DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Amendment
This office action is in response to the amendment filed on 07/30/2022.
Claims 1, 3, 12, 14, and 19 are amended.
Claim 21 is new.
Claim 11 is cancelled.
Claims 1-10 and 12-21 are pending in the application. 
The 112(b) rejections regarding claims 1-20 are withdrawn because the amended claims overcome the rejections or the claim has been cancelled.

Claim Objections
Claim 17 is objected to because of the following informalities:
	Regarding claim 17, the claim recites a limitation “a data stream a storage interface”.  It should be “a data stream from a storage interface”.
	Appropriate corrections are required.

Response to Applicant’s Arguments
Rejections under 35 U.S.C. § 103	In the office action dated 05/06/2022, claims 1, 5-6, 8-12, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bray et al. (US 10990887 B1, hereinafter Bray) in view of Holbrook et al. (US 10778721 B1, hereinafter Holbrook); claims 2 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Li; Yan et al. (US 20140133233 A1 hereinafter Li); claims 3-4 and 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Guo; Zhi et al. (US 20150055481 A1, hereinafter Guo); claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Brisebois et al. (US 9641555 B1, hereinafter Brisebois); claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Mittal; Anuraag et al. (US 20200177654 A1, hereinafter Mittal).	The Applicant’s arguments in the Remarks filed on 07/30/2022 regarding 35 U.S.C. § 103 rejections against claim 1.  The Applicant’s arguments are fully considered.  However, the Examiner respectfully disagrees because the arguments are not persuasive.  Specifically,
	The Applicant argues in the Remarks starting near the bottom of page 1, “the rule evaluation system 100 is not implemented such that it provides acceleration of processes for other devices within the same datacenter. Rather, the computing resources that use services of the rule evaluation system 100 are distributed across "numerous data centers hosting various resource pools". Bray at col. 4, 11. 27-28. Such a distributed scenario requires access to rule evaluation system 100 via relatively slow communication networks which nullifies any possibility of accelerating application of the process compared to simply performing the process in software at the node. Rather, the system of Bray is configured to provide rule evaluation services to a generalized group of resources, but not to accelerate anything. As such, the rule evaluation system of Bray cannot be reasonably argued to be the acceleration device of claim 1, and indeed teaches away from any acceleration”.	The Examiner respectfully disagrees.  Bray teaches the rule evaluation system 100 can be connected to the provider network using one or more network 190 (Bray col. 4 lines 6-21, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects).  Fig. 1 of Bray:
    PNG
    media_image1.png
    927
    899
    media_image1.png
    Greyscale
.  The argument of using fast or slow network is very subjective, and not recited in the claim.  Furthermore, the claim recites “the acceleration device is made available for use by one or more other host devices within the data center to perform on behalf of the one or more of the other host devices any or a combination of intrusion prevention pattern matching, firewall policy search pattern matching and pattern matching for applications”.  The claim recites the one or more host devices within the data center.  However, it only requires the acceleration device to be made available for use by the host devices.  It does not require the acceleration device to be within the data center. 		The Applicant argues Bray’s evaluation system is not providing acceleration and teaches away from any acceleration.  The Examiner respectfully disagrees.  The term acceleration is a label the Applicant uses, and the purpose, intended use or outcome is achieved by the structure or algorithm recited in the device.  The office action dated 05/06/2022 already shows how the prior art teaches the structure and the flow/algorithm recited in the claim limitation.  As a result, the prior art teaches the disputed limitation.	The Examiner also respectfully indicates that the term data center is not set in stone when using BRI in the art.  According to Wikipedia, “https://en.wikipedia.org/w/index.php?title=Data_center&oldid=913301191”, under § “Data center levels and tiers”, a data center can belong to levels and tiers, and defined differently according to Telecommunications Industry Association (TIA) and the Uptime Institute.  These tiers or levels do not define what data center should be, but only for providing service type/level expected by customers.  Furthermore, the instant claim does not specify what tier/level the recited data center belongs to.  Under § “Data center design”, it discloses, “The field of data center design has been growing for decades in various directions”.  As a result, using BRI, an ordinary skilled in the art would not expect data center not growing to be distributed.  For example, Wikipedia discloses “Modularity and flexibility are key elements in allowing for a data center to grow and change over time. Data center modules are pre-engineered, standardized building blocks that can be easily configured and moved as needed”.  