Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Claim Status
Examiner acknowledges withdrawn claims 4-6 and 11-12. Claims 1-3, 7-10, and 13-20 are being considered by the examiner. 

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 02/21/2019 is in compliance with the provisions of 37 CFR 1.97 and is being considered by the examiner. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 15 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the 
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 15 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 recites the limitation “executing, using the electronic apparatus, the received data when re-inspection of the received data using the second search criteria determines that malware is not present in the received data; and disregarding, using the electronic apparatus, the received data when the re-inspection of the received data using the second search criteria determines that malware is present in the received data.” It is indefinite and unclear how the electronic apparatus is disregarding the received data when determining that malware is present in the data after it was already recited that re-inspection of the received data determined that malware is not present in the data. It is also unclear why the data is disregarded if malware is 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-3, 7-10, and 13-20 are rejected under 35 U.S.C 101 because the claimed invention is directed to an abstract idea without significantly more. 
Claim 1 recites the limitations “using a first search criteria to determine first result data indicative of a higher level identifying characteristic”, “determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data”, and “inspect the input data using the second search criteria to enable to determine a lower level identifying characteristic of the input data”. All these limitations are mental processes. “Determining”, in context of this claim encompasses the user determining search criteria by observing the input data and coming to a conclusion, all in the mind or with the aid of pen and paper. “Inspecting”, in context of this claim encompasses the user observing data and determining a conclusion based on their observation all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, claim 1 recites the additional elements “a content inspection processor… and a host controller communicatively coupled to the content inspection processor”, “input data”, “program the content inspection processor”. The content inspection processor and host controller are generic 
Finally, claim 1 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data amounts to no more than mere instructions to apply an exception using a generic computer cannot provide an inventive concept. Further, the additional elements was considered to be insignificant extra-solution activity in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(f) indicate that mere instructions to apply the idea using a generic computer does not amount to an inventive concept. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. Therefore, Claim 1 is not patent eligible. 
Claim 2 recites the limitations “inspect the input data using the first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data”, determine the second search criteria based on the first one or more attack signatures associated with the first code fragment”, and “inspect the data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the input data.” All these limitations are mental processes. “Determining”, in context of this claim encompasses the user determining search criteria by observing data and looking for signatures that were predetermined to be associated with attacks, all in the mind or with the aid of pen and paper, all in the mind or with the aid of pen and paper. “Inspecting”, in context of this claim 
This judicial exception is not integrated into a practical application. In particular, claim 2 recites the additional elements “input data”, content inspection processor, a host controller configure to…., output the first result…., program the content inspection processor. The content inspection processor and host controller are generic computer components. Receiving data and programming the content inspection processor are considered insignificant extra-solution activity. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 2 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(f) indicate that mere instructions to apply the idea using a generic computer does not amount to an inventive concept. The court decisions cited in MPEP 2106.05(g) indicate that 
Claim 3 recites the limitations “inspect the input data using the first search criteria to detect whether a second code fragment associated with a second one or more attack signatures is present”, “determine the second search criteria based on the second one or more attack signatures associated with the second code fragment”, and “inspect the data using the second search criteria to enable the electronic apparatus to detect whether malware is present”. “Determining”, in context of this claim encompasses the user determining search criteria by observing data and looking for signatures that were predetermined to be associated with attacks, all in the mind or with the aid of pen and paper, all in the mind or with the aid of pen and paper. “Inspecting”, in context of this claim encompasses the user observing data and determining a link between the attack signatures observed in the data and the predetermined signatures associated with malware all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, claim 3 recites the additional elements “input data”, “content inspection processor…host controller configured to”. The content inspection processor and host controller are generic computer components. Receiving data is considered insignificant extra-solution activity. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 

Claim 7 recites the limitation “inspect the input data using the first search criteria”. This limitation is a mental process. “Inspecting”, in context of this claim encompasses the user observing data with a set criteria all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, claim 7 recites the additional element “receive input data from the communication network”, “communication port configured to communicatively couple the electronic apparatus to a communication network, wherein: the electronic apparatus is configured to”, “and output the first result data to indicate the network protocol used by the communication network.”. Receiving data or transmitting over a network,  is considered insignificant extra-solution activity. The receiving of input data from a communication network is recited at a high-level generality such 
Finally, claim 7 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that generally linking the use of the judicial exception to a particular technological environment or field of use does not amount to an inventive concept. Therefore, Claim 7 is not patent eligible.
Claim 8 recites the same limitations as claim 1. The same reasoning given for claim 1 as to why the limitation are mental processes and recites an abstract idea equally applies to claim 8. 
This judicial exception is not integrated into a practical application. In particular, claim 8 recites the additional element “wherein the input data inspected by the content inspection processor comprises encoded image data output from a video encoder”. Receiving data is considered insignificant extra-solution activity. The receiving of input data from a video encoder is recited at a high-level generality such that it amounts to no more than mere linking the judicial 
Finally, claim 8 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that generally linking the use of the judicial exception to a particular technological environment or field of use does not amount to an inventive concept. Therefore, Claim 8 is not patent eligible.
Claim 9 recites the same limitations as claim 1. The same reasoning given for claim 1 as to why the limitation are mental processes and recites an abstract idea equally applies to claim 9. 
This judicial exception is not integrated into a practical application. In particular, claim 9 recites the additional element “wherein the electronic apparatus comprises a computer, a pager, a cellular phone, a personal organizer, a portable audio player, a network router, a network firewall, or a network switch.”. The computer, pager, cellular phone, personal organizer, portable audio player, network router, network firewall, and network switch is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular 
Finally, claim 9 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(f) indicate that mere instructions to apply the idea using a generic computer does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that generally linking the use of the judicial exception to a particular technological environment or field of use does not amount to an inventive concept. Therefore, Claim 9 is not patent eligible.
Claim 10 recites the limitations “inspecting,…received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data”, “determining,… a second search criteria based at least in part on the higher level identifying characteristic of the received data indicated in the first result data”, and “re-inspecting, using the second search criteria to enable the electronic apparatus to determine a lower level identifying characteristic of the input data encompassed by the higher level identifying characteristics. All these limitations are mental processes. “Determining”, in context 
This judicial exception is not integrated into a practical application. In particular, claim 10 recites the additional elements “operating an electronic apparatus…using the electronic apparatus”, “received data”. The electronic apparatus is a generic computer. Receiving data is considered insignificant extra-solution activity. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 10 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data was considered to be insignificant extra-solution activity in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(f) indicate that mere instructions to apply the idea using a generic computer does not amount to an inventive concept. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. Therefore, Claim 10 is not patent eligible. 

This judicial exception is not integrated into a practical application. In particular, claim 13 recites the additional element “receive input data from the communication network”, “communicating network communicatively coupled to the electronic apparatus via a communication port, wherein inspecting the received data”. Receiving data is considered insignificant extra-solution activity. The communication network is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular technological environment or field of use. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 13 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution 
Claim 14 recites the limitations “inspecting the received data using the first search criteria to determine whether a code fragment associated with one or more attack signatures is present in the received data”, “determining the first result data to indicate whether the code fragment is detected in the received data”, and “when the first result data indicates that the code fragment is detected in the received data: determining the second search criteria comprises determining the second search criteria based on the one or more attack signatures associated with the code fragment”, re-inspecting the received data comprises re-inspecting the received data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the received data.” All these limitations are mental processes. “Determining”, in context of this claim encompasses the user determining search criteria by observing data and looking for signatures that were predetermined to be associated with attacks, all in the mind or with the aid of pen and paper, all in the mind or with the aid of pen and paper. “Re-inspecting”, in context of this claim encompasses the user observing data and determining a link between the attack signatures observed in the data and the predetermined signatures associated with malware all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Finally, claim 14 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. Therefore, Claim 14 is not patent eligible.
Claim 15 recites the limitations “re-inspection of the received data using the second search criteria determines that malware is not present in the received data” and “disregarding, using the electronic apparatus, the received data when the re-inspection of the received data using the second search criteria determines that malware is present in the received data”. These limitations are mental processes. “Re-inspecting”, in context of this claim, encompasses the user observing data with a set criteria in mind and performed all in the mind. “Disregarding”, in context of this claim encompasses the user ignoring data once malware has been observed to be present. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls 
This judicial exception is not integrated into a practical application. In particular, claim 15 recites the additional element “received data”, “executing using the electronic apparatus”. Receiving data is considered insignificant extra-solution activity. The electronic apparatus is a generic computer. The receiving of input data is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular technological environment or field of use. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 15 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that generally linking the use of the judicial exception to a particular technological environment or field of use does not amount to an inventive concept. Therefore, Claim 15 is not patent eligible.

