Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
Claims 1-20 have been examined and are pending.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 12-13 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 12 recites “sending…a corresponding first request instructing the plurality of other smart brokers to apply the second filter to network traffic…”. However, first requests were initially associated with first filters as indicated in lines 2-3 of claim 9.  The claim language is unclear, since “corresponding first requests” are related to first requests, which are associated with first filters, and as such, it is unclear if the applicant intended “corresponding first requests” to be associated with a second filter.  
Claim 13 recites “sending, to the plurality of other smart packet brokers, a second request instructing the plurality of other smart packet brokers to apply the second filter to network traffic…”  It is vague and unclear why the invention requires sending a second request to apply the same filter that has already been applied in Claim 12 in which Claim 13 depends on.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 1, 4, 8, 14, and 17 is/are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by US 2011/0149736 A1 to Kashyap et al. (hereinafter “Kashyap”)

Regarding Claim 1, Kashyap teaches A method comprising: 
receiving, at a first smart packet broker from a switch manager, a first request instructing the first smart packet broker to apply a first filter to first network traffic being processed by a first switching system associated with a switch fabric, ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0224], discloses the network administrator (i.e. switch manager) also specifies (i.e. request to apply a first filter) one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress), one or more VLANs a rule is applicable to, or whether the rule is a wildcard rule applicable to all ports)
the first switching system including a plurality of ports and configured to switchably couple sets of ports from the plurality of ports;  (Figure 5 and [0223], discloses  The network switch 508 has one or more ports of ingress 510 and one or more ports of egress 512)
applying, by the first smart packet broker, the first filter to the first network traffic using the first switching system, the first filter having a first set of defined attributes; and  ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0073], discloses In a second implementation, the one or more rules 402a, 402b, and 402c build on and extend other rules based on matching conditions defined in terms of matching packet profiles, including matching data in the packet header (i.e. first filter having a first set of defined attributes). The following example illustrates such a rule, rule1, for incrementing a counter, counter1, when a packet destined for a particular subnet (having address 192.168.16.0/24 and port 2049) is encountered. This is followed by a second rule, rule2, that denies access by these packets to the network switch if the contents of counter1 exceed a threshold of 1,000,000)
filtering, from the first network traffic, first data corresponding to the first set of defined attributes to the switch manager. (Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. first data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering first data to the switch manager))


Regarding Claim 4, Kashyap teaches The method of claim 1, further comprising: 
receiving, at a second smart packet broker from the switch manager, a second request instructing the second smart packet broker apply the first filter to second network traffic being processed by a second switching system that is different from the first switching system; ([0023] and [0235], discloses one or more non gateway switches and one or more gateway switches (i.e. including a first and second switching system) performing the methods illustrated in Figures 1-3. [0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a second filter) on an ongoing basis as packets are received at the switch. [0224], discloses the network administrator (i.e. switch manager) also specifies (i.e. request to apply a second filter) one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress), one or more VLANs a rule is applicable to, or whether the rule is a wildcard rule applicable to all ports)
applying, by the second smart packet broker, the first filter to the second network traffic using the second switching system; and  (Figure 5 and [0223], discloses the network switch 508 has one or more ports of ingress 510 and one or more ports of egress 512)
filtering, from the second network traffic, second data corresponding to the first set of defined attributes to the switch manager. (Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. second data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering second data to the switch manager))

Regarding Claim 8, Kashyap teaches the method of claim 1, wherein the first switching system comprises a smart network card interface (SmartNIC), a physical network switch, or a virtual network switch. (Figure 5 and [0223], discloses  the network switch 508 (i.e. physical network switch))

