DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 7, 8, 10, 11 have been amended, claims 15, and 16 have been added and claims 9 and 14 have been cancelled.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:

(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are:
“feature information querying unit” in claim 9,
“time point updating unit” in claims 9 and 10,
“timeliness detecting unit” in claims 9 and 11,
“invalidation warning unit” in claim 9,
“valid content updating unit” in claim 11,
“invalid content updating unit” in claim 12,
“third field detecting unit” in claim 13,
“periodical inspection task initiating unit” in claim 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 6 -8,10, 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable Jain over et al.(US 20170250954 herein after Jain) in view of Chai et al. (US 11176244 B2 herein after Chai) further in view of Seigel (US 20170031741).

Regarding claims 1, 7, Jain teaches a central node server,
 comprising a system for managing traffic features, wherein the system implements a method for managing traffic features (Fig 4 “host 100”, “Smart NIC”, [0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198”)), and the method includes:
identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server (Fig. 11 “388 Signature”,”200”,  “102”, [0069] “where the inspection software/hardware at the hosts 100 and/or their NICs 104 are configured with filters or rate controllers, mitigation actions such as filter rules and signature rules 388 can be sent to inform control traffic or to inform the inspection processes. For example, if a packet feature is identified as ,
 and reporting a matching traffic feature corresponding to the user traffic to the central node server when identification is successful (([0065] “comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”),
 wherein the traffic feature data is a combination of an application, the traffic feature corresponding to the application, and a feature identifier corresponding to the traffic feature, the feature identifier uniquely identifies the corresponding traffic feature ([0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, Examiner’s Note: packet feature is analogous to traffic feature, and port number, or port is analogous to feature identifier ),
 after receiving a traffic feature sent by a traffic identification device (Fig 4 “packets 106”, “Smart NIC”, Fig 11 “Access router”, “edge router”, [0040] “As packets flow through the NIC”)
 querying feature information associated with the traffic feature ([0030] “Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. For a client-server implementation, this may involve collating reports or other indicia of local top-N packet features and identifying the top-K features among the collated data.”)
and updating content in the first field ([0040] “The counting modules identify arbitrary packet features of packets or data at different layers and update statistical data in respective tables 196, 198”);
 performing a timeliness detection task for the traffic feature, and determining a time difference between a time point when the timeliness detection task is performed and the time point recorded in the first field; and if the time difference is greater than the time interval threshold ([0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198. In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data. Periodically, the tables or subsets of the most statistically significant rows therein are provided to the overlay 112 through the overlay agent 118”), to allow the management server to update traffic feature data ([0053] “pull cached copies of relevant packets or portions thereof (for instance in buffers 184, 186, 188) based on keys in the global top-K data”, [0056] “top-K analyzer 274 executes on the control server 200. The top-K analyzer 274 monitors the global packet feature data in the top-K tables 202. This can include shuffling out entries that fall out of the top-K range”).
Although, Jain teaches wherein the feature information includes at least a first field for recording a time point of latest successful verification of the traffic feature and a second field (Fig. 4 “198”, “196” “statM”, [0040] “In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data”). Jain does not teach a second field for recording a warning time interval threshold, wherein the warning time interval threshold is an average time length for the application to trigger the network traffic, issuing a warning of invalidation of the traffic feature to a management server.
However, Chai teaches wherein the feature information includes at least a first field for recording a time point of latest successful verification of the traffic feature and a second field for recording a warning time interval threshold (col 16 lines 20-50 “the updating the first characteristic value to a second characteristic value when the to-be-detected cloud application meets a preset characteristic value update condition may include: determining whether a runtime of the to-be-detected cloud application exceeds a preset time, and if the runtime of the to-be-detected cloud application exceeds the preset time, determining that the to-be-detected cloud application meets the preset characteristic value update condition … If a first characteristic value is obtained at 10 o'clock sharp in the morning, the cloud application detection apparatus controls the guard agent to: update the current characteristic value after 10 minutes, that is, at 10 past 10 in the morning, to obtain a second characteristic value; update the second characteristic value after another 10 minutes”, (Examiner Note: the first field is analogous to the time when the characteristic value is obtained, the second field is analogous to the runtime preset time) issuing a warning of invalidation of the traffic feature to a management server (col 12 lines 3 -15 “the cloud detection system .
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Jain to incorporate the teachings of Chai. One of ordinary skill in the art would have been motivated to make this modification in order to ensure up to date information in tables to minimize security vulnerabilities.
Chai does not teach wherein the warning time interval threshold is an average time length for the application to trigger the network traffic.
However, Seigel teaches wherein the warning time interval threshold is an average time length for the application to trigger the network traffic ([0035] “The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some cases, if alert profiles have an associated severity, the average length of time that an alert profile is active may be determined for each severity”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain and Chai to incorporate the teachings of Seigel. One of ordinary skill in the art would have been motivated to make this modification in order to allow for a more efficient system.


