DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office action is in response to the communication filed on 09/16/2019.
Claims 1-20 are pending for consideration.

Claim Rejections - 35 USC § 112The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
	Independent claims 1, 12, and 19 recite limitation “the plurality of conditions” in lines 7 and 10 claim 1, lines 9 and 12 of claim 12, and lines 9 and 12 of claims 19. There is a lack of antecedent basis for the limitation because it was not recited before.	The dependent claims 2-11, 13-18 and 20 are rejected for the same reasons as that of the independent claims since they do not cure the indefiniteness recited in the independent claims.	Claims 3-4, 14-15 recites limitation “the one or more fixed length characters”. The limitation lacks antecedent basis since “one or more fixed length characters” is not recited before.  It is not clear if “one or more fixed length characters” refers to “one or more fixed set of characters” in line 2 of claims 3 and 14 respectively, or something else.	For the purpose of prior art examination, the limitations are interpreted as best understood.	Appropriate corrections are required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-6, 8-12, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bray et al. (US 10990887 B1, hereinafter Bray) in view of Holbrook et al. (US 10778721 B1, hereinafter Holbrook).

	Regarding method 1, Bray teaches a method comprising:
	receiving (col. 5, lines 10-27, send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), by an acceleration device of a host device associated with a data center (Bray fig. 1, element 100; col. 4 lines 6-21, the rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects; col. 3 lines 56-67, col. 4 lines 1-21, the rule evaluation system 100 may be implemented using one or more computing devices, any of which may be implemented by the example computing device 3000 illustrated in FIG. 17, the rule evaluation system 100 may be coupled to a provider network 170, the resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources), said input stream comprising any or a combination of a string or an integer range (col. 2 lines 51-67, a stream of events having field names and field values, the events may represent status updates or changes for resources in a multi-tenant provider network, matches of field values on a token-by-token basis, matches of numeric values and numeric ranges, col. 14, lines 10-33, an event with the same field name 810A but a different value such as “ABC456” or “ABC12” or anything other than the literal string “ABC123” would match the rule pattern 300E);
	matching, by the acceleration device (rule evaluation system 100), the input stream or parts thereof with contents of a hash based lookup table to identify one or more units of the input stream (col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), which satisfy at least one condition of the plurality of conditions for any or a combination of a string match and a range comparison (col. 12 lines 22-38, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens);
	correlating, by the acceleration device (rule evaluation system 100), the one or more identified units based on a set of conditions selected from the plurality of conditions to form at least one set of correlated units (col. 6 lines 46-54, the rule patterns 111A may include rule patterns 300A and 300B through 300N. However, it is contemplated that any suitable number of rule patterns may be stored in the data store 115; col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410. The event 50A may match the rule pattern 300D because the event includes the field name 510C and associated field value 520D described in the rule pattern. In one embodiment, once the name 510C and value 520D are found in the event 50A, the rule evaluation 430 may determine that the rule pattern 300D has been matched by the event. The rule evaluation 430 may determine that the rule pattern 300C is not matched by the event 50A once the names 510A and 510B are not found in the event. If the rule base captures only the rules 300C and 300D, then the rule evaluation 430 may examine the event 50A only for field names 510A, 510B, and 510C and disregard other field names in the event (such as name 510D)), wherein the set of conditions define at least one rule col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410; col. 12, lines 12-38, the finite-state machine may transition between these states when conditions in events match conditions in rule patterns); and
