DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised 
Claims 1-2 and 4-19 are rejected under 35 U.S.C. 103 as being unpatentable over US 2017/0237710 A1 (US 2017/0237710 A1), hereinafter “Mayya” in view of MANUGURI et al. (US 2016/0072684 A1), hereinafter “Manuguri”.
Regarding claim 1, Mayya teaches for an ‘SD-WAN (software defined, wide area network) established by a plurality of edge nodes (Mayya: Fig. 2, edge device 208A and 208B) and a set of one or more cloud gateways (Fig. 2, Gateway 204), ‘a method of performing deep packet inspection (DPI)’ (Mayya: Fig. 7, step 716, “THE FLOW IS PASSED OVER TO THE DPI ENGINE),
the method comprising:
‘at a particular edge node, using a local deep packet inspector to perform a first DPI operation on a set of packets of a first packet flow to generate a set of DPI parameters for the first packet flow‘ (Mayya: Fig. 7, step 716, “FROM CLASSIF!CATION THE DPI ENGINE IS USED TO POPULATE THE LOCAL APPLICATION ROUTING CACHE; [0073], lines 11-12, “The classification from the DPI engine is used to populate the database for future flows”).
Mayya however does not teach, ‘forwarding a copy of the set of packets to a remote deep packet inspector to perform a second DPI operation to generate a second set of DPI parameters; and ‘receiving a result of the second DPI operation’.
Manuguri, an analogous art, in the same field of endeavor teaches ‘forwarding a copy of the set of packets to a remote deep packet inspector to perform a  (Manuguri: [0022], “the device performing the method 100 receives the verdict of the DPI performed by another device”; lines 9-13,  “the determination at block 120 optionally includes selecting a device to perform the inspection, transmitting the copied packets to the selected device”; see Fig. 4); and
‘receiving a result of the second DPI operation’ (Manuguri: [0022], “the device performing the method 100 receives the verdict of the DPI performed by another device”; see Fig. 4; [0028], lines 11-12, “verdict of the DPI is received from the Selected host 305 over the DPI tunnel 330”).
A person of ordinary skill in the art before the filing of the claimed invention would be motivated to combine disclosure by Manuguri with that of Mayya to take advantage of distributed DPI as disclosed by Manuguri as disclosed, “In particular, embodiments relate to deep packet inspection distributed across a cluster of host devices in a virtual datacenter” ([0002]), and perform “deep packet inspection or distributed deep packet inspection” ([0011] and come up with the claimed invention.
A person of ordinary skill would be motivated to combine disclosure of Manuguri with that of Mayya to take advantage of computational resource of distributed DPI engines, as disclosed by Manuguri, “The DPI agents 360 exchange computational resource availability data with one another over a communications bus 320. Exemplary availability data includes a heartbeat, processor load, queue depth, available memory, etc” ([0027], lines 6-10).
Mayya teaches, ‘when the generated first and second DPI parameters are different, generating a record regarding the difference’ (Mayya: [0069], lines 6-9, “Prepopulated data is automatically validated by DPI engine and any changes are fed back locally as well as communicated to the orchestrator”).

Regarding claim 2, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above). 
The claim, ‘method further comprising using the generated record to improve the local deep packet inspector's operation’, though not expressly taught by Mayya or Manuguri, it is implied by the  “A second source of information can include a map of DIP/DPORT to applications that is learned from 'mid-flow' application detection by the DPI engine ( e.g. slow learning)”; “The first source of information built into the database can include a pre-populated map of DIP/DPORT (Destination Internet Protocol Address/Destination Port Number) to application types (e.g. termed fast learning)”; DPI is a process of slow learning and once DPI result is obtained and part of the database, it becomes the source for fast learning, implying improvement on the local deep packet inspector’s operation).

Regarding claim 4, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above) further comprising:
‘when the generated record specifies a discrepancy between the first and second sets of
generated DPI parameters, sending data regarding the discrepancy to a remote machine to
aggregate with other data regarding other discrepancies in the DPI operations performed for other
packet flows through the WAN’ (Mayya: [0069], lines 6-10, “Prepopulated data is automatically validated by DPI engine and any changes are fed back locally as well as communicated to the orchestrator. Some or all data can be shared to other edges/enterprises via the orchestrator”).