Regarding Claim 14, Kashyap teaches A system comprising: 
one or more processors; and a non-transitory memory storing instructions that, when executed by the one or more processors, cause the system to: (Figure 4 and 5 and [0067] and [0023], discloses network switch 508 comprising processor readable media 400 working with processor 506)
receive, at a first smart packet broker from a switch manager, a first request instructing the first smart packet broker to apply a first filter to first network traffic being processed by a first switching system associated with a switch fabric, ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0224], discloses the network administrator (i.e. switch manager) also specifies (i.e. request to apply a first filter) one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress), one or more VLANs a rule is applicable to, or whether the rule is a wildcard rule applicable to all ports)
the first switching system including a plurality of ports and configured to switchably couple sets of ports from the plurality of ports;  (Figure 5 and [0223], discloses  The network switch 508 has one or more ports of ingress 510 and one or more ports of egress 512)
apply, by the first smart packet broker, the first filter to the first network traffic using the first switching system, the first filter having a first set of defined attributes; and  ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0073], discloses In a second implementation, the one or more rules 402a, 402b, and 402c build on and extend other rules based on matching conditions defined in terms of matching packet profiles, including matching data in the packet header (i.e. first filter having a first set of defined attributes). The following example illustrates such a rule, rule1, for incrementing a counter, counter1, when a packet destined for a particular subnet (having address 192.168.16.0/24 and port 2049) is encountered. This is followed by a second rule, rule2, that denies access by these packets to the network switch if the contents of counter1 exceed a threshold of 1,000,000)
filter, from the first network traffic, first data corresponding to the first set of defined attributes to the switch manager. (Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. first data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering first data to the switch manager))

Claim 17 is rejected for having the same limitations as claim 4 above, except the claim is in system format.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 2-3 and 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap in view of US 2004/0039820 A1 to Colby et al. (hereinafter “Colby”)


Regarding Claim 2, Kashyap teaches The method of claim 1, wherein: 
Kashyap teaches the sets of ports include a first set of ports having a first port and second port; (Figure 5 and [0223], discloses  The network switch 508 has one or more ports of ingress 510 (i.e. first port) and one or more ports of egress 512 (i.e. second port) and filtering the first data corresponding to the first set of defined attributes to the switch manager includes determining which packets received at the first port of the first switching system to forward to the second port of the first switching system ([0224], discloses the one or more processors 506 are configured to compile the one or more rules into executable form, and then execute the one or more rules to perform the one or more network switch functions. In this implementation, the network administrator also specifies one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress))
Kashyap does not explicitly teach a first port mapped to a second port.
However, the concept of mapping a first port to a second port in a plurality of ports is well known in the art.  For example, in a similar field of endeavor, Colby discloses in [0003], the architecture of a typical data switch consists of four primary components: (1) a number of physical network ports (both ingress ports and egress ports), (2) a data plane, (3) a control plane, and (4) a management plane. The data plane, sometimes referred to as the "fastpath," is responsible for moving packets from ingress ports of the data switch to egress ports of the data switch based on addressing information contained in the packet headers and information from the data switch's forwarding table. The forwarding table contains a mapping between all the network addresses the data switch has previously seen and the physical port on which packets destined for that address should be sent.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kashyap to include the above limitations as suggested by Colby, such that future packets to the same destination may be forwarded directly by the data plane as indicated in [0003] of Colby, which would result in less processing and faster transmission times.

Regarding Claim 3, Kashyap/Colby teaches The method of claim 2, further comprising: 
Kashyap further teaches responsive to filtering the first data to the switch manager, receiving, at the first smart packet broker from the switch manager, a second request instructing the first smart packet broker to block one or more of the plurality of ports; and signaling the first switching system to block the one or more of the plurality of ports. ([0054]-[0055], discloses the network administrator can examine the packets (i.e. filtered first data) and take appropriate action. In a third example, the network anomaly comprises excessive utilization of a particular switch port, and the method monitors the rate at which packets are received at or transmitted from this particular port. If the rate exceeds a threshold, the method takes appropriate action to mitigate the anomaly, such as by disabling the port.)

Claims 15 and 16 are rejected for having the same limitations as claims 2 and 3, respectively, except the claims are in system format.

Claim(s) 4-6, 9-13, and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap in view of US 2020/0186499 A1 to Benjamin (hereinafter “Benjamin”)

