DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is a response to communications dated 03/07/2019. Claims 1-20 are pending in the application.

Information Disclosure Statement
The information disclosure statement filed 05/23/2019 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609.  It has been considered and placed in the application file.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Milliken et al. (US 2010/0205671) (hereinafter “Milliken”).
Regarding claim 1, in accordance with Milliken reference entirety, Milliken discloses an apparatus (FIG. 2; [0041]: "Packet detection logic 200 may include hash processor 210 and hash memory 220. Hash processor 210 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received packet and records the packet representations in hash memory 220.") comprising:
 	at least one memory (FIG. 2; 220) and at least one processor (FIG. 2; 210) communicatively coupled to the at least one memory (220) (see FIG. 2 for connection details between 220 and 210), wherein the at least one processor (210) is to (FIG. 4 and its corresponding description begins in paras [0060] to [0071]): 
	provide a first set of one or more portions (packet’s payload field or any field of the packet) of a packet for use in a lookup operation (FIG. 4; blocks 405 to 410; para [0061]: "Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation."  In addition, [0045]: “Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Furthermore; [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed"); 
	receive feedback indicating lookup performance (malicious) over a time period (FIG. 4; 415&420&430&435&440&445&405 depicts a feedback to block 405 after a certain period of time; (para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet"); and 
	cause transmission of a performance indication (sending a TCP close message) based on the lookup performance (malicious) meeting or exceeding a threshold level (a set of rules) (para [0069]: "When hash processor 210 determines that the packet may be malicious, however, hash processor 210 may take remedial actions (act 450)."  In addition, para [0070]: "The remedial actions may include raising a warning for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious. This may greatly slow the spread rate of a virus or worm without completely stopping legitimate traffic that happened to match a suspect profile.”  In addition, para [0067]: “Hash processor 210 may use a set of rules to determine whether to identify a packet as potentially malicious. For example, the rules might specify that more than x (where x> 1) packets with the same hash value have to be observed by hash processor 210 before the packets are identified as potentially malicious. The rules might also specify that these packets have to have been observed by hash processor 210 within a specified period of time of one another. The reason for the latter rule is that, in the case of malicious packets, such as polymorphic viruses and worms, multiple packets will likely pass through packet detection logic 200 within a short period of time").
	Regarding claim 2, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the at least one processor (210) is to: receive an indication to use a second set of one or more portions that are different at least in part from the one or more portions of the first set (para [0067]: "If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet"); access a second packet (para [0069]: "When hash processor 210 determines that the packet is not malicious ( e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet"); and provide the second set of one or more portions of the second packet for use in a lookup operation (FIG. 4 depicts flowchart of processing for detecting and/or preventing of a malicious packet having a loop (feedback) as above discussed.  In addition, para [0062]: "In one implementation consistent with the principles of the invention, three hashes may be performed covering each byte of the payload field. A hash block size may be chosen uniformly from a range of 4 to 128 bytes, in 4-byte increments. At the start of the packet payload, a random block size may be selected from this range and the block may be hashed with the three different hash functions. A new block size may then be chosen when the first block finishes, and all three hash functions may start at the same place on the new block. Alternatively, a different block size may be selected for each hash function. In this case, as each hash function completes its current block, it selects a random size for the next block it will hash." Such loop is inherently encompasses the claimed limitations as disclosed “a different block size may be selected for each has function” if no malicious packet is found and the process is repeated).
	Regarding claim 3, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the at least one processor (210) is to: determine a second set of one or more portions that are different at least in part from the one or more portions of the first set based on the lookup performance meeting or exceeding a threshold level and cause transmission of the determined second set ().
claim 4, in addition to features recited in base claim 3 (see rationales discussed above), Milliken also discloses wherein the at least one processor is to: receive an indication to use a third set of one or more portions that are different at least in part from the one or more portions of the second set; access a second packet; and provide the third set of one or more portions of the second packet for use in a lookup operation (FIG. 4 and its corresponding description in paras [0060] to [0071] describes a process for detecting and/or preventing transmission of a malicious packet having a loop as above discussed. Such loop is inherently encompasses the claimed limitations as disclosed “a different block size may be selected for each has function” if no malicious packet is found and the process is repeated).
