DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
The objection to Drawings (Fig. 4) has been withdrawn in light of applicant’s amendment to the Drawings (Fig. 4) submitted 7/12/2022.
Status of Claims
The amendment filed 7/12/2022 has been entered. Claims 1-3, 5, 10, 12-17, 20 are currently amended. Claims 1-20 are pending in the application.
The objection of claims 1, 3, 12, 16 due to informalities has been withdrawn in light of applicant’s amendment to the claim. The objection to claim 1, 15, 16 respectively, due to concern of the intended use is shown below for records.
The rejection of claims 1, 5, 10, 15-16, 20 under 35 USC 112(b) due to insufficient antecedent basis has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments, see pg. 10-12 of the Remarks filed 7/12/2022 regarding claim rejection over prior arts has been fully considered and asserted not persuasive due to following reason. 
Examiner acknowledges applicant has amended independent claims 1, 15, 16, respectively, to clarify limitations and to correct concerns identified by the office action mailed 4/12/2022 (the office action), however the examiner maintains his position in view of applicant’s arguments addressed below. First, regarding claim 1 (similarly for claim 16, and claim 15 included now), the examiner has clearly indicated in the office action that the body of the claim recites determining a location in a hash table, inserting or transferring/reinserting data packet classification into the hash table at a location freed from pre-existing data packet classification by transferring the pre-exiting data packet classification to a temporary storage pipeline. Applicant’s arguments are concerning the limitation(s) recited in the preamble of the claim that serves as intended use, or for the purpose of, e.g. “for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network, the filtering out being based on an association between network addresses and data packet classifications, in which the data packet classifications allow for a determination as to whether a network packet is legitimate”.
Claim 1 recites:
A method of analysing network packets for preventing network attacks by …, the method being executed by a computing devic stored in a computer-readable memory, the method comprising: 
upon determining that a data packet classification is to be inserted in the data structure, determining a location in the hash table at which the data packet classification is to be inserted, the location being determined based on a hash function applied to a network address associated with the data packet classification; 
if the location in the hash table is an empty cell, inserting the data packet classification in the empty cell; 
if the location in the hash table is not an empty cell: 
transferring a pre-existing data packet classification from the hash table to the temporary storage pipeline; 
inserting the data packet classification at the location of the hash table freed from the pre-existing data packet classification; and 
executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing data packet classification into the hash table. 
	
	(Emphasis’s are added to show actions performed by the method)
It can be seen from above that the actions performed by the method are 1) determining a location in the hash table… ; 2) inserting the data packet classification in the empty cell; or 3) transferring a pre-existing data packet classification from the hash table to the temporary storage pipeline; inserting the data packet classification at the location of the hash table freed from the pre-existing data packet classification; and executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing data packet classification into the hash table. In short, the method recites process of, upon determining a location in a hash table, inserting data (i.e. data packet classification) into the location if the location is empty, or transferring existing data into a temporary storage pipeline to free up space for data to be inserted thereto, and reinserting the pre-existing data into the hash table. Above, storage pipeline is interpreted as storage space or storage of some kind under the BRI. And hash table is well known in the art.
Regarding cited prior art Arad, applicant argued,
“… there is nothing in the Arad '516 reference that remotely acknowledges or suggests "analysing network packets for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network," as required by the independent claims. 

Applicant submits that artisans of ordinary skill focused on the prevention of network attacks would never look to, or rely on, a reference that is specifically directed to reconciling inherent hash table value collisions. As such, Applicant further submits that the application of the Arad '516 reference to the instant claim requirements is completely improper, as it can only be justified by impermissible hindsight reasoning.” (See page 11 of the Remarks)

