DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claims 8, 17 are objected to because of the following informalities:  the first instances of “the first counter” should be replaced with “a first counter.”  Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
None of the instant claims invoke U.S.C. 112(f).

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 6-7, 10, 15-16 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by U.S. Patent No. 8,375,450 B1 to Oliver et al. (“Oliver”).

As to claim 1, Oliver discloses a network device (fig. 1, i.e. entire figure) comprising: 
a substring indicator memory (col. 7, lines 1-9, decision tree with leaf node(s) stored in memory of a computer) including a first search block and a second search block, the first search block is configured for detection of signature pattern substrings of a first substring length, the second search block is configured for detection of signature pattern substrings of a second substring length that is less than the first substring length (fig. 5, first N bytes in the range of 8 to 12, i.e. first search block; fig. 6A, col. 8, line 1 to col. 9, line 55, common substring value 318 from provided byte offset and extends for common string length, i.e. second search block; col. 7, lines 35-45, note the first N bytes string is longer than common string CRC); and 
a signature search hardware module for detecting a signature pattern within a stream of network traffic (fig. 1, fig. 6A, col. 8, line 1 to col. 9, line 55, enterprise servers and backend service (shown as hardware) are collectively a hardware module to detect a malware family), the signature search hardware module is configured to: 
receive the stream of network traffic, the stream of network traffic including a window of bytes equal to the first substring length (fig. 6A, col. 8, line 1 to col. 9, line 55, enterprise server receives suspect file with first 4K bytes);
identify a first subject substring that includes all of the bytes of the window of bytes (fig. 6A, col. 8, line 1 to col. 9, line 55, extract first 4K bytes);
identify a second subject substring of a length equal to the second substring length and that includes a subset of bytes of the window of bytes (fig. 6A, col. 6, lines 
search the first search block to determine whether a first signature substring is present in the stream of network traffic (fig. 6A, col. 8, line 1 to col. 9, line 55, determine if there is a match with first 4K bytes and first N bytes); 
search the second search block to determine whether a second signature substring is present in the stream of network traffic (fig. 6A, col. 8, line 1 to col. 9, line 55, determine if there is a match with calculated CRC of a string and common substring value); and 
generate an indication that the signature pattern may be present in the stream of network traffic based on the searches (fig. 6A, col. 8, line 1 to col. 9, line 55, output malware family when matches detected).
As to claim 6, Oliver further discloses the network device of claim 1, wherein the signature search hardware module is further configured to: compare, in response to the generated indication, the first subject substring to a configuration substring to determine whether the first subject substring matches the configuration substring (col. 10, lines 10-37, output results include the malware family (i.e. configuration substring) to which suspect file (i.e. which includes first subject substring) belongs; An IT administrator or a virus researcher at the backend service may use these results to take any particular action or to perform further analysis on the suspect file. The IT administrator or the 
As to claim 7, Oliver further discloses the network device of claim 6, wherein the signature search hardware module is further configured to: generate a plurality of indications that a plurality of configurations substrings associated with the signature pattern are present in the stream of network traffic (fig. 7, indicators 520, 522, 524, 526, 528, i.e. pertain to analyzed CRC and first N bytes substrings are matched to family 530); compare, based on the generated plurality of indications, the signature pattern to the stream of network traffic to determine that the signature pattern is found in the stream of network traffic (fig. 7, malware family 530 identified); and generate, based on the determining that the signature pattern is found in the stream of network traffic, an indication that the signature pattern is present in the stream of network traffic (col. 10, lines 25-37, For example, actions related to the organization may be taken such as: alerting users that a suspicious file has been identified; temporarily adding the hash value of the suspect file to distributed black lists; and quarantining the client machines 
As to claims 10, 15-16, see similar rejection to claims 1, 6-7, respectively.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2-3, 11-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8,375,450 B1 to Oliver et al. (“Oliver”) in view of U.S. Patent No. 10,387,475 B2 to Bhave et al. (“Bhave”).
As to claim 2, Oliver does not expressly disclose the network device of claim 1, wherein searching the first block and searching the second block are performed simultaneously during each clock cycle.
Bhave discloses at claim 23 and col. 10, lines 52-56, query definition language includes a pair of tree search syntax building blocks which a user can use to enclose two or more tree searches in said search query which said user wishes said computer to perform simultaneously on different attribute data specified in each of said two or more tree searches collected from instances of a resource type named in a root search which meet the filter condition specified in said root search; There are usually several metrics that are measured simultaneously, often on a per minute basis (i.e. clock cycle).
Prior to the effective filing date of invention, it would have been obvious to a

As to claim 3, Oliver and Bhave further disclose the network device of claim 2, wherein the signature search module is further configured to generate a first substring indicator for the first subject substring and a second substring indicator for the second subject substring prior to the simultaneous searching, wherein searching the first search block includes using the first substring indicator as an address into the first search block, wherein searching the second search block includes using the second substring indicator as an address into the second search block (Oliver, col. 7, lines 25-67, once model training has been completed, system is ready to perform an analysis to determine if a suspect file is malware; fig. 5, leaf node (i.e. first substring indicator) created with annotated information 310 (i.e. second substring indicator) that includes first N bytes 322 and common string hash value 318 (i.e. leaf and information 310 are addresses of 322 and 318)).  In addition, the same suggestion/motivation of claim 2 applies.
As to claims 11-12, see similar rejection to claims 2-3.
Claims 5, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent No. 8,375,450 B1 to Oliver et al. (“Oliver”) in view of CN105978937 A (“CN”) [Note Examiner cites from attached English translation].