	performing, by the acceleration device (rule evaluation system 100), any or a combination of exact string matching and exact range matching col. 17, lines 10-25, determine which events (if any) match any of the rule patterns, the rule patterns 111A may include rule patterns with numeric values such as rule pattern 300F. Rule pattern 300F may indicate a field name 1010 and a numeric value 1021. For example, the numeric value 1021 may express the integer 1021; col. 20, lines 32-52, the numeric range rule patterns such as patterns 300G in the rule base 1315, maps numeric values to lexically comparable values and generates a set of states and transitions intended to find values matching the specified range, evaluates numeric range rule patterns encoded in the rule base 1315 against the events 50 to determine which events (if any) match any of the rule patterns captured in the rule base, map numeric values in events to lexically comparable values so that comparisons can be made in the same domain. As discussed above, a lexically comparable value may represent a uniform representation of different expressions of the same underlying number).	Although Bray teaches matching a set of conditions and performing, any or a combination of exact string matching and exact range matching, Bray does not explicitly disclose that the matching is based on the at least one set of correlated units and the set of conditions define at least one rule related to any of a network policy definition.	On the other hand, Holbrook teaches the set of conditions define at least one rule related to any of a network policy definition (Holbrook col. 2 lines 5-19, matched rule can result in a decision to permit the forwarding of network data or to deny the forwarding of network data; col. 2 lines 33-55, in response to locating a match in the hardware hash table, are to perform an action on the network data, which is specified by the rule associated with the match. The action can include to permit the network data, deny the network data, set a traffic class for the network data; col. 6 lines 56-67, the forwarding pipeline 300 is configured to forward units of network data that match all conditions in a permit rule).	performing, any or a combination of exact string matching and exact range matching based on the at least one set of correlated units (col. 8, lines 14-28, the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; if the unit of network matches a DENY statement the unit will be dropped. If the unit of network data matches a PERMIT statement, or no port ACL is enabled, the unit of network data is passed to the next block of the pipeline; col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet. Each entry in the bucket is compared against the key and the result is propagated only if the entry matches, otherwise 0 is propagated. The results are ORed together such that there is no implied priority between different entries in a bucket; [Examiner remark: only units that matches the PERMIT statement are sent to the next pipeline, which is further used to match for other rules.  As a result, previous matched units are used to match in the next node of a pipeline]).	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching policy rule’s conditions and using exact string match and exact range matching into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art , such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 5, Bray in view of Holbrook teaches the method of claim 1, wherein the acceleration device generates contents of the hash based lookup table based the one or more conditions of the at least one rule (Bray col. 12, lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens; Bray col. 14, lines 34-58, conditions in events match conditions in rule patterns; Bray col. 8, lines 46-59, the events 50 may describe conditions in the provider network 170, and the rule evaluation system 100 may evaluate a compiled form of the rule patterns 111A against the events to determine which events (if any) describe conditions corresponding to any of the rule patterns 111A).

	Regarding claim 6, Bray in view of Holbrook teaches the method of claim 1 (see discussion above), wherein the input stream pertains to a data stream from a storage interface (Bray, col. 4 lines 62-67 to col. 5 lines 1-9, monitoring the resources in the provider network may include monitoring one or more service logs, monitoring one or more service metrics, and/or monitoring any suitable data streams, the monitoring may compare performance metrics, usage metrics, and/or other suitable data relating to the operation of the resources 171A-171N; see fig. 1).	Bray does not explicitly disclose the following limitation that Holbrook teaches the input stream pertains to a packet stream from a network interface (Holbrook, col. 4 lines 46-62, the network data being communicated by the network element 102 can be a stream of network frames, datagrams or data packets, or other types of discretely switched network data second ref, packet stream; Holbrook, col. 8 lines 14-28, comparison for the unit of network data; Holbrook col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching data using data from packet stream into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help expand the usefulness of Bray’s teaching into additional data sources. In addition, both references teach features that are directed to analogous art, such as, data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 8, Bray in view of Holbrook teaches the method of