This judicial exception is not integrated into a practical application. In particular, claim 16 recites the additional element “receive input data from the communication network”, “A network device comprising: a communication port configured to communicatively couple the network device to a communication network to enable the network device to receive input data from the communication network; and one or more processors communicatively coupled to the communication port, wherein the one or more processors are programmed to”. The network device comprising a communication port containing one or more processors is a generic computer. Receiving data and programming the processor are considered insignificant extra-solution activity. The receiving of input data is recited at a high-level generality such that it 
Finally, claim 16 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that generally linking the use of the judicial exception to a particular technological environment or field of use does not amount to an inventive concept. Therefore, Claim 16 is not patent eligible.
Claim 17 recites the limitations “determine second result data indicative of a network protocol used by the communication network”, “determine the first search criteria based at least in part on the network protocol indicated in the first result data”, “inspecting the received data using the first search criteria to determine a network protocol used by the communication network”. “Determining”, in context of this claim encompasses the user determining search criteria or a result by observing the network protocol by observing the first result data, all in the mind or with the aid of pen and paper. “Determining”, in context of this claim, encompasses the 
This judicial exception is not integrated into a practical application. In particular, claim 17 recites the additional element “receive input data from the communication network”. Receiving data is considered insignificant extra-solution activity. The receiving of input data is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular technological environment or field of use. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 17 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the abstract idea into a practical application, the additional element of receiving data from a communication network amounts to no more than mere instructions to apply an exception using a generic computer component and cannot provide an inventive concept. Further, the additional element was considered to be insignificant extra-solution activity and generally linking the judicial exception to a particular technological environment or field of use in Step 2A prong 2, and thus it is re-evaluated in Step 2B to determine if it is more than insignificant extra-solution activity. The court decisions cited in MPEP 2106.05(g) indicate that mere data gathering does not amount to an inventive concept. The court decisions cited in MPEP 2016.05(h) indicate that 
Claim 18 recites the limitations “inspect the input data using the first search criteria to detect whether a second code fragment associated with a second one or more attack signatures is present”, “determine the second search criteria based on the second one or more attack signatures associated with the second code fragment”, and “inspect the data using the second search criteria to enable the electronic apparatus to detect whether malware is present”. “Determining”, in context of this claim encompasses the user determining search criteria by observing data and looking for signatures that were predetermined to be associated with attacks, all in the mind or with the aid of pen and paper, all in the mind or with the aid of pen and paper. “Inspecting”, in context of this claim encompasses the user observing data and determining a link between the attack signatures observed in the data and the predetermined signatures associated with malware all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, claim 18 recites the additional elements “input data”. Receiving data is considered insignificant extra-solution activity. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 18 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the 
Claim 19 recites the limitation “re-inspect the input data using the second search criteria to determine second result data indicative of whether malware is present in the input data.” This limitation is a mental process. “Re-inspecting”, in context of this claim, encompasses the user observing data with a set criteria in mind and performed all in the mind. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind, but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application. In particular, claim 19 recites the additional element “received data”. Receiving data is considered insignificant extra-solution activity. The receiving of input data is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular technological environment or field of use. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 
Finally, claim 19 does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed with respect to integration of the 
Claim 20 recites the same limitations as claim 16. The same reasoning given for claim 16 as to why the limitation are mental processes and recites an abstract idea equally applies to claim 20. 
This judicial exception is not integrated into a practical application. In particular, claim 20 recites the additional element “wherein the electronic apparatus comprises a computer, a pager, a cellular phone, a personal organizer, a portable audio player, a network router, a network firewall, or a network switch.”. The computer, pager, cellular phone, personal organizer, portable audio player, network router, network firewall, and network switch is recited at a high-level generality such that it amounts to no more than mere linking the judicial exception to a particular technological environment or field of use. Accordingly, this additional element does not integrate the abstract idea because they do not pose any meaningful limit or on practicing the abstract idea. The claim is directed to an abstract idea. 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 9 of U.S. Patent No. 8,489,534. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the respective claims of the reference patent.
Application 16/280,872
Patent 8,489,534
1. An electronic apparatus, comprising: a content inspection processor configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data; and 
a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to: 


determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data;
and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data.

a content inspection processor configured to inspect data using search criteria and to output results data corresponding to the inspected data;
processing logic coupled to the content inspection processor;
the first bus configured to receive results data from the content inspection processor and to provide results data to the processing logic;
a second bus coupled between the processing logic and the content inspection processor, the second bus configured to receive an output from the processing logic and to provide the output to the content inspection processor, wherein the content inspection processor is programmed based on the output received from the second bus.

3. The apparatus of claim 1, further comprising an input bus coupled to the processing logic and the content inspection processor configured to provide input data to the content inspection processor.
5. The apparatus of claim 3, wherein the content inspection processor is configured to identify information with respect to the input data.
8. The apparatus of claim 5, wherein the processing logic programs the content inspection processor, based on the information identified with respect to the input data.
9. The apparatus of claim 8, wherein the information identified with respect to the input data comprises first information, and wherein the content inspection processor is further configured to identify second information with respect to the input data after identification of the information.


The higher level identifying characteristic and lower level identifying characteristic of the instant application is the same as the first information and second information, respectively, identified in claim 9 of U.S. Patent No. 8,489,534. The host controller of the instant application is the same as processing logic in claim 1 of U.S. Patent No. 8,489,534.

Claims 1, 2, 7, 9 and 10-11 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, of U.S. Patent No. 9,684,867. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the respective claims of the reference patent.
Application 16/280,872
Patent 9,684,867
1. An electronic apparatus, comprising: a content inspection processor configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data; and 
a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to: 

determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data; and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data.
1. An apparatus, comprising:
a content inspection processor configured to inspect input data and output first result data based at least in part on inspection of the input data; and

processing logic communicatively coupled to the content inspection processor via one or more busses, wherein the processing logic is configured to:
transfer the input data to the content inspection processor via the one or more busses;
receive the first result data from the content inspection processor via the one or more busses; and
determine program data based at least in part on the first result data, wherein the content inspection processor is configured to be programmed using the program data to adapt operation of the content inspection processor;
wherein the content inspection processor is configured to:
determine the first result data by inspecting the input data using a first search criteria, wherein the first result data indicates a first identifying characteristic of a first characteristic type associated with the input data;
receive the program data from the processing logic, wherein the program data comprises a second search criteria determined by adapting the first search criteria based at least in part on the first identifying characteristic; and
determine second result data by inspecting the input data using the second search criteria, wherein the second result data indicates a second identifying characteristic of a second characteristic type different from the first characteristic type associated with the input data.
. The electronic apparatus of claim 1, wherein: 

the content inspection processor configured to: inspect the input data using the first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; 
and output the first result data to indicate whether the first code fragment is detected in the input data; 
and the host controller is configured to, when the first result data indicates that the first code fragment is detected in the input data: 
determine the second search criteria based on the first one or more attack signatures associated with the first code fragment; 
and program the content inspection processor to inspect the input data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the input data.
1. An apparatus, comprising:
a content inspection processor configured to inspect input data and output first result data based at least in part on inspection of the input data; and
processing logic communicatively coupled to the content inspection processor via one or more busses, wherein the processing logic is configured to:
transfer the input data to the content inspection processor via the one or more busses;
receive the first result data from the content inspection processor via the one or more busses; and
determine program data based at least in part on the first result data, wherein the content inspection processor is configured to be programmed using the program data to adapt operation of the content inspection processor;