Examiner respectively disagrees with applicant. As being pointed out earlier that the method steps as recited in claim 1, there is no step(s) that can be understood to be related to analysing network packets for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network, other than, in short, determining a location in hash table, inserting/substituting data (data packet classification) into the hash table. Examiner also notes, data packet classification and the intended “preventing network attacks” aspect of the claim has been addressed by reference O’Connell in the office action.
Applicant further argued,
“Equally notable, Applicant point outs that the independent claims require a ‘data structure comprising a temporary storage pipeline and a hash table stored in a computer-readable memory.’ The independent claims further recite that ‘if the location in the hash table is not an empty cell: transferring a pre-existing data packet classification from the hash table to the temporary storage pipeline ... and executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing data packet classification into the hash table.’ 
…
As such, Arad '516 specifically teaches moving a previously-stored key from one hash table location to another location in the same hash table. In so doing, Arad '516 does not, in any way, suggest the use of a ‘temporary storage pipeline’-much less, ‘transferring a pre-existing data packet classification from the hash table to the temporary storage pipeline’ or ‘executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing data packet classification into the hash table.’” (see page 11 of the Remarks)

Examiner acknowledges applicant’s perspective however respectively disagrees.
For example, Arad shows the data structure (e.g. Lookup Table) and Hash Table in Memory in Fig. 1; O’Connell shows using circular buffer (as temporary storage pipeline) in a memory module to store the most current highest rate hashes where the destination signature hashes have been stored in the hash table 515, the mitigation process 500 continues by moving the highest rate hashes to the oldest locations in a circular buffer 530 at the end of each data packet window (O’Connell, [49]). Therefore, the combination of Arad and O’Connell teaches the data structure comprising temporary storage pipeline and a hash table stored in computer-readable memory as claimed. As such, the examiner asserts applicant’s argument regarding the teachings of O’Connell is not persuasive, since as indicated above, the examiner interprets the circular buffer as the temporary storage pipeline since the circular buffer continues to update as more data packet windows are assessed by the mitigation device, see [49]. Examiner further asserts applicant’s argument regarding dependent claims is not persuasive due to the deficiency of their respective parent claims as being unpatentable. Therefore, the claim rejections under 35 USC 103 is maintained.
Applicant is encouraged to recite innovative features, especially features related to network security into independent claims to advance the case. 
Claim Objections
Claims 1, 15, 16 are objected to because of the following informalities:  
Claim 1, similarly claim 16, recites method/system of/for analyzing network packets for preventing network attacks … in preamble. However, no method step(s) (inserting, or reinsertion of data packet classification into data structure) in the body of claim can be understood to perform action for preventing attacks. Therefore, the limitation(s) of “for preventing attacks …” is intended use. 
Similarly, claim 15 recites method of operating a networking device to prevent network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network, in preamble. However, no method step(s) (determining a location, inserting, or reinsertion of data packet classification into data structure) in the body of claim can be understood to perform action for preventing attacks. Therefore, the limitation(s) of “to prevent network attacks …” is intended use.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4-5, 15-17, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Arad et al (US10,587,516B1, hereinafter, “Arad”), in view of O’Connell et al (US20180191773A1, hereinafter, “O’Connell”).
Regarding claim 1, Arad teaches:
A method of analysing network packets (Arad, discloses method for managing network device of determining a current key inserted into a hash lookup table, see [Abstract]. And [Col. 2 lines 4-8] The method additionally includes performing, by the network device, a lookup operation to locate in the lookup table an entry corresponding to a key, the key generated based on a network packet received at the network device) [for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network, the filtering out being based on an association between network addresses and data packet classifications, in which the data packet classifications allow for a determination as to whether a network packet is legitimate], the method being executed by a computing device, that comprises a data structure associating the network addresses (Arad, See Fig. 1, Hash table in Memory as data structure, see further Arad’s teachings of associating the network address shown below) [with the data packet classifications], the data structure comprising [a temporary storage pipeline] and a hash table stored in a computer-readable memory (see O’Connell for the teachings of limitation(s) in bracket), the method comprising: 