claim 1. Bray does not explicitly disclose the following limitations that Holbrook teaches:  wherein when the input stream pertains to the integer range, a mask is applied to the input stream to match the input stream or parts thereof with the contents of the hash based lookup table (Holbrook col. 8 lines 41-60, each subsection consists of rules with the same mask, the match criterion for each rule is a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N 0 and 1 bits. A value X matches the rule if (X & M)=(V & M), where “&” is the bitwise “logical and” operator. In one embodiment, the values (X) matched against an ACL are Internet Protocol (IP) v4 or IPv6 addresses, or representations thereof, the (V, M) pairs match subsets of the IPv4 or IPv6 address space; col. 8, lines 61-67, col. 9 lines 1-20, (39) rules in each such subsection are then loaded into one or more hardware hash table(s) 412 that can be referenced to perform lookups of unmasked fields of a network data packet that are associated with the subsection, a TCAM based approach of evaluating ACLs can be replaced by a software/hardware-based approach that includes processing the ACL and performing lookups on the processed ACL using the hash-based ACL lookup offload engine). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches masking of integer range value and matching with a hash-based table into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 9, Bray in view of Holbrook teaches the method of claim 1. Bray does not explicitly disclose the following limitations that Holbrook teaches:  wherein the step of matching is performed in plurality of levels such that each level of the plurality of levels matches a specific length of input stream or part thereof with an entry of the hash based lookup table (Holbrook col. 8 lines 14-28 (35) the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table [Examiner remark: each MAC address is 48 bit in length]. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; Holbrook fig. 3 elements 306, 308). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which matching a specific length of input stream with an entry of a hash-based lookup table into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 10, Bray in view of Holbrook teaches the method of claim 9.  Bray does not explicitly disclose the following limitations that Holbrook teaches: each entry of the hash based lookup table corresponds to a format of the input steam and includes a value of the integer range or the string (Holbrook col. 8 lines 41-60, each subsection consists of rules with the same mask, the match criterion for each rule is a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N 0 and 1 bits. A value X matches the rule if (X & M)=(V & M), where “&” is the bitwise “logical and” operator. In one embodiment, the values (X) matched against an ACL are Internet Protocol (IP) v4 or IPv6 addresses, or representations thereof, the (V, M) pairs match subsets of the IPv4 or IPv6 address space; Holbrook fig. 3 elements 306, 308; col. 8, lines 61-67, col. 9 lines 1-20, (39) rules in each such subsection are then loaded into one or more hardware hash table(s) 412 that can be referenced to perform lookups of unmasked fields of a network data packet that are associated with the subsection, a TCAM based approach of evaluating ACLs can be replaced by a software/hardware-based approach that includes processing the ACL and performing lookups on the processed ACL using the hash-based ACL lookup offload engine; [Examiner remark: the IPv4 and IPv6 have specific formats, the instant specification does not disclose what the format is,  (V&M) is an integer range look up value]). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches each entry of a hash-based lookup table corresponds to format of input data and include an integer range into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 11, Bray in view of Holbrook teaches the method of claim 1, wherein the acceleration device is made available for use by other host devices within the data center to perform on behalf of one or more of the other host devices any or a combination of intrusion prevention pattern matching, firewall policy search pattern matching and pattern matching for applications (Bray, col. 4 lines 6-21, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions, Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A).
	Regarding claims 12 and 19, the claims are rejected for the same reasons as that of claim 1, respectively, because they recite essentially the same limitations as that of claim 1, respectively.	Regarding claims 16-17, the claims are rejected for the same reasons as that of claims 5-6, respectively, because they recite essentially the same limitations as that of claims 5-6, respectively.

	Regarding claim 18, the claim is rejected for the same reasons as that of claim 8, because it recites essentially the same limitations as that of claim 8.
Claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Li; Yan et al. (US 20140133233 A1 hereinafter Li).