4. The apparatus of claim 1, wherein:
the content inspection processor is configured to use the first search criteria to identify code fragments in the input data expected to be found in close proximity to an attack signature; and
the processing logic is configured to determine the second search criteria by adapting the first search criteria based on the attack signature.
the processing logic is configured to determine the second search criteria by adapting the first search criteria based on the attack signature.
7. The apparatus of claim 1, wherein the processing logic comprises a host controller.
1. An electronic apparatus, comprising: a content inspection processor configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data; and 
a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to: 

determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data; and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data
7. The electronic apparatus of claim 1, 
comprising a communication port configured to communicatively couple the electronic apparatus to a communication network, wherein: 
the electronic apparatus is configured to receive the input data from the communication network via the communication port; 
and the content inspection processor is configured to: inspect the input data using the first search criteria to determine a network protocol used by the communication network; and output the first result data to indicate the network protocol used by the communication network.
A method for operating an electronic device comprising:
receiving, using a content inspection processor, input data from processing logic;
inspecting, using the content inspection processor, the input data to determine first result data, wherein inspecting the input data comprises determining, using the content inspection processor, a first identifying characteristic of the input data by inspecting the input data using a first search criteria, wherein the first identifying characteristic comprises a first characteristic type associated with the input data;
outputting, using the content inspection processor, the first result data to the processing logic to enable the processing logic to determine program data based at least in part on the first result data;
receiving, using the content inspection processor, the program data from the processing logic, wherein the program data is used to program the content inspection processor to adapt operation of the content inspection processor
determining, using the content inspection processor, a second search criteria to be used to inspect the input data, wherein the second search criteria is determined by adapting the first search criteria based at least in part on the first identifying characteristic;
determining, using the content inspection processor, a second identifying characteristic of the input data by inspecting the input data using the second search criteria, wherein the second identifying characteristic comprises a second characteristic type different from the first characteristic type associated with the input data; and
communicating, using the content inspection processor, the first result data and second result data to an apparatus processor to enable the apparatus processor to control operation of the electronic device based at least in part on the first result data and the second result data, wherein the first result data comprises the first identifying characteristic of the input data and the second result data comprises the second identifying characteristic of the input data.

15. The method of claim 12, wherein:
determining the first identifying characteristic comprises inspecting the input data using the first search criteria to identify:
code fragments in the input data expected to be found in close proximity to an attack signature;
a network protocol used to communicate the input data;
encoding information used to encode the input data;
decoding information used to decode the input data; or
any combination thereof.

The electronic apparatus of claim 1, 
wherein the electronic apparatus comprises a computer, a pager, a cellular phone, a personal organizer, a portable audio player, a network router, a network firewall, or a network switch
1. An apparatus, comprising:
a content inspection processor configured to inspect input data and output first result data based at least in part on inspection of the input data; and
processing logic communicatively coupled to the content inspection processor via one or more busses, wherein the processing logic is configured to:
transfer the input data to the content inspection processor via the one or more busses;
receive the first result data from the content inspection processor via the one or more busses; and
determine program data based at least in part on the first result data, wherein the content inspection processor is configured to be programmed using the program data to adapt operation of the content inspection processor;
wherein the content inspection processor is configured to:
determine the first result data by inspecting the input data using a first search criteria, wherein the first result data indicates a first identifying characteristic of a first characteristic type associated with the input data;

determine second result data by inspecting the input data using the second search criteria, wherein the second result data indicates a second identifying characteristic of a second characteristic type different from the first characteristic type associated with the input data.

11. The apparatus of claim 1, wherein the apparatus comprises a computer, a pager, a cellular phone, a personal organizer, a portable audio player, a network device, a control circuit, or a camera.

. A method of operating an electronic apparatus comprising: 
inspecting, using the electronic apparatus, received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data; 
determining, using the electronic apparatus, a second search criteria based at least in part on the higher level identifying characteristic of the received data indicated in the first result data; and re-inspecting, 
using the electronic apparatus, the received data using the second search criteria to enable the electronic apparatus to determine a lower level identifying characteristic of the input data encompassed by the higher level identifying characteristics of the received data.
12. A method for operating an electronic device comprising:
receiving, using a content inspection processor, input data from processing logic;
inspecting, 
using the content inspection processor, the input data to determine first result data, wherein inspecting the input data comprises determining, using the content inspection processor, a first identifying characteristic of the input data by inspecting the input data using a first search criteria, wherein the first identifying characteristic comprises a first characteristic type associated with the input data;
outputting, using the content inspection processor, the first result data to the processing logic to enable the processing logic to determine program data based at least in part on the first result data;
receiving, using the content inspection processor, the program data from the processing logic, wherein the program data is used to program the content inspection processor to adapt operation of the content inspection processor
determining, using the content inspection processor, a second search criteria to be used to inspect the input data, wherein the second search criteria is determined by adapting the first search criteria based at least in part on the first identifying characteristic;
determining, using the content inspection processor, a second identifying characteristic of the input data by inspecting the input data using the second search criteria, wherein the second identifying characteristic comprises a second characteristic type different from the first characteristic type associated with the input data; and
communicating, using the content inspection processor, the first result data and second result data to an apparatus processor to enable the apparatus processor to control operation of the electronic device based at least in part on the first result data and the second result data, wherein the first result data comprises the first identifying characteristic of the input data and the second result data comprises the second identifying characteristic of the input data.



The host controller of the instant application is the same as processing logic in claim 1 of US Patent No. 9,684,867. The higher level and lower level of identifying recited in claim 1 of the instant application corresponds to the first identifying characteristic and the second identifying characteristic recited in claim 1 of US Patent No. 9.684.867, Where the a network router, network firewall, and  network switch recited in claim 9 of the instant application are examples of network devices recited in claim 11 of US Patent No. 9,684,867. The communication port recited in claim 7 of the instant application is the same as the communication interface recited in claim 18 of US Patent No 9,684,867. Claim 7 of the instant application is obvious to method Claims 12 and 15 of US Patent No 9,684,867. The electronic device used in the operation of method recited is the same as the electronic apparatus recited in claim 7 of the instant .  

Claims 2-3, 7 and 13-19 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 of U.S. Patent No. 10,235,627. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are anticipated by the respective claims of the reference patent.
Application 16/280,872
Patent 10,235,627
1. An electronic apparatus, comprising: a content inspection processor configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data; and a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to: determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data; and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data.

2. The electronic apparatus of claim 1, wherein: the content inspection processor configured to: inspect the input data using the first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and output the first result data to indicate whether the first code fragment is detected in the input data; and the host controller is configured to, when the first result data indicates that the first code fragment is detected in the input data: determine the second search criteria based on the first one or more attack signatures associated with the first code fragment; and program the content inspection processor to inspect the input data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the input data.
. An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and
processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.


3. The electronic apparatus of claim 2, wherein: the content inspection processor configured to: inspect the input data using the first search criteria to detect whether a second code fragment associated with a second one or more attack signatures is present in the input data; and output the first result data to indicate whether the second code fragment is detected in the input data; 
and the host controller is configured to, when the first result data indicates that the second code fragment is detected in the input data: determine the second search criteria based on the second one or more attack signatures associated with the second code fragment; 
and program the content inspection processor to inspect the input data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the input data.
1. An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and
processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.

8. The apparatus of claim 1, wherein:
the content inspection processor is configured to: inspect the input data using the first search criteria to detect whether a second code fragment associated with a second one or more attack signatures is present in the input data; and
output the first results data to indicate whether the second code fragment is detected in the input data; and
the processing logic is configured to determine the second search criteria based on the second one or more attack signatures associated with the second code fragment when the first results data indicates that the second code fragment is detected in the input data.