Under the § “History”, Wikipedia discloses, “The term cloud data centers (CDCs) has been used.[15] Data centers typically cost a lot to build and to maintain. Increasingly, the division of these terms has almost disappeared and they are being integrated into the term "data center"”. Under section “Dynamic infrastructure”, Wikipedia discloses “Dynamic Infrastructure[115] provides the ability to intelligently, automatically and securely move workloads within a data center[116] anytime, anywhere, for migrations, provisioning,[117] to enhance performance, or building co-location facilities. It also facilitates performing routine maintenance on either physical or virtual systems all while minimizing interruption.” As a result, the Applicant arguments of the term “distributed” Bray uses to contrast with the term “Data Center” is not persuasive.	The Applicant further argues, starting near the top of page 2 of the Remarks, “Holbrook is not even alleged as disclosing an acceleration device. Indeed, even if Holbrook provided the requisite disclosure, which it does not, incorporating Holbrook into Bray would not change Bray to an acceleration device as the configuration of the system of Bray with resources distributed across multiple networks would not allow the rule evaluation system to operate as an acceleration device. Further, changing Bray to include the resources in the same data center as the rule evaluation system would render the system of Bray inoperable for its intended purpose of providing distributed rule evaluation services”. 	As indicated above, Bray teaches that the system 100 can connect to the provider 170 using one or more network(s) 190. Bray does not require the system 100 to be using multiple networks.  Bray also does not disclose to restrict the intended use of system 100 to be used only in distributed environment and would not operate in other environments.  Bray teaches the one possible use does not mean Bray limits its use.  The structure/flow Bray discloses in fig. 1 of Bray does not suggest any requirement of 2 or more data centers involved for the system 100 to operate correctly.	In conclusion the prior art teaches the disputed limitations of the claimed invention.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5-6 and 8-10 are rejected under 35 U.S.C. 103 as being unpatentable over Bray et al. (US 10990887 B1, hereinafter Bray) in view of Holbrook et al. (US 10778721 B1, hereinafter Holbrook).	Regarding method 1, Bray teaches a method comprising:
	receiving (Bray col. 5, lines 10-27, send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), by an acceleration device of a host device associated with a data center (Bray fig. 1, element 100; Bray col. 4 lines 6-21, the rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects; Bray col. 3 lines 56-67; Bray col. 4 lines 1-32, the rule evaluation system 100 may be implemented using one or more computing devices, any of which may be implemented by the example computing device 3000 illustrated in FIG. 17 of Bray, the rule evaluation system 100 may be coupled to a provider network 170, the resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources, The provider network 170 may include numerous data centers hosting various resource pools, such as collections of physical and/or virtualized computer servers, storage devices, and networking equipment that are used to implement and distribute the infrastructure and services offered by the provider), said input stream comprising any or a combination of a string or an integer range (Bray col. 2 lines 51-67, a stream of events having field names and field values, the events may represent status updates or changes for resources in a multi-tenant provider network, matches of field values on a token-by-token basis, matches of numeric values and numeric ranges; Bray col. 14, lines 10-33, an event with the same field name 810A but a different value such as “ABC456” or “ABC12” or anything other than the literal string “ABC123” would match the rule pattern 300E);
	matching, by the acceleration device (Bray fig. 1, rule evaluation system 100), the input stream or parts thereof with contents of a hash based lookup table to identify one or more units of the input stream (Bray col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), which satisfy at least one condition of a plurality of conditions for any or a combination of a string match and a range comparison (Bray col. 12 lines 22-38, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens);