	Regarding claim 2, Bray in view of Holbrook teaches the method of claim 1. Bray in view of Holbrook does not explicitly disclose the following limitations that Li teaches:  wherein when a length of said input stream is less than a pre-defined threshold, the input stream is passed through a symbol content address memory to identify the one or more units of the input stream, which satisfy at least one condition (¶116, while the longest length of key/content that can be compared in one plane is 16 KB; ¶118 In a content addressable memory, to retrieve the data, a search key is supplied; all the keys in the memory are searched for a match. If a match is found, the corresponding data is retrieved. This section presents a storage drive using a Flash based NAND array as described in the preceding section as a content addressable memory that is addressed using key-value pairs instead of a logical block address. This drive can provide both Binary and Ternary search capability, meaning that bit patterns in the key can have the values 1 or 0 as well as "don't care" entries. This type of NAND based CAS drive can then be used to replace other implementations of CAM or CAS functionality). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Li, which teaches to pass input stream is passed through a symbol content address memory to identify one or more unites of the input stream when the length of the input stream is less than a pre-defined threshold into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Li’s teaching would help improve performance perform network data filtering. In addition, both references of Li and Holbrook teach features that are directed to analogous art, such as data matching and replacement method for data matching and content addressable memory (Li ¶3, Holbrook col. 9 lines 1-20). This close relation between both references highly suggests an expectation of success when combined.
		Regarding claim 13, the claim is rejected for the same reasons as that of claim 2, because it recites essentially the same limitations as that of claim 2.
Claims 3-4 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Guo; Zhi et al. (US 20150055481 A1, hereinafter Guo).
	Wikipedia, “Bloom filter”, downloaded from the Internet on 05/02/2022, dated 2016, pages 1-14, using URL: http://web.archive.org/web/20160201194147/https://en.wikipedia.org/wiki/Bloom_filter) is used as extrinsic evidence in support of rejection of claim 3.
	Regarding claim 3, Bray in view of Holbrook teaches the method of claim 1 (see discussion above).	Although the combination of Bray in view of Holbrook teaches one or more tokens are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition (Bray col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), the combination does not explicitly disclose wherein when the input stream pertains to the string, the method comprises determining one or more fixed set of characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition.	On the other hand, Guo teaches determining one or more fixed set of characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream (Guo [0075] FIG. 7 illustrates an exemplary implementation of a string-matching module 700 in accordance with an embodiment of the present invention. In the context of the present example, string-matching module 700 can be configured to support different lengths of strings, each of which can have a bloom filter such as 702 and 706, and an exact string matching such as 704 and 708; [Examiner remark: see NPL U, Bloomfilter, Algorithm description section, starting page 2, “There must also be k different hash functions defined, each of which maps or hashes some set element to one of the m array positions with a uniform random distribution.”]).	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 4, Bray in view of Holbrook and Guo teaches the method of claim 3 (see discussion above).	Bray teaches wherein the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner (Bray col. 12 lines 22-38, FIG. 6 illustrates an example of a finite-state machine usable for event-stream matching using compiled rule patterns, a directed graph in which nodes represent finite states and edges represent transitions between those states, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens).	Bray in view of Holbrook does not explicitly disclose the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner to determine the one or more fixed length characters from the string.	On the other hand, Guo teaches determine the one or more fixed length characters from the string (Guo ¶75). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claims 14-15, the claims are rejected for the same reasons as that of claims 3-4, respectively, because they recite essentially the same limitations as that of claims 3-4, respectively.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Brisebois et al. (US 9641555 B1, hereinafter Brisebois).