7. The electronic apparatus of claim 1, comprising a communication port configured to communicatively couple the electronic apparatus to a communication network, wherein: the electronic apparatus is configured to receive the input data from the communication network via the communication port; and the content inspection processor is configured to: inspect the input data using the first search criteria to determine a network protocol used by the communication network; and output the first result data to indicate the network protocol used by the communication network.
1. An apparatus, comprising: a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network; a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:

6. The apparatus of claim 1, wherein:
the content inspection processor is configured to:
inspect the input data using a third search criteria to identify a network protocol used by the input data; and output second results data that indicates the network protocol used by the input data; and
the processing logic is configured to:
receive the second results data from the content inspection processor;
determine the first search criteria based at least in part on the network protocol used by the input data; and
program the content inspection processor to inspect the input data using the first search criteria.
. A method of operating an electronic apparatus comprising: inspecting, using the electronic apparatus, received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data; determining, using the electronic apparatus, a second search criteria based at least in part on the higher level identifying characteristic of the received data indicated in the first result data; and re-inspecting, using the electronic apparatus, the received data using the second search criteria to enable the electronic apparatus to determine a lower level identifying characteristic of the input data encompassed by the higher level identifying characteristics of the received data.

13. The method of claim 10, comprising receiving the received data from a communicating network communicatively coupled to the electronic apparatus via a communication port, 
wherein inspecting the received data comprises: inspecting the received data using the first search criteria to determine a network protocol used by the communication network; 
and determining the first result data to indicate the network protocol used by the communication network.
10. A method, comprising:
receiving, using a content inspection processor implemented in an electronic device, input data from a communication network communicatively coupled to the electronic device;
inspecting, using the content inspection processor, the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data;
outputting, using the content inspection processor, first results data that indicates whether the first code fragment is detected in the input data to a host controller communicatively coupled to the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determining, using the host controller, a second search criteria based on the first one or more attack signatures associated with the first code fragment and
programming, using the host controller, the content inspection processor to inspect the input data using the second search criteria to enable the electronic device to detect whether malware is present in the input data before execution.
11. The method of claim 10, comprising:
inspecting, using the content inspection processor, the input data using a third search criteria to identify a network protocol used by the input data;
outputting, using the content inspection processor, second results data that indicates the network protocol used by the input data to the host controller;
determining, using the host controller, the first search criteria based at least in part on the network protocol used by the input data; and
programming, using the host controller, the content inspection processor to inspect the input data using the first search criteria.
A method of operating an electronic apparatus comprising: inspecting, using the electronic apparatus, received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data; determining, using the electronic apparatus, a second search criteria based at least in part on the higher level identifying characteristic of the received data indicated in the first result data; and re-inspecting, using the electronic apparatus, the received data using the second search criteria to enable the electronic apparatus to determine a lower level identifying characteristic of the input data encompassed by the higher level identifying characteristics of the received data.

14. The method of claim 10, wherein: inspecting the received data comprises: inspecting the received data using the first search criteria to determine whether a code fragment associated with one or more attack signatures is present in the received data; and determining the first result data to indicate whether the code fragment is detected in the received data; and when the first result data indicates that the code fragment is detected in the received data: determining the second search criteria comprises determining the second search criteria based on the one or more attack signatures associated with the code fragment; and re-inspecting the received data comprises re-inspecting the received data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the received data.
10. A method, comprising: receiving, using a content inspection processor implemented in an electronic device, input data from a communication network communicatively coupled to the electronic device; inspecting, using the content inspection processor, the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; outputting, using the content inspection processor, first results data that indicates whether the first code fragment is detected in the input data to a host controller communicatively coupled to the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determining, using the host controller, a second search criteria based on the first one or more attack signatures associated with the first code fragment and programming, using the host controller, the content inspection processor to inspect the input data using the second search criteria to enable the electronic device to detect whether malware is present in the input data before execution.
10. A method of operating an electronic apparatus comprising: inspecting, using the electronic apparatus, received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data; determining, using the electronic apparatus, a second search criteria based at least in part on the higher level identifying characteristic of 

14. The method of claim 10, wherein: inspecting the received data comprises: inspecting the received data using the first search criteria to determine whether a code fragment associated with one or more attack signatures is present in the received data; and determining the first result data to indicate whether the code fragment is detected in the received data; and when the first result data indicates that the code fragment is detected in the received data: determining the second search criteria comprises determining the second search criteria based on the one or more attack signatures associated with the code fragment; and re-inspecting the received data comprises re-inspecting the received data using the second search criteria to enable the electronic apparatus to detect whether malware is present in the received data.


15. The method of claim 14, comprising: executing, using the electronic apparatus, the received data when re-inspection of the received data using the second search criteria determines that malware is not present in the received data; 
and disregarding, using the electronic apparatus, the received data when the re-inspection of the received data using the second search criteria determines that malware is present in the received data.
A method, comprising: receiving, using a content inspection processor implemented in an electronic device, input data from a communication network communicatively coupled to the electronic device;
inspecting, using the content inspection processor, the input data using a first search criteria to detect whether a first code fragment 
outputting, using the content inspection processor, first results data that indicates whether the first code fragment is detected in the input data to a host controller communicatively coupled to the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determining, using the host controller, a second search criteria based on the first one or more attack signatures associated with the first code fragment and
programming, using the host controller, the content inspection processor to inspect the input data using the second search criteria to enable the electronic device to detect whether malware is present in the input data before execution.



15. The method of claim 10, comprising:
inspecting, using the content inspection processor, the input data using a third search criteria to identify a natural language of the input data;
outputting, using the content inspection processor, second results data that indicates the natural language of the input data to the host controller;
determining, using the host controller, a fourth search criteria based at least in part on a language pattern used in the natural language of the input data; and
programming, using the host controller, the content inspection processor to inspect the input data using the fourth search criteria to enable the electronic device to translate the natural language of the input data into a different language.

16. The method of claim 15, wherein programming the content inspection processor to inspect the input data using the third search criteria comprises programming the content inspection processor to inspect the input data using the third search criteria after the electronic device determines that malware is not present in the input data.


. A network device comprising: a communication port configured to communicatively couple the network device to a communication network to enable the network device to receive input data from the communication network; 
and one or more processors communicatively coupled to the communication port, wherein the one or more processors are programmed to: inspect the input data using a first search criteria to determine first result data indicative of whether a first code fragment associated with a first one or more attack signatures is present in the input data; and when the first result data indicates that the first code fragment is detected in the input data:
 determine a second search criteria based at least in part on the first one or more attack signatures associated with the first code fragment; and re-inspect the input data using the second search criteria to enable the network device to detect whether malware is present in the input data before execution.
1. An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network; 
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to: inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and when the first results data indicates that the first code fragment is detected in the input data: determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; 
and program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.
16. A network device comprising: a communication port configured to communicatively couple the network device to a communication network to enable the network device to receive input data from the communication network; and one or more processors communicatively coupled to the 


17. The network device of claim 16, wherein the one or more processors are programmed to: inspect the input data using a third search criteria before the first search criteria to determine second result data indicative of a network protocol used by the communication network; and determine the first search criteria based at least in part on the network protocol indicated in the first result data.
The apparatus of claim 1, wherein:
the content inspection processor is configured to: inspect the input data using a third search criteria to identify a network protocol used by the input data; and output second results data that indicates the network protocol used by the input data; and
the processing logic is configured to: receive the second results data from the content inspection processor; determine the first search criteria based at least in part on the network protocol used by the input data; and program the content inspection processor to inspect the input data using the first search criteria.



18. The network device of claim 16, wherein the one or more processors are programmed to: inspect the input data using the first search criteria to determine the first result data such that the first result data indicates of whether a second code fragment associated with a second one or more attack signatures is present in the input data; and determine the second search criteria based at least in part on the second one or more attack signatures associated with the second code fragment when the first result data indicates that the second code fragment is detected in the input data.

a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and

receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.