upon determining that [a data packet classification] is to be inserted in the data structure, determining a location in the hash table at which [the data packet classification] is to be inserted, the location being determined based on a hash function applied to a network address associated with [the data packet classification] (Arad, [Col. 1 lines 51-58] a method for managing a network device includes determining, by a hash value generator of the network device, a current hash value (i.e. data packet classification in view of O’Connell’s destination signature hashes shown below) for a current key to be inserted into a lookup table, the current hash value associated with a current set of memory locations in the lookup table, wherein the current set of memory locations includes a memory location corresponding to the current hash value and one or more other memory locations. And [Col. 3 lines 37-43] the lookup table 103 is a forwarding database that stores, for example, associations between the ports 112 of the network device 100 and addresses (for instance, media access control (MAC) addresses, Internet Protocol (IP) addresses, VLANs, multicast addresses, etc.) of network device connected to the ports 112 (i.e. network address associated with hash)); 
if the location in the hash table is an empty cell, inserting [the data packet classification] in the empty cell (Arad, refer to Fig. 5, and [Col. 13, lines 34-43] At block 504, it is determined whether at least one memory location in the current set of memory locations is not occupied by a previously stored key that is currently stored in the hash table. If it is determined at block 504 that at least one memory location in the current set of memory locations is not occupied by a previously stored key that is currently stored in the hash table, the method proceeds to block 506. At block 506, the current key is inserted into the hash table at an un-occupied memory location in the current set of memory locations); 
if the location in the hash table is not an empty cell: transferring a pre-existing [data packet classification] from the hash table to [the temporary storage pipeline] (Arad, [Col. 13 lines 44-51] On the other hand, if it determined at block 504 that each memory location in the current set of memory locations is occupied by some previously stored key that is currently stored in the hash table, the method proceeds to block 508. Block 508 attempts to iteratively move one or multiple previously stored key in the hash table to other memory locations (i.e. temporary storage pipeline in view of O’Connell’s circular buffer shown below) in the hash table to free up a memory location in the current set of memory locations); 
inserting [the data packet classification] at the location of the hash table freed from the pre-existing [data packet classification] (Arad, [Col. 13 lines 60-63] If the attempt at block 508 is successful, then the current key is inserted into the hash table, at block 510, at the freed up memory location); (see O’Connell below for limitation(s) in brackets above)
While Arad teaches inserting hashed key associated with destination address into hash table using freed-up memory space but does not explicitly teaches the following limitation(s), however in the same field of endeavor O’Connell teaches:
for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network, the filtering out being based on an association between network addresses and data packet classifications, in which the data packet classifications allow for a determination as to whether a network packet is legitimate (O’Connell, discloses method for mitigating DDOS attacks, see [Title] and [Abstract]. And [0024] The various modules 252, 254, 256 and 258 of the mitigation device 250 are also configured to drop data packets received at the mitigation device 250 if it is determined that the target device 130 is experiencing a DDoS attack, thereby blocking the transmission of the attacking data packet to the target device 130 to prevent the target device 130 from being overwhelmed. And [0048] The mitigation device may then execute a hash function 510 on the destination address signature to generate a destination signature hash, which is then stored in a hash table 515 along with the total count for number of occurrences of the destination signature hash in the data packet window);
and executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing data packet classification into the hash table (O’Connell, [0049] After the destination signature hashes (i.e. data packet classification) have been stored in the hash table 515, the mitigation process 500 continues by moving the highest rate hashes to the oldest locations in a circular buffer 530 (i.e. temporary storage pipeline) at the end of each data packet window. The circular buffer 530 may be stored in a memory module, such as the memory module 258 of the mitigation device 250 in FIG. 2. The circular buffer 530 stores the most current highest rate hashes and the circular buffer 530 continues to update as more data packet windows are assessed by the mitigation device. As such, the hash table 515 tracks multiple destination address signatures in the plurality of data packet windows and the circular buffer 530 is used to store the hash value of the most commonly occurring destination address signatures that are occurring within the data packets being received, thereby classifying the data packet windows as potential attack windows for a particular destination address signature).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of O’Connell in the method of hash lookup table entry management of Arad by storing data packet signatures into hash table as data packet classification. This would have been obvious because the person having ordinary skill in the art would have been motivated to count number of occurrences of destination address signature for classifying each data packet window as a potential attack window when the total number of occurrences is more than a threshold to mitigate DDOS attacks (O’Connell, [Abstract]).

