DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This action is responsive to the Remark filed on 3/31/22.    
Claims 1, 15 are amended.
Claim(s) 1-16, 18-21 is/are presented for examination.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-10, 13, 15-16 & 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ben-Aroya, U.S. Patent/Pub. No. 2010/0199189 A1 in view of S, U.S. Pat. No. 8,605,629 B1.  
As to claim 1, Ben-Aroya teaches a method, comprising: 
receiving, by a network device of a network, flow-tap content information that identifies content data (Ben-Arova, page 7, paragraph 41; page 8, paragraph 43; i.e., [0041] Referring now to FIG. 5, showing the system when the selected tab of tab list 208 is "content". With the "content" selection, a visual communication such as a fax or web browsing, in this case the fax transmission denoted a 404, is viewed as seen in pane 400 of FIG. 5. The contents are displayed by a viewer which can display the decoded image, the event's information or both. The intercepted images are preferably presented in TIFF format, enabling multiple pages to be wrapped up in a single file; [0043] the video stream can be presented on the content pane. The middle right hand side pane 504 of the screen is dedicated for entering or viewing comments and synopsis, including keywords, of the interaction. The bottom left part of the screen lets the user who reviews a certain interaction to make indications relating to specific interaction, such as priority, language and others, and to order one or more analyses, such as translation, transcription, synopsis and others), wherein 
the content data is to be monitored by a content destination device associated with the law enforcement authority (Ben-Aroya, page 1, paragraph 7; page 3, paragraph 32; i.e., intercept certain communications (equivalent to content information that identifies content to be monitored) and providing them to Law Enforcement); and
generating, by the network device and based on receiving the flow-tap content information, an entry in a flow-tap content filter, and the flow-tap content filter is maintained within a data structure of the network device (Ben-Aroya, page 3, paragraph 34; page 4, paragraph 35; i.e., captured communications complies with an interception criteria such as spotting words (equivalent to filter) and different law enforcement authorities which will be stored in the database for further analyze); 
analyzing, by the network device and using the flow-tap content filter, network traffic of the network to detect a traffic flow that includes the content data (Ben-Aroya, page 1, paragraph 12; page 2, paragraph 13; i.e., communication items comply with the intercept criteria; the traffic flow includes email message, internet browsing session, chat session…); 
generating, by the network device and based on detecting the traffic flow in the network traffic, a traffic flow (Ben-Aroya, page 1, paragraph 4 & 7; i.e., perform interception and monitoring various communications means); and 
 wherein the traffic flow is to be accessible to the content destination device to enable a context analysis of the content data (Ben-Aroya, page 3, paragraph 32; page 4, paragraph 42; i.e., the intercepted communications/traffic based on the IP address, Internet MAC address for analyze, process and can be apply different filtering rules for different fields).  
But Ben-Aroya failed to teach the claim limitation wherein receiving, by a network device of a network and from a mediation device associated with a law enforcement authority, flow-tap content information that identifies content data and flow-tap destination information; the mediation device generates the flow-tap content information based on one or more of: an interaction with an interface of the mediation device, or an investigation report associated with flow tapping; the flow-tap destination information identifies a flow-tap content destination address of the content destination device; generating a traffic flow copy that is associated with the traffic flow; and providing, by the network device and based on the entry, the traffic flow to the flow-tap content destination address of the content destination device; wherein the traffic flow copy is to be accessible; wherein the entry identifies the content data and the flow-tap content destination address of the content destination device.