	correlating, by the acceleration device (Bray fig. 1, rule evaluation system 100), the one or more identified units based on a set of conditions selected from the plurality of conditions to form at least one set of correlated units (Bray col. 6 lines 46-54, the rule patterns 111A may include rule patterns 300A and 300B through 300N. However, it is contemplated that any suitable number of rule patterns may be stored in the data store 115; col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410. The event 50A may match the rule pattern 300D because the event includes the field name 510C and associated field value 520D described in the rule pattern. In one embodiment, once the name 510C and value 520D are found in the event 50A, the rule evaluation 430 may determine that the rule pattern 300D has been matched by the event. The rule evaluation 430 may determine that the rule pattern 300C is not matched by the event 50A once the names 510A and 510B are not found in the event. If the rule base captures only the rules 300C and 300D, then the rule evaluation 430 may examine the event 50A only for field names 510A, 510B, and 510C and disregard other field names in the event (such as name 510D)), wherein the set of conditions define at least one rule related to any of col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410; col. 12, lines 12-38, the finite-state machine may transition between these states when conditions in events match conditions in rule patterns); and
	performing, by the acceleration device (rule evaluation system 100), any or a combination of exact string matching and exact range matching col. 17, lines 10-25, determine which events (if any) match any of the rule patterns, the rule patterns 111A may include rule patterns with numeric values such as rule pattern 300F. Rule pattern 300F may indicate a field name 1010 and a numeric value 1021. For example, the numeric value 1021 may express the integer 1021; col. 20, lines 32-52, the numeric range rule patterns such as patterns 300G in the rule base 1315, maps numeric values to lexically comparable values and generates a set of states and transitions intended to find values matching the specified range, evaluates numeric range rule patterns encoded in the rule base 1315 against the events 50 to determine which events (if any) match any of the rule patterns captured in the rule base, map numeric values in events to lexically comparable values so that comparisons can be made in the same domain. As discussed above, a lexically comparable value may represent a uniform representation of different expressions of the same underlying number);	wherein the acceleration device is made available for use by one or more other host devices within the data center to perform on behalf of the one or more of the other host devices any or a combination of intrusion prevention pattern matching, firewall policy search pattern matching and pattern matching for applications (Bray, col. 4 lines 6-21, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions, Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A).	Although Bray teaches matching a set of conditions and performing, any or a combination of exact string matching and exact range matching, Bray does not explicitly disclose that the matching is based on the at least one set of correlated units and the set of conditions define at least one rule related to any of a network policy definition.	On the other hand, Holbrook teaches the set of conditions define at least one rule related to any of a network policy definition (Holbrook col. 2 lines 5-19, matched rule can result in a decision to permit the forwarding of network data or to deny the forwarding of network data; col. 2 lines 33-55, in response to locating a match in the hardware hash table, are to perform an action on the network data, which is specified by the rule associated with the match. The action can include to permit the network data, deny the network data, set a traffic class for the network data; col. 6 lines 56-67, the forwarding pipeline 300 is configured to forward units of network data that match all conditions in a permit rule).	performing, any or a combination of exact string matching and exact range matching based on the at least one set of correlated units (col. 8, lines 14-28, the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; if the unit of network matches a DENY statement the unit will be dropped. If the unit of network data matches a PERMIT statement, or no port ACL is enabled, the unit of network data is passed to the next block of the pipeline; col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet. Each entry in the bucket is compared against the key and the result is propagated only if the entry matches, otherwise 0 is propagated. The results are ORed together such that there is no implied priority between different entries in a bucket; [Examiner remark: only units that matches the PERMIT statement are sent to the next pipeline, which is further used to match for other rules.  As a result, previous matched units are used to match in the next node of a pipeline]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching policy rule’s conditions and using exact string match and exact range matching into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 5, Bray in view of Holbrook teaches the method of claim 1, wherein the acceleration device generates contents of the hash based lookup table based the one or more conditions of the at least one rule (Bray col. 12, lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens; Bray col. 14, lines 34-58, conditions in events match conditions in rule patterns; Bray col. 8, lines 46-59, the events 50 may describe conditions in the provider network 170, and the rule evaluation system 100 may evaluate a compiled form of the rule patterns 111A against the events to determine which events (if any) describe conditions corresponding to any of the rule patterns 111A).