an apparatus for managing traffic features, comprising
 a management server (Fig 4 “Control Server 200”, “A control server 200 receives the table updates and stores them in corresponding global tables 202”), a central node server (Fig 4 “Smart NIC”, “host 100”, [0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198”)), and at least one traffic identification device (Fig 4 “packets 106”, Fig 11 “Access router”, “edge router”, [0040] “As packets flow through the NIC”), 
wherein: the management server is configured to issue traffic feature data to the central node server and each traffic identification device (Fig. 11”, “mitigation engine 276”, “Signature rules 388”, “white/black list 384”, [0067] “One mitigation action that the mitigation process 380 can perform is to generate white/black lists 384 in near real time, as well as update these lists with new detected patterns”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162”)
 and update the traffic feature data (Fig. 11”, “mitigation engine 276”, “Signature rules 388”, “white/black list 384”, [0067] “One mitigation action that the mitigation process 380 can perform is to generate white/black lists 384 in near real time, as well as update these lists with new detected patterns”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162”);
wherein the traffic feature data is a combination of an application, the traffic feature corresponding to the application, and a feature identifier corresponding to the traffic feature, the feature identifier uniquely identifies the corresponding traffic feature ([0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, Examiner’s Note: packet feature is analogous to traffic feature, and port number, or port is analogous to feature identifier );
 a traffic identification device is configured to identify locally received user traffic based on the traffic feature data ([0070] “collect more traffic information like capture more packets of that type, to have higher confidence if it is anomalous or not. In parallel to rate limiting, traffic can be mirrored or copied, or only packets that are dropped by rate limiting might be copied. Packets matching a pattern can be re-routed to specific end points e.g., traffic scrubbers”), and report a matching traffic feature corresponding to the user traffic to the central node server when identification is successful ([0036] “Information about packet features identified by the packet analyzer 162 are passed to the overlay interface 163. The overlay interface 163 hooks the host/NIC into the overlay 112.”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”).
and the central node server is configured to issue a warning of invalidation to the management server ([0040] “A control server 200 receives the table updates  when an invalid traffic feature is detected ([0040] “rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data. Periodically, the tables or subsets of the most statistically significant rows therein are provided to the overlay 112 through the overlay agent 118”)
wherein the central node server includes: a feature information querying unit that is configured to, after receiving a traffic feature sent by the traffic identification device (Fig. 11 “202”, [0030] “Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. For a client-server implementation, this may involve collating reports or other indicia of local top-N packet features and identifying the top-K features among the collated data”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”),
 query feature information associated with the traffic feature (Fig. 11 “202”, [0030] “Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. For a client-server implementation, this may involve collating reports or other ,
 a time point updating unit that is configured to update content in the first field ([0040] “The counting modules identify arbitrary packet features of packets or data at different layers and update statistical data in respective tables 196, 198”),
 a timeliness detecting unit that is configured to perform a timeliness detection task for the traffic feature, and determine a time difference between a time point when the timeliness detection task is performed and a time point recorded in the first field ([0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198. In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data. Periodically, the tables or subsets of the most statistically significant rows therein are provided to the overlay 112 through the overlay agent 118”).
wherein the feature information includes at least a first field recording a time point of latest successful verification of the traffic feature and a second field (Fig. 4 “198”, “196” “statM”, [0040] “In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data”). Jain does not teach and a second field for recording a warning time interval threshold, receive a warning of invalidation sent by the central node server,
 the warning time interval threshold is an average time length for an application to trigger the network traffic, and an invalidation warning unit that is configured to issue a warning of invalidation of the traffic feature if the determined time difference is greater than the warning time interval threshold recorded in the second field.
However, Chai teaches wherein the feature information includes at least a first field recording a time point of latest successful verification of the traffic feature and a second field for recording a warning time interval threshold, receive a warning of invalidation sent by the central node server (col 16 lines 20-50 “the updating the first characteristic value to a second characteristic value when the to-be-detected cloud application meets a preset characteristic value update condition may include: determining whether a runtime of the to-be-detected cloud application exceeds a preset time, and if the runtime of the to-be-detected cloud application exceeds the and an invalidation warning unit that is configured to issue a warning of invalidation of the traffic feature (col 12 lines 3 -15 “the cloud detection system may send a cloud application detection result to a client, so that both a cloud service provider and a cloud service user can learn cloud application security in time”) if the determined time difference is greater than the warning time interval threshold recorded in the second field (col 16 lines 55-65 “determining whether a runtime of the to-be-detected cloud application exceeds a preset time, and if the runtime of the to-be-detected cloud application exceeds the preset time, determining that the to-be-detected cloud application meets the preset characteristic value update condition”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Jain to incorporate the teachings of Guo. One of ordinary skill in the art would have been motivated to make this modification in order to ensure up to date information in tables to minimize security vulnerabilities.
Chai does not teach , the warning time interval threshold is an average time length for an application to trigger the network traffic,

