DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-11 have been examined and are pending.
Examiner Comments

Claims 9-11 are directed towards a computing device and has been analyzed for 35 USC 112(2). No 35 USC 112(2) deemed necessary since specification states: “...a computing device 106 for the intrusion detection. Computing device 106 is described below as an example of a microprocessor. A microcontroller may also be used instead 
of a microprocessor.” (p. 8, lines 27 – p. 9, lines 1-3). Therefore, the a computing device is not rejected under 35 USC 112(2).
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-12 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 7-8, and 13 of copending Application No. 16/568,706; claims  1-2, 4-12 and 16-17 of copending Application No. 16/922,329; and claims 1, 3, 5-12, and 16-17 of copending Application No. 16/921,375. Although the claims at issue are not identical, they are not patentably distinct from each other because invention describes methods for intrusion detection in a computer network where a setpoint value from field is compared and/or evaluate intrusion detections or anomalies.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claim Objections
Claims 1-4, 9, and 11 objected to because of the following informalities:  
Claim 1, line 15: “...analysis being...;” intentional use. Recommend to positively recite.
Claim 2, line 3: “...analysis being...;” intentional use. Recommend to positively recite. 
Claim 3, line 3: “...analysis being...;” intentional use. Recommend to positively recite. 
Claim 4, line 3: “...analysis being...;” intentional use. Recommend to positively recite.
Claim 6, lines 3-4 and 6-7: “...Virtual Logical Area Network...;” typographical area. Recommend to change to “Local.”
Claim 9, line 20: “...analysis being...;” intentional use. Recommend to positively recite.
Claim 10, line 6: “...a hardware filter...;” antecedent basis due to claim 9, line 4.
Claim 11, line 18: “...analysis being...;” intentional use. Recommend to positively recite. Appropriate correction is required.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “...a hardware switch unit...a hardware filter...” in claims 9-11.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 9-11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim limitation “...a hardware switch unit...a hardware filter..” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. "There is no association between the structure and the function that can be found in the specification. At most, on p. 9, lines 15-20 describe “Hardware switch unit 102 in the example includes an Ethernet switch. Hardware filter 104 in the example includes a Ternary Content Addressable Memory 108, an Address Translation Unit 110, a Virtual Local Area Network Translation unit 112 and additional hardware filters 114." Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

