Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1, 2 – 4, 7 – 11, 14 – 18 and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lee et al (US 10284476), hereafter Lee and Gupta (US 10382465), hereafter Gup.
Claim 1: Lee teaches an apparatus comprising: a detection controller to: identify a section of a number of bytes of data in a buffer including a first or second byte of data indicative of a value within a preconfigured range (C1L51-53: signature search module is configured to identify a first subject substring from the stream of network traffic (C4L17) in the form of 4, 8, or 16 byte strings in (C20L41-42) data input FIFO acts as a buffer, (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators);
update a merged list with a chunk of data that includes the section having the first or second byte of data indicative of the value within the preconfigured range; (C8L21-22, 57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators);
and a reoccurrence detector to: concatenate the chunk of data in the merged list into a string to identify a number of occurrences the string matches remaining data in the buffer; (C7L21-23: signature update module receives signature patterns to be added to signature detection engine and (C8L36-38) signature table receives one or more signature patterns and creates a new entry in signature table (i.e., concatenate to list) for each received signature pattern and (C4L60-62) then the signature detection engine examines the inbound substring against the configured substring to see if the inbound substring is actually a match);
and in response to a detection of the number of occurrences exceeding an occurrence threshold, determine that the data includes a malicious data stream. (C18L25-30, C24L1-22: when search block output handler receives read results and finds that one or more of the particular read results are HIGH (indicating that all substring search counters are non-zero)... and proceeds to second stage full string pattern matching, , (C20L28-31) subject data is data that is subjected to inspection, for potentially containing one or more signature patterns);
Lee is silent on the preconfigured range corresponding to a range of values indicative of memory addresses;
But analogous art Gup teaches the preconfigured range corresponding to a range of values indicative of memory addresses; (C2L5-13: capture the thread ID and addresses of the instructions that read or write to memory and the address and range of memory operated upon and use pattern matching and machine learning to isolate from this large amount of ... thread ID and memory operations specific to an application and correlate the relationships between these ... memory accesses).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lee to include the idea of range of memory addresses as taught by Gup thereby improving the efficiency of the instrumentation probing web facing application activities (C12L54-55).
Claim 8: Lee teaches a non-transitory computer readable storage medium comprising instructions that, when executed, cause one or more processors to at least (Figs. 1-19): identify a section of a number of bytes of data in a buffer including a first or second byte of data indicative of a value within a preconfigured range; update a merged list with a chunk of data that includes the section having the first or second byte of data indicative of the value within the preconfigured range; concatenate the chunk of data in the merged list into a string to identify a number of occurrences the string matches remaining data in the buffer; and determine that the data includes a malicious data stream when the number of occurrences exceeds an occurrence threshold. (C1L51-53: signature search module is configured to identify a first subject substring from the stream of network traffic (C4L17) in the form of 4, 8, or 16 byte strings in (C20L41-42) data input FIFO acts as a buffer, (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators; C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators; C7L21-23: signature update module receives signature patterns to be added to signature detection engine and (C8L36-38) signature table receives one or more signature patterns and creates a new entry in signature table (i.e., concatenate to list) for each received signature pattern and (C4L60-62) then the signature detection engine examines the inbound substring against the configured substring to see if the inbound substring is actually a match; C18L25-30, C24L1-22: when search block output handler receives read results and finds that one or more of the particular read results are HIGH (indicating that all substring search counters are non-zero)... and proceeds to second stage full string pattern matching; C16L32-34: determine if that substring indicator counter is less than or equal to a "maximum substring indicator configuration threshold", , (C20L28-31) subject data is data that is subjected to inspection, for potentially containing one or more signature patterns).
Lee is silent on the preconfigured range corresponding to a range of values indicative of memory addresses;
But analogous art Gup teaches the preconfigured range corresponding to a range of values indicative of memory addresses; (C2L5-13: capture the thread ID and addresses of the instructions that read or write to memory and the address and range of memory operated upon and use pattern matching and machine learning to isolate from this large amount of ... thread ID and memory operations specific to an application and correlate the relationships between these ... memory accesses).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lee to include the idea of range of memory addresses as taught by Gup thereby improving the efficiency of the instrumentation probing web facing application activities (C12L54-55).