8. The apparatus of claim 1, wherein:
the content inspection processor is configured to:
inspect the input data using the first search criteria to detect whether a second code fragment associated with a second one or more attack signatures is present in the input data; and output the first results data to indicate whether the second code fragment is detected in the input data; and the processing logic is configured to determine the second search criteria based on the second one or more attack signatures associated with the second code fragment when the first results data indicates that the second code fragment is detected in the input data.
A network device comprising: a communication port configured to communicatively couple the network device to a communication network to enable the network device to receive input data from the communication network; and one or more processors communicatively coupled to the communication port, wherein the one or more processors are programmed to: inspect the input data using a first search criteria to determine first result data indicative of whether a first code fragment associated with a first one or more attack signatures is present 

19. The network device of claim 16, wherein the one or more processors are programmed to re-inspect the input data using the second search criteria to determine second result data indicative of whether malware is present in the input data.
. An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment 
output first results data that indicates whether the first code fragment is detected in the input data; and
processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.


The host controller of the instant application is the same as processing logic in claim 1 of Patent US Patent No. 10,235,627.
Claim 8 is rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10,235,627 in view of Suzuki et al. (JP 2007288634 A). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are obvious over those of the reference patent, in view of Suzuki et al. to have the input data comprise of image data from a video encoder. The suggestion and/or motivation for doing so is to be able to inspect the content of moving image data It would have been obvious to have the input data of Patent 10,235,627 to comprise of image data from a video encoder. The suggestion and/or motivation for doing so is to be able to inspect the content of moving image data, such as video,  as suggested by Suzuki et al.

Patent 10,235,627
Suzuki et al. (JP 2007288634 A)
1. An electronic apparatus, comprising: a content inspection processor configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data; and a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to: determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data; and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data.


8. The electronic apparatus of claim 1, 

wherein the input data inspected by the content inspection processor comprises encoded image data output from a video encoder.

1. An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and
processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.



Claim 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over Claim 1 of U.S. Patent No. 10,235,627 in view of Morse et al. (US 20070225931 A1). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application are obvious over those of the reference patent, in view of Suzuki et al. to have the input data comprise of image data from a video encoder. The suggestion and/or motivation for doing so is to be able to inspect the content of moving image data, as suggested by Suzuki et al.  It would have been obvious to have the apparatus of Patent 10,235,627 to include a computer, network router, or a network switch. The suggestion and/or motivation for doing so is to allow the network device/apparatus to not only run locally on a device such as a computer but also over run the network device/apparatus on a network consisting of multiple computers, as suggested by Morse et al.
Application 16/280,872
Patent 10,235,627
Morse et al.
(US 20070225931A1)
16. A network device comprising: a communication port configured to communicatively couple the network device to a communication network to enable the network device to receive input data from the communication network; and one or more processors communicatively coupled to the communication port, wherein the one or more processors are programmed to: inspect the input data using a first search criteria to determine first result data indicative of whether a first code fragment associated with a first one or more attack signatures is present in the input data; and when the first result data indicates that the first code fragment is detected in the input data: determine a second search criteria based at least in part on the first one or more attack signatures associated with the first code fragment; and re-inspect the input data using the second search criteria to enable the network device to detect whether malware is present in the input data before execution.

20. The network device of claim 16, wherein the network device comprises a network router, a network firewall, a network switch, or any combination thereof.
An apparatus, comprising:
a communication port configured to communicatively couple the apparatus to a communication network to enable the apparatus to receive input data from the communication network;
a content inspection processor communicatively coupled to the communication port, wherein the content inspection processor is configured to:
inspect the input data using a first search criteria to detect whether a first code fragment associated with a first one or more attack signatures is present in the input data; and
output first results data that indicates whether the first code fragment is detected in the input data; and
processing logic communicatively coupled to the content inspection processor, wherein the processing logic is configured to:
receive the first results data from the content inspection processor; and
when the first results data indicates that the first code fragment is detected in the input data:
determine a second search criteria based on the first one or more attack signatures associated with the first code fragment; and
program the content inspection processor to inspect the input data using the second search criteria to enable the apparatus to detect whether malware is present in the input data before execution.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA  35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this or a foreign country, before the invention thereof by the applicant for a patent.


Claims 1, 9 and 10 are rejected under pre-AIA  35 U.S.C. 102(a) as being anticipated by Smith et al. (US 20060031217 A1).
Regarding claim 1, Smith et al. teaches an electronic apparatus, comprising (Smith et al. [Abstract] “A method and apparatus for ontology-based classification of media content are provided.”): a content inspection processor (Smith et al. [0032; 0033] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer…Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302…An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.”, processor 302 is the content inspection processor.) configured to inspect input data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the input data (Smith et al. [0071; 0072; 0073l Figure 8] “As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where the root classification higher level identifying characteristic and the confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification.); and a host controller communicatively coupled to the content inspection processor, wherein the host controller is configured to (Smith et al. [0032; Figure 3] “Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302.”, where PCI bridge 308 shown in Fig. 3 is the host controller.): determine a second search criteria based at least in part on the higher level identifying characteristic of the input data indicated in the first result data; and program the content inspection processor to inspect the input data using the second search criteria to enable the content inspection to determine a lower level identifying characteristic of the input data (Smith et al. [0072-73; Figure 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.).
Regarding claim 9, Smith et al. teaches wherein the electronic apparatus comprises a computer (Smith et al. [0032; Figure 3] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer.”).
Regarding claim 10, Smith et al. teaches a method of operating an electronic apparatus comprising: inspecting, using the electronic apparatus (Smith et al. [Abstract] “A method and apparatus for ontology-based classification of media content are provided.”), received data using a first search criteria to determine first result data indicative of a higher level identifying characteristic of the received data (Smith et al. [0071; 0072; 0073l Figure 8] “As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where the root classification higher level identifying characteristic and the confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification.); determining, using the electronic apparatus, a second search criteria based at least in part on the higher level identifying characteristic of the received data indicated in the first result data; and re-inspecting, using the electronic apparatus, the received data using the second search criteria to enable the electronic apparatus to determine a lower level identifying characteristic of the input data encompassed by the higher level identifying (Smith et al. [0072; Figure 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.).

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA  35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.

4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 2-3,14-16, and 18-19 rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Smith et al. (US 20060031217 A1) in view of Archer et al. (US 20090293126 A1).
Regarding claim 2, Smith et al. teaches wherein: the content inspection processor configured to (Smith et al. [0032; 0033] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer…Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302…An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.”, processor 302 is the content inspection processor.): inspect the input data using the first search criteria to detect whether a first fragment associated with a first one or more signatures is present in the input data; and output the first result data to indicate whether the first fragment is detected in the input data (Smith et al. [0056; 0057; 0071; 0072; 0073l Figure 8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…The class models in the class models storage 640 represent the various possible classifications or classifiers with which media data may be classified. The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high…As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where controller 610 detects media data, signature, to classify input data, the root classification signifies a match between the fragment in the input data and a signature associated with a classification. The confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification); and the host controller is configured to, when the first result data indicates that the first fragment is detected in the input data (Smith et al. [0056; 0057] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…The class models in the class models storage 640 represent the various possible classifications or classifiers with which media data may be classified. The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high”, where controller 610 detects media data found in within fragments of the input data.): determine the second search criteria based on the first one or more signatures associated with the first fragment; and program the content (Smith et al. [0056; 0057; 0058; 0059; 0072; Figure 7; Figure 8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640. The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high…The class models are preferably organized in a hierarchical classification structure such that the class models represent nodes in the hierarchical classification structure. Thus, some class models may be parent nodes in the hierarchical classification structure, some class models may be child nodes, and others may be both parent nodes and child nodes. The class models are models that are determined from training of the media classification mechanism. That is, as discussed above, training data in which the actual classifications for input media data are known a priori, are input to the media classification mechanism. Parameters associated with the class models are adjusted based on the results generated by the media classification mechanism operating on the input media data. The parameters are adjusted such that the results generated in subsequent iterations more closely match the actual classifications for the input media data. In this way, the parameters or attributes associated with each class model are trained to better predict whether input media data matches those particular classifications…The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where controller 610 detects media data, a signature, to classify input data, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.).
 Smith et al. does not teach inspecting the input data to detect whether a first code fragment is associated with an attack signature is present in the input data; and enabling the electronic apparatus to detect whether malware is present in the input data.
	Archer et al. teaches inspecting the input data to detect whether a first code fragment is associated with a first one or more attack signatures is present in the input data (Archer et al. [0026; 0041; 0042] “The processor 30 may use malware signatures to identify the presence of malware in a data transfer over the data pathway 26. In one exemplary approach, the signatures may include indicia of malware such as file names, copies of malware files, hash codes of malware files, etc…Next, in step 420, the data transfer may be analyzed using malware signatures…Next, in step 425, it may be determined whether malware is identified in the data transfer. When a portion of the data transfer, such as the portion buffered in step 415 above, corresponds to a malware signature or heuristic, malware may be identified. The correspondence may be an exact correspondence such as a match between a malware signature and the buffered data. In another exemplary approach, malware may be identified based on a degree of correspondence between the portion of data and the malware signature exceeding a predetermined threshold.”, where the data transfer over pathway 26 is the input data, the malware signatures, attack signatures, stored on the device is the search criteria used to detect the same malware signatures, attack signatures, in the input data.); and enabling the electronic apparatus to detect whether malware is present in the input data (Archer et al. [0042; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”).