	Regarding claim 5, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the performance indication includes one or more of: collision rate over a period of time, a percentage or number of table lookup misses over time, flow rule evictions from flow lookup tables over a period of time, or installation rates of rules into flow lookup tables over a period of time (para [0049]: "The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.").
claim 6, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the one or more portions comprise one or more of: a header field, a portion of a header field, or a virtual local area network tag ([0045]: “Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Furthermore; [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed").
	Regarding claim 7, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the at least one processor (210) is to: access a received packet (FIG. 4; step 405); perform a hash calculation using the first set of one or more portions of the received packet (FIG. 4; step 410); and perform a lookup operation using the hash calculation (FIG. 4; step 415 to step 450), wherein the lookup operation is to indicate at least a next action to be performed based on the received packet (FIG. 4; step 445 (YES) or step 445 (NO)) (FIG. 4 and its corresponding description in paras [0060] to [0071] describes a process for detecting and/or preventing transmission of a malicious packet having a loop as above discussed. Such loop is inherently encompasses the claimed limitations as disclosed “a different block size may be selected for each has function” if no malicious packet is found and the process is repeated.  Otherwise, para [0069]: "When hash processor 210 determines that the packet may be malicious, however, hash processor 210 may take remedial actions (act 450)."  In addition , para [0060]: "The remedial actions may include raising a warning for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.").
	Regarding claim 8, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the at least one processor (210) is to: access a received packet (FIG. 4; step 405); determine the received packet includes an indication of a second set of one or more portions of a packet to provide for a lookup operation (FIG. 4; step 415); and discard the received packet based on inability to (FIG. 4; step 425 or step 450) (para [0060]: "The remedial actions may include raising a warning
for a human operator, saving the packet for human analysis, dropping the packet, corrupting the packet content in a way likely to render any code contained therein inert (and likely to cause the receiver to drop the packet), delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping other packets originating from the same IP address as the packet, sending a TCP close message to the sender thereby preventing complete transmission of the packet, and/or disconnecting the link on which the packet was received. Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.").
	Regarding claim 9, in addition to features recited in base claim 1 (see rationales discussed above), Milliken also discloses wherein the apparatus (FIG.2) comprises one or more of: a network interface, a host system, an offload engine, or a virtual switch ([0040]: "FIG. 2 is an exemplary functional block diagram of packet detection logic 200 according to an implementation consistent with the principles of the invention. Packet detection logic 200 may be implemented within a device that taps one or more bidirectional links of a router, such as security routers 126-129, an intruder detection system, such as intruder detection systems 114 and 124, a security server, such as security server 125, a host, such as hosts 111-113 and 121-123, or another type of device. In another implementation, packet detection logic 200 may be implemented within one of these devices. In the discussion that follows, it may be assumed that packet detection logic 200 is implemented within a security router.").
	Regarding claim 10, in accordance with Milliken reference entirety, Milliken teaches a method comprising: 
	providing a first set including one or more portions of a first packet for a lookup operation (FIG. 4; step 405 and para [0061]: "Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405)”.  This limitation is encompasses by a first run of process of FIG. 4; step 405); 
	receiving a lookup performance indication from hash operations (415) using the first set of one or more portions of multiple packets (packet’s payload or any field) (FIG. 4; 415&420&430&435&440&445&405 depicts a feedback to block 405 after a certain period of time; para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet"); 
	in response to the lookup performance indication (malicious or not) meeting or exceeding a threshold, causing transmission of the lookup performance indication (FIG. 4; steps 410 to 445(NO); para [0061]: "Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation."  In addition, [0045]: “Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Furthermore; [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed"); 
	receiving an identification of a second set including one or more portions of a packet (FIG. 4; loopback from 445(NO) to step 405); 
	receiving a second packet (FIG. 4; loopback from 445(NO) to step 405 receiving the next packet); and 
	providing the second set of one or more portions of the second packet for a second lookup operation (para [0067]: "If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet."  In addition, para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet.").
	Regarding claim 11, in addition to features recited in base claim 10 (see rationales discussed above), Milliken also discloses wherein the first set and the second set are different (para [0067]: "If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet."  In addition, para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet."  It is inherent that the next packet is different from the first packet received at step 405 in the first run of the process).
	Regarding claim 12, in addition to features recited in base claim 10 (see rationales discussed above), Milliken also discloses wherein the lookup performance indication comprises one or more of: hash collision rate over a period of time, a percentage or number of table lookup misses over time, flow rule evictions from flow lookup tables over a period of time, or installation rates of rules into flow lookup tables over a period of time (para [0049]: "The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.").
