DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a Non-Final Office Action in response to communication filed on  03/18/2019 and 05/17/2019. Claims 1-15 and 17-18 are pending.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55. The certified copy has been filed in this application 16/331587 on 03/08/2019. 
Applicant cannot rely upon the certified copy of the foreign priority application or the Patent to overcome the rejections below, because a certified translation of said application has not been made of record in accordance with 37 CFR 1.55. See MPEP §§ 2304.01(c), 215 and 216. A certified translation of every foreign benefit application not filed in English is required. See 35 U.S.C. 119(b)(3)  and 372(b)(3)  and 37 CFR 1.55(a)(4). The applicant should provide the required translation if applicant wants the application to be accorded benefit of the non-English language application. Any showing of priority that relies on a non-English language application is prima facie insufficient if no certified translation of the application is on file. See 37 CFR 41.154(b) and 41.202(e).

Information Disclosure Statement
The information disclosure statement filed 03/08/2019 fails to comply with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 because: It fails to comply with 37 CFR 1.98(a)(2), which requires a legible copy of each cited foreign patent document; each non-patent literature publication or that portion which caused it to be listed; and all other information or that portion which caused it to be listed.  It has been placed in the application file, but the information referred to therein has not been considered. The IDS also fails to comply with 37 CFR 1.98(a)(3)(i) because it does not include a concise explanation of the relevance, as it is presently understood by the individual designated in 37 CFR 1.56(c) most knowledgeable about the content of the information, of each reference listed that is not in the English language.  It has been placed in the application file, but the information referred to therein has not been considered.
Therefore, the IDS has been placed in the application file, but the information referred to therein has not been considered as to the merits.  Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining compliance with the requirements based on the time of filing the statement, including all certification requirements for statements under 37 CFR 1.97(e).  See MPEP § 609.05(a)
Specification
The disclosure is objected to because it contains an embedded hyperlink and/or other form of browser-executable code on page 17. Applicant is required to delete the embedded hyperlink and/or other form of browser-executable code; references to websites should be limited to the top-level domain name without any prefix such as http:// or other browser-executable code. See MPEP § 608.01.

Claim Objections
Claims 1, 2, 10, 15 and 17 are objected to because of the following informalities: 
“ Calculating to a strong hash state “ in 1.3), 15.3) and 17.3) should read “ Calculating a strong hash state “
“saving the updated calculation context, the interval index” in 1.4), 15.4) and 17.4). should read “saving the updated calculation context in the interval index”
“splicing hash values therein and outputting thereof ” in 1.5), 15.5) and 17.5). should specify what is being referred by therein and thereof.
Claim 2 uses the acronym SFH. The acronym should be spelled out.
Claim 10 uses the terms MS Word, MS Power Point and PDF, which are  trade names or a mark used in commerce. The term should be accompanied by the generic terminology; include a proper symbol indicating use in commerce such as ™, SM , or ® following the term.
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitations are: “ a summary list storage module configured to generate” , “ a packet parsing module configured to parse”, “ a summary generating module configured to generate ”  and “a summary matching module configured to match “ in claim 17.
A review of the specification shows that the following appears to be the corresponding structure described in the specification for the 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph limitation: The specification describes:
 The summary generation module in Page 4, steps 1-5, which provides the algorithm used in the summary generation module.
The summary list storage module in Page 7, lines 7-10, “ a summary list storage module configured to generate a hash value for each file in a target file set to be matched based on the summary generation method, and to store the hash value in a summary list” , which used the algorithm of the summary generation module above and stores the results.  which provides sufficient description of the algorithm used in the summary list storage module.
The summary matching module In page 16, lines 19-23, “Equation 6 is used to calculate the edit distance between the two (LE stands for Levenshtein distance), and finally use Equation 7 to evaluate the similarity of the two using a score of 0~100. The higher the score, the more similar, and the 100 represents complete similarity. Multiple summaries in the target file set to be matched can be compared one by one, or by establishing an index to increase matching speed.” which provides sufficient description of the algorithm used in the summary matching module.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-15 and 17-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim limitations  “ a packet parsing module configured to parse” in claim 17  invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is devoid of adequate structure to perform the claimed function. 
The specification states in Page 10, lines 16-21, “The packet parsing module performs link restoration, protocol parsing, and decompression on the network packet to be detected captured from the network traffic. A specific file format can be identified by a URL, network protocol information (such as an HTTP header) or a file header signature, or any protocol payload in the network can be treated as a file to be detected. Specifically, the file to be detected is selected according to different application scenarios:” which does not sufficiently describe the packet parsing module. 
Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