However, Seigel teaches the warning time interval threshold is an average time length for the application to trigger the network traffic ([0035] “The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some cases, if alert profiles have an associated severity, the average length of time that an alert profile is active may be determined for each severity”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain and Chai to incorporate the teachings of Seigel. One of ordinary skill in the art would have been motivated to make this modification in order to allow for a more efficient system.


wherein the time point updating unit is further configured to update the content in the first field to a time point when the traffic feature is received ([0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198. In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data”), or update the content in the first field to a time point when the traffic identification device reports the traffic feature, or update the content in the first field to a matching time point reported by the traffic identification device, wherein the matching time point indicates a time point when the traffic identification device successfully matches the traffic feature.

Regarding claim 6, 14, Jain teaches
wherein, before receiving the traffic feature sent by the traffic identification device, the method further includes:
 initiating a periodical inspection task, wherein the periodical inspection task, when executed ([0074] ““statistical values” and similar terms also refer to time-variant measures of packet features, such as occurrences over a given period of time, changes in the number of occurrences over a given period of time (i.e., accelerating/decelerating packet features), and so on”), implements the timeliness detection task according to a specified time interval ([0040] “As packets flow .

Regarding claim 15, Jain teaches wherein identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server (Fig. 11 “388 Signature”,”200”,  “102”, [0069] “where the inspection software/hardware at the hosts 100 and/or their NICs 104 are configured with filters or rate controllers, mitigation actions such as filter rules and signature rules 388 can be sent to inform control traffic or to inform the inspection processes. For example, if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, [0071] “above using NICs to perform packet inspection, other designs can be used. A host with an ordinary “dumb” NIC can perform the inspection techniques described herein with software executing on the host's CPU”)), includes:
 receiving the user traffic generated by a user client when the user client runs applications ([0038] “As noted above, packets sent to and from a corresponding host are provided to the packet analyzer 162 as they transit the NIC. A logical tap 180 ;
 performing a matching between the feature included in the user traffic and various traffic features included in the traffic feature data ([0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, [0051] “those packets can be compared to each other in multiple ways, statistically, without a priori information or patterns to look for in the packets. When the same partitioning, hashing, and counting functions are implemented by each host/NIC”);
 and using the matching traffic feature as the traffic feature corresponding to the user traffic ([0065] “comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified”).

Regarding claim 16, Jain teaches wherein identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server, further includes: determining the application that sends the current network traffic, based on the matching traffic feature ([0065] “comparing statistics of entries with normalized thresholds, using time information to identify large .