	Regarding claim 6, Bray in view of Holbrook teaches the method of claim 1 (see discussion above), wherein the input stream pertains to a data stream from a storage interface (Bray, col. 4 lines 62-67 to col. 5 lines 1-9, monitoring the resources in the provider network may include monitoring one or more service logs, monitoring one or more service metrics, and/or monitoring any suitable data streams, the monitoring may compare performance metrics, usage metrics, and/or other suitable data relating to the operation of the resources 171A-171N; see fig. 1).	Bray does not explicitly disclose the following limitation that Holbrook teaches the input stream pertains to a packet stream from a network interface (Holbrook, col. 4 lines 46-62, the network data being communicated by the network element 102 can be a stream of network frames, datagrams or data packets, or other types of discretely switched network data second ref, packet stream; Holbrook, col. 8 lines 14-28, comparison for the unit of network data; Holbrook col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching data using data from packet stream into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help expand the usefulness of Bray’s teaching into additional data sources. In addition, both references teach features that are directed to analogous art, such as, data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 8, Bray in view of Holbrook teaches the method of claim 1. Bray does not explicitly disclose the following limitations that Holbrook teaches:  wherein when the input stream pertains to the integer range, a mask is applied to the input stream to match the input stream or parts thereof with the contents of the hash based lookup table (Holbrook col. 8 lines 41-60, each subsection consists of rules with the same mask, the match criterion for each rule is a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N 0 and 1 bits. A value X matches the rule if (X & M)=(V & M), where “&” is the bitwise “logical and” operator. In one embodiment, the values (X) matched against an ACL are Internet Protocol (IP) v4 or IPv6 addresses, or representations thereof, the (V, M) pairs match subsets of the IPv4 or IPv6 address space; col. 8, lines 61-67, col. 9 lines 1-20, (39) rules in each such subsection are then loaded into one or more hardware hash table(s) 412 that can be referenced to perform lookups of unmasked fields of a network data packet that are associated with the subsection, a TCAM based approach of evaluating ACLs can be replaced by a software/hardware-based approach that includes processing the ACL and performing lookups on the processed ACL using the hash-based ACL lookup offload engine). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches masking of integer range value and matching with a hash-based table into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 9, Bray in view of Holbrook teaches the method of claim 1. Bray does not explicitly disclose the following limitations that Holbrook teaches:  wherein the step of matching is performed in plurality of levels such that each level of the plurality of levels matches a specific length of input stream or part thereof with an entry of the hash based lookup table (Holbrook col. 8 lines 14-28 (35) the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table [Examiner remark: each MAC address is 48 bit in length]. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; Holbrook fig. 3 elements 306, 308). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which matching a specific length of input stream with an entry of a hash-based lookup table into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 10, Bray in view of Holbrook teaches the method of claim 9.  Bray does not explicitly disclose the following limitations that Holbrook teaches: each entry of the hash based lookup table corresponds to a format of the input steam and includes a value of the integer range or the string (Holbrook col. 8 lines 41-60, each subsection consists of rules with the same mask, the match criterion for each rule is a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N 0 and 1 bits. A value X matches the rule if (X & M)=(V & M), where “&” is the bitwise “logical and” operator. In one embodiment, the values (X) matched against an ACL are Internet Protocol (IP) v4 or IPv6 addresses, or representations thereof, the (V, M) pairs match subsets of the IPv4 or IPv6 address space; Holbrook fig. 3 elements 306, 308; col. 8, lines 61-67, col. 9 lines 1-20, (39) rules in each such subsection are then loaded into one or more hardware hash table(s) 412 that can be referenced to perform lookups of unmasked fields of a network data packet that are associated with the subsection, a TCAM based approach of evaluating ACLs can be replaced by a software/hardware-based approach that includes processing the ACL and performing lookups on the processed ACL using the hash-based ACL lookup offload engine; [Examiner remark: the IPv4 and IPv6 have specific formats, the instant specification does not disclose what the format is,  (V&M) is an integer range look up value]). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches each entry of a hash-based lookup table corresponds to format of input data and include an integer range into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Li; Yan et al. (US 20140133233 A1 hereinafter Li).
	Regarding claim 2, Bray in view of Holbrook teaches the method of claim 1. Bray in view of Holbrook does not explicitly disclose the following limitations that Li teaches:  wherein when a length of said input stream is less than a pre-defined threshold, the input stream is passed through a symbol content address memory to identify the one or more units of the input stream, which satisfy at least one condition (¶116, while the longest length of key/content that can be compared in one plane is 16 KB; ¶118 In a content addressable memory, to retrieve the data, a search key is supplied; all the keys in the memory are searched for a match. If a match is found, the corresponding data is retrieved. This section presents a storage drive using a Flash based NAND array as described in the preceding section as a content addressable memory that is addressed using key-value pairs instead of a logical block address. This drive can provide both Binary and Ternary search capability, meaning that bit patterns in the key can have the values 1 or 0 as well as "don't care" entries. This type of NAND based CAS drive can then be used to replace other implementations of CAM or CAS functionality). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Li, which teaches to pass input stream is passed through a symbol content address memory to identify one or more unites of the input stream when the length of the input stream is less than a pre-defined threshold into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Li’s teaching would help improve performance perform network data filtering. In addition, both references of Li and Holbrook teach features that are directed to analogous art, such as data matching and replacement method for data matching and content addressable memory (Li ¶3, Holbrook col. 9 lines 1-20). This close relation between both references highly suggests an expectation of success when combined.
Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Guo; Zhi et al. (US 20150055481 A1, hereinafter Guo).
	Wikipedia, “Bloom filter”, downloaded from the Internet on 05/02/2022, dated 2016, pages 1-14, using URL: http://web.archive.org/web/20160201194147/https://en.wikipedia.org/wiki/Bloom_filter) is used as extrinsic evidence in support of rejection of claim 3.
	Regarding claim 3, Bray in view of Holbrook teaches the method of claim 1 (see discussion above).	Although the combination of Bray in view of Holbrook teaches one or more tokens are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition (Bray col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), the combination does not explicitly disclose wherein when the input stream pertains to the string, the method comprises determining one or more fixed length characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition.	On the other hand, Guo teaches determining one or more fixed set of characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream (Guo [0075] FIG. 7 illustrates an exemplary implementation of a string-matching module 700 in accordance with an embodiment of the present invention. In the context of the present example, string-matching module 700 can be configured to support different lengths of strings, each of which can have a bloom filter such as 702 and 706, and an exact string matching such as 704 and 708; [Examiner remark: see NPL U, Bloomfilter, Algorithm description section, starting page 2, “There must also be k different hash functions defined, each of which maps or hashes some set element to one of the m array positions with a uniform random distribution.”]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 4, Bray in view of Holbrook and Guo teaches the method of claim 3 (see discussion above).	Bray teaches wherein the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner (Bray col. 12 lines 22-38, FIG. 6 illustrates an example of a finite-state machine usable for event-stream matching using compiled rule patterns, a directed graph in which nodes represent finite states and edges represent transitions between those states, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens).	Bray in view of Holbrook does not explicitly disclose the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner to determine the one or more fixed length characters from the string.	On the other hand, Guo teaches determine the one or more fixed length characters from the string (Guo ¶75). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Brisebois et al. (US 9641555 B1, hereinafter Brisebois).
	Regarding claim 7, Bray in view of Holbrook teaches the method of claim 1.  Bray in view of Holbrook does not explicitly disclose the following limitations that Brisebois teaches wherein the acceleration device transmits the at least one set of correlated units to one or more other host devices of the data center (Brisebois, col. 8 lines 6-50, the business logic security manager 208 can include any system that can implement security and data access policies for data accessed by the collection engine 202. In some embodiments, the business logic security manager 208 may apply the security and data access policies to data before the data is collected; the business logic security manager 208 may apply a set of security and data access policies to any data or metadata provided to the classification system 134 for processing and storage. These security and data access policies can include any policy for regulating the storage and access of data obtained or generated by the data collection system 132. For example, the security and data access policies may identify the users who can access the data provided to the data classification system 134; col. 8 lines 51-59, the data classification system 134 can include a data repository engine; col. 16 lines 48-67, the business logic security manager 208 can filter any data marked for exclusion from storage in the databases 232 at block 310. Further, the business logic security manager 208 and/or the business logic engine 206 can filter out any data to be excluded based on a data access policy, which can be based on any type of factor for excluding data; col. 17 lines 1-11, At block 312, the business logic security manager 208 may classify the collected and/or filtered data. The data may be classified based on, for example, who can access the data, the type of data, the source of the data, or any other factor that can be used to classify data. In some embodiments, the data may be provided to the data classification system 134 for classification). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Brisebois, which teaches a logic security manager filtering out data based on data access policy and provide the filtered data to another system for further processing into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Brisebois’ teaching would help efficiency in data matching (col. 1 lines 29-52) and improve data protection (col. 1 lines 56-67, col. 2 lines 1-22). In addition, both references of Brisebois and Bray teach features that are directed to analogous art, such as data matching. This close relation between both references highly suggests an expectation of success when combined.