Regarding Claim 4, Kashyap teaches The method of claim 1, further comprising: 
receiving, at a second smart packet broker from the switch manager, a second request instructing the second smart packet broker apply the filter to second network traffic being processed by a second switching system that is different from the first switching system; applying, by the second smart packet broker, the first filter to the second network traffic using the second switching system; and filtering, from the second network traffic, second data corresponding to the first set of defined attributes to the switch manager. ([0199], The rule structure allows one or more rules embodying any of the methods illustrated in FIGS. 1-3 to be formulated and then realized on a particular switch by downloading them to the switch, and then arranging to have one or more processors at the switch compile the rules into executable form (if not already in that form) and execute the rules on an ongoing basis as packets are received at the switch. [0023], further discloses a plurality of non-gateway switches and gateway switches (i.e. including first and second switching systems). Examiner notes that each non-gateway/gateway switch has corresponding network traffic (i.e. first and second network traffic), and when filtered, have corresponding filtered data (i.e. first and second data).
Kashyap does not explicitly teach receiving, at a second smart packet broker from the switch manager, a second request instructing the second smart packet broker apply the first filter to second network traffic being processed by a second switching system that is different from the first switching system; 
However, the concept of applying the same filter to multiple network devices is well known in the art. For example, in a similar field of endeavor, Benjamin discloses in [0016], distribution of filters generated by the filter management system to a wide range of devices within a network including switches.  Figure 1 and [0019], illustrates a plurality of network devices implementing filters deployed by filter management system. Each of ND-1 110 (i.e. first switching system), ND-3 114 (i.e. second switching system, server 120, and DNS server 130 are illustrated as including respective filters 132a-132e. The filters 132a-132e are configured to receive and analyze network traffic (incoming and/or outgoing) and to apply one or more filter rules that determine whether such traffic has one or more attributes. If the traffic does not include the attributes, the traffic is passed through the filter. If, on the other hand, the traffic includes the attributes, additional actions are taken.  [0037], discloses the filter management system 122 may generate multiple sets of filters for use in different parts of a network environment or for implementation in different devices. For example, in one implementation, the filter management system 122 may maintain different sets of blocklist data for different networks or subnetworks (e.g., networks belonging to different customers). Accordingly, the filters generated by the filter management system 122 may vary between the any two networks/subnetworks. [0040], discloses the filter management system configured to generate and or distribute filters at a device-specific level, for all devices within a subnetwork or network (i.e. including a second switching system different from the first switching system), or at any other level.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kashyap to include the above limitations as suggested by Benjamin, in order to provide improved security within the network as indicated in [0014] of Benjamin.


Regarding Claim 5, Kashyap/Benjamin teaches The method of claim 4, further comprising: 
Benjamin teaches receiving, at the first smart packet broker and the second smart packet broker from the switch manager, a second request instructing the first smart packet broker and the second smart packet broker to apply a second filter, ([0033], discloses deployment of a reconfiguration message or similar update to devices implementing filters within the network environment. In certain cases, the reconfiguration message or update may instantiate one or more new filters within the device. Alternatively, the reconfiguration message may update or otherwise modify existing filters of the device)
Kashyap/Benjamin further teaches the second filter being determined by the switch manager based on the filtered first data and the filtered second data, the second filter having a second set of defined attributes; applying, by the first smart packet broker, the second filter to the first network traffic using the first switching system; filtering, from the first network traffic, third data corresponding to the second set of defined attributes to the switch manager; applying, by the second smart packet broker, the second filter to the second network traffic using the second switching system; and filtering, from the second network traffic, fourth data corresponding to the second set of defined attributes to the switch manager. (Kashyap, Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. second data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering second data to the switch manager) to determine if a network anomaly is present. Benjamin discloses in [0014], a filter management system that uses a collection of identified threats, referred to herein as “blocklist data”, to generate a one or more filters that may be implemented in networked devices having filtering functionality. The blocklist data may be regularly updated and filters based on the blocklist data may be regularly regenerated and redistributed, thereby providing improved security within the network) 
Examiner maintains same motivation to combine as indicated in Claim 4 above.