The terms “weak hash state”, “weak hash value” and “strong hash state” in claims 1, 15 and 17 are relative terms which renders the claim indefinite. The terms are not defined by the claims, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. 
Claim 1, 15 and 17 recites the limitation " the partial strong hash value" in 1. 3), 15.3) and 17.3) respectively.  There is insufficient antecedent basis for these limitations in the claims.
Claim 5 recites the limitation “ the calculation context p and its right neighbor n “ in 5. 4-1). There is insufficient antecedent basis for this limitation in the claim.
Claim 7 recites the limitations " the summary generated" in the preamble .  There is insufficient antecedent basis for this limitation in the claim.
Claim 17 recites the limitations " the summary generation method" in the preamble .  There is insufficient antecedent basis for this limitation in the claim.
Claims 2-14 and 18 are rejected because of their dependency on claims 1 and 17 respectively.
The claims are generally narrative and indefinite, failing to conform with current U.S. practice.  They appear to be a literal translation into English from a foreign document and are replete with grammatical and idiomatic errors.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 and 5 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Zheng et. al. ( CN 106407400 A, published on 02/15/2017), hereinafter Zheng .
Applicant cannot rely upon the certified copy of the foreign priority application to overcome this rejection because a translation of said application has not been made of record in accordance with 37 CFR 1.55. See MPEP §§ 215 and 216.

Regarding claim 1,  Zheng discloses A method for generating a summary, comprising (Page 3, line5 A real-time digest generation method for streaming data, comprising): 
1) searching an interval index in a calculation handle to find a calculation context in a left neighbor of an input data block; and if the data block has no left neighbor, initializing a new calculation context (Page 3, lines 5-8, Updating the calculation context of the left side of each data block of the stream input, if the data block is not left adjacent, it is used as the initial calculation context, and the updated calculation context is saved to the interval index); 
2) retaining first w-1 bytes of the input data block into a buffer in the calculation context, resetting a weak hash state and a strong hash state, and calculating a weak hash value for each byte of the input data block from the weak hash state and updating the strong hash state, wherein w is a sliding window value of a weak hash function (Page 3, lines 15 -19, the step of updating the calculation context of the left side of each data block of the stream input in step 1) comprises: to keep the preceding w-1 bytes of the data block into the buffer, where w is the sliding window value of the weak hash function (which can be set to 1 byte or more), and the start position of the data block is S;); 
3) finding a reset point when the calculated weak hash value satisfies a slicing condition; if a first reset point is found in the calculation context, saving the strong hash state to the partial strong hash value (Page 3, lines 21-26, When the calculated weak hash value satisfies the slice condition in step 1-2), the reset point is found, I. If it is the first reset point in the context, then the part between s and the reset point is called the left truncated data, and its strong hash value is calculated, denoted as the partial strong hash value pshv), resetting the strong hash state; if it is not the first reset point, calculating a strong hash value of a slice divided by two reset points, until end of slicing (Page 3, lines 27-19, If it is not the first one, the new division is divided into a slice, denoted as a strong hash of the slice; Iii. Update s for the next byte after the end of the slice); calculating to a strong hash state of the data between a last reset point and an end position of the input data block, completing updating of the calculation context (Page 4, lines 1-3, When all the data blocks in the input data are finished, the data between the last reset point and the end of the data block is called the right truncated data. The strong hash value of the part is called the strong hash state. For shs); 
4) saving the updated calculation context the interval index, find the computation context of already entered data in the interval index, and merging adjacent calculation contexts (Page 3, lines 8-10, updated calculation context is saved to the interval index; 2)In the interval index to find the input data has been calculated in the context of the adjacent computing context to merge); and 
5) traversing the interval index, splicing hash values therein and outputting thereof (Page 3, line 11, Traverse the interval index, the summary value of which will be spliced and output.).


