DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Terminal Disclaimer
The terminal disclaimer filed on 09/07/2022, disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 16/922,329 and 16/921,375, has been reviewed and is accepted. The terminal disclaimer has been recorded.
Response to Amendment
This action is in response to the communications and remarks filed on 08/18/2022. Claims 1-11 have been amended. Claim 12 has been newly added. Claims 1-12 have been examined and are pending.
Response to Arguments
Applicant's arguments, see pages 8-10, filed 08/18/2022, regarding the 103 rejections of Claims 1-12 have been fully considered and are persuasive. The claims are now in condition for allowance.
Applicant's amendment to claims 1-4 and 9-11 is acknowledged. The claims have been reviewed, entered, and found to obviate the previously raised objection for minor informalities. The objection to claims 1-4 and 9-11 is hereby withdrawn.
Applicant's amendment to claims 9-11 is acknowledged. The claims have been reviewed, entered, and found to obviate the previously raised rejection under 35 USC 112 2nd. The rejection under 35 USC 112 2nd of claims 9-11 is hereby withdrawn.
Applicant's response to the obviousness-type double patenting rejection, as set forth in the Final Office Action mailed 06/27/2022, is acknowledged. After further review of co-pending application 16/568,706, the co-pending application does not specifically claim or recite an invention that describes methods for intrusion pattern detection in a computer network where a setpoint value from a field compares/evaluates anomalies. Further, terminal disclaimers have been submitted for 16/922,329 and 16/921,375. Examiner withdraws the Double Patenting rejection.
Allowable Subject Matter
Applicant's arguments have been considered and are determined to be persuasive. Accordingly, the previously presented rejections are withdrawn.
Claims 1-12 are allowed.
The following is an examiner's statement of reasons for allowance:
The closest prior art, as previously recited, Mondaeev 20080201772 A1 and newly presented, MPNET International JP 2005507612 A, Baum 20050157664 A1, Binder 20180034912 A1, Guo 20150326534 A1, and Durie 20090106842 A1 are also generally directed to a method for intrusion detection in a computer network, comprising the following steps; a device for intrusion detection in a computer network, the device comprising: a system on a chip system, which includes a hardware switch, the hardware switch including processing circuitry and a plurality of ports to which a plurality of devices are network interconnectable by the processing circuitry of the hardware switch, wherein:; and a non-transitory computer-readable memory medium on which is stored a computer program that is executable by a computer of a hardware switch, the hardware switch including a plurality of ports to which a plurality of devices are network interconnectable by the computer of the hardware switch, the computer program, when executed by the computer, causing the computer to perform a method for intrusion detection in a computer network, the method comprising the following steps: [Mondaeev, ¶¶0028-0029, 0036, 0039, 0042, and 0044: packet processor 10 contains as shown in Fig. 2, the NID system 70 that includes: a first-stage hardware filter 72, a policy switch 80, a deep packet inspection (DPI) module 84, and a CPU 92 for post-processing by a software application within the packet processor 10. Packet processor 10 can locally or remotely connect via WAN/Internet or LAN serving a corporation, a university, or any organization. MPNET International, ¶0100: MP compliant components have one or more network connection points (or ports) that connect to these logical links];
receiving a data packet at an input of a hardware switch that includes a plurality of ports to which a plurality of devices are network interconnectable by processing circuitry of the hardware switch, wherein the data packet includes a plurality of fields providing respective data link layer information; [MPNET International, ¶¶0014-0016 and 0019-0021: Telecommunication networks can be circuit-switched or packet-switched where setup phase before transmitting data packet propagating from Ethernet LAN to second Ethernet LAN where packet from source to destination. ¶¶0023-0024 and 0030: data link layer address identifies physical network interface for a node; Ethernet MAC address of host and router existing on the route. Addressing datagram addresses used in packet; ¶¶0070-0071: packet switched networks where an actual connections between two nodes. ¶0094: After service gateway 1 40 receives the MP data packet from source host 20, service gateway 1 40 determines the next hop in the path that the MP packet will follow. To make this determination, service gateway 140 extracts some of the partial address subfields from the MP address and uses these subfields to switch the next hop in the forwarding table.];
selecting one of the plurality of ports via which to an output from of the hardware switch the data packet or a copy of the data packet as a function of the data link layer information; [MPNET International, ¶¶0022-0023: data link layer address is typically used to identify the physical network. Ethernet MAC address does not provide information about the network topology that can be used to assist in packet routing. ¶0052: Flat addressing structures are organized into a single group. ¶¶0158: For top-down transmission, the SGW 1160 sends an MP data packet to the MX 1180 based on partial address information and color information in the hierarchical switch subfield 6050; uses color information to select a packet delivery mechanism. Binder, ¶0127: Any device in the system, such as a router, a field unit, a home computer, a server... same address or different addresses may be used when communicating over the various networks in the system, and the address may be or locally administered addresses universally administered addresses, where the address is uniquely assigned to a device by its manufacture; The address may be layer 2 address such as MAC address (e.g., MAC-48, EUI-48, or EUI-64). ¶¶0176-0177: router to other devices via network interfaces; ¶0197: apparatus exchanges packet with control server over two distinct path where packets. ¶0376: selected physical link to switching core 44010. In particular, the selector 44030 selects a physical link (s) having an active signal using a known method (e.g., round robin or first-in first-out), and selects a packet on the selected physical link (s)];