Regarding Claim 6, Kashyap/Benjamin teaches The method of claim 1, further comprising:
receiving, at the first smart packet broker from the switch manager, a second request instructing the first smart packet broker apply a second filter to the first network traffic, the second filter having a second set of defined attributes that is different than the first set of defined attributes of the first filter; applying, by the first smart packet broker, the second filter to the first network traffic using the first switching system; and filtering, from the first network traffic, second data corresponding the second set of defined attributes to the switch manager. ([0199], The rule structure allows one or more rules embodying any of the methods illustrated in FIGS. 1-3 to be formulated and then realized on a particular switch by downloading them to the switch, and then arranging to have one or more processors at the switch compile the rules into executable form (if not already in that form) and execute the rules on an ongoing basis as packets are received at the switch. [0023], further discloses a plurality of non-gateway switches and gateway switches (i.e. including first and second switching systems). Examiner notes that each non-gateway/gateway switch has corresponding network traffic (i.e. first and second network traffic), and when filtered, have corresponding filtered data (i.e. first and second data).
Kashyap does not explicitly teach responsive to the filtered data being received by the switch manager from other switching systems, receiving, at the first smart packet broker from the switch manager, a second request instructing the first smart packet broker apply a second filter to the first network traffic.
However, in a similar field of endeavor, Benjamin discloses in [0016], distribution of filters generated by the filter management system to a wide range of devices within a network including switches.  Figure 1 and [0019], illustrates a plurality of network devices implementing filters deployed by filter management system. Each of ND-1 110 (i.e. first switching system), ND-3 114 (i.e. second switching system, server 120, and DNS server 130 are illustrated as including respective filters 132a-132e. The filters 132a-132e are configured to receive and analyze network traffic (incoming and/or outgoing) and to apply one or more filter rules that determine whether such traffic has one or more attributes. If the traffic does not include the attributes, the traffic is passed through the filter. If, on the other hand, the traffic includes the attributes, additional actions are taken.  [0037], discloses the filter management system 122 may generate multiple sets of filters for use in different parts of a network environment or for implementation in different devices. For example, in one implementation, the filter management system 122 may maintain different sets of blocklist data for different networks or subnetworks (e.g., networks belonging to different customers). Accordingly, the filters generated by the filter management system 122 may vary between the any two networks/subnetworks. [0040], discloses the filter management system configured to generate and or distribute filters at a device-specific level, for all devices within a subnetwork or network (i.e. including a second switching system different from the first switching system), or at any other level. Benjamin further discloses in [0014], a filter management system that uses a collection of identified threats, referred to herein as “blocklist data”, to generate a one or more filters that may be implemented in networked devices having filtering functionality. The blocklist data may be regularly updated and filters based on the blocklist data may be regularly regenerated and redistributed, thereby providing improved security within the network)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kashyap to include the above limitations as suggested by Benjamin, in order to provide improved security within the network as indicated in [0014] of Benjamin.

Regarding Claim 9, Kashyap teaches A method comprising: 
sending, to a first smart packet broker, a first request instructing the first smart packet broker to apply a first filter to first network traffic processed by a first switching system, ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0224], discloses the network administrator (i.e. switch manager) also specifies (i.e. request to apply a first filter) one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress), one or more VLANs a rule is applicable to, or whether the rule is a wildcard rule applicable to all ports)
the first filter having a first set of defined attributes; ([0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a first filter) on an ongoing basis as packets are received at the switch. [0073], discloses In a second implementation, the one or more rules 402a, 402b, and 402c build on and extend other rules based on matching conditions defined in terms of matching packet profiles, including matching data in the packet header (i.e. first filter having a first set of defined attributes). The following example illustrates such a rule, rule1, for incrementing a counter, counter1, when a packet destined for a particular subnet (having address 192.168.16.0/24 and port 2049) is encountered. This is followed by a second rule, rule2, that denies access by these packets to the network switch if the contents of counter1 exceed a threshold of 1,000,000)
receiving first filter data corresponding to the first set of defined attributes from the first switching system; (Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. first data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering first data to the switch manager))
(Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. first data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering first data to the switch manager))
detecting, based on the first filter data, a network condition; ([0022], discloses the method mirrors or redirects the one or more packets to the externally-accessible port if the one or more specified conditions are met. For example, in this step, if the average ping-type packet size exceeds the specified threshold, indicating abnormally large ping-type packets and a potential network anomaly, the method might mirror the ping-type packets to a port accessible by a network administrator or external appliance, allowing the network administrator or external appliance to examine the packets to determine if in fact a network anomaly is present)
Kashyap does not explicitly teach determining, based on the network condition, a second filter; and sending, to the first smart packet broker, a second request instructing the first smart packet broker to apply a second filter to the first network traffic processed by the first switching system, the second filter having a second set of defined attributes that is different from the first set of defined attributes of the first filter.
However, the concept of applying an updated filter is well known in the art. For example, in a similar field of endeavor, Benjamin discloses in [0016], distribution of filters generated by the filter management system to a wide range of devices within a network including switches.  Figure 1 and [0019], illustrates a plurality of network devices implementing filters deployed by filter management system. Each of ND-1 110 (i.e. first switching system), ND-3 114 (i.e. second switching system, server 120, and DNS server 130 are illustrated as including respective filters 132a-132e. The filters 132a-132e are configured to receive and analyze network traffic (incoming and/or outgoing) and to apply one or more filter rules that determine whether such traffic has one or more attributes. If the traffic does not include the attributes, the traffic is passed through the filter. If, on the other hand, the traffic includes the attributes, additional actions are taken. [0033], discloses deployment of a reconfiguration message or similar update to devices implementing filters within the network environment. In certain cases, the reconfiguration message or update may instantiate one or more new filters (i.e. second filter) within the device. Alternatively, the reconfiguration message may update or otherwise modify existing filters of the device. [0014], further discloses a filter management system that uses a collection of identified threats (i.e. network conditions), referred to herein as “blocklist data”, to generate a one or more filters that may be implemented in networked devices having filtering functionality. The blocklist data may be regularly updated and filters based on the blocklist data may be regularly regenerated and redistributed, thereby providing improved security within the network)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kashyap to include the above limitations as suggested by Benjamin, in order to provide improved security within the network as indicated in [0014] of Benjamin. 

