DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 2, 7, 8, 13, 14, and 19-21 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Norton et al. (US 2004/0205360), hereafter “Norton,” in view of Churchyard (US 7,039,702).
Regarding claim 2, Norton teaches a method, comprising: 	parsing data traffic to extract at least one protocol field of a protocol message of the data traffic to generate an extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074);	associating the extracted protocol field with a selected model (rule set) of a set of models for the extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074);	assessing whether contents of the extracted protocol field are in a safe region as defined by the selected model (Norton: 340 of FIG. 3; par 0075, 0095 [The protocol field search allows a signature to specify a particular field within a protocol to search for a content match. For example, an IDS uses the `uricontent` keyword to search HTTP request URI fields.]); and 	generating an intrusion detection signal based on whether the contents of the extracted protocol field is outside the safe region (Norton: 680 of FIG. 6; par 0018 [The logging system logs intrusion events in a file or provides alerts to users.], 0108). 	Norton does not explicitly teach: 	assessing whether contents of the extracted protocol field are in a safe region of values for the at least one protocol field; and 	generating an intrusion detection signal based on whether the contents of the extracted protocol field is outside the safe region of values. 	Churchyard teaches: 	assessing whether contents of the extracted protocol field are in a safe region of values for the at least one protocol field (Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]); and 	generating an intrusion detection signal based on whether the contents of the extracted protocol field is outside the safe region of values (Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]). 	It would have been obvious to implement the range detection rules of Churchyard within the Norton system with predictable results. One would be motivated to make the combination to provide the predictable benefit of extending matching/comparing of values to ranges rather than exclusively singular values thereby enhancing the efficiency of the system (i.e. fewer rules needed to designate multiple values). A high likelihood of success is anticipated given that Churchyard and Norton both disclose systems having rules for intrusion detection purposes. Further, in view of this substantial similarity it would have been readily apparent to one of ordinary skill that various beneficial features of Churchyard could have been implemented in the Norton system with predictable results and a beneficial effect. 

Regarding claim 7, the method of claim 2, further comprising, in response to generating the intrusion detection signal outputting an intrusion alert message (Norton: par 0018). 

Regarding claim 8, a system, comprising: 	a processing device (Norton: 240 of FIG. 2; par 0156) to: 	parse data traffic to extract at least one protocol field of a protocol message of the data traffic to generate an extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074); 	associate the extracted protocol field with a selected model of a set of models for the extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074); 	assess whether contents of the extracted protocol field are in a safe region of values for the at least one protocol field as defined by the selected model (Norton: 340 of FIG. 3; par 0075, 0095 [The protocol field search allows a signature to specify a particular field within a protocol to search for a content match. For example, an IDS uses the `uricontent` keyword to search HTTP request URI fields.]; Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]); and 	generate an intrusion detection signal based on whether the contents of the extracted protocol field is outside the safe region of values (Norton: 680 of FIG. 6; par 0018 [The logging system logs intrusion events in a file or provides alerts to users.], 0108; Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]). 

Regarding claim 13, the system of claim 8, wherein the processing device is further to, in response to generating the intrusion detection signal outputting an intrusion alert message (Norton: par 0018). 

Regarding claim 14, a non-transitory computer readable medium having instructions stored thereon which, when executed by a processing device, causes the processing device (Norton: par 0156) to: 	parse data traffic to extract at least one protocol field of a protocol message of the data traffic to generate an extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074); 	associate the extracted protocol field with a selected model of a set of models for the extracted protocol field (Norton: 330 of FIG. 3; par 0055, 0056, 0074); 	assess, by the processing device, whether contents of the extracted protocol field are in a safe region of values for the at least one protocol field as defined by the selected model (Norton: 340 of FIG. 3; par 0075, 0095 [The protocol field search allows a signature to specify a particular field within a protocol to search for a content match. For example, an IDS uses the `uricontent` keyword to search HTTP request URI fields.]; Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]); and 	generate an intrusion detection signal based on whether the contents of the extracted protocol field is outside the safe region of values (Norton: 680 of FIG. 6; par 0018 [The logging system logs intrusion events in a file or provides alerts to users.], 0108; Churchyard: col. 3 line 63 – col. 4 line 8 […rules specifying packet fields and a value or range of values that are permitted or denied…the rules 304 may specify actions that need to be performed based on the detected network communications. Typical actions include logging a packet, enabling packet capture, security actions (i.e. firewalling, intrusion detection)…]). 

Regarding claim 19, the computer readable program of claim 14, wherein the processing device is further to, in response to generating the intrusion detection signal outputting an intrusion alert message (Norton: par 0018).

Regarding claim 20, the computer readable program of claim 14, wherein the model for the protocol field comprises a set of predefined intrusion signatures (Norton: par 0095). 

Regarding claim 21, the computer readable program of claim 14, wherein the protocol message is one of a SCADA protocol message, an industrial control network protocol message, a data center network protocol message, an office data network protocol message, or a HTTP protocol message (Norton: par 0095).