Claims 12 and 16-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Chilikin; Andrey et al. (US 20190044866 A1, hereinafter Chilikin).	Regarding claim 12, Bray teaches a non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of an acceleration device of a host device associated with a data center, causes the one or more processors to perform a method comprising:	receiving an input stream of information (Bray col. 5, lines 10-27, send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), said input stream comprising any or a combination of a string or an integer range (Bray col. 2 lines 51-67, a stream of events having field names and field values, the events may represent status updates or changes for resources in a multi-tenant provider network, matches of field values on a token-by-token basis, matches of numeric values and numeric ranges, col. 14, lines 10-33, an event with the same field name 810A but a different value such as “ABC456” or “ABC12” or anything other than the literal string “ABC123” would match the rule pattern 300E);	matching the input stream or parts thereof with contents of a hash based lookup table to identify one or more units of the input stream (Bray col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), which satisfy at least one condition of a plurality of conditions for any or a combination of a string match and a range comparison (Bray col. 12 lines 22-38, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens);	correlating the one or more identified units based on a set of conditions selected from the plurality of conditions to form at least one set of correlated units (Bray col. 6 lines 46-54, the rule patterns 111A may include rule patterns 300A and 300B through 300N. However, it is contemplated that any suitable number of rule patterns may be stored in the data store 115; col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410. The event 50A may match the rule pattern 300D because the event includes the field name 510C and associated field value 520D described in the rule pattern. In one embodiment, once the name 510C and value 520D are found in the event 50A, the rule evaluation 430 may determine that the rule pattern 300D has been matched by the event. The rule evaluation 430 may determine that the rule pattern 300C is not matched by the event 50A once the names 510A and 510B are not found in the event. If the rule base captures only the rules 300C and 300D, then the rule evaluation 430 may examine the event 50A only for field names 510A, 510B, and 510C and disregard other field names in the event (such as name 510D)), wherein the set of conditions define at least one rule related to any of Bray col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410; col. 12, lines 12-38, the finite-state machine may transition between these states when conditions in events match conditions in rule patterns); and	performing any or a combination of exact string matching and exact range matching Bray col. 17, lines 10-25, determine which events (if any) match any of the rule patterns, the rule patterns 111A may include rule patterns with numeric values such as rule pattern 300F. Rule pattern 300F may indicate a field name 1010 and a numeric value 1021. For example, the numeric value 1021 may express the integer 1021; Bray col. 20, lines 32-52, the numeric range rule patterns such as patterns 300G in the rule base 1315, maps numeric values to lexically comparable values and generates a set of states and transitions intended to find values matching the specified range, evaluates numeric range rule patterns encoded in the rule base 1315 against the events 50 to determine which events (if any) match any of the rule patterns captured in the rule base, map numeric values in events to lexically comparable values so that comparisons can be made in the same domain. As discussed above, a lexically comparable value may represent a uniform representation of different expressions of the same underlying number); and	wherein the one or more processors are part of an acceleration device that isBray col. 3 lines 56-67, Bray fig. 17, elements 3010a-3010n; Bray, col. 4 lines 6-32, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions; The provider network 170 may include numerous data centers hosting various resource pools, such as collections of physical and/or virtualized computer servers, storage devices, and networking equipment that are used to implement and distribute the infrastructure and services offered by the provider; Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), and wherein the acceleration device is made available for use by the one or more other host devices to perform on behalf of other of the one or more host devices any or a combination of intrusion prevention pattern matching, firewall policy search pattern matching and pattern matching for applications (Bray, col. 4 lines 6-32, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions, Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A).	Although Bray teaches matching a set of conditions and performing, any or a combination of exact string matching and exact range matching, Bray does not explicitly disclose that the matching is based on the at least one set of correlated units and the set of conditions define at least one rule related to any of a network policy definition.	On the other hand, Holbrook teaches the set of conditions define at least one rule related to any of a network policy definition (Holbrook col. 2 lines 5-19, matched rule can result in a decision to permit the forwarding of network data or to deny the forwarding of network data; col. 2 lines 33-55, in response to locating a match in the hardware hash table, are to perform an action on the network data, which is specified by the rule associated with the match. The action can include to permit the network data, deny the network data, set a traffic class for the network data; col. 6 lines 56-67, the forwarding pipeline 300 is configured to forward units of network data that match all conditions in a permit rule).	performing, any or a combination of exact string matching and exact range matching based on the at least one set of correlated units (col. 8, lines 14-28, the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; if the unit of network matches a DENY statement the unit will be dropped. If the unit of network data matches a PERMIT statement, or no port ACL is enabled, the unit of network data is passed to the next block of the pipeline; col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet. Each entry in the bucket is compared against the key and the result is propagated only if the entry matches, otherwise 0 is propagated. The results are ORed together such that there is no implied priority between different entries in a bucket; [Examiner remark: only units that matches the PERMIT statement are sent to the next pipeline, which is further used to match for other rules.  