However, S teaches the limitation wherein receiving, by a network device of a network and from a mediation device associated with a law enforcement authority, flow-tap content information that identifies content data and flow-tap destination information (S, col 4, lines 53-63; i.e., Mediation device 150 may receive provisioning information from law enforcement device 160. The provisioning information may identify one or more subscribers 115 for which to perform lawful interception. Mediation device 150 may send a request to initiate a lawful interception session to network device 140, and may receive information associated with the lawful interception session from network device 140); the mediation device generates the flow-tap content information based on one or more of: an interaction with an interface of the mediation device, or an investigation report associated with flow tapping (S, col 4, lines 53-63; col 7, lines 25-37; i.e., Mediation device 150 may send a request to initiate a lawful interception session to network device 140, and may receive information associated with the lawful interception session from network device 140; In one example, the interface 25
may direct a copy of traffic, provided to or from subscriber 115-1, to mediation device 150); the flow-tap destination information identifies a flow-tap content destination address of the content destination device (S, figure 5-6; col 9, lines 17-36; 45-48 & 59-68; i.e., multicast distribution table 420 may include a multicast (MC) group 20 address field 510, a source address field 520, and a forwarding interface (I/F) field 530. In one example implementation, information 500 may be stored in one or more memories associated with one or more of the example components of device 200 (FIG. 2). Multicast group address field 510 may include entries for multicast group addresses associated with multicast groups provided by provider device 120. The multicast group addresses may include logical identifiers for groups of host devices in a network (e.g., network 100)); generating a traffic flow copy that is associated with the traffic flow (S, figure 7; col 7, lines 48-54; i.e., multicast traffic copy 340, and may forward multicast traffic copy 340 to mediation device 150. Mediation 50 device 150 may forward multicast traffic copy 340 to law enforcement device 160, and law enforcement device 160 may perform further lawful interception processing on multicast traffic copy 340); and providing, by the network device and based on the entry, the traffic flow to the flow-tap content destination address of the content destination device (S, figure 7; col 7, lines 48-54; i.e., S, figure 7; col 7, lines 48-54; i.e., multicast traffic copy 340, and may forward multicast traffic copy 340 to mediation device 150. Mediation 50 device 150 may forward multicast traffic copy 340 to law enforcement device 160, and law enforcement device 160 may perform further lawful interception processing on multicast traffic copy 340); wherein the entry identifies the content data and the flow-tap content destination address of the content destination device (S, figure 5-6; col 9, lines 17-36; 45-48 & 59-68; i.e. multicast distribution table 420 may include a multicast (MC) group 20 address field 510, a source address field 520, and a forwarding interface (I/F) field 530. In one example implementation, information 500 may be stored in one or more memories associated with one or more of the example components of device 200 (FIG. 2). Multicast group address field 510 may include entries for multicast group addresses associated with multicast groups provided by provider device 120. The multicast group addresses may include logical identifiers for groups of host devices in a network (e.g., network 100)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya in view of S so that the system able to forward multicast traffic copy to destination device.  One would be motivated to do so to reduce the requirement of additional filtering to retrieve traffic relevant to the particular subscriber (see S, col 1, lines 53-60).
As to claim 2, Ben-Aroya-S teaches the method as recited in claim 1, wherein receiving the flow-tap content information comprises: 
receiving the flow-tap content information from a mediation device associated with the law enforcement authority (Ben-Aroya, page 1, paragraph 7; page 4, paragraph 35; i.e., mediation component for analyzing all the relevant information of the intercepted communication and the Law Enforcement); and 
verifying, based on an authentication process, that the mediation device is authorized to utilize the flow-tap content filter (Ben-Aroya, page 3, paragraph 34; i.e., different law enforcement authorities (equivalent to verifying authorized device) can apply separate rules to the intercepted communication), 
wherein the network traffic is analyzed based on verifying that the mediation device is authorized to utilize the flow-tap content filter (Ben-Aroya, page 4, paragraph 36; i.e., applying different filtering technique or criteria for the components).  
As to claim 3, Ben-Aroya-S teaches the method as recited in claim 1, wherein the content data is associated with a set of keywords or a set of key phrases that are configured to trigger the content destination device to perform the context analysis (Ben-Aroya, page 3, paragraph 34; i.e., spotting keyword to intercepted the communication).  
As to claim 4, Ben-Aroya-S teaches the method as recited in claim 1, wherein destination information that is associated with a destination that is to receive the content data, wherein the traffic flow is detected based on identifying that the traffic flow is to be forwarded to the destination (Ben-Aroya, page 4, paragraph 34; i.e., monitoring the communication based on the IP address MAC address or the spotting word which related to the communication).  
As to claim 5, Ben-Aroya-S teaches the method as recited in claim 1, wherein source information that is associated with a source that is to provide the content data, wherein the traffic flow is detected based on identifying that the traffic flow is associated with the source (Ben-Aroya, page 4, paragraph 35; i.e., monitoring the communication based on the IP address MAC address or the spotting word which related to the communication).  
As to claim 6, Ben-Aroya-S teaches the method as recited in claim 1, wherein determining a protocol associated with the content destination device receiving the traffic flow copy (Ben-Aroya, page 3, paragraph 32; page 4, paragraph 36; i.e., communication protocol for the intercepted communication (which inherently between source and destination)).
providing, according to the protocol, the traffic flow to the corresponding flow-tap content destination address (Ben-Aroya, page 3, paragraph 32; page 4, paragraph 36; i.e., communication protocol for the intercepted communication (which inherently between source and destination))
But Ben-Aroya failed to teach the claim limitation wherein providing, the traffic flow copy to the flow-tap content destination.  
However, S teaches the limitation wherein providing, the traffic flow copy to the flow-tap content destination (S, figure 7; col 7, lines 48-54; i.e., S, figure 7; col 7, lines 48-54; i.e., multicast traffic copy 340, and may forward multicast traffic copy 340 to mediation device 150. Mediation 50 device 150 may forward multicast traffic copy 340 to law enforcement device 160, and law enforcement device 160 may perform further lawful interception processing on multicast traffic copy 340).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya in view of S so that the system able to copy the threat traffic for analyzing.  One would be motivated to do so to prevent or mitigate damage and bottlenecks of the system (see S, page 1, paragraph 10).