for each of the plurality of fields, comparing, a respective actual value of the respective field to a respective predefined value; [Mondaeev, ¶0009-0010: the packet inspection engine includes a matching unit coupled to the first memory unit to compare a section of the packet to the set of patterns...applying the processing rule list and the third pattern list to the data segment to populate a rule status registry stored in a random-access memory unit separate from the content-addressable memory, and repeating the acts of comparing. ¶¶0047-0049: policy switch populate DPI queuing traffic class (QTC) indicator 120 in each descriptor 100; the policy switch 80 may assign a value to the QTC indicator 120 according to the Class of Service (CoS) of the data packet 35. FIG. 3 shows the policy switch 80 assigns one of several predefined values to a default congestion command indicator 135. The policy switch 80 may assign this value based on the programmable policy information stored in the memory unit of the policy switch 80. MPNET International, ¶0039: actual data signal can be compared to data signal at receiver. ¶¶0155-0156 and 0161: checking of data packets for MP-compliant components. Baum, ¶¶0039-0041: IP layer examine network layer 722 where header and trailer 760 acknowledgement of frame check sequence. The TCP segment 410 is then passed to the TCP layer 740, which removes the header 402 and may check the frame check sequence. (In the event of a match, the match is acknowledged and in the event of a mismatch. Guo, ¶¶0007: field based constraints, string based conditions as criterions; 0008: analyze network packets based on rules/conditions where packets are extract header and payload portions]
and detecting whether there is an intrusion pattern in a network traffic in the computer network in response to satisfaction of a predefined condition that, for any individual one of the comparisons individually, a result of the respective comparison is that there is a predefined deviation of the respective actual value from the respective corresponding predefined setpoint value. [Binder, ¶¶0051-0052: regulating phenomena to a setpoint (target value); ¶¶0190-0192 and 0197: apparatus exchanges packet with control server over two distinct path where packets comprises: a source address, a destination address, an information type, and information content. Guo, ¶0008: subsequent matches of parsed portions of packets; ¶0012: pre-matching process; machines one or more strings or over-flow patterns associated with IPS. Context-aware pattern matching based on predefined conditions associated with multiple candidate rule. Durie, ¶¶0120-0122: encoded intrusion-protection filters and detection rules devised for host-specific provisioning of intrusion-protection filters. The detection rules use detection expressions and each rule bases its filter selection on a set of data elements; A local server 140 may, therefore, need only a subset of the centrally maintained filters at the central server 120. Treinan, ¶0013: The intrusion detection sensors 13, 23 and 33 detect intruding messages based on known signatures or patterns of the intrusions.]
However, none of Mondaeev, MPNET International, Baum, Binder, Guo, and Durie teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 9, and 11. For example, none of the cited prior art teaches or suggests selecting one of the plurality of ports via which to an output from of the hardware switch the data packet or a copy of the data packet as a function of the data link layer information and the hardware address; for each of the plurality of fields, comparing, a respective actual value of the respective field to a respective corresponding predefined setpoint value; and detecting whether there is an intrusion pattern in a network traffic in the computer network in response to satisfaction of a predefined condition that, for any individual one of the comparisons individually, a result of the respective comparison is that there is a predefined deviation of the respective actual value from the respective corresponding predefined setpoint value, in combination with other limitations of claims 1, 9, and 11.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
The closest prior art made of record are:
Guo (20150326534 A1) teaches methods and systems for improving accuracy, speed, and efficiency of context-aware pattern matching. According to one embodiment, a packet stream is received by a first stage of a CPMP hardware accelerator of a network device. A pre-matching process is performed by the first stage to identify a candidate packet that matches a string or over-flow pattern associated with IPS or ADC rules. A candidate rule is identified based on a correlation of results of the pre-matching process. The candidate packet is tokened to produce matching tokens and corresponding locations. A full-match process is performed on the candidate packet by a second stage of the CPMP hardware accelerator to determine whether it satisfies the candidate rule by performing one or more of (i) context-aware pattern matching, (ii) context-aware string matching and (iii) regular expression matching based on contextual information, the matching tokens and the corresponding locations. (¶¶0007-0008).