 (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-4, 9, and 11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Mondaeev, US  PG Publication (2008/0201772 A1).
Regarding claims 1, 9, and 11, Mondaeev teaches a method for intrusion detection in a computer network, comprising the following steps; a device for intrusion detection in a computer network, comprising: a system on a chip system, which includes a hardware switch unit, a hardware filter, and a computing device, for the intrusion detection, the system on a chip system configured to; and a non-transitory computer-readable memory medium on which is stored a computer program for intrusion detection in a computer network, the computer program, when executed by a computer, causing the computer to perform or control the following steps:  [Mondaeev, ¶0029 : packet processor 10  (a hardware switch unit); ¶0036, 0039, 0042, and 0044: Fig. 2 shows the NID system 70 (a hardware filter) that includes: a first-stage hardware filter 72, a policy switch 80, a deep packet inspection (DPI) module 84, and a CPU 92 for post-processing by a software application within the packet processor 10.]
receiving a data packet at an input of a hardware switch unit;  [Mondaeev et al 20080201772 A1, ¶0032: packet processor 10 performs deep packet inspection by receiving a data packet 35 (a data packet) at a Media Access Control (MAC) reception (Rx) unit 50. The MAC Rx unit 50 (an input) may then propagate each packet to a NIDS hardware component 52. The MAC Tx unit 54 may also direct some of the packets marked by the NIDS hardware component 52 to a NIDS software component 56. The NIDS software component 56 may be Snort, Clam Antivirus, or similar software stored in a non-volatile memory (not shown) and running on a processor of the packet processor 10  (a hardware switch unit).]
selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of data link layer information from the data packet and as a function of a hardware address;  [Mondaeev et al 20080201772 A1, ¶¶0006, 0029, 0032, 0036, 0039, 0042, and 0044:  The NIDS determines a switch coupled to the hardware filter to selectively direct the packet for further packet inspection by packet processor 10  (a hardware switch unit) that proceeds to MAC Transmit (Tx) unit 54 responsible for directing data to another network via Ethernet link 20. Fig. 2 shows the NID system 70 that includes: a first-stage hardware filter 72, a policy switch 80, a deep packet inspection (DPI) module 84, and a CPU 92 for post-processing by a software application, within the packet processor 10.]
comparing, by a hardware filter, an actual value from a field of the data packet with a setpoint value for values from the field, the field including data link layer data or network layer data;  [Mondaeev, ¶0010: “.. a method of inspecting a data stream for unauthorized data comprises comparing a data segment to a first set of patterns stored in a content-addressable memory.” ¶¶0031 and 0045: Fig. 1 shows data packet 35 include a header 37 and a payload 39 that belong to flow 29; where operator configures parameters in view of size, access speed. ¶¶0041-0042 and 0045: Fig. 3 shows packet descriptor 100 associated with the data packet 35. In one embodiment, the first-stage hardware filter 72 of the NID 70 generates the packet descriptor 100 and sets a first-stage filter flag 102. The first-stage hardware filter 72 may execute direct comparisons between stored patterns and the incoming or outgoing data patterns. The policy switch inspects the TCP/IP and UDP/IP, or transport and network layer. The policy switch 80 may further update several fields of the packet descriptor 100 to indicate, via a bitmask 104, to which of the flows 25-29 the data packet 35 belongs (i.e. conveys information about network-layer protocol, etc.).] and 
providing the data packet or the copy of the data packet to a computing device for analysis as a function of a result of the comparison, the analysis being an analyzing for detecting an intrusion pattern in a network traffic in the computer network and is carried out by the computing device as a function of information from the data packet. [Mondaeev, ¶¶0044-0045: The packet descriptor may contain packet information such as the address of the packet in the memory buffer and the length of the packet, several auxiliary fields related to NID processing, etc. Rather than propagating the entire data packet 35 through the modules 72, 80, 84, and 92, the NID system 70 may instead propagate only the associated packet descriptor. Fig. 3 shows packet descriptor 100 associated with the data packet 35. In one embodiment, the first-stage hardware filter 72 of the NID 70 generates the packet descriptor 100 and sets a first-stage filter flag 102. In particular, a positive value of the first-stage filter flag 102 may indicate that the first-stage hardware filter 72 has identified at least one suspicious pattern in the data packet 35]
Regarding claim 2, Mondaeev teaches claim 1 as described above.
Mondaeev teaches wherein the hardware filter includes a Ternary Content Addressable Memory in which a mask for the setpoint value is stored, the actual value being compared with the mask stored in the Ternary Content Addressable Memory, and wherein it is established as a function of the result of the comparison whether or not a deviation is present.  [Mondaeev, Figs. 3 and 5, ¶¶0043-0046 and 0049: The policy switch 80 of the NID system 70 may further update several fields of the packet descriptor 100 to indicate, via a bitmask 104, to which of the flows 25-29 the data packet 35 belongs. The policy switch 80 of the NID system 70 include Ternary CAM (TCAM) or a Content Addressable Memory (CAM) for fast searches and comparisons. The sub-flows 110-116 contain packet descriptors corresponding to data packets rather than actual data packets. As one of ordinary skill in the art will recognize, certain patterns may include one or more bits that have no impact on a result of comparing a sequence of data with the pattern. DPI analysis whenever the rate monitor 152 detects a significant statistical deviation in the ratios between the sub-flows 114 and 116.  ¶¶0058-0059: the TCAM of the NID system 70 implemented where the DPI engine 160 include a pattern matching stage 250 which compares a selected portion of the data packets 35 to one or more patterns, a pattern identity retrieval stage 252, a rule retrieval stage 254, and a pattern application stage 256.]

Regarding claim 3, Mondaeev teaches claim 1 as described above.
Mondaeev teaches wherein the setpoint value characterizes a hardware address from a memory of the hardware switch unit, the actual value being determined at the input or 100671706.121the output as a function of data from a hardware address field of a data packet.  [Mondaeev, See ¶¶0044-0045: The packet descriptor may contain packet information such as the address of the packet in the memory buffer (a hardware address from a memory of the hardware switch unit) and the length of the packet, several auxiliary fields related to NID processing, etc. The policy switch 80 may further update several fields of the packet descriptor 100 to indicate, via a bitmask 104, to which of the flows 25-29 the data packet 35 belongs.]