As to claim 7, Ben-Aroya-S teaches the method as recited in claim 1, wherein forwarding, and without indicating to a traffic flow destination that the traffic flow copy has been generated, the traffic flow to the traffic flow destination (Ben-Aroya, page 4, paragraph 36; i.e., communication between devices (equivalent to source and destination)).  
As to claim 9, Ben-Aroya-S teaches the network device as recited in claim 8, wherein the one or more processors, prior to monitoring the network traffic, are to: 
verify, based on credentials of the mediation device, that the mediation device is an authorized device (Ben-Aroya, page 3, paragraph 34; i.e., different law enforcement authorities (equivalent to verifying authorized device) can apply separate rules to the intercepted communication), 
wherein the network traffic is monitored based on verifying that the mediation device is an authorized device (Ben-Aroya, page 4, paragraph 36; i.e., applying different filtering technique or criteria for the components).  
As to claim 10, Ben-Aroya-S teaches the network device as recited in claim 8, wherein the one or more processors are further to: 
prior to monitoring the network traffic, identify, from the flow-tap content information, the traffic flow destination or a traffic flow source associated with the traffic flow (Ben-Aroya, page 1, paragraph 7; i.e., define the communication to be intercepted), 
wherein the traffic flow is identified based on the traffic flow being associated with the at least one of the traffic flow destination or the traffic flow source (Ben-Aroya, page 3, paragraph 34; i.e., identified the communication based the IP address, MAC address…).  
As to claim 13, Ben-Aroya-S teaches the network device as recited in claim 8, wherein the one or more processors, prior to generating the traffic flow copy, are to: 
notify the content destination device that the traffic flow was identified based on the content data (Ben-Aroya, page 4, paragraph 36; i.e., notification concern the intercepted communication); and 
receive, from the content destination device, a tap authorization to provide the traffic flow copy (Ben-Aroya, page 3, paragraph 32; i.e., forwarding the intercepted communication to the law enforcement (equivalent to authorized device)), 
wherein the traffic flow copy is provided based on receiving the tap authorization (Ben-Aroya, page 3, paragraph 32; i.e., ., forwarding the intercepted communication to the law enforcement (equivalent to authorized device)).  
As to claim 16, Ben-Aroya-S teaches the non-transitory computer-readable medium as recited in claim 15, wherein the traffic flow is associated with at least one of: 
a particular source, of the traffic flow, that is identified in the entry, or 
a particular destination, of the traffic flow, that is identified in the entry (Ben-Aroya, page 3, paragraph 34; page 4, paragraph 35; i.e., captured communications complies with an interception criteria such as spotting words (equivalent to entry) and different law enforcement authorities (equivalent to entry)).  
As to claim 19, Ben-Aroya-S teaches the non-transitory computer-readable medium as recited in claim 15, wherein the one or more instructions, that cause the one or more processors to provide the traffic flow copy of the traffic flow to the content destination device, cause the one or more processors to: 
configure the traffic flow copy for the transmission to the corresponding flow-tap content destination address based on a communication protocol of the content destination device (Ben-Aroya, page 1, paragraph 7; i.e., define the communication to be intercepted); and 
provide the traffic flow copy to the content destination device according to the communication protocol of the content destination device source (Ben-Aroya, page 3, paragraph 34; i.e., identified the communication based the IP address, MAC address…).  
As to claim 20, Ben-Aroya-S teaches the non-transitory computer-readable medium as recited in claim 15, wherein transmit, and without indicating to the traffic flow destination that the traffic flow copy was generated, the traffic flow to the traffic flow destination (Ben-Aroya, page 4, paragraph 35; i.e., monitoring the communication based on the IP address MAC address or the spotting word, which related to the communication).

Claim(s) 8 & 15 are directed to a device & non-transitory computer readable medium claims and they do not teach or further define over the limitations recited in claim(s) 1.  Therefore, claim(s) 8 & 15 are also rejected for similar reasons set forth in claim(s) 1.
Claim(s) 21 is/are directed to a device & non-transitory computer readable medium claims and they do not teach or further define over the limitations recited in claim(s) 2.  Therefore, claim(s) 21 is/are also rejected for similar reasons set forth in claim(s) 2.


Claim(s) 11-12, 14 & 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ben-Aroya, U.S. Patent/Pub. No. 2010/0199189 A1 in view of S, U.S. Patent/Pub. No. 2007/0157306 A1, and further in view of Keppel, U.S. Pub. No. 2017/0187587 A1.