Oliver does not expressly disclose the network device of claim 1, wherein the first substring length is 16 bytes, wherein the second substring length is one of 4 bytes and 8 bytes.
CN at page 5 discloses each frame data can occupy 18 bytes, including 2 bytes of block sequence number, update data of 16 bytes and CRC check information (4 bytes).
Prior to the effective filing date of invention, it would have been obvious to a
person of ordinary skill in the art to incorporate the bytes of CN into the invention of Oliver. The suggestion/motivation would have been to have a Bluetooth slave device and upgrading method (CN, page 1). Including the bytes of CN into the invention of Oliver was within the ordinary ability of one of ordinary skill in the art based on the teachings of CN.
As to claim 14, see similar rejection to claim 5.
Claim 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 2016/0337540 A1 to Fujisawa in view of U.S. Patent No. 8,375,450 B1 to Oliver et al. (“Oliver”).
As to claim 19, Fujisawa discloses a network interface card (fig. 8, NIC 230) for performing hardware-based pattern matching in a network device (fig. 8, NIC 230 with Pattern Analyses Section 420, connected to information processing device 210; para. 0052, The proxy response function is a function in which when the data pattern matches a specific data pattern associated therewith, the above-mentioned program generates 
Fujisawa does not expressly disclose the stream of network traffic including a window of bytes equal to the first substring length; identify a first subject substring that includes all of the bytes of the window of bytes; identify a second subject substring of a length equal to the second substring length and that includes a subset of bytes of the window of bytes; search the first search block to determine whether a first signature substring is present in the stream of network traffic; search the second search block to determine whether a second signature substring is present in the stream of network traffic; and generate an indication that the signature pattern may be present in the stream of network traffic based on the searches.

receive the stream of network traffic, the stream of network traffic including a window of bytes equal to the first substring length (fig. 6A, col. 8, line 1 to col. 9, line 55, enterprise server receives suspect file with first 4K bytes);
identify a first subject substring that includes all of the bytes of the window of bytes (fig. 6A, col. 8, line 1 to col. 9, line 55, extract first 4K bytes);
identify a second subject substring of a length equal to the second substring length and that includes a subset of bytes of the window of bytes (fig. 6A, col. 6, lines 40-60, col. 8, line 1 to col. 9, line 55, calculate CRC of a string in the suspect file that begins at the provided byte offset and extends for the common string length 316, byte offset is relative to the beginning of the data at which the common substring begins, i.e. it includes a subset of the first 4K bytes [abstract, byte offset is likely where common string begins]); 
search the first search block to determine whether a first signature substring is present in the stream of network traffic (fig. 6A, col. 8, line 1 to col. 9, line 55, determine if there is a match with first 4K bytes and first N bytes); 
search the second search block to determine whether a second signature substring is present in the stream of network traffic (fig. 6A, col. 8, line 1 to col. 9, line 55, determine if there is a match with calculated CRC of a string and common substring value); and 

Prior to the effective filing date of invention, it would have been obvious to a
person of ordinary skill in the art to incorporate the malware detection of Oliver into the invention of Fujisawa. The suggestion/motivation would have been to identify unknown malware using common substrings from known malware families (Oliver, col. 1, lines 5-10). Including the malware detection of Oliver into the invention of Fujisawa was within the ordinary ability of one of ordinary skill in the art based on the teachings of Oliver.
Allowable Subject Matter
Claims 4, 8-9, 13, 17-18, 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
U.S. Publication No. 2015/0067836 A1 at para. 0220 discloses in relation to FIG. 14, the graph walk engine begins processing the string node (1402). The graph walk engine loads string data, which includes the length (e.g., count 2310 of string node 2330 of FIG. 23) of the string from the node, determines the number of bytes (or other size of data) available in the payload, and determines whether the number of bytes available in the payload is equal to or greater than the length of the string (1404). If so, the graph walk engine sets the "match length" to the "string length" (1406). Otherwise, the graph 
U.S. Patent No. 9,270,517 B1 discloses the mask word and the tuple field value are shifted in two stages. In stage 526, the tuple field value and the mask word are left shifted by a number of bits indicated by the low-order bits of the field offset 528, and in stage 530 the output of the first shift stage is shifted by a number of bits indicated by the high-order bits of the field offset. In stage 526, multiplexer 532 selects from inputs in which the tuple field value has been left shifted by 0 to n−1 bits. The notation “<<x” in the diagram indicates a circuit that left shifts the input by x bits. The input tuple field value 534 occupies the low-order (right-most) bits of the input word, and the other bits are logic 0. Logic 0 values are shifted in as the tuple field value is left shifted. The mask in the mask word is also left shifted, and multiplexer 536 selects the mask word that was shifted by the same number of bits as the tuple field value. The mask occupies the low-order bits in the input mask word 538, and the other bits are logic 1. Logic 1 bits are shifted in as the mask is left shifted.
The selected tuple field value is stored in register 540, and the selected mask word is stored in register 542. The tuple, field enable signal, and field offset are forwarded to registers 544, 546, and 548, respectively, to maintain proper timing within the pipeline and allow the next tuple and tuple field value to be processed (col. 5, lines 13-40).


Any inquiry concerning this communication or earlier communications from the examiner should be directed to OMAR J GHOWRWAL whose telephone number is (571)270-5691. The examiner can normally be reached M-F 9:00am-6:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Pankaj Kumar can be reached on 571-272-3011. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/OMAR J GHOWRWAL/Primary Examiner, Art Unit 2463