Regarding claim 4, Mondaeev teaches claim 1 as described above.
Mondaeev teaches wherein the setpoint value characterizes a Medium Access Control address from a memory of the hardware switch unit, the actual value being determined at the input or the output as a function of data from a Medium Access Control address field of a data packet.  [Mondaeev, ¶0032: The packet processor 10 performs deep packet inspection by first receiving a packet such as the data packet 35 at a Media Access Control (MAC) reception (Rx) unit 50...Thus, the NIDS hardware component 52 is responsible for pre-processing and the NIDS software component 56 is responsible for post-processing of data. The components 52 and 56 together form a network intrusion detection (NID) system 70. ¶0035: The NIDS hardware component 52 and the NIDS software component 56 may interact via a dedicated memory location such as a register (a Medium Access Control address from a memory of the hardware switch unit).]
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev, US  PG Publication (2008/0201772 A1), in view of Schroder, US Patent (10,701,002 B1).
Regarding claim 5, Mondaeev teaches claim 1 as described above.
While Mondaeev teaches the setpoint value [Mondaeev, ¶¶¶0041-0042 and 0045: Fig. 3 shows packet descriptor 100 associated with the data packet 35; however, Mondaeev fails to explicitly teach but Schroder teaches wherein the setpoint value characterizes a Virtual Local Area Network, the setpoint value being determined from a memory of the hardware switch unit, the actual value being determined as a function of data, which characterize an association of a data packet at the input or the output with a Virtual Local Area Network.  [Schroder, col 2, lines 65-67 – col 3, lines 1-6:  “a network device receives a multicast packet from a computer network and stores the multicast packet in one or more memory cells of the network device. A packet processor of the network device processes the multicast packet (or a related data structure) to determine two or more physical or virtual egress ports of the network device from which a copy of the multicast packet is to be transmitted and to generate corresponding packet descriptors for the respective copies”. col 7, lines 54-61: ... :the network device 100 includes multiple processors, for example, a receive processor, packet processor, and transmit processor. In some scenarios, an egress port 105 receives two or more packet descriptors corresponding to the packet 160, for example, to transmit a copy of the packet 160 on different virtual local area networks (VLANs)”.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings the Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection (NID) of Mondaeev before him or her by including the teachings of System And Method For Memory Deallocation of Schroder. The motivation/suggestion would have been obvious to try to modify packet descriptors of Mondaeev by adding the network device 100 that associates packet descriptors to packets at input of VLAN as taught by Schroder [Schroder, col 7, lines 54-61].  

Claims 6, 8, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev, US  PG Publication (2008/0201772 A1), in view of Jungck et al., hereinafter (“Jungck”), US PG Publication (20120218901 A1).
Regarding claim 6, Mondaeev teaches claim 1 as described above.
While Mondaeev teaches presence of a deviation [Mondaeev, ¶0049: DPI analysis whenever the rate monitor 152 detects a significant statistical deviation in the ratios between the sub-flows 114 and 116.]; however, Mondaeev fails to explicitly teach but Jungck teaches wherein presence of a deviation is detected, either when the hardware filter at the input or the output for a tagged Virtual Logical Area Network establishes an untagged Virtual Logical Area Network data packet, or when the hardware filter at the input or the output for an untagged Virtual Logical Area Network establishes a tagged Virtual Logical Area Network Data Packet.  [Jungck, ¶0242-0243: Through Deep Packet Inspection technology to classify flows and inspect traffic; a database is referenced to determine appropriate virtual machine to navigate traffic to. At this point Ethernet MAC addresses will be modified to navigate traffic appropriately within the chassis and the Ethernet header will be converted to an 802.1q header to include a VLAN tag which will be specified by the DPPM Blade. Upon completion of processing returned traffic will have a VLAN Tag applied by the ESX Server and transmission to either the original source MAC address or a prescribed destination will cause the packet to be directed to the appropriate DPPM for egress of the chassis. FIG. 22 shows a normal untagged Ethernet frame as it would be received by the chassis and its difference with regards to the packet that would be sent within the chassis containing a VLAN tag.]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings the Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection (NID) of Mondaeev before him or her by including the teachings of a Transparent provisioning of services over a network of Jungck. The motivation/suggestion would have been obvious to try to modify packet descriptors of Mondaeev by adding the Deep Packet Inspection technology that determines if the input should be converted to tagged VLAN of Jungck [Jungck, ¶¶0242-0243].  