Regarding Claim 10, Kashyap/Benjamin teaches The method of claim 9, further comprising: 
Benjamin further teaches receiving second filter data corresponding to the second set of defined attributes from the first switching system; processing the second filter data to confirm the network condition; and executing a remedial action to address the network condition. ([0035], discloses Because of this over-inclusiveness, filters generated by the filter management system 122 may be implemented as the first of multiple filters in a given device and may be used to significantly reduce the number of packets requests for which additional analysis may be required. So, for example, a given filter generated by the filter management system 122 may capture 3% of packets for further processing by a secondary filter, but may allow the remaining 97% of packets to pass. The captured 3% of packets may then be passed through one or more additional filters (i.e. second filter)) to further evaluate whether such packets (i.e. second filter data) are associated with a threat (i.e. confirm a threat) and should be blocked (i.e. executing a remedial action))
Examiner maintains same motivation to combine as indicated in Claim 9 above.

Regarding Claim 11, Kashyap/Benjamin teaches The method of claim 10, wherein Kashyap further teaches the network condition includes one or more of an increase in volume of the first network traffic relative to a threshold and a detected pattern of first network traffic that corresponds to a defined pattern. ([0012], discloses one or more conditions based on the one or more usage-derived packet statistics, such as whether the cumulative count of packet bytes received at the switch from the particular user or transmitted from the switch by a particular user exceeds a specified threshold)


Regarding Claim 12, Kashyap/Benjamin teaches The method of claim 9, further comprising: 
Kashyap further teaches sending, to a plurality of other smart packet brokers respectively associated with a plurality of other switching systems, a corresponding first request instructing the plurality of other smart packet brokers to apply the second filter to network traffic processed by the plurality of other smart packet brokers; ([0023] and [0235], discloses one or more non gateway switches and one or more gateway switches (i.e. including a first and second switching system) performing the methods illustrated in Figures 1-3. [0199], discloses rules downloaded to a switch (i.e. switching system associated with a switch fabric), and then arranging to have one or more processors at the switch (i.e. first smart packet broker) compile the rules into executable form (if not already in that form) and execute the rules (i.e. apply a second filter) on an ongoing basis as packets are received at the switch. [0224], discloses the network administrator (i.e. switch manager) also specifies (i.e. request to apply a second filter) one or more ports a rule is applicable to (as well as the port direction, whether ingress or egress), one or more VLANs a rule is applicable to, or whether the rule is a wildcard rule applicable to all ports)
and receiving other first filter data corresponding to the first set of defined attributes from the plurality of other switching systems, (Figure 3 and [0057]-[0063], discloses receiving or transmitting one or more packets at the network switch, updating one or more usage-derived packet statistics responsive to the receipt or transmission of the one or more packet, determining if one or more conditions are met, the one or more conditions comprising or including one or more conditions based on the one or more usage-derived packet statistics, and mirroring or redirecting the one or more packets to the externally accessible port if the one or more conditions are met (i.e. other first data corresponds to the first set of defined attributes), where they may be examined by a network administrator or external appliance (i.e. filtering other first data to the switch manager))
Kashyap/Benjamin further teaches wherein detecting the network condition further includes processing the first filter data and the other first filter data corresponding to the first set of defined attributes to detect the network condition. (Kashyap, [0054]-[0055], discloses the network administrator can examine the packets (i.e. filtered data) and take appropriate action. In a third example, the network anomaly comprises excessive utilization of a particular switch port, and the method monitors the rate at which packets are received at or transmitted from this particular port. If the rate exceeds a threshold, the method takes appropriate action to mitigate the anomaly, such as by disabling the port. [0038], further discloses in another example, the blocklist data 124 may include a relative threat-related metric for each entry of the blocklist data 124. So, for example, a known and verified threat may be assigned a score of 1.0 (on a scale of 0 to 1.0) while a suspected but unverified threat may be assigned a lower score, e.g., 0.6. Accordingly, the score may provide a general indication of a confidence level regarding whether the blocklist data entry indicates an actual threat. Different devices, networks, or subnetworks may then be assigned different security thresholds that may then be used by the filter management system 122 to selectively include or exclude blocklist data entries when generating filters for the devices, networks, or subnetworks. (i.e. detecting the network condition further includes processing the first filter data and the other first filter data corresponding to the first set of defined attributes to detect the network condition))
Examiner maintains same motivation to combine as indicated in Claim 9 above.