Claims 3-5, 11-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Jain in view of  Chai further in view of Seigel as applied to claims 1-2, 6 -8,10, 15-16 above, and further in view of Guo et al. (US 20150081612 herein after Guo).

	Regarding claim 3, 11, Jain teaches the central node server further includes after receiving the traffic feature sent by the traffic identification device ([0070] “collect more traffic information like capture more packets of that type, to have higher confidence if it is anomalous or not. In parallel to rate limiting, traffic can be mirrored or copied, or only packets that are dropped by rate limiting might be copied. Packets matching a pattern can be re-routed to specific end points e.g., traffic scrubbers”, [0036] “Information about packet features identified by the packet analyzer 162 are passed to the overlay interface 163. The overlay interface 163 hooks the host/NIC into the overlay 112.”).
Jain, Chai and Seigel does not teach wherein the feature information further includes a third field for indicating whether the traffic feature is valid,  a valid content updating unit that is configured to set content in the third field to content indicating that the traffic feature is currently valid.
However, Guo teaches wherein the feature information further includes a third field for indicating whether the traffic feature is valid ([0140] “dimensional entries and each two-dimensional entry includes an offset and a character; when a rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to a valid value; and when no rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to an invalid value”), a valid content updating unit that is configured to set content in the third field to content indicating that the traffic feature is currently valid ([0140] “dimensional entries and each two-dimensional entry includes an offset and a character; when a rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to a valid value; and when no rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to an invalid value”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain, Chai, and Seigel to incorporate the teachings of Guo. One of ordinary skill in the art would have been motivated to make this modification in order to increase the performance of system.

an invalid content updating unit that is configured to set the content in the third field to content indicating that the traffic feature is currently invalid.
Chai teaches wherein the central node server further includes after the warning of invalidation of the traffic feature is issued to the management server (col 12 lines 3 -15 “the cloud detection system may send a cloud application detection result to a client, so that both a cloud service provider and a cloud service user can learn cloud application security in time”) .
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Jain to incorporate the teachings of Chai. One of ordinary skill in the art would have been motivated to make this modification in order to ensure up to date information in tables.

Chai and Seigel does not teach an invalid content updating unit that is configured to set the content in the third field to content indicating that the traffic feature is currently invalid.
However, Guo teaches an invalid content updating unit that is configured to set the content in the third field to content indicating that the traffic feature is currently invalid ([0140] “dimensional entries and each two-dimensional entry includes .
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain, Chai, and Seigel to incorporate the teachings of Guo. One of ordinary skill in the art would have been motivated to make this modification in order to increase the performance of system.

Regarding claim 5, 13, Jain teaches wherein the central node server further includes: the timeliness detecting unit then determines the time difference between the time point when the timeliness detection task is performed and the time point recorded in the first field ([0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198. In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data. Periodically, the tables or subsets of the most statistically significant rows therein are provided to the overlay 112 through the overlay agent 118”).
a third field detecting unit that is configured to detect content recorded in the third field, and wherein, if the content recorded in the third field indicates that the traffic feature is currently valid.

However, Guo teaches a third field detecting unit that is configured to detect content recorded in the third field ([0142-143] “The detecting unit 122 includes: a feature table matching unit 1224, configured to match each character at each offset in the packet with the two-dimensional entries in the feature table corresponding to each rule group; if a value of a two-dimensional entry that includes a current offset and a current character is valid”), and wherein, if the content recorded in the third field indicates that the traffic feature is currently valid ([0140] “dimensional entries and each two-dimensional entry includes an offset and a character; when a rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to a valid value; and when no rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry corresponding to the specific offset and the specific character to an invalid value”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain, Chai, Seigel to incorporate the teachings of Guo. One of ordinary skill in the art would have been motivated to make this modification in order to increase the performance of system.
Response to Arguments
Applicant's arguments filed 12/02/2021 have been fully considered but they are not persuasive.