	Regarding claim 3, Smith et al. in view of Archer et al. teaches all elements of the claim. Smith further teaches wherein: the content inspection processor configured to (Smith et al. [0032; 0033] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer…Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302…An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.”, processor 302 is the content inspection processor.): inspect the input data using the first search criteria to detect whether a first fragment associated with a first one or more signatures is present in (Smith et al. [0056-59; 0071; 0072; 0073l Figure 7,8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where controller 610 detects media data, a signature, where the root classification signifies a match between the fragment in the input data and a signature associated with a classification. The confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification; and the host controller is configured to, when the first result data indicates that the second fragment is detected in the input data (Smith et al. [0032; Figure 3] “Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302.”, where PCI bridge 308 shown in Fig. 3 is the host controller.): determine the second search criteria based on the second one or more signatures associated with the second fragment; and program the content inspection processor to inspect the input data using the second search criteria (Smith et al. par. 57-59, [0072; Figure7- 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.)
	Archer et al. further teaches inspecting the input data to detect whether a first code fragment is associated with a second one or more attack signatures is present in the input data (Archer et al. [0026; 0041; 0042] “The processor 30 may use malware signatures to identify the presence of malware in a data transfer over the data pathway 26. In one exemplary approach, the signatures may include indicia of malware such as file names, copies of malware files, hash codes of malware files, etc…Next, in step 420, the data transfer may be analyzed using malware signatures…Next, in step 425, it may be determined whether malware is identified in the data transfer. When a portion of the data transfer, such as the portion buffered in step 415 above, corresponds to a malware signature or heuristic, malware may be identified. The correspondence may be an exact correspondence such as a match between a malware signature and the buffered data. In another exemplary approach, malware may be identified based on a degree of correspondence between the portion of data and the malware signature exceeding a predetermined threshold.”, where the data transfer over pathway 26 is the input data, the malware signatures, attack signatures, stored on the device is the search criteria used to detect the same malware signatures, attack signatures, in the input data.); and enabling the electronic apparatus to detect whether malware is present in the input data (Archer et al. [0043; 0044; 0045; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”)
Regarding claim 14, Smith et al. teaches wherein: the content inspection processor configured to (Smith et al. [0032; 0033] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer…Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302…An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.”, processor 302 is the content inspection processor.): inspect the input data using the first search criteria to detect whether a first fragment associated with a first one or more signatures is present in the input data; and output the first result data to indicate whether the first fragment is detected in the input data (Smith et al. [0056; 0071; 0072; 0073l Figure 8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where controller 610 detects media data, a signature, to classify input data, where the root classification signifies a match between the fragment in the input data and a signature associated with a classification. The confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification; and the host controller is configured to, when the first result data indicates that the first fragment is detected in the input data (Smith et al. [0032; Figure 3] “Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302.”, where PCI bridge 308 shown in Fig. 3 is the host controller.): determine the second search criteria based on the first one or more signatures associated with the first fragment; and program the content inspection processor to inspect the input data using the second search criteria (Smith et al. [0072; Figure 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.). Smith et al. does not teach inspecting the input data to detect whether a first code fragment is associated with an attack signature is present in the input data; and enabling the electronic apparatus to detect whether malware is present in the input data.
(Archer et al. [0026; 0041; 0042] “The processor 30 may use malware signatures to identify the presence of malware in a data transfer over the data pathway 26. In one exemplary approach, the signatures may include indicia of malware such as file names, copies of malware files, hash codes of malware files, etc…Next, in step 420, the data transfer may be analyzed using malware signatures…Next, in step 425, it may be determined whether malware is identified in the data transfer. When a portion of the data transfer, such as the portion buffered in step 415 above, corresponds to a malware signature or heuristic, malware may be identified. The correspondence may be an exact correspondence such as a match between a malware signature and the buffered data. In another exemplary approach, malware may be identified based on a degree of correspondence between the portion of data and the malware signature exceeding a predetermined threshold.”, where the data transfer over pathway 26 is the input data, the malware signatures, attack signatures, stored on the device is the search criteria used to detect the same malware signatures, attack signatures, in the input data.); and enabling the electronic apparatus to detect whether malware is present in the input data (Archer et al. [0043; 0044; 0045; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”). The same motivation utilized to combine Smith et al. and Archer et al. utilized in claim 2 is equally applicable to claim 14.
	Regarding claim 15, Smith et al. in view of Archer et al. teaches the elements of the claim. Archer et al. further teaches comprising: executing, using the electronic apparatus, the received data when re-inspection of the received data using the second search criteria determines that malware is not present in the received data (Archer et al. [0042; Fig. 4] “Next, in step 425, it may be determined whether malware is identified in the data transfer”); and disregarding, using the electronic apparatus, the received data when the re-inspection of the received data using the second search criteria determines that malware is present in the received data (Archer et al. [0042; Fig. 4] “Next, in step 425, it may be determined whether malware is identified in the data transfer”, where according to the flowchart in Fig. 4, where malware is not detected in the received data, the data gets disregarded and more portions of the received data are then analyzed for malware detection.).
Regarding claim 16, Smith et al. teaches a network device comprising: a communication port configured to communicatively couple the network device to a communication network to (Smith et al. [0025; 0026; Figure 1] “With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which exemplary aspects of the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables… In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104.”, where the network device is connected to a network and able to receive data from storage or other computers, over a network, the network device being either of the clients 108, 110, or 112.); inspect the input data using the first search criteria to detect whether a first fragment associated with a first one or more signatures is present in the input data; and output the first result data to indicate whether the first fragment is detected in the input data (Smith et al. [0056; 0057;  0071; 0072; 0073l, Figure 7-8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…The class models in the class models storage 640 represent the various possible classifications or classifiers with which media data may be classified. The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high…As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where controller 610 detects media data, a signature, to classify input data, where the root classification signifies a match between the fragment in the input data and a signature associated with a classification. The confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification); and the host controller is configured to, when the first result data indicates that the first fragment is detected in the input data (Smith et al. [0056; 0057; 0058; 0059] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high…The class models are preferably organized in a hierarchical classification structure such that the class models represent nodes in the hierarchical classification structure. Thus, some class models may be parent nodes in the hierarchical classification structure, some class models may be child nodes, and others may be both parent nodes and child nodes. The class models are models that are determined from training of the media classification mechanism. That is, as discussed above, training data in which the actual classifications for input media data are known a priori, are input to the media classification mechanism. Parameters associated with the class models are adjusted based on the results generated by the media classification mechanism operating on the input media data. The parameters are adjusted such that the results generated in subsequent iterations more closely match the actual classifications for the input media data. In this way, the parameters or attributes associated with each class model are trained to better predict whether input media data matches those particular classifications”, where controller 610 detects media data found in within fragments of the input data.): determine the second search criteria based on the first one or more signatures associated with the first fragment; and program the content inspection processor to inspect the input data using the second search criteria (Smith et al. [0056; 0057; 0058; 0059; 0072; Figure 8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640… The class models include the attributes of media data that are most characteristic of data that matches the corresponding classification. The confidence value that is determined for each possible classification, or class model, is a measure of the amount by which the attributes of the input media data matches the attributes associated with the class model. Thus, if the attributes of the input media data closely match the attributes of a class model, then the confidence that the classification associated with that class model applies to the input media data is high…The class models are preferably organized in a hierarchical classification structure such that the class models represent nodes in the hierarchical classification structure. Thus, some class models may be parent nodes in the hierarchical classification structure, some class models may be child nodes, and others may be both parent nodes and child nodes. The class models are models that are determined from training of the media classification mechanism. That is, as discussed above, training data in which the actual classifications for input media data are known a priori, are input to the media classification mechanism. Parameters associated with the class models are adjusted based on the results generated by the media classification mechanism operating on the input media data. The parameters are adjusted such that the results generated in subsequent iterations more closely match the actual classifications for the input media data. In this way, the parameters or attributes associated with each class model are trained to better predict whether input media data matches those particular classifications…The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where controller 610 detects media data, a signature, to classify input data, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.). Smith et al. does not teach inspecting the input data to detect whether a first code fragment is associated with an attack signature is present in the input data; and enabling the electronic apparatus to detect whether malware is present in the input data.