Regarding claim 8, Mondaeev teaches claim 1 as described above.
While Mondaeev teaches presence of a deviation [Mondaeev, ¶0049: DPI analysis whenever the rate monitor 152 detects a significant statistical deviation in the ratios between the sub-flows 114 and 116.]; however, Mondaeev fails to explicitly teach but Jungck teaches wherein presence of a deviation is detected when: 100671706.122(i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or 
(ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or 
(iii) a Precision Time Protocol filter at the input or output establishes a Precision Time Protocol message, the content of which, including time stamp, sequence number, correction field, is stored at least temporarily in a register for context information. [Jungck, ¶0253: firewall service, malicious content detection service, IDS, URL filtering service, intrusion detection and/or prevention service, internet protocol (IPv4 to IPv6) gateway service etc. the network carrying a plurality of packets each being transmitted by an associated source, .e.g. an end user or client device or router, proxy server, web server, etc., to at least one associated intended destination intended by the source, e.g. the destination(s) to which the packet(s) are specifically addressed, routed or otherwise directed by the source. Each of the plurality of packets includes routing data, such as Layer 2 or Layer 3 data, which is operative to cause the forwarding of the packet via the network towards the at least one intended destination]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings the Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection (NID) of Mondaeev before him or her by including the teachings of a Transparent provisioning of services over a network of Jungck. The motivation/suggestion would have been obvious to try to modify packet descriptors of Mondaeev by adding the IDS and filtering services of Jungck [Jungck, ¶0253].  

Regarding claim 10, Mondaeev teaches claim 1 as described above.
	While Mondaeev teaches presence of a deviation [Mondaeev, ¶0049: DPI analysis whenever the rate monitor 152 detects a significant statistical deviation in the ratios between the sub-flows 114 and 116.]; however, Mondaeev fails to explicitly teach but Jungck teaches wherein a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or a Dynamic Host Configuration Protocol filter, and/or a Transmission Control Protocol or User Datagram Protocol filter, and/or a Precision Time Protocol filter, is provided as a hardware filter to check the data packet for the intrusion detection and to provide the data packet or a copy of the data packet to the computing device for the intrusion detection as a function of the result of the check.  [Jungck, ¶0165: The classification co-processor 810 and content addressable memory 816 are used by the network processor 804 to offload specific rule processing tasks when it is more efficient to do so. In particular, processing of rules which involves table look ups or matching values to table entries is best handled by the content addressable memory 816. Establishing packet type or other classifying operations are best handled by the classification co-processor 810.
¶¶0286-0287]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings the Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection (NID) of Mondaeev before him or her by including the teachings of a Transparent provisioning of services over a network of Jungck. The motivation/suggestion would have been obvious to try to modify packet descriptors of Mondaeev by adding the Deep Packet Inspection technology that determines if the input should be converted to tagged VLAN of Jungck [Jungck, ¶¶0242-0243].  

Claims 7 is rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev, US  PG Publication (2008/0201772 A1), in view of Murali, US PG Publication (20190059055 A1).
Regarding claim 7, Mondaeev teaches claim 1 as described above.
While Mondaeev teaches presence of a deviation [Mondaeev, ¶0049: DPI analysis whenever the rate monitor 152 detects a significant statistical deviation in the ratios between the sub-flows 114 and 116]; however, Mondaeev fails to explicitly teach but Murali teaches wherein presence of a deviation is detected when the hardware filter establishes the data packet at the input or the output having an unknown Ethernet type, or a false checksum, or a false packet length, or a false packet structure.  [Murali 20190059055 A1, ¶¶0027-0028: ...the preamble detector having an accumulator with a length equal to a PLCP template used for the cross-correlation, the accumulator forming an accumulated sum of each value of the linear array of values, the accumulated sum having a peak value which is compared to a threshold during a first interval equal to a first plurality of PLCP intervals; where the threshold over the first interval is set for a false packet detection rate of greater than 1% and less than 50%]
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to combine the teachings the Method and Apparatus for Deep Packet Inspection for Network Intrusion Detection (NID) of Mondaeev before him or her by including the teachings of Quick Decision Preamble Detector With Hierarchical Processing of Murali. The motivation/suggestion would have been obvious to try to modify packet descriptors of Mondaeev by adding  the functions of the preamble detector to detect false packets of Murali [Murali, ¶¶0027-0028].  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Mammen et al (20080071779 A1) discloses method and apparatus for managing multiple data flows in a content search system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/           Primary Examiner, Art Unit 2497