Applicant’s Argument 1
Jain fails to disclose the features "identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server, and reporting a matching traffic feature corresponding to the user traffic to the central node server when identification is successful, wherein the traffic feature data is a combination of an application, the traffic feature corresponding to the application, and a feature identifier corresponding to the traffic feature, the feature identifier uniquely identifies the corresponding traffic feature" as recited in amended claim 1.

Examiner’s Argument 1
Examiner respectfully disagrees with the applicant. Jain teaches identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server (Fig. 11 “388 Signature”,”200”,  “102”, [0069] “where the inspection software/hardware at the hosts 100 and/or their NICs 104 are configured with filters or rate controllers, mitigation actions such as filter rules and signature rules 388 can be sent to inform control traffic or to inform the inspection processes. For example, if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report ,
 and reporting a matching traffic feature corresponding to the user traffic to the central node server when identification is successful (([0065] “comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”),
 wherein the traffic feature data is a combination of an application, the traffic feature corresponding to the application, and a feature identifier corresponding to the traffic feature, the feature identifier uniquely identifies the corresponding traffic feature ([0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, Examiner’s Note: packet feature is analogous to traffic feature, and port number, or port is analogous to feature identifier ).

Applicant’s Argument 2 


Examiner’s Response 2
	Examiner respectfully disagrees with applicant. The combination of Jain in view of Chai further in view of Seigel teaches the features "a second field for recording a warning time interval threshold, the warning time interval threshold is an average time length for an application to trigger the network traffic" as recited in amended claim 1.
	Regarding claims 1, 7, Jain teaches a central node server,
 comprising a system for managing traffic features, wherein the system implements a method for managing traffic features (Fig 4 “host 100”, “Smart NIC”, [0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198”)), and the method includes:
identifying locally received user traffic by a traffic identification device, based on traffic feature data issued by a management server (Fig. 11 “388 Signature”,”200”,  “102”, [0069] “where the inspection software/hardware at the hosts 100 and/or their NICs 104 are configured with filters or rate controllers, mitigation actions such as filter rules and signature rules 388 can be sent to inform control traffic or to inform the inspection processes. For example, if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to ,
 and reporting a matching traffic feature corresponding to the user traffic to the central node server when identification is successful (([0065] “comparing statistics of entries with normalized thresholds, using time information to identify large rates or sudden rate increases, correlating the topmost statistically significant packet features with congestion signals, and so forth. When a key or packet feature is identified as a problem, the mitigation service 276 is notified”, [0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”),
 wherein the traffic feature data is a combination of an application, the traffic feature corresponding to the application, and a feature identifier corresponding to the traffic feature, the feature identifier uniquely identifies the corresponding traffic feature ([0069] “if a packet feature is identified as anomalous, and an unusual port number or large number of unique ports is associated with the packet feature, update rules can be sent to force the packet analyzers 162 to count and possibly report packets having that port number”, Examiner’s Note: packet feature is analogous to traffic feature, and port number, or port is analogous to feature identifier ),
 after receiving a traffic feature sent by a traffic identification device (Fig 4 “packets 106”, “Smart NIC”, Fig 11 “Access router”, “edge router”, [0040] “As packets flow through the NIC”)
 querying feature information associated with the traffic feature ([0030] “Locally derived statistics of packet features are then collectively used to identify 134 the top packet features occurring among participating hosts 100 across the network 102. For a client-server implementation, this may involve collating reports or other indicia of local top-N packet features and identifying the top-K features among the collated data.”)
and updating content in the first field ([0040] “The counting modules identify arbitrary packet features of packets or data at different layers and update statistical data in respective tables 196, 198”);
 performing a timeliness detection task for the traffic feature, and determining a time difference between a time point when the timeliness detection task is performed and the time point recorded in the first field; and if the time difference is greater than the time interval threshold ([0040] “As packets flow through the NIC, statistical summaries of respective features of the packets are accumulated in the tables 196, 198. In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data. Periodically, the tables or subsets of the most statistically significant rows therein are provided to the overlay 112 through the overlay agent 118”), to allow the management server to update traffic feature data ([0053] “pull cached copies of relevant packets or portions thereof (for instance in buffers 184, 186, 188) based on keys in the global top-K data”, [0056] “top-K analyzer 274 executes on the control server 200. The top-K analyzer 274 monitors the global packet feature data in the top-K tables 202. This can include shuffling out entries that fall out of the top-K range”).
Although, Jain teaches wherein the feature information includes at least a first field for recording a time point of latest successful verification of the traffic feature and a second field (Fig. 4 “198”, “196” “statM”, [0040] “In one embodiment, rows with the lowest statistics are removed from the tables periodically or as they go below a threshold rank, count, age since last update, etc. Items in the tables 196, 198 may also be timestamped for computations of rates of packet feature occurrences and for removal of stale data”). Jain does not teach a second field for recording a warning time interval threshold, wherein the warning time interval threshold is an average time length for the application to trigger the network traffic, issuing a warning of invalidation of the traffic feature to a management server.
However, Chai teaches wherein the feature information includes at least a first field for recording a time point of latest successful verification of the traffic feature and a second field for recording a warning time interval threshold (col 16 lines 20-50 “the updating the first characteristic value to a second characteristic value when the to-be-detected cloud application meets a preset characteristic value update condition may include: determining whether a runtime of the to-be-detected cloud application exceeds a preset time, and if the runtime of the to-be-detected cloud application exceeds the preset time, determining that the to-be-detected cloud  issuing a warning of invalidation of the traffic feature to a management server (col 12 lines 3 -15 “the cloud detection system may send a cloud application detection result to a client, so that both a cloud service provider and a cloud service user can learn cloud application security in time”).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Jain to incorporate the teachings of Chai. One of ordinary skill in the art would have been motivated to make this modification in order to ensure up to date information in tables to minimize security vulnerabilities.
Chai does not teach wherein the warning time interval threshold is an average time length for the application to trigger the network traffic.
However, Seigel teaches wherein the warning time interval threshold is an average time length for the application to trigger the network traffic ([0035] “The auditing software 122 may determine that Y hours (where Y>0) is the average time that an alert profile is active and set a next alert profile to expire after Y hours. In some .
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Jain and Chai to incorporate the teachings of Seigel. One of ordinary skill in the art would have been motivated to make this modification in order to allow for a more efficient system.