Regarding claim 15, Arad teaches:
A method of operating a networking device (Arad, discloses managing a network device where a current hash value is determined for a current key to be inserted into a lookup table [Abstract]) [to prevent network attacks by filtering out illegitimate network packets while permitting legitimate network packets access to the network], based on a data structure (Arad, Fig. 1 Memory) associating network packet signatures (Arad, [Col. 3 lines 37-43] the lookup table 103 is a forwarding database that stores, for example, associations between the ports 112 of the network device 100 and addresses (for instance, media access control (MAC) addresses, Internet Protocol (IP) addresses, VLANs, multicast addresses, etc.) of network device connected to the ports 112) with network packet metadata (Arad, [Col. 3 lines 43-48] the packet processor 102 utilizes the lookup table 103 to determine or “look up” an egress port 112 to which a packet should be forwarded using the destination address contained in a header (i.e. metadata) of the packet as the key, or another suitable key generated based on the destination address), the data structure comprising a [temporary storage pipeline] (see O’Connell below for the teachings of limitation(s) in bracket) and a hash table (Arad, Fig. 1 106 Hash Table) stored in a computer-readable memory, the method comprising:  29 13508685.1 
100534/210upon determining that network packet metadata is to be inserted in the data structure, determining a location in the hash table at which the network packet metadata is to be inserted, the location being determined based on a hash function applied to a network packet signature associated with the network packet metadata (Arad, [Col. 1 lines 51-58] a method for managing a network device includes determining, by a hash value generator of the network device, a current hash value for a current key (i.e. network packet metadata) to be inserted into a lookup table, the current hash value associated with a current set of memory locations in the lookup table, wherein the current set of memory locations includes a memory location corresponding to the current hash value and one or more other memory locations. And [Col. 3 lines 37-43] the lookup table 103 is a forwarding database that stores, for example, associations between the ports 112 of the network device 100 and addresses (for instance, media access control (MAC) addresses, Internet Protocol (IP) addresses (i.e. network packet signature), VLANs, multicast addresses, etc.) of network device connected to the ports 112); 
if the location in the hash table is an empty cell, inserting the network packet metadata in the empty cell (Arad, [Col. 13, lines 34-43] At block 504, it is determined whether at least one memory location in the current set of memory locations is not occupied by a previously stored key that is currently stored in the hash table. If it is determined at block 504 that at least one memory location in the current set of memory locations is not occupied by a previously stored key that is currently stored in the hash table, the method proceeds to block 506. At block 506, the current key is inserted into the hash table at an un-occupied memory location in the current set of memory locations); 
if the location in the hash table is not an empty cell: transferring a pre-existing network packet metadata from the hash table to the temporary storage pipeline (Arad, [Col. 13 lines 44-51] On the other hand, if it determined at block 504 that each memory location in the current set of memory locations is occupied by some previously stored key that is currently stored in the hash table, the method proceeds to block 508. Block 508 attempts to iteratively move one or multiple previously stored key in the hash table to other memory locations (i.e. temporary storage pipeline in view of O’Connell’s circular buffer) in the hash table to free up a memory location in the current set of memory locations); 
inserting the network packet metadata at the location of the hash table freed from the pre-existing network packet metadata (Arad, [Col. 13 lines 60-63] If the attempt at block 508 is successful, then the current key is inserted into the hash table, at block 510, at the freed up memory location); and 
While Arad reaches inserting hashed key associated with destination address into hash table using freed-up memory space but does not explicitly teaches the following limitation(s), however in the same field of endeavor O’Connell teaches:
temporary storage pipeline (O’Connell, circular buffer 530 in Fig. 5),
executing a reinsertion routine on the temporary storage pipeline to reinsert the pre-existing network packet metadata into the hash table (O’Connell, [0049] After the destination signature hashes (i.e. network packet metadata) have been stored in the hash table 515, the mitigation process 500 continues by moving the highest rate hashes to the oldest locations in a circular buffer 530 (i.e. temporary storage pipeline) at the end of each data packet window. The circular buffer 530 may be stored in a memory module, such as the memory module 258 of the mitigation device 250 in FIG. 2. The circular buffer 530 stores the most current highest rate hashes and the circular buffer 530 continues to update as more data packet windows are assessed by the mitigation device. As such, the hash table 515 tracks multiple destination address signatures in the plurality of data packet windows and the circular buffer 530 is used to store the hash value of the most commonly occurring destination address signatures that are occurring within the data packets being received, thereby classifying the data packet windows as potential attack windows for a particular destination address signature).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of O’Connell in the method of hash lookup table entry management of Arad by storing data packet signatures into hash table as network packet metadata. This would have been obvious because the person having ordinary skill in the art would have been motivated to count number of occurrences of destination address signature for classifying each data packet window as a potential attack when the total number of occurrences is more than a threshold for mitigating DDOS attacks (O’Connell, [Abstract]).  