As to claim 11, Ben-Aroya-S teaches the network device as recited in claim 8, wherein the one or more processors, when processing the traffic flow, are to: 
generate routing data for the transmission of the traffic flow to the traffic flow destination (Ben-Aroya, page 3, paragraph 34; i.e., transfer the intercepted communication to the backend of the relevant authority), 
wherein the traffic flow destination is associated with a destination address identified in the traffic flow (Ben-Aroya, page 3, paragraph 34; i.e., identify the IP address, MAC address (equivalent to destination address) for the communication (equivalent to traffic flow)).  
But Ben-Aroya-S failed to teach the claim limitation wherein extract payload data of the traffic flow based on a structure of the traffic flow, wherein the traffic flow copy is generated to include the payload data, and wherein the content data is a subset of the payload data.
However, Keppel teaches the limitation wherein extract payload data of the traffic flow based on a structure of the traffic flow, wherein the traffic flow copy is generated to include the payload data (Keppel, page 8, paragraph 73; i.e., extract data from the payload from the trace data), and wherein the content data is a subset of the payload data (Keppel, page 7, paragraph 66; i.e., a header portion, trace portion and payload portion of the network package).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya-S in view of Keppel so that the system able to extract the data for further consideration.  One would be motivated to do so to improve the performance for the system (see Keppel, page 1, paragraph 3).
As to claim 12, Ben-Aroya-S-Keppel teaches the network device as recited in claim 11.  But Ben-Aroya-S failed to teach the claim limitation wherein the payload data is extracted from a set of traffic of the traffic flow, wherein the set of traffic is associated with traffic that is received during a threshold time period after the content data is identified.  
However, Keppel teaches the limitation wherein the payload data is extracted from a set of traffic of the traffic flow, wherein the set of traffic is associated with traffic that is received during a threshold time period after the content data is identified (Keppel, page 5, paragraph 48; page 8, paragraph 73; i.e., extract the trace data or payload; determine the network packets in a predetermined threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya-S in view of Keppel so that the system able to extract the data for further consideration.  One would be motivated to do so to improve the performance for the system (see Keppel, page 1, paragraph 3).
As to claim 14, Ben-Aroya-S teaches the network device as recited in claim 13.  But Ben-Aroya-S failed to teach the claim limitation wherein provide the traffic flow to the traffic flow destination without notifying the traffic flow destination that the traffic flow copy was generated.  
However, Keppel teaches the limitation wherein provide the traffic flow to the traffic flow destination without notifying the traffic flow destination that the traffic flow copy was generated (Keppel, page 2, paragraph 20-21; i.e., forwarded the network traffic or packet flow to the target endpoint node).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya-S in view of Keppel so that the system able to extract the data for further consideration.  One would be motivated to do so to improve the performance for the system (see Keppel, page 1, paragraph 3).
As to claim 18, Ben-Aroya-S teaches the non-transitory computer-readable medium as recited in claim 17.  But Ben-Aroya-S failed to teach the claim limitation wherein the traffic flow is associated with a time period that follows a detection of the content data.  
However, Keppel teaches the limitation wherein the traffic flow is associated with a time period that follows a detection of the content data (Keppel, page 5, paragraph 48; i.e., determine the network packets in a predetermined threshold).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Ben-Aroya-S in view of Keppel so that the system able to extract the data for further consideration.  One would be motivated to do so to improve the performance for the system (see Keppel, page 1, paragraph 3).

Response to Arguments
Applicant’s argument(s) filed 3/31/22 have been fully considered but they are not persuasive.  Applicant argues in substance that:  A) with respect to claims 1, 8, 15 & 21; Ben-Aroya in view of S does not teach the claimed limitation of “the mediation device generates the flow-tap content information based on one or more of: an interaction with an interface of the mediation device, or an investigation report associated with flow tapping” (page 12-13).

In response to A); S does teach the claimed limitation of “the mediation device generates the flow-tap content information based on one or more of: an interaction with an interface of the mediation device, or an investigation report associated with flow tapping” (S, col 4, lines 53-63; col 7, lines 25-37; i.e., Mediation device 150 may send a request to initiate a lawful interception session to network device 140, and may receive information associated with the lawful interception session from network device 140; In one example, the interface 25
may direct a copy of traffic, provided to or from subscriber 115-1, to mediation device 150).  Clearly, receiving the information from the subscriber of network device is equivalent to the mediation device  Therefore, Ben-Aroya in view of S meets the claim limitation.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Listing of Relevant Arts
Thesayi, U.S. Patent/Pub. No. US 8537818 B1 discloses communicate with the mediation device.
Shribman, U.S. Patent/Pub. No. US 20220103525 A1 discloses communicate with the mediation device through a transmission path.

Contact Information
The present application is being examined under the pre-AIA  first to invent provisions. 
THUONG NGUYEN whose telephone number is (571)272-3864.  The examiner can normally be reached on Monday-Friday 9:00-6:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 571-272-7304.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THUONG NGUYEN/Primary Examiner, Art Unit 2449