Examiner’s Response 3
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Jain in view of Chai further in view of Seigel, further in view of Guo, teach the features that "after receiving the traffic feature sent by the traffic identification device, the method further includes: setting content in the third field to content indicating that the traffic feature is currently valid" as recited in claim 3.


Applicant’s Argument 4
The feature "after issuing the warning of invalidation of the traffic feature to the management server" as recited in claim 4. Thus, Guo2 fails to disclose the features that "after issuing the warning of invalidation of the traffic feature to the management server, the method further includes: setting the content in the third field to content indicating that the traffic feature is currently invalid" as recited in claim 4.

Examiner’s Response 4
Examiner respectfully disagrees. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Jain in view of Chai further in view of Seigel, further in view of Guo, teach the features that "after issuing the warning of invalidation of the traffic feature to the management server, the method further includes: setting the content in the third field to content indicating that the traffic feature is currently invalid" as recited in claim 4.
	Chai is relied upon to teach after issuing the warning of invalidation of the traffic feature to the management server (col 12 lines 3 -15 “the cloud detection system may send a cloud application detection result to a client, so that both a cloud service provider and a cloud service user can learn cloud application security in time”) .
	Guo is relied upon to teach setting the content in the third field to content indicating that the traffic feature is currently invalid ([0140] “dimensional entries and each two-dimensional entry includes an offset and a character; when a rule in the rule group has a specific character at a specific offset, set a value of a two-dimensional entry 
The combination of Jain in view of Chai further in view of Seigel, further in view of Guo teaches claim 4.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEITH TRAN-DANH FOLLANSBEE whose telephone number is (571)272-3071. The examiner can normally be reached 10am -6 pm M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Derrick Ferris can be reached on 571-272-3123. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/K.T.F./Examiner, Art Unit 2411              

/DERRICK W FERRIS/Supervisory Patent Examiner, Art Unit 2411