Claims 3-5, 9-11, and 15-17 is/are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Norton et al. (US 2004/0205360), in view of Churchyard (US 7,039,702), and further in view of Kashyap et al. (US 2011/0149736), hereafter “Kashyap.”
Regarding claim 3, Norton teaches the method of claim 2, wherein the set of models comprises a model for an argument protocol field (Norton: par 0095). 	Norton-Churchyard does not teach: 	a model for an operator protocol field.	Kashyap teaches: 	a model for an operator protocol field (Kashyap: par 0090 […a "number" operator can be used to define a match condition based on a packet field being equal to a particular numerical value…]). 	It would have been obvious to one of ordinary skill in the art to implement the operator matching rules of Kashyap within the Norton-Churchyard system with predictable results. One would be motivated to make the combination because the rule structures of Norton-Churchyard and Kashyap are substantially similar and are both used to analyze protocol fields of packets. Accordingly, a high likelihood of success is anticipated. One would further be motivated to make the combination to provide the unique benefits of Kashyap’s rule formats to allow users greater abilities to specify the criteria used to identify particular packets within the rules. One would further be motivated to make the combination because in view of the substantial similarity of the references it would have been apparent to one of ordinary skill that various beneficial features of Kashyap could have been implemented within the Norton system with predictable results and a beneficial effect. 

Regarding claim 4, the method of claim 2, wherein the protocol message comprises at least one primitive protocol field and at least one composite protocol field (Kashyap: par 0090).

Regarding claim 5, the method of claim 2, wherein the set of models comprises a respective model for each protocol field of the set of protocol fields (Kashyap: par 0090; Norton: par 0094, 0095). 

Regarding claim 9, the system of claim 8, wherein the set of models comprises a model for an operator protocol field and a model for an argument protocol field (Kashyap: par 0090 […a "number" operator can be used to define a match condition based on a packet field being equal to a particular numerical value…]; Norton: par 0095). 

Regarding claim 10, the system of claim 8, wherein the protocol message comprises at least one primitive protocol field and at least one composite protocol field (Kashyap: par 0090). 

Regarding claim 11, the system of claim 8, wherein the set of models comprises a respective model for each protocol field of the set of protocol fields (Kashyap: par 0090; Norton: par 0094, 0095). 

Regarding claim 15, the non-transitory computer readable medium of claim 14, wherein the set of models comprises a model for an operator protocol field and a model for an argument protocol field (Kashyap: par 0090 […a "number" operator can be used to define a match condition based on a packet field being equal to a particular numerical value…]; Norton: par 0095). 

Regarding claim 16, the non-transitory computer readable medium of claim 14, wherein the protocol message comprises at least one primitive protocol field and at least one composite protocol field (Kashyap: par 0090).

Regarding claim 17, the non-transitory computer readable medium of claim 14, wherein the set of models comprises a respective model for each protocol field of the set of protocol fields (Kashyap: par 0090; Norton: par 0094, 0095).

Claims 6, 12, and 18 are rejected as being unpatentable over Norton et al. (US 2004/0205360), in view of Churchyard (US 7,039,702), and further in view of Soni et al. (US 2007/0110053), hereafter “Soni.”
Regarding claim 6, Norton-Churchyard does not explicitly teach the method of claim 2, wherein the intrusion detection signal is further generated when the extracted protocol field cannot be associated with any of the models of the set of models. 	Soni teaches: 	wherein an intrusion detection signal is further generated when an extracted protocol field cannot be associated with any models of a set of models (Soni: Table 2 [Illegal TCP options]; par 0117). 	It would have been obvious to one of ordinary skill in the art to implement the malformed packet detection and handling of Soni within the Norton system with predictable results. One would be motivated to make the combination because various network attacks are performed using malformed packets and adapting the technique of Soni within the Norton system would provide the predictable benefits of detecting and handling these types of attacks. One would further be motivated to make the combination because of the substantial similarity of the references. Both Norton and Soni disclose systems for intrusion detection through packet analysis. In view of this substantial similarity it would have been readily apparent to one of ordinary skill that various beneficial features of Soni could have been implemented within the Norton system with predictable results and a beneficial effect. 

Regarding claim 12, the system of claim 8, wherein the processing device is to generate the intrusion detection signal when the extracted protocol field cannot be associated with any of the models of the set of models (Soni: Table 2 [Illegal TCP options]; par 0117).

Regarding claim 18, the non-transitory computer readable medium of claim 14, wherein the processing device is to generate the intrusion detection signal when the extracted protocol field cannot be associated with any of the models of the set of models (Soni: Table 2 [Illegal TCP options]; par 0117).

Response to Arguments
Applicant’s arguments, filed 05 August 2022, have been fully considered but are moot in view of the new grounds of rejection presented herein.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES E SPRINGER whose telephone number is (571)270-5640. The examiner can normally be reached 9am - 5:30pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GLENTON BURGESS can be reached on 571-272-3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JAMES E. SPRINGER
Primary Examiner
Art Unit 2454



/JAMES E SPRINGER/           Primary Examiner, Art Unit 2454