Regarding claim 5, Zheng  discloses the method of claim 1, Zheng further discloses wherein the step of merging adjacent calculation contexts in step 4) comprises ( Page 9, lines 22-23, the method of combining two adjacent calculation contexts in step 2) comprises the steps of:): 
4-1) updating w-1 bytes of the calculation context p and its right neighbor n stored in the buffer ( Page 9, line 24 - 25, performing an update operation on the w-1 bytes of the calculation context p and its right neighbor n stored in the buffer;);
 4-2) calculating a matrix product of a strong hash state value shs of p and part of a strong hash value pshv of n ( Page 9, lines 26 -27, Calculate the matrix product of the partial strong hash value pshv of the strong hash state values shs and n of p;);  
Page 4 4-3) if p does not include a reset point, updating the status strong hash value shs of p using the matrix product; otherwise, updating part of the status strong hash state value pshv of n using the matrix product (Page 9, lines 28-30, if p does not contain a reset point in p, the strong hash state value shs of p is updated with the matrix product, otherwise the partial strong hash state value pshv of n is updated with that product;); and
 4-4) splicing the strong hash values of p and n updated in step 4-3) (Page 9, line 31, Use matrix multiplication to join the strong hash of p and n after step c).).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Applicant cannot rely upon the certified copy of the foreign priority application to overcome this rejection because a translation of said application has not been made of record in accordance with 37 CFR 1.55. See MPEP §§ 215 and 216.
Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Jain et. al. (U.S Patent Application Publication No. 20160191530 A1), hereinafter Jain.

Regarding claim 7, Zhang discloses the method of claim 1. Zhang fails to disclose the method of detecting network traffic based on the summary generated. However, Jain teaches a method for detecting network traffic based on the summary generated, comprising: 
2-1) generating, in each of target file sets to be matched, a hash value based on the summary generating method of claim 1, and storing the hash value as a summary list of the target file set to be matched (Par. [0028], As such, in the illustrative embodiment, the access control database 308 includes a reference hash 320 for each access control rule. Further, although the hash of the masked n-tuple may be generated (by the hash generation module 314) based on any suitable hash algorithm, it should be appreciated that the hash is generated based on the same hash algorithm and that used to generate the corresponding reference hash 320. ); 
2-2) generating a hash value based on the summary generating method for the to-be-detected network packet (Par. [0038], In block 520, the computing device 100 generates a hash of the masked n-tuple. As discussed above, it should be appreciated that the computing device 100 utilizes the same hash algorithm/function as that used to generate the corresponding reference hash 320 for the selected access control rule.) parsed from the network traffic (Par. [0034], In block 504, the computing device 100 parses the received network packet. In doing so, in block 506, the computing device 100 identifies an n-tuple of the header of the network packet for access control.); and
 2-3) matching the hash value generated in step 2) with the hash value in the summary list to complete detection of network traffic (Par. [0039], In block 528, the computing device 100 compares the retrieved reference hash 320 to the generated hash of the n-tuple. In block 530, the computing device 100 determines whether there is a probabilistic match between the rule and the packet. If so, in block 532, the computing device 100 performs one or more access control actions in some embodiments.).
Zhang and Jain are analogous references to the claimed invention since both relate to detecting network traffic. Zhang discloses , on Page 2, lines 29-32, “This method is suitable for detecting files from network traffic …”. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhang using the network traffic detection method taught by Jain since the summary generation method by Zhang is intended to be used in application related to network traffic detection.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Jain and further in view of Vincent et. al. (U.S Patent No. US 10515214 B1), hereinafter Vincent.

Regarding claim 8,  The combination of Zhang and Jain teaches the method of claim 7. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to a virus detection scenario.
However,  Vincent teaches  wherein in a virus detection scenario (Col. 3, lines 35-36, Techniques for malware detection using intelligent static analysis and dynamic analysis are described herein.), a file to-be- detected is based on a transmission protocol, or is an email attachment, or is downloaded by HTTP (Col. 12, lines 47-50, Object capturing logic 201 is to fetch or capture a specimen from a content source. The specimen can be Web content, email attachment, or manually submitted content for malware detection), where the target file set to be matched is a sample of known viruses or a Trojan file ((Col. 12, lines 66-67) - (Col. 13, lines 1-3) According to one embodiment, identifier matching logic 203 is to match the identifying information of the specimen with a list of identifiers identifying a set of known malware (e.g., black list) and a set of known non-malware (e.g., white list)).  
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of virus detection taught by Vincent so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Jain and further in view of Alagar et al (U.S Patent Application Publication No. 20200186548 A1), hereinafter Alagar.