As a result, previous matched units are used to match in the next node of a pipeline]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching policy rule’s conditions and using exact string match and exact range matching into the teaching of Bray to result in the aforementioned limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.	Bray in view of Holbrook teaches an acceleration device for rule matching that provides service to hosts in data centers (see discussion above). Although the acceleration device is readily to be installed within a data center, Bray in view of Holbrook does not explicitly mention the acceleration device is installed within a data center.	On the other hand, Chilikin teaches a device performing rule matching that is included in a datacenter offloading work for other devices (Chilikin [0047], the rule compressor 226 may be configured to adjust the matching set by dropping some bits that are uniformly distributed among keys (e.g., closest frequency of ‘0’ and ‘1’ values). Accordingly, those bits can be dropped from hardware matching. It should be appreciated that “k” keys would need to be dropped, such that X/2̂k is less than or equal to “N”; Chilikin [0053] In block 324, the NIC 120 determines whether a rule matched the input set; Chilikin ¶53, the NIC 120 may be configured to find a single matching rule (e.g., the first rule that matches the input set) or any number of rules that match the input set, perform an action on the received network packet based on the set of matching rules; Chilikin fig. 1, Chilikin ¶13, the source compute device 102 and destination compute device 106 have been illustratively designated herein as being one of a “source” and a “destination” for the purposes of providing clarity to the description and that the source compute device 102 and/or the destination compute device 106 may be capable of performing any of the functions described herein, the source compute device 102 and the destination compute device 106 may reside in the same data center or high-performance computing (HPC) environment. In other words, the source compute device 102 and destination compute device 106 may reside in the same network 104 connected via one or more wired and/or wireless interconnects; Chilikin ¶14, a network interface controller (NIC) 120 of the destination compute device 106, performs analysis on the data associated with the received network traffic to identify a subsequent action, such as further analysis and/or processing of the network traffic data. The analysis includes applying a filter to at least a portion of the data associated with the received network traffic to identify the subsequent action. Accordingly, the subsequent action can be identified based on matching data relative to the filter; Chilikin ¶17, compute device 106 may be embodied as any type of computation or computer device capable of performing the functions described herein, including, without limitation, a computer, a server (e.g., stand-alone, rack-mounted, blade, etc.), a sled (e.g., a compute sled, an accelerator sled, a storage sled, a memory sled, etc.), an enhanced or smart NIC (e.g., a host fabric interface (HFI)); see also ¶25-¶26 of Chilikin; see also Chilikin ¶2; [Examiner remark: Chilikin teaches that both the source and the destination devices are capable of performing similar function, and the destination device is made to perform rule matching and an action.  As a result, Chilikin teaches the offloading of the work from the source device to the destination device]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Chilikin, which teaches a network interface device in a data center that perform network filtering and performing an action as a result into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.	One of ordinary skilled would be motivated to do so as incorporating Chilikin’s teaching would help improve performance (Chilikin ¶2). In addition, both references of Chilikin and Bray teach features that are directed to analogous art, such as network data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 16, Bray in view of Holbrook and Chilikin teaches the non-transitory computer-readable storage medium 12 (see discussion above), wherein the acceleration device generates contents of the hash based lookup table based the one or more conditions of the at least one rule (Bray col. 12, lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens; Bray col. 14, lines 34-58, conditions in events match conditions in rule patterns; Bray col. 8, lines 46-59, the events 50 may describe conditions in the provider network 170, and the rule evaluation system 100 may evaluate a compiled form of the rule patterns 111A against the events to determine which events (if any) describe conditions corresponding to any of the rule patterns 111A).

	Regarding claim 17, Bray in view of Holbrook and Chilikin teaches the non-transitory computer-readable storage medium 12 (see discussion above), wherein the input stream pertains to any or a combination of a packet stream from a network interface and a data stream a storage interface (Bray, col. 4 lines 62-67 to col. 5 lines 1-9, monitoring the resources in the provider network may include monitoring one or more service logs, monitoring one or more service metrics, and/or monitoring any suitable data streams, the monitoring may compare performance metrics, usage metrics, and/or other suitable data relating to the operation of the resources 171A-171N; see fig. 1).	Bray does not explicitly disclose the following limitation that Holbrook teaches the input stream pertains to a packet stream from a network interface (Holbrook, col. 4 lines 46-62, the network data being communicated by the network element 102 can be a stream of network frames, datagrams or data packets, or other types of discretely switched network data second ref, packet stream; Holbrook, col. 8 lines 14-28, comparison for the unit of network data; Holbrook col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching data using data from packet stream into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help expand the usefulness of Bray’s teaching into additional data sources. In addition, both references teach features that are directed to analogous art, such as, data filtering. This close relation between both references highly suggests an expectation of success when combined.