	Regarding claim 7, Bray in view of Holbrook teaches the method of claim 1.  Bray in view of Holbrook does not explicitly disclose the following limitations that Brisebois teaches wherein the acceleration device transmits the at least one set of correlated units to one or more other host devices of the data center (Brisebois, col. 8 lines 6-50, the business logic security manager 208 can include any system that can implement security and data access policies for data accessed by the collection engine 202. In some embodiments, the business logic security manager 208 may apply the security and data access policies to data before the data is collected; the business logic security manager 208 may apply a set of security and data access policies to any data or metadata provided to the classification system 134 for processing and storage. These security and data access policies can include any policy for regulating the storage and access of data obtained or generated by the data collection system 132. For example, the security and data access policies may identify the users who can access the data provided to the data classification system 134; col. 8 lines 51-59, the data classification system 134 can include a data repository engine; col. 16 lines 48-67, the business logic security manager 208 can filter any data marked for exclusion from storage in the databases 232 at block 310. Further, the business logic security manager 208 and/or the business logic engine 206 can filter out any data to be excluded based on a data access policy, which can be based on any type of factor for excluding data; col. 17 lines 1-11, At block 312, the business logic security manager 208 may classify the collected and/or filtered data. The data may be classified based on, for example, who can access the data, the type of data, the source of the data, or any other factor that can be used to classify data. In some embodiments, the data may be provided to the data classification system 134 for classification). 	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Brisebois, which teaches a logic security manager filtering out data based on data access policy and provide the filtered data to another system for further processing into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Brisebois’ teaching would help efficiency in data matching (col. 1 lines 29-52) and improve data protection (col. 1 lines 56-67, col. 2 lines 1-22). In addition, both references of Brisebois and Bray teach features that are directed to analogous art, such as data matching. This close relation between both references highly suggests an expectation of success when combined.
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Mittal; Anuraag et al. (US 20200177654 A1, hereinafter Mittal).

	Regarding claim 20, Bray in view of Holbrook teaches the non-transitory computer-readable storage medium of claim 19 (see discussion above).	Bray in view of Holbrook does not explicitly disclose the following limitation that Mittal teaches: the NIC is utilized for pattern matching by one or more other of the plurality of network nodes (Mittal fig. 1, elements 104, 108N and 106N.  [Examiner remark: this is consistent with the instant specification fig. 2B where the accelerator device is coupled with a network interface]; ¶34, one service device (104), which may be directly-connected to at least one network element (e.g., 106N); ¶35, , a network element (106A-106N) may be a physical device that includes persistent storage, memory (e.g., random access memory (RAM), shared memory, etc.), one or more computer processors (e.g., integrated circuits) (including a switch chip or network processor), the computer processor(s) may include logical egress and ingress network interfaces that may connect to physical network interfaces on the network element (106A-106N). Further, each physical network interface may or may not be connected to a service device (104); ¶39 a VTEP (108A-108N) may include a directly-connected service device (104); ¶46, a service device (104) may be a physical or virtual computing device that includes functionality to provide a service to one or more hosts (102A-102N). A service device (104) may include at least one or more processors, memory, and two or more physical network interfaces, a service device (104) may include functionality to process network traffic, redirected thereto from various VTEPs (108A-108N), and the specific service thus provided by, the service device (104). Subsequently, a service device (104) may include functionality to filter, mirror, store, forward, drop, transform, and/or perform any other action, or any combination thereof, to redirected network traffic, which is afforded by the configuration and provided service of the service device (104)).	It is obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Mittal, which teaches a network interface device that perform network filtering and forwarding and providing services to a plural of hosts into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Mittal’s teaching would help improving network security (Mittal ¶46) and increase flexibility in system configurations. In addition, both references of Mittal and Bray teach features that are directed to analogous art, such as network data filtering. This close relation between both references highly suggests an expectation of success when combined.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8850060 B1 - provide services to other VEEs running on multiple computer systems arranged in a cluster, the dedicated server-type VEE can intercept or filter a flow of IP packets and check the content of these packets for malicious code or unwanted data.
US 11005950 B1 - if the length of the bit string changes, for example with an increase or a decrease of the number of services represented by the Bloom filter and/or with a desired change of the probability of a false positive indication in the Bloom filter, the multiple hash functions may need to be re-applied to each of one or more inputs.
US 7941605 B1 - CAMs are increasingly being used in packet classification especially because of their performance. A typical implementation performs a lookup operation on a CAM with the CAM result being used as input to a memory, which produces the actual result used in processing a packet.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/V.H.H/
Examiner, Art Unit 2497
/ANDREW J STEINLE/Primary Examiner, Art Unit 2497