	Regarding claim 13, in addition to features recited in base claim 10 (see rationales discussed above), Milliken also discloses wherein the one or more portions comprise one or more of: a header field, a portion of a header field, or a virtual local area network tag ([0045]: “Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Furthermore; [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed").
	Regarding claim 14, in addition to features recited in base claim 10 (see rationales discussed above), Milliken also discloses wherein the receiving an identification of a second set including one or more portions of a packet comprises para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet."  In addition, [0045] Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Moreover, [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed.").
	Regarding claim 15, in addition to features recited in base claim 10 (see rationales discussed above), Milliken also discloses performing a hash calculation using the first set including one or more portions of the first packet and performing a lookup operation using the hash calculation, wherein the lookup operation provides at least a acts 420 and 425) for the first packet ([0063]: "Hash processor 210 may optionally compare the generated hash value(s) to hash values of known viruses and/or worms within hash memory 220 ( act 415). In this case, hash memory 220 may be preprogrammed to store hash values corresponding to known viruses and/or worms. If one or more of the generated hash values match one of the hash values of known viruses and/or worms, hash processor 210 may take remedial actions (acts 420 and 425). The remedial actions may include raising a warning for a human operator, delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping the packet and possibly other packets originating from the same Internet Protocol (IP) address as the packet, sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing complete transmission of the packet, disconnecting the link on which the packet was received, and/or corrupting the packet content in a way likely to render any code contained therein inert ( and likely to cause the receiver to drop the packet). Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.").
	Regarding claim 16, in addition to features recited in base claim 15 (see rationales discussed above), Milliken also discloses wherein the lookup operation comprises receive side scaling (RSS) and the next action comprises storing the first packet into a queue associated with a core (FIG. 4; step 435) (para [0065]: "hash processor 210 may record the generated hash value(s) in hash memory 220 (act 435). For example, hash processor 210 may set the one or more bits stored in indicator field 312 (FIGS. 3A-3C) or increment the count value in counter field 322 (FIGS. 3B and 3C), corresponding to each of the generated hash values, to indicate that the corresponding packet was observed by hash processor 210."  In addition, [0053]: "As shown in FIG. 3B, hash memory 220 may alternatively include counter fields 322 addressable by corresponding hash addresses 314. Counter field 322 may record the number of occurrences of packet blocks with the corresponding hash value. Counter field 322 may be incremented on each hit. The more hits a counter receives, the more important the hit should be considered in determining the overall suspiciousness of the packet.”  In addition,  [0054]:  “As shown in FIG. 3C, hash memory 220 may store additional information relating to a packet. For example, hash memory 220 may include link identifier (ID) fields 332 and status fields 334. Link ID field 332 may store information regarding the particular link upon which the packet arrived at packet detection logic 200. Status field 334 may store information to aid in monitoring the status of packet detection logic 200 or the link identified by link ID field 332.").
	Regarding claim 17, in accordance with Milliken reference entirety, Milliken discloses a system (FIG. 2) comprising: a network interface; at least one processor (210) communicatively coupled to the network interface (OUTPUT PORTS), wherein the at least one processor (210) to ([0060]: "FIG. 4 is a flowchart of exemplary processing for detecting and/or preventing transmission of a malicious packet, such as a polymorphic virus or worm, according to an implementation consistent with the principles of the invention. The processing of FIG. 4 may be performed by packet detection logic 200 within a tap device, a security router, such as security router 126, an IDS, such as IDS 124, a LAN switch, or other devices configured to detect and/or prevent transmission of malicious packets. In other implementations, one or more of the described acts may be performed by other systems or devices within system 100"): 
access a first packet (FIG. 4; step 405) (para [0061]: "Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405)); 
provide a first set comprising one or more portions of the first packet for a lookup (FIG. 4; step 410) (para [0061]: Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation"); 
receive an indication to use a second set comprising one or more portions of a packet for a lookup (FIG. 4; loopback from 445(NO) to step 405. In addition; para [0061]: "Processing may begin when packet detection logic 200 receives, or otherwise observes, a packet (act 405). Hash processor 210 may generate one or more hash values by hashing variable-sized blocks from the packet's payload field (act 410). Hash processor 210 may use one or more conventional techniques to perform the hashing operation."  Moreover, [0045]: “Hash processor 210 may determine one or more hash values over variable-sized blocks of bytes in the payload field (i.e., the contents) of an observed packet. When multiple hashes are employed, they may, but need not, be done on the same block of payload bytes. As described in more detail below, hash processor 210 may use the hash results of the hash operation to recognize duplicate occurrences of packet content and raise a warning if it detects packets with replicated content within a short period of time. Hash processor 210 may also use the hash results for tracing the path of a malicious packet through the network."  Furthermore; [0046]: "According to implementations consistent with the present invention, the content (or payload) of a packet may be hashed to detect the packet or trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed")) ); 
access a second packet (FIG. 4; loopback from 445(NO) to step 405 receiving the next packet); and 
provide the second set comprising one or more portions of the second packet for a lookup (para [0067]: "If there were no prior packets received with the same hash value(s), then processing may return to act 405 to await receipt of the next packet."  In addition, para [0069]: "When hash processor 210 determines that the packet is not malicious (e.g., not a polymorphic worm or virus), such as when less than x number of packets with the same hash value or less than a predetermined number of the packet blocks with the same hash values are observed or when the packets are observed outside the specified period of time, processing may return to act 405 to await receipt of the next packet.").