	Archer et al. teaches inspecting the input data to detect whether a first code fragment is associated with a first one or more attack signatures is present in the input data (Archer et al. [0026; 0041; 0042] “The processor 30 may use malware signatures to identify the presence of malware in a data transfer over the data pathway 26. In one exemplary approach, the signatures may include indicia of malware such as file names, copies of malware files, hash codes of malware files, etc…Next, in step 420, the data transfer may be analyzed using malware signatures…Next, in step 425, it may be determined whether malware is identified in the data transfer. When a portion of the data transfer, such as the portion buffered in step 415 above, corresponds to a malware signature or heuristic, malware may be identified. The correspondence may be an exact correspondence such as a match between a malware signature and the buffered data. In another exemplary approach, malware may be identified based on a degree of correspondence between the portion of data and the malware signature exceeding a predetermined threshold.”, where the data transfer over pathway 26 is the input data, the malware signatures, attack signatures, stored on the device is the search criteria used to detect the same malware signatures, attack signatures, in the input data.); and enabling the electronic apparatus to detect whether malware is present in (Archer et al. [0043; 0044; 0045; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”). The same motivation utilized to combine Smith et al. and Archer et al. in claim 2, is equally applicable to claim 16.
	Regarding claim 18, Smith et al. in view of Archer teaches all elements of the claim. Smith further teaches wherein: the content inspection processor configured to (Smith et al. [0032; 0033] “With reference now to FIG. 3, a block diagram illustrating a data processing system is depicted in which exemplary aspects of the present invention may be implemented. Data processing system 300 is an example of a client computer…Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302…An operating system runs on processor 302 and is used to coordinate and provide control of various components within data processing system 300 in FIG. 3.”, processor 302 is the content inspection processor.): inspect the input data using the first search criteria to detect whether a first fragment associated with a first one or more signatures is present in the input data; and output the first result data to indicate whether the first fragment is detected in the input data (Smith et al. [0056-59; 0071; 0072; 0073l Figure 8] “The controller 610 controls the overall operation of the media classification mechanism and orchestrates the operation of the other elements 620-670. Media data that is to be classified in order to generate an index for representing the media data is received via the media data interface 620. The controller 610 detects the reception of this media data and instructs the classification engine 630 to operate on the media data to determine an initial set of classification confidence values for the various class models stored in the class models storage 640…As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where controller 610 detects media data, a signature, to classify input data, where the root classification signifies a match between the fragment in the input data and a signature associated with a classification. The confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification; and the host controller is configured to, when the first result data indicates that the second fragment is detected in the input data (Smith et al. [0032; Figure 3] “Processor 302 and main memory 304 are connected to PCI local bus 306 through PCI bridge 308. PCI bridge 308 also may include an integrated memory controller and cache memory for processor 302.”, where PCI bridge 308 shown in Fig. 3 is the host controller.): determine the second search criteria based on the second one or more signatures associated with the second fragment; and program the content inspection processor to inspect the input data using the second search criteria (Smith et al. [0072; Figure 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.)
	Archer et al. further teaches inspecting the input data to detect whether a first code fragment is associated with a second one or more attack signatures is present in the input data (Archer et al. [0026; 0041; 0042] “The processor 30 may use malware signatures to identify the presence of malware in a data transfer over the data pathway 26. In one exemplary approach, the signatures may include indicia of malware such as file names, copies of malware files, hash codes of malware files, etc…Next, in step 420, the data transfer may be analyzed using malware signatures…Next, in step 425, it may be determined whether malware is identified in the data transfer. When a portion of the data transfer, such as the portion buffered in step 415 above, corresponds to a malware signature or heuristic, malware may be identified. The correspondence may be an exact correspondence such as a match between a malware signature and the buffered data. In another exemplary approach, malware may be identified based on a degree of correspondence between the portion of data and the malware signature exceeding a predetermined threshold.”, where the data transfer over pathway 26 is the input data, the malware signatures, attack signatures, stored on the device is the search criteria used to detect the same malware signatures, attack signatures, in the input data.); and enabling the electronic apparatus to detect whether malware is present in the input data (Archer et al. [0043; 0044; 0045; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”).
	Regarding claim 19, Smith et al. in view of Archer et al. teaches all elements of the claim. Smith et al. further teaches wherein the one or more processors are programmed to re-inspect the input data using the second search criteria (Smith et al. [0072; Figure 8] “The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations. The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870).”, where the child classifications corresponds to a root classification, like the lower-level identifying characteristic corresponds to the higher-level identifying characteristic. The boosting factor, confusion factor and confidence factor are search criteria used to determine the child classification, lower-level identifying characteristic.)
Archer et al. further teaches determine second result data indicative of whether malware is present in the input data (Archer et al. [0043; 0044; 0045; Figure 4] Next, in step 430, the data transfer may be interrupted and the data transfer devices may be alerted to the existence of malware. The malware detection device 20 may communicate with the data transfer devices 12 through the host interface module 47…Next, in step 435, it may be determined whether the data transfer should proceed. In one exemplary approach, the operator may be given the opportunity to allow the data transfer to proceed. For example, the alert presented in step 430 may also include a dialogue box or similar user interface element to accept a decision of the operator…, the host interface module 47 may be configured with alert overrides. Overrides may accommodate data transfers that are improperly identified as malware. Through the use of overrides, the malware detection device 20 in cooperation with the host interface module 47 may automatically determine that the data transfer should proceed.”).
Claim 7, 13 rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Smith et al. (US 20060031217 A1) in view of Naudus (US 6105068 A).
Regarding claim 7, Smith et al. teaches the electronic apparatus, comprising a communication port configured to communicatively couple the electronic apparatus to a communication network, wherein: the electronic apparatus is configured to receive the input data from the communication network via the communication port  (Smith et al. [0025; 0026; Figure 1] “With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which exemplary aspects of the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables… In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104.”, where the network device is connected to a network and able to receive data from storage or other computers, over a network, the network device being either of the clients 108, 110, or 112.); and the content inspection processor is configured to: inspect the input data using the first search criteria (Smith et al. [0071; 0072; 0073l Figure 8] “As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where the root classification higher level identifying characteristic and the confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification.)
Smith does not teach determining a network protocol used by the communication network; and output the first result data to indicate the network protocol used by the communication network.
	Naudus teaches determining a network protocol used by the communication network; (Naudus [Abstract; Claim 1 ] “A method and apparatus for determining a network protocol type as the protocol is received on a network connection is presented… In an internetworking device connecting a first computer network to a second computer network with a plurality of communication links, the plurality of communication links using a plurality of network protocols for communications, a method of determining a network protocol being used over a communication link… identifying a network protocol being used on the communication link); and output the first result data to indicate the network protocol used by the communication network (Naudus [Claim 4, Claim 5] “The method of claim 1 further comprising: determining whether a network protocol has been identified with the initial selection input, and if so, selecting protocol processing software for the identified network protocol on the internetworking device for use on the communication link…verifying the network protocol being used on the communication link is the identified network protocol.”).
	Before the effective filing date of the invention it would have been obvious to a person of ordinary skill in the art having the teachings of Smith et al. and Naudus to have a hierarchical classifier detect the network protocol used by the input data coming from a communication network. The suggestion and/or motivation for doing so is to save significant resources on the gateway as one would have to implement multiple protocol interpreters to interconnect computer networks using dissimilar network protocols, as suggested by Naudus.
Regarding claim 13, Smith et al. teaches the electronic apparatus, comprising a communication port configured to communicatively couple the electronic apparatus to a communication network, wherein: the electronic apparatus is configured to receive the input data from the communication network via the communication port  (Smith et al. [0025; 0026; Figure 1] “With reference now to the figures, FIG. 1 depicts a pictorial representation of a network of data processing systems in which exemplary aspects of the present invention may be implemented. Network data processing system 100 is a network of computers in which the present invention may be implemented. Network data processing system 100 contains a network 102, which is the medium used to provide communications links between various devices and computers connected together within network data processing system 100. Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables… In the depicted example, server 104 is connected to network 102 along with storage unit 106. In addition, clients 108, 110, and 112 are connected to network 102. These clients 108, 110, and 112 may be, for example, personal computers or network computers. In the depicted example, server 104 provides data, such as boot files, operating system images, and applications to clients 108-112. Clients 108, 110, and 112 are clients to server 104.”, where the network device is connected to a network and able to receive data from storage or other computers, over a network, the network device being either of the clients 108, 110, or 112.); and the content inspection processor is configured to: inspect the input data using the first search criteria (Smith et al. [0071; 0072; 0073l Figure 8] “As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where the root classification higher level identifying characteristic and the confusion factor, boosting factor, and confidence factor are search criteria used to determine the root classification.)