Regarding claim 9,  The combination of Zhang and Jain  teaches the method of claim 7. The combination teaches a method of generating a summary of network data. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to  intrusion detection scenario.
However,  Alagar teaches wherein in an intrusion detection scenario (Par. [0015], FIG. 1 is an example of an intrusion detection system configured to detect attacks (e.g. intrusions) in a network.), a control command or a script carried in a protocol including Telnet or FTP is used as a file to be detected ( Par. [0028], In this example, each field value 302 is a variant of a command DELETE FROM USERS. Because existing approaches rely on looking for exact matches to previously seen attacks, these approaches are unable to detect an attack that uses a variant of a previous attacks such as the examples shown in FIG. 3. In contrast, the intrusion detection system 100 is able to detect new attacks, previously seen attacks, and variants of previously seen attacks.), wherein the target file set to be matched is known control commands or scripts ( Par. [0030], In this example, the attack vector array 136 comprises flag bits 402 corresponding with an SQL injection attack type, a command injection attack type, and a cross site scripting attack type. In other examples, the attack vector array 136 may comprise flag bits 402 corresponding with any other suitable attack types. ) (Par. [0031], The intrusion analyzer engine 116 is configured to determine whether the attack vector array 136 comprises any set flag bits 402 and to trigger an event 137 (e.g. an alert or instructions) in response to determining that at least one flag bit 402 is set in the attack vector array 136.).  
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of intrusion detection taught by Alagar so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claims 10 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Kojima (U.S Patent Application Publication No. 20060288206 A1), hereinafter Kojima.

Regarding claim 10 The combination of Zhang and Jain  teaches the method of claim 7. The combination teaches a method of generating a summary of network data. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to a data leakage prevention scenario.
However,  Kojima teaches wherein in a data leakage prevention scenario, a format document including MS Word or MS Power Point or PDF is identified by a feature code of a file header, and is treated as a file is detected ( Par. [0122], A key ID identifying a private key and an encrypted common key data are extracted from the header of the data file, as shown in FIG. 14A.), wherein the set of target files to be matched is a document valuable to a user (Par. [0124], In step S605, the hash values determined in step S604 are compared with the key ID extracted from the header of the data file to detect a private key corresponding to the key ID.).  
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of data leakage prevention taught by Kojima so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claims 11 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Combaz (U.S Patent Application Publication No. 20080027895 A1), hereinafter Combaz.

Regarding claim 11 The combination of Zhang and Jain  teaches the method of claim 7. The combination teaches a method of generating a summary of network data. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to a data leakage prevention scenario.
However,  Combaz teaches wherein in a network content review scenario (Par. [0052], While other tools used to explore the Web or electronic documents remain mostly idle during the time it takes the user to read or view the documents, the present invention is constantly working (using multi-threaded processes) on analyzing the current document, to recognize, understand or infer as much information as possible in it.), the data of the specific site based on a URL is selected as a file to be detected, or the file to be detected is identified according to the file feature (Par. [0052], This semantic information will be compiled and added to the user's Web Memory, using the URL as unique ID. Each time the user grabs data from this URL and when a scraper is created (automatically or manually) and used on this URL, the scraping information will also be saved and linked to the URL.), wherein the target to be matched is not needed, wherein a collection of files record user access behavior (Par. [0052], Statistics on the user's behavior (number of visits, time spent . . . ) will also be linked to the URL, allowing to infer information on the user and his/her fields of interest and expertise.).  
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of network content review taught by Combaz so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claims 12 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Hogg et al (U.S Patent Application Publication No. US 20190236661 A1), hereinafter Hogg.