	Regarding claim 18, in addition to features recited in base claim 17 (see rationales discussed above), Milliken also discloses wherein the at least one processor is to: provide lookup performance information based on use of the first set causing lookup performance to meet or exceed a threshold, wherein the lookup performance information comprises one or more of: hash collision rate over a period of time, a percentage or number of table lookup misses over time, flow rule evictions from flow or installation rates of rules into flow lookup tables over a period of time (para [0049]: "The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.").
	Regarding claim 19, in addition to features recited in base claim 17 (see rationales discussed above), Milliken also discloses wherein the at least one processor is to: perform a hash calculation using the first set including one or more portions of the first packet and perform a lookup operation using the hash calculation, wherein the lookup operation is to indicate at least a next action (acts 420 and 425) for the first packet  ([0063]: "Hash processor 210 may optionally compare the generated hash value(s) to hash values of known viruses and/or worms within hash memory 220 ( act 415). In this case, hash memory 220 may be preprogrammed to store hash values corresponding to known viruses and/or worms. If one or more of the generated hash values match one of the hash values of known viruses and/or worms, hash processor 210 may take remedial actions (acts 420 and 425). The remedial actions may include raising a warning for a human operator, delaying transmission of the packet, capturing a copy of the packet for human or automated analysis, dropping the packet and possibly other packets originating from the same Internet Protocol (IP) address as the packet, sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing complete transmission of the packet, disconnecting the link on which the packet was received, and/or corrupting the packet content in a way likely to render any code contained therein inert ( and likely to cause the receiver to drop the packet). Some of the remedial actions, such as dropping or corrupting the packet, may be performed probabilistically based, for example, on the count value in counter field 322 (FIGS. 3B and 3C), which may also be used to determine a probability that the packet is potentially malicious.").
	Regarding claim 20, in addition to features recited in base claim 17 (see rationales discussed above), Milliken also discloses a compute sled, rack, or server computer ([0040]: "FIG. 2 is an exemplary functional block diagram of packet detection logic 200 according to an implementation consistent with the principles of the invention. Packet detection logic 200 may be implemented within a device that taps one or more bidirectional links of a router, such as security routers 126-129, an intruder detection system, such as intruder detection systems 114 and 124, a security server, such as security server 125, a host, such as hosts 111-113 and 121-123, or another type of device. In another implementation, packet detection logic 200 may be implemented within one of these devices. In the discussion that follows, it may be assumed that packet detection logic 200 is implemented within a security router.").

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Mao et al. (US 9,755,972).
Bowers et al. (US 2019/0260686).
Sites (US 9,270,592).
Shemesh (US 2012/0215932).
Grinberg et al. (US 11,018,978).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FRANK DUONG whose telephone number is (571)272-3164. The examiner can normally be reached 7:00AM-3:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MICHAEL THIER can be reached on 571-272-2832. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS WEB; or (4) the service window on the Alexandria campus. EFS web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.




/FRANK DUONG/Primary Examiner, Art Unit 2474                                                                                                                                                                                                        March 10, 2022