Regarding claim 5, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above) further comprising:
Combination of Mayya and Manuguri however does not expressly teach, ‘after first DPI operation, specifying the generated first set of DPI parameters as the set of DPI parameters associated with the first packet flow’.
Though not expressly taught, as discussed above in claim 1, the dpi parameters are calculated locally as well as remotely. Therefore a person of ordinary skill in the obviously would have two sets of 
When there is no difference between the first set and the second set, the second set of parameters are same as the first set and therefore the set may be associated with first packet flow.
Combination of Mayya and Manuguri does not also teach, ‘when the first and second DPI parameter sets are different, modifying the set of DPI parameters associated with the first packet flow based on the generated second set of DPI parameters’.
It is obvious that a person of ordinary skill in the art may modify the set of DPI parameters associated with the first packet flow, now that the edge has two sets of data which are different from one another and because estimation is always better when more sets of data are available. 

Regarding claim 6, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above).
Though not expressly taught by combination of Mayya and Manuguri, claim ‘wherein modifying the set of DPI parameters comprises storing the second set of DPI parameters as the set of DPI parameters associated with the first packet flow’ would have been obvious to one of ordinary skill in the art, based on the action of modifying the set of DPI parameters based on the second set of DPI parameters, as per claim 5.
A person of ordinary skill would be motivated to store the second of parameters as the modified parameters, if the second set is considered more reliable.

Regarding claim 7, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above). 

‘based on the generated first set of DPI parameters, forwarding the packets of the first packet
Flow’ (Manuguri: [0020], “If a policy response is not triggered, DPI continues at block 105”); and
‘when the generated first and second sets of DPI parameters are different, modifying the
forwarding of the packets of the first packet flow, said modifying comprising using the second set
of DPI parameters to forward the packets of the first packet flow’ (Manuguri: Fig. 1, step 125, “Perform the policy response on the flow of packets” which may be “redirecting the packet flow” ([0020], line 7); second set of parameters used for redirection because of updating the DPI parameter by second set of parameters as discussed above in claim 6).

Regarding claim 8, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above). 
Manuguri teaches, method further comprising:
‘delaying the forwarding of packets of the first flow to a destination of the flow while
performing the first DPI operation and storing the delayed packets in a storage queue of the
particular edge node, wherein the set of packets are packets stored in the storage queue’ (Manuguri: [0019], lines 11-14, “In an alternate embodiment, packets are stored and not forwarded until the determination if the copied packet(s) triggers policy response”; storage queue is implied); and
‘after the completion of the first DPI operation (Manuguri: [0020], lines 1-2, “If a policy response is not triggered, DPI continues at block 105”; not triggering policy response happens once the DPI operation is completed), 
‘forwarding the set of packets and other packets of the first flow to the destination’ (Manuguri: Fig. 1, step 115), and 
‘forwarding a copy of the set of packets to the remote deep packet inspector’ (Manuguri: Fig. 4, step 420).

Regarding claim 9, combination of Mayya and Manuguri teaches the method of claim 8 (discussed above). 
Though combination of Mayya and Manuguri  do not expressly teach, method further comprising using ‘at least one parameter in the generated first set of DPI parameters to select a path through the WAN to forward the packets of the first packet flow’, it is obvious to one of ordinary skill in the art, based on the disclosure in Mayya, “When the DPI engine fails to identify the application, the network stack can utilize statistical parameters ( e.g. packet arrival rate, throughput) and heuristics” ([0068]), that application may be considered one of the parameter to forward the packets of the first packet flow.

Regarding claim 10, combination of Mayya and Manuguri teaches the method of claim 1  (discussed above). Though not expressly taught by combination of Mayya and Manuguri, ‘further comprising distributing at least a subset of the generated DPI parameters to other edge nodes from the particular edge node’, Manuguri discloses in [0027], “In a distributed DPI embodiment, the DPI module 340 cooperates with a DPI agent 360 in the application layer 315 to maintain a map of all hosts that are accessible within the cluster of devices and able to perform DPI”.
A person of ordinary skill would be motivated to share the DPI parameters with other DPI engines available to augment the database with the cluster of edge devices for pre-population of DPI parameters calculated by other DPI engines with intention to help in future DPI processing.

Regarding claim 11, combination of Mayya and Manuguri teaches the method of claim 1  (discussed above). Though not expressly taught by the combination, the claim element ‘method further comprising distributing at least a subset of the generated DPI parameters to at least one gateway from the particular edge node’ is obvious to a person of ordinary skill in the art based on the discussion above in claim 10.