Regarding claim 12 The combination of Zhang and Jain  teaches the method of claim 7. The combination teaches a method of generating a summary of network data. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to a digital forensics’ scenario.
However,  Hogg teaches wherein in a digital forensics scenario (Par. [0055], In some embodiments, the external capabilities 110 include capabilities that an enterprise or individual may wish to consume in the event of compromised computer systems (e.g., digital forensic and/or incident response services).), on the basis of identifying types of documents through feature codes of file headers, the image and the video are identified by extending the feature codes or relying on information in HTTP headers as a file to be detected (Par. [0055], a tool that operates upon digital images of computers to perform forensic functions typically performed upon file systems of compromised computers (e.g., identify every file that was deleted, identify every removable device that was connected to the computer, identify all information about all remote desktop connections to this computer, and the like)), wherein the target document collection to be matched is digital files held by law enforcement agencies (Par. [0055], a tool that operates against a file system of a computer to identify files that match certain patterns, defined, for example by regular expressions, which are defined by the user (i.e. law enforcement agencies), where the patterns indicate compromise of the system,).  
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of digital forensics taught by Hogg so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claims 13 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Schmelzer et al (U.S Patent No. US 7707088 B2), hereinafter Schmelzer.

Regarding claim 13 The combination of Zhang and Jain  teaches the method of claim 7. The combination teaches a method of generating a summary of network data. The combination teaches a method of generating a summary of network data and using the summary to detect network traffic. The combination does not explicitly teach applying the method to a digital copyright protection scenario.
However,  Schmelzer teaches wherein in a digital copyright protection scenario (Col. 4, lines 21-26,  FIG. 1 generally illustrates a copyright protection system ("CPS") 100 according to a first embodiment for monitoring a network segment 102 bearing at least one packet-based digital signal in accordance with one aspect of the CPS 100.), the multimedia data or the software installation package transmitted by a transmission protocol is used as the file to be detected (Col. 5, lines 4-6,, Preferably, a fingerprint is generated for the frame by the media analysis system 126 to aid in identifying the content of the frame. ), wherein the target file set to be matched is copyrighted data (Col. 5, lines 6-8, A generated fingerprint may then be compared with an archive of fingerprints for registered copyrighted works.).
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Jain in claim 7, by incorporating the well-known method of digital copyright protection taught by Schmelzer so that the summary generation and network traffic detection methods taught by Zhang and Jain can be applied to solving real-world problems (Zhang ,  Page 2, lines 29-32, “ This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on.”.).

Claims 15 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Brandeburg et. al. (U.S Patent Application Publication No. 20160191678 A1), hereinafter Brandeburg.

Regarding claim 15, Zhang discloses the steps of generating a summary:
1) searching an interval index in a calculation handle to find a calculation context in a left neighbor of an input data block; and if the data block has no left neighbor, initializing a new calculation context (Page 3, lines 5-8, Updating the calculation context of the left side of each data block of the stream input, if the data block is not left adjacent, it is used as the initial calculation context, and the updated calculation context is saved to the interval index); 
2) retaining first w-1 bytes of the input data block into a buffer in the calculation context, resetting a weak hash state and a strong hash state, and calculating a weak hash value for each byte of the input data block from the weak hash state and updating the strong hash state, wherein w is a sliding window value of a weak hash function (Page 3, lines 15 -19, the step of updating the calculation context of the left side of each data block of the stream input in step 1) comprises: to keep the preceding w-1 bytes of the data block into the buffer, where w is the sliding window value of the weak hash function (which can be set to 1 byte or more), and the start position of the data block is S;); 
3) finding a reset point when the calculated weak hash value satisfies a slicing condition; if a first reset point is found in the calculation context, saving the strong hash state to the partial strong hash value (Page 3, lines 21-26, When the calculated weak hash value satisfies the slice condition in step 1-2), the reset point is found, I. If it is the first reset point in the context, then the part between s and the reset point is called the left truncated data, and its strong hash value is calculated, denoted as the partial strong hash value pshv), resetting the strong hash state; if it is not the first reset point, calculating a strong hash value of a slice divided by two reset points, until end of slicing (Page 3, lines 27-19, If it is not the first one, the new division is divided into a slice, denoted as a strong hash of the slice; Iii. Update s for the next byte after the end of the slice); calculating to a strong hash state of the data between a last reset point and an end position of the input data block, completing updating of the calculation context (Page 4, lines 1-3, When all the data blocks in the input data are finished, the data between the last reset point and the end of the data block is called the right truncated data. The strong hash value of the part is called the strong hash state. For shs); 
4) saving the updated calculation context the interval index, find the computation context of already entered data in the interval index, and merging adjacent calculation contexts (Page 3, lines 8-10, updated calculation context is saved to the interval index; 2)In the interval index to find the input data has been calculated in the context of the adjacent computing context to merge); and 
5) traversing the interval index, splicing hash values therein and outputting thereof (Page 3, line 11, Traverse the interval index, the summary value of which will be spliced and output.).