Regarding claim 16, Arad-O’Connell combination teaches:
A system for analysing network packets (Arad, discloses method and network device for managing network device of determining a current key inserted into a hash lookup table, see [Abstract]. And [Col. 2 lines 4-8] The method additionally includes performing, by the network device, a lookup operation to locate in the lookup table an entry corresponding to a key, the key generated based on a network packet received at the network device) for preventing network attacks by filtering out illegitimate network packets while permitting legitimate network packets to access the network, the filtering out being based on an association between network addresses and data packet classifications in which the data packet classifications allow for a determination as to whether a network packet is legitimate (O’Connell, see [24], [48]), the system comprising: a non-transitory computer-readable medium storing a data structure associating the network addresses with the data packet classifications, the data structure comprising a temporary storage pipeline and a hash table; a processor configured to execute control logic (Arad, [col. 14 lines 40-43] The software or firmware instructions may include machine readable instructions that, when executed by the processor, cause the processor to perform various acts) so as to cause: performing method steps substantially similar to the method steps of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 2, similarly claim 17, Arad-O’Connell combination teaches:
The method of claim 1, the system of claim 16,
The combination of Arad-O’Connell further teaches: 
wherein the pre-existing data packet classification is a first pre-existing data packet classification and further comprising:26 13508685.1100534/210determining a reinsertion location in the hash table at which the first pre-existing data packet classification is to be reinserted (Arad, see [Col. 1 lines 51-58], and [Col. 3 lines 37-43]. Examiner notes, the teachings of Arad on data packet classification can be applied to first-existing data packet in a similar way since the first-existing data packet classification can be regarded as data packet classification); if the reinsertion location in the hash table is not an empty cell: transferring a second pre-existing data packet classification occupying the reinsertion location from the hash table to the temporary storage pipeline (Arad, see [Col. 13 lines 44-51]); inserting the first pre-existing data packet classification at the reinsertion location of the hash table freed from the second pre-existing data packet classification (Arad, [Col. 13 lines 60-63]; and executing the reinsertion routine on the temporary storage pipeline to reinsert the second pre-existing data packet classification into the hash table (O’Connell, see [0049]).  

Regarding claim 4, similarly claim 19, Arad-O’Connell combination teaches:
The method of claim 1, the system of claim 16, wherein the data packet classification is a first data packet classification and wherein the method further comprises: 
Arad further teaches: upon determining that a second data packet classification is to be looked up in the data structure: looking up at least one of the temporary storage pipeline and/or the hash table (Arad, [Col. 4 lines 7-14] The packet processor 102 is configured to utilize a suitable lookup technique to locate the key within a set of multiple memory locations associated with a hash value corresponding to the key, in such embodiments. Upon locating the key in the lookup table 103, the packet processor 102 retrieves, from the lookup table 103, information associated with the key and utilizes the information to further process the packet, …); and identifying a location of the at least one of the temporary storage pipeline and/or the hash table at which the second data packet classification is located (Arad, [Col. 6 line 53-Col. 7 line 3] the packet processor 102 is configured to use a suitable lookup technique to locate, in the hash table 106, a key generated based on a packet received at a port 112 of the network device 100... the packet processor 102 is configured to generate multiple hash values for the key, and to use the multiple hash values to determine which of the multiple memory locations should be checked in an attempt to locate the key).  