Regarding claim 12, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above), wherein each generated DPI parameter set comprises an identifier that identifies a type of traffic carried in payloads of the packets (obvious based on the disclosure in Manuguri [0003], “While some cloud service providers offer DPI Solutions, the round trip delays of remote packet inspection results in undesirable delays in network traffic”).

Regarding claim 13, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above), wherein each generated DPI parameter set comprises an identifier that identifies an application that is a source of the first packet flow (application routing is discussed above in claim 1; identifier of application is implied).

Regarding claim 14, combination of Mayya and Manuguri teaches the method of claim 1 (discussed above), wherein the particular edge node is an edge machine that operates at a location of an entity with a plurality of computers and connects the plurality of computers to the WAN (Manuguri: [0003], lines 9-12, “Physical DPI equipment often sits on the edge of a network and performs packet inspection before packets are transmitted outside of the network or permitted within the network”; [0015] “As used herein, a flow of packets or packet flow refers to a sequence of packets from a source computer, which may be physical device or a virtual machine, to a destination computer, which may be a physical device, a virtual machine, a multicast group, or a broadcast domain. The source and destination computers may be within the same host device, separate devices within the same network, or separate devices within disparate networks”; Existence of computers for computation of DPI parameters are implied).

Regarding claim 15, combination of Mayya and Manuguri teaches the method of claim 14 (discussed above), ‘wherein the local deep packet inspector operates on a first computing device along with the edge node machine, while the remote deep packet inspector operates on a separate, second computing device’ (Manuguri: Fig. 3 discloses DPI agents 360 and DPI modules 340 are located in separate hosts 305 and are connected through DPI tunnel 330).

Regarding claim 16, combination of Mayya and Manuguri teaches the method of claim 15 (discussed above). 
Though not expressly taught by combination of Mayya and Manuguri, it is obvious to a person of ordinary skill in the art that ‘wherein the first and second computing devices are computers’, because in a broad sense, any computing device may be considered computers.

Regarding claim 17, combination of Mayya and Manuguri teaches the method of claim 15 (discussed above), 
Though not expressly taught by combination of Mayya and Manuguri, it is obvious to a person of ordinary skill in the art that ‘wherein the first and second computing devices are appliances’ based on the fact that appliances are also computing devices in a network.

Regarding claim 18, combination of Mayya and Manuguri teaches the method of claim 15 (discussed above), 
Though not expressly taught by combination of Mayya and Manuguri, it is obvious to a person of ordinary skill in the art that ‘wherein the first computing device is an appliance, and the second
computing device is a computer on which the remote deep packet inspector executes’ based on discussion above in claim 17 and that all appliances may be considered as computers.

Regarding claim 19, combination of Mayya and Manuguri teaches the method of claim 14 (discussed above), ‘wherein the location is a first physical location, and the local deep packet inspector operates at the first physical location, while the remote deep packet inspector operates a different second physical location that does not neighbor the first physical location’ (Manuguri: Fig.3 illustrates local deep packet inspector and remote deep packet inspectors are operating on different hosts 305).







Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over combination of Mayya and Manuguri as applied to claim 1 above, and further in view of Wo et al. (WO 2016/061546 A1), hereinafter “Wo”.
Regarding claim 3, combination of Mayya and Manuguri teaches the method of claim 2 (discussed above). 
Combination of Mayya and Manuguri  however fails to teach, ‘wherein the local deep packet inspector is a third party inspector that is used by the particular edge node’.
Wo in the same field of endeavor teaches use of third party inspector for deep packet inspection, “The threat analysis log data may also contain results produced by one or more third-party threat analysis systems (e.g., deep packet inspection appliance)” (Wo: [0043], lines 3-5).
“Depending on the embodiment, third-party threat analysis systems may be analyzing the network traffic prior to, in parallel with, or subsequent to the signature-based threat analysis being performed by the threat analysis system 108. For some embodiments, third-party threat analysis systems analyze the network traffic prior to the threat analysis system 108 performing the heuristic-based threat analysis” ([0043], lines 5-9).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
a) US-20170126516-A1 teaches a method of collecting health check metrics for a network using deep packet inspector.
b) US-20170288987-A1 teaches generation of application signatures and use of deep packet inspection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to INTEKHAAB AALAM SIDDIQUEE whose telephone number is (571)272-0895. The examiner can normally be reached Monday to Friday 9AM-5PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yemane Mesfin can be reached on 571-272-3927. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/INTEKHAAB A SIDDIQUEE/Examiner, Art Unit 2462