Binder (20180034912 A1) teaches a system and method in a building or vehicle for an actuator operation in response to a sensor according to a control logic, the system comprising a router or a gateway communicating with a device associated with the sensor and a device associated with the actuator over in-building or in-vehicle networks, and an external Internet-connected control server associated with the control logic implementing a PID closed linear control loop and communicating with the router over external network for controlling the in-building or in-vehicle phenomenon. The sensor may be a microphone or a camera, and the system may include voice or image processing as part of the control logic. A redundancy is used by using multiple sensors or actuators, or by using multiple data paths over the building or vehicle internal or external communication. The networks may be wired or wireless, and may be BAN, PAN, LAN, WAN, or home networks. (¶¶0051-0052 0190-0192 0176-0177 0197).
Durie (20090106842 A1) teaches methods and apparatus for dynamically revising host-intrusion-protection configurations according to varying host state and changing intrusion patterns. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the hosts, maintains and updates protection software containing filters and rules for deploying each filter. A local server cyclically monitors each host of its subset of hosts at time instants separated by adjustable monitoring periods to acquire host-characterizing data and determine an optimal set of filters. The local server maintains a profile for each host and determines a current monitoring period for a host according to the host's current profile. The processing effort is reduced by judicial adjustment of successive monitoring periods and selectively tailoring the host-characterizing data to the conditions of each host. (¶¶0120-0122).
Baum (20050157664 A1) teaches limiting or controlling access to various services thereby performing a firewall function. An access router may permit or deny a packet based on at least a portion of a unique bit string (or context information) which replaced layer 2 header information (e.g., the layer 2 (e.g., MAC) address). Further, a particular quality of service may be indicated by at least a part of the unique bit string (or context information). The service provided to a group of customers, that group of customers being defined by at least a portion of the unique bit string (or context information), may be monitored. Multicast groups may be supported by checking at least a part of the unique bit string (or context information) to determine whether or not a customer associated with that port is permitted to join the multicast group. (¶¶0036-0037 and 0039-0041).
MPNET International (JP 2005507612 A) teaches an invention based on a highly efficient protocol for transmitting high quality multimedia communication services over a packet switched network. The present invention can be expressed in various types, including methods, systems, and data structures. In one aspect of the invention, a packet of multimedia data (10) is routed through multiple logical links in a packet-switched network using a datagram address contained in the packet (ie, routing based on the datagram address). Involved in the method of being transferred. The address information in the partial address subfield of the datagram address by itself directs the packet through multiple top-down logical links. (The top-down logical links are a subset of the logical links.) Packets remain unchanged as they are forwarded along the links in the logical links. (¶¶0019-0021 0023-0024 0039-0041 and 0158).
Treinan (20080016208 A1) teaches a computer system, method and program for graphically representing network intrusions. Source icons are displayed in rows in a first column. The source icons represent source IP addresses from which intrusions were sent. Destination icons are displayed in rows in a second column. The destination icons represent destination IP addresses to which the intrusions were sent. The destination icons that receive intrusions from a same source icon are clustered together in the graphical representation across from the same source icon. An arrow is displayed from each of the source icons pointing to each of the destination icons to which each source icon sent an intrusion, such that there are "N" arrows from each source icon to "N" destination icons to which each source icon sent at least one intrusion. (¶0013).
Smith (20150127790 A1) teaches systems (100) and methods (1400) for enterprise mission management of a Computer Network (“CN”). The methods involve configuring CN to operate in accordance with a first Mission Plan (“MP”) specifying a manner in which an assigned value for a first IDentity Parameter (“IDP”) is to be dynamically modified by a first node of CN; detecting a trigger event which indicates that a new MP needs to be implemented within CN; obtaining a second MP that specifies a manner in which an assigned value for a second IDP is to be dynamically modified by a second node of CN; determining if any conflicts exist between operations of the second node defined by the second MP and operations of the first node defined by the first MP; and configuring operations of CN to further operate in accordance with the second MP if it is determined that no conflict exists. (Fig. 1 and ¶¶0036-0046).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAKINAH W TAYLOR whose telephone number is (571)270-0682. The examiner can normally be reached Monday-Friday, 9:45-5:45.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ELENI SHIFERAW can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Sakinah White Taylor/ Primary Examiner, Art Unit 2497