Regarding claim 5, similarly claim 20, Arad-O’Connell combination teaches:
The method of claim 1, the system of claim 16,
O’Connell further teaches: wherein the network address is a first network address and wherein a looking up the at least one of the temporary storage pipeline and/or the hash table2713508685.1 100534/210comprises applying the hash function to a second network address associated with a second data packet classification (O’Connell, [0049] the hash table 515 tracks multiple destination address signatures in the plurality of data packet windows and the circular buffer 530 is used to store the hash value of the most commonly occurring destination address signatures that are occurring within the data packets being received, thereby classifying the data packet windows as potential attack windows for a particular destination address signature. The mitigation device then uses the hashes stored in the circular buffer 530 and the sliding time window, as previously described, to determine if the one or more of the destination addresses signatures exceeds a potential attack window threshold).  

Claims 3, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell combination as applied above, in further view of Stacy et al (US20050213570A1, hereinafter, “Stacy”).
Regarding claim 3, similarly claim 18, Arad-O’Connell combination teaches:
The method of claim 1, the system of claim 16,
While the combination of Arad-O’Connell does not explicitly teach FIFO, in the same field of endeavor Stacy teaches: 
wherein the temporary storage pipeline comprises a first in, first out (FIFO) data buffer (Stacy, discloses filtering data packets against DoS packets, see [Abstract]. And [0046] If the HWA module 500 determines that the received data packet 160 is a DoS packet or other type of malicious packet, e.g., based on the packet's identified data flow, the HWA module enqueues the packet's descriptors on the delete egress ring 356 or on a first in, first out queue (not shown) of "free" buffer descriptors, i.e., descriptors whose referenced buffers 242 are available to store new packet data, associated with the network interface 210. Advantageously, descriptors placed on the delete ring 356 or on the free-buffer FIFO are "recycled"),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Stacy in the method of hash lookup table entry management of Arad-O’Connell by implementing free-buffer FIFO for on-chip memory. This would have been obvious because the person having ordinary skill in the art would have been motivated to have hardware assist module (HWA) to enqueue packet’s descriptor on FIFO before forwarding to CPU for the filtering of DoS traffic (Stacy, [Abstract], [0003], [0046]).
O’Connell further teaches: and the reinsertion routine is executed, wherein a latest pre-existing data packet classification transferred into the temporary storage pipeline is the latest to be reinserted in the hash table (O’Connell, [0049] After the destination signature hashes have been stored in the hash table 515, the mitigation process 500 continues by moving the highest rate hashes to the oldest locations in a circular buffer 530 at the end of each data packet window... The circular buffer 530 stores the most current highest rate hashes and the circular buffer 530 continues to update as more data packet windows are assessed by the mitigation device).  

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell combination as applied above to claim 4, in further view of Polychroniou et al (US20190377683A1, hereinafter, “Polychroniou”).
Regarding claim 6, Arad-O’Connell combination teaches:
The method of claim 4, 
While the combination of Arad-O’Connell does not explicitly teach, in the similar field of endeavor Polychroniou teaches:
further comprising: upon determining that the second data packet classification is to be updated, replacing the second data packet classification by inserting a third data packet classification at the location of the at least one of the temporary storage pipeline and/or the hash table at which the second data packet classification is located (Polychroniou, discloses system of placing second subset data elements into first cache of first subset of data elements, see [Abstract]. And [0014] a cyclic buffer is a first-in-first-out (FIFO) data structure in which data is stored (pushed) to the end of the cyclic buffer and removed (popped) from the front… the system replaces a first tuple with a second tuple (e.g., replaces tuple i with tuple i+w+1) by popping tuple i from the front of the cyclic buffer, thereby causing the front and back of the buffer to be updated so that the next tuple i+1 is at the front of the cyclic buffer and, after tuple i is popped from the front of the buffer, pre-fetching the hash table entry for tuple i+w+1 and pushing it to the back of the cyclic buffer (i.e., to the memory location of where tuple i was previously store)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Polychroniou in the method of hash lookup table entry management of Arad-O’Connell by replacing first tuple with second tuple at the memory location using FIFO with cyclic buffer. This would have been obvious because the person having ordinary skill in the art would have been motivated to use cyclic buffer with FIFO data structure by pre-fetching the hash table entry to improve the computational efficiency (Polychroniou, [Abstract], [0014]).