Regarding Claim 13, Kashyap/Benjamin teaches The method of claim 12, further comprising:
Kashyap further teaches sending, to the plurality of other smart packet brokers, a second request instructing the plurality of other smart packet brokers to apply the second filter to network traffic processed by the plurality of other switching systems; receiving other second filter data corresponding to the second set of defined attributes from the plurality of other switching systems; receiving second filter data corresponding to the second set of defined attributes from the first switching system; ([0199], The rule structure allows one or more rules embodying any of the methods illustrated in FIGS. 1-3 to be formulated and then realized on a particular switch by downloading them to the switch, and then arranging to have one or more processors at the switch compile the rules into executable form (if not already in that form) and execute the rules on an ongoing basis as packets are received at the switch. [0023], further discloses a plurality of non-gateway switches and gateway switches (i.e. including first system and other switching systems). Examiner notes that each non-gateway/gateway switch has corresponding network traffic, and when filtered, have corresponding filtered data (i.e. second filtered data from first and other switching systems)).
Benjamin further teaches processing the second filter data to confirm the network condition; and executing a remedial action to address the network condition. ([0035], discloses Because of this over-inclusiveness, filters generated by the filter management system 122 may be implemented as the first of multiple filters in a given device and may be used to significantly reduce the number of packets requests for which additional analysis may be required. So, for example, a given filter generated by the filter management system 122 may capture 3% of packets for further processing by a secondary filter, but may allow the remaining 97% of packets to pass. The captured 3% of packets may then be passed through one or more additional filters (i.e. second filter)) to further evaluate whether such packets (i.e. second filter data) are associated with a threat (i.e. confirm a threat) and should be blocked (i.e. executing a remedial action)) 
Examiner maintains same motivation to combine as indicated in Claim 9 above.

Claims 17-19 are rejected for having the same limitations as claims 4-6, respectively, except the claims are in system format.



Claim(s) 7 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kashyap in view of US 2015/0089045 A1 to Agarwal et al. (hereinafter “Agarwal”)

Regarding Claim 7, Kashyap teaches the method of claim 1, further comprising:
Kaskyap does not explicitly teach redistributing further network traffic processed by the switch fabric based on at least the first data filtered to the switch manager.
However, in a similar field of endeavor, [0064], discloses In addition to the switch 300, the mechanisms of the illustrative embodiments further make use of a collector computing device 320 that collects sampled data packets from the switch 300 (i.e. filtered data to the switch manager), stores them, and analyzes the data packets to generate data traffic characteristic information that may be output to a network administrator or other authorized user via the network administrator computing device 340, provided to a traffic engineering system 350 in order to automatically perform traffic engineering operations, such as load balancing of links (i.e. redistribution of further network traffic), deployment of resources, reconfiguration of resources, or the like.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kashyap to include the above limitations as suggested by Agarwal, in order to optimize data traffic flows as indicated in [0018] of Agarwal.

Claim 20 is rejected for having the same limitations as claim 7, except the claim is in system format.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENKEY VAN whose telephone number is (571)270-7160. The examiner can normally be reached Monday - Friday 9am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Gregory Sefcheck can be reached on (571)272-3098. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JENKEY VAN/           Primary Examiner, Art Unit 2477