Claim 15: Lee teaches a method comprising: identifying a section of a number of bytes of data in a buffer including a first or second byte of data indicative of a value within a preconfigured range; updating a merged list with a chunk of data that includes the section having the first or second byte of data indicative of the value within the preconfigured range; concatenating the chunk of data in the merged list into a string to identify a number of occurrences the string matches remaining data in the buffer; and in response to a detection of the number of occurrences exceeding an occurrence threshold, determining that the data includes a malicious data stream. (C1L51-53: signature search module is configured to identify a first subject substring from the stream of network traffic (C4L17) in the form of 4, 8, or 16 byte strings in (C20L41-42) data input FIFO acts as a buffer, (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators; C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators; C7L21-23: signature update module receives signature patterns to be added to signature detection engine and (C8L36-38) signature table receives one or more signature patterns and creates a new entry in signature table (i.e., concatenate to list) for each received signature pattern and (C4L60-62) then the signature detection engine examines the inbound substring against the configured substring to see if the inbound substring is actually a match; C18L25-30, C24L1-22: when search block output handler receives read results and finds that one or more of the particular read results are HIGH (indicating that all substring search counters are non-zero)... and proceeds to second stage full string pattern matching; C16L32-34: determine if that substring indicator counter is less than or equal to a "maximum substring indicator configuration threshold", (C20L28-31) subject data is data that is subjected to inspection, for potentially containing one or more signature patterns).
Lee is silent on the preconfigured range corresponding to a range of values indicative of memory addresses;
But analogous art Gup teaches the preconfigured range corresponding to a range of values indicative of memory addresses; (C2L5-13: capture the thread ID and addresses of the instructions that read or write to memory and the address and range of memory operated upon and use pattern matching and machine learning to isolate from this large amount of ... thread ID and memory operations specific to an application and correlate the relationships between these ... memory accesses).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lee to include the idea of range of memory addresses as taught by Gup thereby improving the efficiency of the instrumentation probing web facing application activities (C12L54-55).
Claim 21: Lee teaches a server to distribute first software on a network, the server comprising: at least one storage device including second instructions; and at least one processor to execute the second instructions to transmit first instructions over the network, the first instructions, when executed, to cause at least one device to (Figs. 1-19): identify an incoming file as a first open data file or a second open data file, the first or second open data file susceptible to manipulation; remove a sledge of data in the incoming file identified as the first or second open data file, the sledge of data corresponding to a sequence of repetitive data; and detect a sequence of the one or more bytes of data [indicative of the memory address] value as a malicious data stream. (C1L51-53: signature search module is configured to identify a first subject substring from the stream of network traffic (C4L17) in the form of 4, 8, or 16 byte strings in (C20L41-42) data input FIFO acts as a buffer, (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators (C3L45-46) to examine source data (a sequence of data bytes from a computer file); C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C12L60-63) where Q is the Qth substring indicator for the masked substring, ranging between 1 and Qmax, the number of bit masks used to build the set of substring indicators; (C4L60-62) the signature detection engine examines the inbound substring against the configured substring to see if the inbound substring is actually a match; C15L47-49: if that substring indicator is later removed, the same counter is decremented; C18L25-30, C24L1-22: when search block output handler receives read results and finds that one or more of the particular read results are HIGH (indicating that all substring search counters are non-zero)... and proceeds to second stage full string pattern matching; C16L32-34: determine if that substring indicator counter is less than or equal to a "maximum substring indicator configuration threshold", (C20L2-5, 28-31) signature masking module deletes the first byte from signature substring and try the substring masking process again using the shortened signature substring… subject data is data that is subjected to inspection, for potentially containing one or more signature patterns).
Lee is silent on analyze remaining data in the incoming file for one or more bytes of data indicative of a memory address value;
But analogous art Gup teaches analyze remaining data in the incoming file for one or more bytes of data indicative of a memory address value;  (C2L5-13: capture the thread ID and addresses of the instructions that read or write to memory and the address and range of memory operated upon and use pattern matching and machine learning to isolate from this large amount of ... thread ID and memory operations specific to an application and correlate the relationships between these ... memory accesses).
Therefore it is prima facie obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Lee to include the idea of range of memory addresses as taught by Gup thereby improving the efficiency of the instrumentation probing web facing application activities (C12L54-55).
Claim 2: the combination of Lee and Gup teaches the apparatus of claim 1, wherein the detection controller is to iterate through the chunk of data in the buffer, the chunk of data corresponding to a number of sections of the number of bytes of data, the detection controller to analyze the number of sections in the chunk of data. (Lee: C20L2-5: signature masking deletes the first byte from signature substring and try the substring masking process again using the shortened signature substring and (C23, 24, Fig. 13) searches for patterns at each clock cycle).
Claim 3: the combination of Lee and Gup teaches the apparatus of claim 1, wherein the detection controller is to: update a suspicious list with the section including the first or second byte of data indicative of the value within the preconfigured range; compare a length of the suspicious list with a threshold length; and in response to the length of the suspicious list exceeding the threshold length: concatenate the chunk of data in the merged list. (Lee: C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C9L11-13) metadata also include a substring length ("SBL") which identifies a length of substring used for substrings partitioned from signature, (C25L14-16) compares the subject substring from match results with the full substring returned in read results with subject substrings and (C22L5-7) data partition receives a new byte from data input queue module, updates the subject substrings).