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell combination as applied above to claim 4, in further view of Arad et al (US9,171,030B1, hereinafter, “Arad2”).
Regarding claim 7, Arad-O’Connell combination teaches:
The method of claim 4, 
While the combination of Arad-O’Connell does not explicitly teach, in the same field of endeavor Arad2 teaches:
further comprising: upon determining that the second data packet classification is to be deleted, emptying the location of the at least one of the temporary storage pipeline and/or the hash table at which the second data packet classification is located (Arad2, discloses freed up locations in the hash table for reinsertion of keys, see [Abstract]. And [Col. 8 lines 25-29] to allow insertion of the key X into the lookup table 304, the key insertion unit 310 deletes the key A from the hash table 306d, and inserts the key X into the freed up location in the hash table 306d. The key insertion unit 310 then attempts to insert the removed key A into a different one of the hash tables 306).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Arad2 in the method of hash lookup table entry management of Arad-O’Connell by deleting key A to free up location in hash table for key X. This would have been obvious because the person having ordinary skill in the art would have been motivated to free up the location in hash table for key insertion without causing key collision with keys preciously stored at respective locations (Arad2, [Abstract], [Col. 5 lines 16-20]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell combination as applied above to claim 1, in further view of Koren et al (US20170180253A1, hereinafter, “Koren”).
Regarding claim 8, Arad-O’Connell combination teaches:
The method of claim 1, wherein the computer-readable memory comprises a dedicated memory for storing the temporary storage pipeline (O’Connell, [0049] The circular buffer 530 may be stored in a memory module, such as the memory module 258 of the mitigation device 250 in FIG. 2) and 
While the combination of Arad-O’Connell does not explicitly teach the following limitation, in the same field of endeavor Koren teaches:
a Random-Access Memory (RAM) for storing the hash table (Koren, discloses method for searching packet classification information based on packet field values, see [Abstract]. And [0016] The memory 115 is a set of one or more memory modules configured to store and retrieve data in response to corresponding memory access requests. Accordingly, the memory 115 can be volatile memory such as random access memory (RAM), ...The memory 115 stores a hash table database 110 including a plurality of entries).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Koren in the method of hash lookup table entry management of Arad-O’Connell by storing hash table in RAM. This would have been obvious because the person having ordinary skill in the art would have been motivated to store hash table in volatile memory such as RAM for efficient processing of received packets (Koren, [Abstract], [0004]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell-Koren combination as applied above to claim 8, in further view of Murashov et al (US20150373167A1, hereinafter, “Murashov”).
Regarding claim 9, Arad-O’Connell-Koren combination teaches:
The method of claim 8, 
While the combination of Arad-O’Connell-Koren does not explicitly teach the following limitation, in the same field of endeavor Murashov teaches:
wherein the RAM comprises at least a first Quad Data Rate (QDR) SRAM memory and a second QDR SRAM memory (Murashov, discloses means for receiving, forwarding, inspecting of received data units, see [Abstract]. And [0116] The external memory component also comprises any number of Static Random Access Memory (SRAM) modules, such as Quadruple Data-Rate (QDR) SRAM 348, see Fig. 3 QDR SRAM).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Murashov in the method of hash lookup table entry management of Arad-O’Connell-Koren by using a plurality of QRD SRAM as RAM as external memory. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the QRD SRAM to rapidly access to data (Murashov, [Abstract], [0116]).

