DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1, 3-10, 12 and 14-17 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Michelle Carniaux on 3/2/22.
The application has been amended as follows: 
1.  (Currently Amended) A method for intrusion detection in a computer network, the method comprising the following steps:
receiving a data packet at an input of a hardware switch unit;
selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of security layer information from the data packet and as a function of a hardware address;
determining, by the hardware switch unit, context information for the data packet;
comparing, by a hardware filter of the hardware switch unit, an actual value from a field of the data packet with a setpoint value for values from the field, the field including security layer data or mediation layer data;
triggering an interrupt for a microprocessor as a function of a result of the comparison;
carrying out by the microprocessor, triggered by the interrupt, an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of the context information for the data packet;
wherein the computer network is an automotive network;
wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and
wherein presence of a deviation is detected when: 
(i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or
(ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or
(iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information.
 
2.  (Canceled).

3.  (Currently Amended)  The method as recited in claim [[2]] 1, wherein the context information for the data packet is stored in the register when a deviation between the actual value and the setpoint value exists or exceeds the threshold value. 

4.  (Currently Amended)  The method as recited in claim 1, wherein [[the]] updated context information for the data packet is determined, by the microprocessor, as a function of a result of the analysis and is stored in the register. 

5.  (Original)  The method as recited in claim 1, wherein the hardware filter includes a Ternary Content Addressable Memory, in which a mask for the setpoint value is stored, the actual value being compared with the mask stored in the Ternary Content Addressable Memory, and it being established as a function of the result of the comparison of the actual value with the mask whether or not a deviation exists. 

6.  (Original)  The method as recited in claim 1, wherein the setpoint value characterizes a hardware address, the actual value being determined at the input or the output as a function of data from a hardware address field of a data packet. 

7.  (Original)  The method as recited in claim 6, wherein the hardware address is a Medium Access Control address, and wherein the hardware address field is a Medium Access control address of the data packet.

8.  (Original)  The method as recited in claim 1, wherein the setpoint value characterizes a Virtual Local Area Network, and the actual value is determined as a function of data, which characterize an association of a data packet at the input or the output with a Virtual Local Area Network. 

9.  (Original)  The method as recited in claim 1, wherein presence of a deviation is detected, either when the hardware filter at the input or the output for a tagged Virtual Logical Area Network establishes an untagged Virtual Logical Area Network data packet, or when the hardware filter at the input or the output for an untagged virtual logical area network establishes a tagged virtual logical area network data packet. 

10.  (Original)  The method as recited in claim 1, wherein the presence of a deviation is detected when the hardware filter establishes a data packet at the input or the output has an unknown Ethernet type, or a false checksum, or a false packet length, or a false packet structure. 

11.  (Canceled).

12.  (Currently Amended)  A device for intrusion detection in a computer network, wherein the device a system on a chip system, which includes a hardware switch unit, a hardware filter, a register, and a computing device for the intrusion detection, the device being configured to:
receive a data packet at an input of the hardware switch unit;
select an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of security layer information from the data packet and as a function of a hardware address;
determine, by the hardware switch unit, context information for the data packet;
compare, by the hardware filter of the hardware switch unit, an actual value from a field of the data packet with a setpoint value for values from the field, the field including security layer data or mediation layer data;
trigger an interrupt for the computing device as a function of a result of the comparison;
carry out by the computing device, triggered by the interrupt, an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of the context information for the data packet;
wherein the computer network is an automotive network;
wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and
wherein presence of a deviation is detected when: 
(i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or
(ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or
(iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information. 

13.  (Canceled).

14.  (Original)  The device as recited in claim 12, wherein the hardware switch unit is configured to store the context information for the data packet in the register when a deviation between the actual value and the setpoint value exists, or a threshold value is exceeded. 

15.  (Currently Amended)   The device as recited in claim 12, wherein the computing device is configured to determine updated context information for the data packet as a function of a result of the analysis and to store the determined updated context information for the data packet in the register. 

16.  (Currently Amended)  The device as recited in claim 12, wherein a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or [[a]] the Dynamic Host Configuration Protocol filter, and/or [[a]] the Transmission Control Protocol or User Datagram Protocol filter, and/or [[a]] the Precision Time Protocol filter, is the hardware filter and is configured to check the data packet for the intrusion detection and to provide the interrupt to the microprocessor for the intrusion detection as a function of the result of the check. 

17.  (Currently Amended)  A non-transitory computer-readable memory medium on which is stored a computer program for intrusion detection in a computer network, the computer program, when executed by a computer, causing the computer to perform or control the following steps:
receiving a data packet at an input of a hardware switch unit;
selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of security layer information from the data packet and as a function of a hardware address;
determining, by the hardware switch unit, context information for the data packet;
comparing, by a hardware filter of the hardware switch unit, an actual value from a field of the data packet with a setpoint value for values from the field, the field including security layer data or mediation layer data;
triggering an interrupt for a microprocessor as a function of a result of the comparison;
carrying out by the microprocessor, triggered by the interrupt, an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of the context information for the data packet;
wherein the network is an automotive network;
wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and
wherein presence of a deviation is detected when: 
(i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or
(ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or
(iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information.
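
As an added illustration (not part of the Office action or of the application), the following C sketch models in software the filter step recited in claims 1, 5 and 9: a masked setpoint comparison on the source hardware address, a tagged/untagged check, and the port 67/68 check, with the context register and interrupt represented as a struct. All identifiers, flag values and the sample frame are hypothetical and constructed for the example; only IPv4 without fragmentation is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names are hypothetical; this is a software model, not the claimed hardware. */
enum { DEV_TCAM = 1, DEV_VLAN_TAG = 2, DEV_DHCP_PORT = 4, DEV_LENGTH = 8 };
struct tcam_entry { uint8_t value[6], mask[6]; };   /* mask bit 1 = compare, 0 = don't care */
struct context_reg { uint32_t deviation; uint16_t vlan_id, udp_dport; int irq_pending; };

/* Constructed sample: untagged IPv4/UDP frame, source port 68, destination port 67. */
static const uint8_t SAMPLE_DHCP[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x00,
    0x45,0,0,0x1c, 0,0,0,0, 0x40,17,0,0, 0,0,0,0, 0xff,0xff,0xff,0xff,
    0,68, 0,67, 0,8, 0,0 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Ternary compare of the actual value (source MAC) against the setpoint entry. */
static int tcam_match(const struct tcam_entry *e, const uint8_t *actual) {
    for (size_t i = 0; i < 6; i++)
        if ((actual[i] ^ e->value[i]) & e->mask[i]) return 0;
    return 1;
}

/* Returns deviation flags; any deviation latches context and the modeled interrupt. */
uint32_t filter_frame(const uint8_t *f, size_t len, const struct tcam_entry *src_ok,
                      int port_expects_tag, struct context_reg *ctx) {
    uint32_t dev = 0;
    size_t off = 12;                                  /* offset of EtherType or VLAN TPID */
    int tagged = len >= 14 && be16(f + 12) == 0x8100;
    memset(ctx, 0, sizeof *ctx);
    if (len < (tagged ? 18u : 14u)) dev |= DEV_LENGTH;   /* truncated header */
    else {
        if (!tcam_match(src_ok, f + 6)) dev |= DEV_TCAM;
        if (tagged) { ctx->vlan_id = be16(f + 14) & 0x0FFF; off = 16; }
        if (tagged != !!port_expects_tag) dev |= DEV_VLAN_TAG;
        if (be16(f + off) == 0x0800 && len >= off + 22) {          /* IPv4 header present */
            const uint8_t *ip = f + off + 2;
            size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
            if (ip[9] == 17 && ihl >= 20 && len >= off + 2 + ihl + 4) {   /* UDP ports */
                uint16_t sp = be16(ip + ihl), dp = be16(ip + ihl + 2);
                ctx->udp_dport = dp;
                if (sp == 67 || sp == 68 || dp == 67 || dp == 68) dev |= DEV_DHCP_PORT;
            }
        }
    }
    ctx->deviation = dev;
    ctx->irq_pending = dev != 0;     /* the analysis would read ctx after this fires */
    return dev;
}
```

With a mask of ff:ff:ff:ff:ff:00 the last address byte is a don't-care, so any sender in that range passes the address check while the port and tagging checks still apply independently.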

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance:
Mondaeev et al. U.S. Pub. No. 20080201772 discloses a method of determining whether a data stream includes unauthorized data, the data stream is analyzed using a hardware filter to detect a presence of one or more of a first set of patterns in the data stream, wherein a set of rules is applied to the packet to produce rule match status data if it is determined that the packet belongs to one of the plurality of data flows to be further inspected.
Bangalore Krishnamurthy U.S. Pub. No. 20180183756 discloses deep packet inspection with enhanced data packet analyzers to determine whether packet should be subject to further analysis based on filters.
The prior art of record does not explicitly disclose, in light of other features recited in independent claims, wherein the network is an automotive network; wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and wherein presence of a deviation is detected when:  (i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Nanda et al. U.S. Pat. No. 10264020 discloses method for scalable network monitoring in virtual data centers.
Taylor U.S. Pub. No. 20170126745 discloses industrial network security translator.
Emmadi et al. U.S. Pub. No. 20160234091 discloses method for controlling switches to capture and monitor network traffic.
Kapoor et al. U.S. Pub. No. 20120240185 discloses method for processing data flows.
Dennerline et al. U.S. Pat. No. 8006303 discloses method for intrusion protection of a network.
Richmond et al. U.S. Pub. No. 20100268818 discloses method for forensic analysis of network behavior.
Rekhter U.S. Pat. No. 7463639 discloses edge devices for providing a transparent LAN segment service and configuring edge devices.
Mao et al. U.S. Pub. No. 20030065944 discloses method for implementing a layer3/layer 7 firewall in an L2 device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHIN HON (ERIC) CHEN whose telephone number is (571)272-3789. The examiner can normally be reached Monday to Thursday 9am-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHIN-HON (ERIC) CHEN/               Primary Examiner, Art Unit 2431