the flow tracker receives a results packet from the SM engine, it uses the flow index in the header to retrieve the session table entry…”).

As to claim 4, Hill discloses the method of claim 3, wherein the flow threshold is selected from a destination-based flow threshold for the destination address and the destination port and a signature-based flow threshold for the one of the signatures (¶0061, “flow tracker error signals (e.g., the FT header includes an error bit to invalidate a packet already queued for signature matching), TCP/UDP checksum, 

 	As to claim 8, Hill discloses the method of claim 1, further comprising: starting a deletion timer for each signature of the set of signatures; following receiving the data packet, restarting the deletion timer for the one of the signatures of the set of signatures that provides a byte-for byte match to the predetermined area of the content; and if a given deletion timer expires, deleting the signature corresponding to the given deletion timer from the set of signatures (¶0146, “The 
Age index provides a signature-specific inactivity timeout value that can be used to specify when active flows should be removed from the session table”). 

As to claim 9, Hill discloses the method of claim 1, wherein: the predetermined area of the content is at a start of the content; and each signature has a maximum length to allow its application as a mask in a single processor operation (¶0150, “there are a total of 256 entries in the policy table. Here, it is assumed that each signature supported would require one policy table entry. This table is sized for the approximate number of different signatures likely to be seen”). 

As to claim 10, Hill discloses the method of claim 1, wherein forwarding the data packet toward the server of the service infrastructure comprises: forwarding the data packet to a router; and in the router, using a routing table to route the data packet to the server or to a protection module communicatively coupled to the server (¶0041, “flows can be identified by the standard 5-tuple (IP source and 

As to claims 11 and 14, Hill discloses wherein in the data packet cleaning system, the processor is further configured to: periodically search for a partial match between at least some bytes of two signatures of the set of signatures; and in response to detecting the partial match, replace the two signatures with a new signatures containing the at least some bytes forming the partial match (Fig. 12; ¶0033, “Process signature matching results: Get signature matching results, update policy”; ¶0074, “to update and check for cross signature flags”; ¶0086, “Signatures include two parts, the actual regular expressions to be matched and a set of match attributes”; ¶0119, “The match processor handles cross-signature flag updating”; ¶0120; ¶0121). 

As to claim 12, it is rejected for the same reasons set forth in claim 1 above. In addition, Hill discloses a data packet cleaning system, comprising: an input device configured to receive a data packet, the data packet comprising a header and a content (Fig. 10 shows receiving a data packet at the service infrastructure”; ¶0026, “DPI can be used to extend a conventional classification in that it is able to go beyond the L2-L4 headers and look through the entire packet for additional information”; ¶0050); a memory device configured to store a set of signatures (Fig. 4; Fig. 10,  and a processor (processor, Fig. 4) operatively connected to the input device and to the memory device (Fig. 4; ¶0067). 

As to claim 13, Hill discloses a service infrastructure comprising: a database; and a data packet cleaning system as defined in claim 12, the data packet cleaning system further comprising an output device; wherein, in the data packet cleaning system, the processor is operatively connected to the output device, the processor being further configured to: cause the output device to send a query to the database for reading the set of signatures, receive the set of signatures from the database, via the input device, and cause the memory device to store the set of signatures (Fig. 10; Fig. 12; Fig. 14; Abstract, “The flow tracker generates a signature match request that is forwarded to a signature matching engine in an auxiliary pipeline”; ¶0084; ¶0085). 

As to claim 15, Hill discloses a data packet cleaning system, comprising: an input device configured to receive a data packet; a processor operatively connected to the input device; and a memory device operatively connected to the processor, the memory device being configured to store a set of signatures and comprising non-transitory executable instructions that when executed cause the processor to perform the method as defined in claim 1 (Fig. 4; Fig. 10; ¶0067; ¶0075; ¶0076).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Subramanian et al. (US 2019/0052553), Gintis et al. (US 2011/0069620), Dennerline et al. (US 2010/0125900), Fleury et al. (US 2015/0215285), Luft et al. (US 2009/0086651) disclose system and method for collecting packet flow statistics within a network node includes forwarding packet flows received at the network node between clients and servers.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUNGWON CHANG whose telephone number is (571)272-3960. The examiner can normally be reached 8:30-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on (571)272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/JUNGWON CHANG/Primary Examiner, Art Unit 2454                                                                                                                                                                                                        November 3, 2021