Claims 10-14 are rejected under 35 U.S.C. 103 as being unpatentable over Arad-O’Connell-Koren-Murashov combination as applied above, in further view of Levy et al (US20140310307A1, hereinafter, “Levy”).
Regarding claim 10, Arad-O’Connell-Koren-Murashov combination teaches:
The method of claim 9, 
While the combination of Arad-O’Connell-Koren-Murashov does not explicitly teach the following limitation, in the same field of endeavor Levy teaches:
wherein the hash table comprises a first sub-hash table stored in a first memory and a second sub-hash table stored in a second memory (Levy, discloses method for lookup key for network packet using hash function, see [Abstract]. And [0028] In the embodiment shown in FIG. 1, the multi-hash lookup table 26 is subdivided into four hash table portions (i.e. sub-hash table) stored in four different memory banks (i.e. first, second memory) 30-1 through 30-4 of lookup memory 24).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Levy in the method of hash lookup table entry management of Arad-O’Connell-Koren-Murashov by subdividing hash table portions into different memory banks. This would have been obvious because the person having ordinary skill in the art would have been motivated to key search or insertion can be performed according to the memory banks of multi-hash lookup table corresponding to the hash functions (Levy, [Abstract], [0028]).

Regarding claim 11, Arad-O’Connell-Koren-Murashov-Levy combination teaches:
The method of claim 10, 
Levy further teaches: wherein the hash function comprises a first sub-hash function directing to the first sub-hash table and a second sub-hash function directing to the second sub- hash table (Levy, [0021] each hash table corresponding to a larger key is restricted to a particular set of the memory banks based on the key size, and the particular hash function used to access the hash table depends on which set of memory banks is utilized. In one embodiment, for example, each hash table is accessed using a hash function associated with a first memory bank of the grouping of one or more memory banks corresponding to that hash table).  

Regarding claim 12, Arad-O’Connell-Koren-Murashov-Levy combination teaches:
The method of claim 11, 
O’Connell further teaches: wherein the determining the location in the hash table at which the data packet classification is to be inserted comprises applying the first sub-hash function to the network address to generate a first sub-hash table location associated with the first sub-hash table and applying the second sub-hash function to the network address to generate a second sub-hash table location associated with the second sub-hash table (O’Connell, [0048] The mitigation device may then execute a hash function 510 on the destination address signature to generate a destination signature hash (i.e. generate a first sub-hash table location, or second sub-hash table location), which is then stored in a hash table 515 along with the total count for number of occurrences of the destination signature hash in the data packet window. The use of a hash table 515 allows for faster searching of particular destination address signatures. Examiner notes, the generation of location in the hash table for first sub-hash table location can be applied to generation of location in the hash table for second sub-hash table location).  

Regarding claim 13, Arad-O’Connell-Koren-Murashov-Levy combination teaches:
The method of claim 12, 
Arad further teaches: wherein the determining if the location in the hash table is an empty cell comprises determining if one of the first sub-hash table location and the second sub-hash table location is an empty cell, and wherein inserting the data packet classification in the empty cell comprises inserting the data packet classification in one of the first sub-hash table location and the second sub-hash table location (Arad, [Col. 7 lines 52-55] Referring first to FIG. 2A, the hash table 200 is initially empty, in the illustrated embodiment. A first key K.sub.1 to be inserted into the hash table 200 hashes to a hash value h.sub.1 corresponding to the memory location 202-1).  

Regarding claim 14, Arad-O’Connell-Koren-Murashov-Levy combination teaches:
The method of claim 13, 
Arad further teaches: wherein the determining if the location in the hash table is not an empty cell comprises determining if none of the first sub-hash table location and the second sub-hash table location is an empty cell, and wherein transferring the pre-existing data packet classification from the hash table to the temporary storage pipeline comprises transferring the pre-existing data packet classification from one of the first sub-hash table and the second sub- hash table to the temporary storage pipeline (Arad, [Col. 13 lines 44-51] On the other hand, if it determined at block 504 that each memory location in the current set of memory locations is occupied by some previously stored key that is currently stored in the hash table, the method proceeds to block 508. Block 508 attempts to iteratively move one or multiple previously stored key in the hash table to other memory locations in the hash table to free up a memory location in the current set of memory locations).  

Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Dumitrescu et al (US20150341473A1) discloses method for packet flow classification on a computing device include a hash table including a plurality of hash table buckets in which each hash table bucket maps a plurality of keys to corresponding traffic flows.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436