Zhang discloses the steps of generating a summary. However, Zhang does not disclose the apparatus required to execute the above steps. However, Brandeburg  teaches;
 Apparatus for generating a summary ( Par. [0014], Referring now to FIG. 1, in an illustrative embodiment, a system 100 for ensuring data integrity (i.e., maintaining and assuring the accuracy and consistency) of network communications), comprising: 
a receiver (The communication circuitry 210 ); a memory (a memory 206); and a processor (a processor 202); 
wherein the receiver is configured to receive data to be calculated (Par. [0024], The communication circuitry 210 may be embodied as any communication circuit, device, or collection thereof, capable of enabling communications between the computing device 102 and the remote computing device 108 over the network 104. The communication circuitry 210 may be configured to use any one or more communication technology (e.g., wired or wireless communications) and associated protocols (e.g., Ethernet, Bluetooth®, Wi-Fi®, WiMAX, etc.) to effect such communication.), 
wherein the memory is configured to store the received data to be calculated  (Par. [0022], In operation, the memory 206 may store various data and software used during operation of the computing device 102), 
wherein the processor is configured to execute program instructions stored in the memory (Par. [0022], The processor 202 may be embodied as any type of processor capable of performing the functions described herein… The memory 206 is communicatively coupled to the processor 202 via the I/O subsystem 204) to perform the steps:

Zhang and Brandeburg  are analogous references to the claimed invention since they both pertain to generating a summary of network activity to detect network traffic. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Zhang using the teaching of Brandeburg. Since the apparatus taught by Brandeburg are essential components of executing instructions to perform the steps discloses by Zhang.

Regarding claim 17,  Zhang discloses A network traffic detection system based on the summary generation method (Page 2, lines 29 -32, This method is suitable for detecting files from network traffic and can be applied to areas such as virus detection, intrusion detection, data leakage prevention, network content review, digital forensics, digital copyright protection and so on), comprising: 
wherein summary generation method comprises: 
1) searching an interval index in a calculation handle to find a calculation context in a left neighbor of an input data block; and if the data block has no left neighbor, initializing a new calculation context (Page 3, lines 5-8, Updating the calculation context of the left side of each data block of the stream input, if the data block is not left adjacent, it is used as the initial calculation context, and the updated calculation context is saved to the interval index); 
2) retaining first w-1 bytes of the input data block into a buffer in the calculation context, resetting a weak hash state and a strong hash state, and calculating a weak hash value for each byte of the input data block from the weak hash state and updating the strong hash state, wherein w is a sliding window value of a weak hash function (Page 3, lines 15 -19, the step of updating the calculation context of the left side of each data block of the stream input in step 1) comprises: to keep the preceding w-1 bytes of the data block into the buffer, where w is the sliding window value of the weak hash function (which can be set to 1 byte or more), and the start position of the data block is S;); 
3) finding a reset point when the calculated weak hash value satisfies a slicing condition; if a first reset point is found in the calculation context, saving the strong hash state to the partial strong hash value (Page 3, lines 21-26, When the calculated weak hash value satisfies the slice condition in step 1-2), the reset point is found, I. If it is the first reset point in the context, then the part between s and the reset point is called the left truncated data, and its strong hash value is calculated, denoted as the partial strong hash value pshv), resetting the strong hash state; if it is not the first reset point, calculating a strong hash value of a slice divided by two reset points, until end of slicing (Page 3, lines 27-19, If it is not the first one, the new division is divided into a slice, denoted as a strong hash of the slice; Iii. Update s for the next byte after the end of the slice); calculating to a strong hash state of the data between a last reset point and an end position of the input data block, completing updating of the calculation context (Page 4, lines 1-3, When all the data blocks in the input data are finished, the data between the last reset point and the end of the data block is called the right truncated data. The strong hash value of the part is called the strong hash state. For shs); 
4) saving the updated calculation context the interval index, find the computation context of already entered data in the interval index, and merging adjacent calculation contexts (Page 3, lines 8-10, updated calculation context is saved to the interval index; 2)In the interval index to find the input data has been calculated in the context of the adjacent computing context to merge); and 
5) traversing the interval index, splicing hash values therein and outputting thereof (Page 3, line 11, Traverse the interval index, the summary value of which will be spliced and output.).