	Naudus teaches determining a network protocol used by the communication network; (Naudus [Abstract; Claim 1] “A method and apparatus for determining a network protocol type as the protocol is received on a network connection is presented… In an internetworking device connecting a first computer network to a second computer network with a plurality of communication links, the plurality of communication links using a plurality of network protocols for communications, a method of determining a network protocol being used over a communication link… identifying a network protocol being used on the communication link); and output the first result data to indicate the network protocol used by the communication network (Naudus [Claim 4, Claim 5] “The method of claim 1 further comprising: determining whether a network protocol has been identified with the initial selection input, and if so, selecting protocol processing software for the identified network protocol on the internetworking device for use on the communication link…verifying the network protocol being used on the communication link is the identified network protocol.”). The same motivation utilized in combining Smith et al. and Naudus in claim 7, is equally applicable to claim 13.

Claim 8 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Smith et al. (US 20060031217 A1) in view of Suzuki et al. (JP 2007288634 A).

Suzuki et al. teaches wherein the input data inspected by the content inspection processor comprises encoded image data output from a video encoder (Suzuki [Abstract]: “To provide a video inspection system for performing the moving image inspection of a DTV board which receives digital broadcasting… This video inspection system is provided with a transmission means for transmitting a data stream including moving image data; an inspection object decoder board for outputting video data by decoding the data stream; and an inspection device for inspecting the decoder board.”).
Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art having the teachings of Smith et al. and Suzuki et al. to have the input for the classifier of Smith et al. data comprise of image data from a video encoder, as taught by Suzuki et al. The suggestion and/or motivation for doing so is to be able to inspect and classify the content of moving image data, such as video, as suggested by Suzuki et al. 

Claim 17 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Smith et al. (US 20060031217 A1) in view of Archer et al. (US 20090293126 A1), hereinafter, Naudus (US 6105068 A).
 	Smith et al. in view of Archer et al. teaches all elements of the claim, Smith et al. further teaches except wherein the one or more processors are programmed to: inspect the input data using a third search criteria before the first search criteria and determining the first search criteria based at least in part on the first result data. (Smith et al. [0071; 0072; 0073l Figure 8] “As shown in FIG. 8, the operation starts by receiving input media data that is to be classified (step 810). The input media data is classified using a trained classification mechanism (step 820) and the classification hierarchy and initial confidence scores for each classification are stored (step 830)… The next classification in the classification hierarchy is then determined (step 840). This would be the root classification the first time this step is encountered and will be child classifications of the root classification in later iterations.…The boosting factor to be applied to this classification based on its ancestors is then determined (step 850). The confusion factor that is to be applied to this classification based on mutually exclusive classifications is also determined (step 860). The confidence score associated with this classification is then adjusted based on the boosting factor and the confidence factor (step 870)… A determination is then made as to whether there are any more classifications in the classification hierarchy that need to have their confidence scores adjusted (step 880). If so, the operation returns to step 840. Otherwise, the modified or adjusted confidence scores are stored (step 890) and are used to determine which classifications apply to the input media data to thereby generate indices for the input media data (step 895).”, where the root classification signifies the broadest content search, and the resulting child classification would represents narrower searches within the root classification.). Smith et al. in view of Archer et al. does not teach determining second result data indicative of a network protocol used by the communication network; 
	Naudus teaches determining second result data indicative of a network protocol used by the communication network (Naudus [Abstract; Claim 1] “A method and apparatus for determining a network protocol type as the protocol is received on a network connection is presented… In an internetworking device connecting a first computer network to a second computer network with a plurality of communication links, the plurality of communication links using a plurality of network protocols for communications, a method of determining a network protocol being used over a communication link… identifying a network protocol being used on the communication link).
	Before the effective filing date of the invention, it would have been obvious to a person of ordinary skill in the art, having the teachings of Smith et al, Archer et al, and Naudus to have the network device of Smith et al. and Archer et al. to be able to determine the network protocol used by the communication network the device is coupled to. The suggestion and/or motivation for doing so is to save significant resources on the gateway while searching content for input data over a network protocol as one would have to implement multiple protocol interpreters to interconnect computer networks using dissimilar network protocols, as suggested by Naudus.

Claim 20 is rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Smith et al. (US 20060031217 A1) in view of Archer et al. (US 20090293126 A1), hereinafter, Morse et al. (US 20070225931A1).
Regarding claim 20, Smith et al. in view of Archer et al. teaches all elements of the claim except wherein the network device comprises a network router, a network firewall, a network switch, or any combination thereof (Morse et al. [Abstract; 0006; 0054; Fig. 1]: “An inspection apparatus… FIG. 1 a is a view of a visual inspection system which in the embodiment shown has local and remote computers… Remote server 700-2 and local server 700-1 can be connected via an IP network 500 and suitable gateways and routers where necessary (not shown) can be disposed between IP network 600”).
.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure
Savchuk (WO 2005027539 A2) teaches a platform for high-performance network content analysis. The method may detect the extrusion of the data and uncover hidden transport mechanisms. The method also detects unauthorized encrypted sessions and stop data transfers deemed malicious.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to IAN K ALLEYNE whose telephone number is (571)272-1327. The examiner can normally be reached 8:30 - 5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/IAN K ALLEYNE/Examiner, Art Unit 2127                                                                                                                                                                                                        

/ABDULLAH AL KAWSAR/Supervisory Patent Examiner, Art Unit 2127