Claim 4: the combination of Lee and Gup teaches the apparatus of claim I, further including an output generator to terminate an input file when the malicious data stream is detected, the input file including the data in the buffer. (Lee: C4L63-67: upon detecting each substring of a signature, the signature detection engine generate an indication that the particular search pattern has been identified within the network flow, or the signature detection engine is configured to take some action relative to the detection).
Claim 7: the combination of Lee and Gup teaches the apparatus of claim 1, further including a screening controller to determine an input file as susceptible to manipulation, the input file including the number of bytes of data in the buffer. (Lee: C6L59-62: signature detection engine utilized to analyze non-network data, such as a stream of binary data (static data from an electronic file), or for applications involving hierarchical historical data records and (C20L28-31) subject data is data that is subjected to inspection, by signature detection engine for potentially containing one or more signature patterns).
Claim 9: the combination of Lee and Gup teaches the non-transitory computer readable storage medium of claim 8, wherein the instructions, when executed, cause the one or more processors to iterate through the chunk of data in the buffer, the chunk of data corresponding to a number of sections of the number of bytes of data. (Lee: C20L2-5: signature masking deletes the first byte from signature substring and try the substring masking process again using the shortened signature substring and (C23, 24, Fig. 13) searches for patterns at each clock cycle).
Claim 10: the combination of Lee and Gup teaches the non-transitory computer readable storage medium of claim 8, wherein the instructions, when executed, cause the one or more processors to: update a suspicious list with the section including the first or second byte of data indicative of the value within the preconfigured range; compare a length of the suspicious list with a threshold length; and in response to the length of the suspicious list exceeding the threshold length: concatenating the chunk of data in the merged list. (Lee: C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C9L11-13) metadata also include a substring length ("SBL") which identifies a length of substring used for substrings partitioned from signature, (C25L14-16) compares the subject substring from match results with the full substring returned in read results with subject substrings and (C22L5-7) data partition receives a new byte from data input queue module, updates the subject substrings).
Claim 11: the combination of Lee and Gup teaches the non-transitory computer readable storage medium of claim 8, wherein the instructions, when executed, cause the one or more processors to terminate an input file when the malicious data stream is detected, the input file including the data in the buffer. (Lee: C4L63-67: upon detecting each substring of a signature, the signature detection engine generate an indication that the particular search pattern has been identified within the network flow, or the signature detection engine is configured to take some action relative to the detection).
Claim 14: the combination of Lee and Gup teaches the non-transitory computer readable storage medium of claim 8, wherein the instructions, when executed, cause the one or more processors to determine an input file as susceptible to manipulation, the input file including the number of bytes of data in the buffer. (Lee: C6L59-62: signature detection engine utilized to analyze non-network data, such as a stream of binary data (static data from an electronic file), or for applications involving hierarchical historical data records and (C20L28-31) subject data is data that is subjected to inspection, by signature detection engine for potentially containing one or more signature patterns).
Claim 16: the combination of Lee and Gup teaches the method of claim 15, further including iterating through the chunk of data in the buffer, the chunk of data corresponding to a number of sections of the number of bytes of data. (Lee: C20L2-5: signature masking deletes the first byte from signature substring and try the substring masking process again using the shortened signature substring and (C23, 24, Fig. 13) searches for patterns at each clock cycle).
Claim 17: the combination of Lee and Gup teaches the method of claim 15, further including: updating a suspicious list with the section including the first or second byte of data indicative of the value within the preconfigured range; comparing a length of the suspicious list with a threshold length; and in response to the length of the suspicious list exceeding the threshold length: concatenating the chunk of data in the merged list. (Lee: C8L21-22,57-59: signature partition module is configured to receive signature update (C4L17) in the form of 4, 8, or 16 byte strings and prepare the associated original signature string for configuration including all metadata and (C9L11-13) metadata also include a substring length ("SBL") which identifies a length of substring used for substrings partitioned from signature, (C25L14-16) compares the subject substring from match results with the full substring returned in read results with subject substrings and (C22L5-7) data partition receives a new byte from data input queue module, updates the subject substrings).
Claim 18: the combination of Lee and Gup teaches the method of claim 15, further including terminating an input file when the malicious data stream is detected, the input file including the data in the buffer. (Lee: C4L63-67: upon detecting each substring of a signature, the signature detection engine generate an indication that the particular search pattern has been identified within the network flow, or the signature detection engine is configured to take some action relative to the detection).

Allowable Subject Matter
Claims 5, 6, 12, 13, 19 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867. The examiner can normally be reached M-F: 8:30am-5pm (EST). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge L. Ortiz-Criado can be reached on 5712727624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/BADRINARAYANAN /Examiner, Art Unit 2496.