Zhang discloses a summary generation method above. Zhang does not disclose the different modules that uses the summary generation method to detect network traffic. However Brandeburg teaches;
a summary list storage module configured to generate a hash value for each file in a target file set to be matched based on a summary generation method, and to store the hash value in a summary list (Par. [0045], Example 1 includes a computing device to store a data integrity check into network communication transmissions, the computing device comprising a hash generator module to compute a hash value of a payload of a network packet, wherein the payload of the network packet is a result of a segmentation operation; a data integrity preparation module to store the hash value in the network packet and store an indication in the network packet to indicate to a recipient of the network packet that the hash value is stored in the network packet; and a network communication module to transmit the network packet to a remote computing device.

a packet parsing module configured to parse network packets to be detected from the network traffic (Par. [0028], Additionally, the network communication module 402 may process a received network packet by parsing the network packet header to determine network flow information (a source port, a destination port, etc.) of the received network packet and/or prepare a network packet for transmission by storing network flow information into the header of the network packet.); 
a summary generating module configured to generate a hash value according to the summary generating method for each network packet to be detected (Par. [0055], a hash generator module to compute a second hash value of a payload of a received network packet); and 
a summary matching module configured to match the hash value generated from the network packet to be detected with the hash value in the summary list ( Par. [0032], The hash comparator module 426 is configured to perform a data integrity check by comparing the extracted hash value with a hash value of the payload of the received network packet.).
Zhang and Brandeburg  are analogous references to the claimed invention since they both pertain to generating a summary of network activity to detect network traffic. Therefore, it would have been obvious to one of ordinary skill before the effective filing date of the invention to modify Zhang using the modules taught by Brandeburg. Since the apparatus taught by Brandeburg are essential components of executing instructions to perform the steps discloses by Zhang.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Brandeburg and further in view of Mulka et. al. (U.S Patent Application Publication No. 20180191679 A1), hereinafter Mulka.

Regarding claim 18,  the combination of Zhang and Brandeburg teaches the network traffic detection system of claim 17. The combination does not explicitly teach where the network detection system will be deployed and how it obtains the network data.
However, Mulka teaches, wherein the network traffic detection system ( A network security system 108) is deployed at a user's Internet gateway, which obtains network traffic of an internal network and the Internet through a method of serial connection, splitting, or port mirroring (Par. [0029], In some embodiments, a network security system 108 is communicatively coupled to one or more SDN applications 103. For example, as described herein, a firewall network security system 108 may send alert messages to an SDN application 103 that indicate malicious activity occurring on a data flow path 110 of the SDN control system 101.), or the network traffic detection system is deployed in an internal gateway, a proxy server, a VPN gateway, which obtains network traffic of the internal network and the internet by installing a plug-in .
Therefore, it would have been obvious to one of ordinary skilled in the art before the effective filing date of the claimed invention to modify the combined teaching of Zhang and Brandeburg in claim 17, by incorporating the system taught by Mulka to achieve the predictable result of detecting network traffic.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
kumar (U.S Patent Publication No. 10606844 B1) teaches a method of generating partial hash of files and looking up a reputation score of the files using the hash value.
Kao (U.S Patent Application Publication No. 2008/0033942 A1) teaches a method of generating a hash value for searching for substrings in a data stream without reading more than one element at a time
 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 9:30 AM - 6:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496