	Regarding claim 18, Bray in view of Holbrook and Chilikin teaches the method of claim 11, Bray does not explicitly disclose the following limitations that Holbrook teaches:  wherein when the input stream pertains to the integer range, a mask is applied to the input stream to match the input stream or parts thereof with the contents of the hash based lookup table (Holbrook col. 8 lines 41-60, each subsection consists of rules with the same mask, the match criterion for each rule is a pair (V, M), where V is a numeric value up to N bits long and M is a mask of N 0 and 1 bits. A value X matches the rule if (X & M)=(V & M), where “&” is the bitwise “logical and” operator. In one embodiment, the values (X) matched against an ACL are Internet Protocol (IP) v4 or IPv6 addresses, or representations thereof, the (V, M) pairs match subsets of the IPv4 or IPv6 address space; col. 8, lines 61-67, col. 9 lines 1-20, (39) rules in each such subsection are then loaded into one or more hardware hash table(s) 412 that can be referenced to perform lookups of unmasked fields of a network data packet that are associated with the subsection, a TCAM based approach of evaluating ACLs can be replaced by a software/hardware-based approach that includes processing the ACL and performing lookups on the processed ACL using the hash-based ACL lookup offload engine). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches masking of integer range value and matching with a hash-based table into the teaching of Bray to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.	Regarding claim 19, Bray teaches non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network interface card (NIC) of a network node of a plurality of network nodes within a data center, causes the one or more processors to perform a method comprising:	receiving an input stream of information (col. 5, lines 10-27, send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), said input stream comprising any or a combination of a string or an integer range (col. 2 lines 51-67, a stream of events having field names and field values, the events may represent status updates or changes for resources in a multi-tenant provider network, matches of field values on a token-by-token basis, matches of numeric values and numeric ranges, col. 14, lines 10-33, an event with the same field name 810A but a different value such as “ABC456” or “ABC12” or anything other than the literal string “ABC123” would match the rule pattern 300E);	matching the input stream or parts thereof with contents of a hash based lookup table to identify one or more units of the input stream (col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), which satisfy at least one condition of a plurality of conditions for any or a combination of a string match and a range comparison (col. 12 lines 22-38, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens);	correlating the one or more identified units based on a set of conditions selected from the plurality of conditions to form at least one set of correlated units (col. 6 lines 46-54, the rule patterns 111A may include rule patterns 300A and 300B through 300N. However, it is contemplated that any suitable number of rule patterns may be stored in the data store 115; col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410. The event 50A may match the rule pattern 300D because the event includes the field name 510C and associated field value 520D described in the rule pattern. In one embodiment, once the name 510C and value 520D are found in the event 50A, the rule evaluation 430 may determine that the rule pattern 300D has been matched by the event. The rule evaluation 430 may determine that the rule pattern 300C is not matched by the event 50A once the names 510A and 510B are not found in the event. If the rule base captures only the rules 300C and 300D, then the rule evaluation 430 may examine the event 50A only for field names 510A, 510B, and 510C and disregard other field names in the event (such as name 510D)), wherein the set of conditions define at least one rule related to any of col. 11, lines 1-50, the rule evaluation 430 may evaluate the rule patterns 300C and 300D against the event using the rule base 410; col. 12, lines 12-38, the finite-state machine may transition between these states when conditions in events match conditions in rule patterns); and	performing any or a combination of exact string matching and exact range matching col. 17, lines 10-25, determine which events (if any) match any of the rule patterns, the rule patterns 111A may include rule patterns with numeric values such as rule pattern 300F. Rule pattern 300F may indicate a field name 1010 and a numeric value 1021. For example, the numeric value 1021 may express the integer 1021; col. 20, lines 32-52, the numeric range rule patterns such as patterns 300G in the rule base 1315, maps numeric values to lexically comparable values and generates a set of states and transitions intended to find values matching the specified range, evaluates numeric range rule patterns encoded in the rule base 1315 against the events 50 to determine which events (if any) match any of the rule patterns captured in the rule base, map numeric values in events to lexically comparable values so that comparisons can be made in the same domain. As discussed above, a lexically comparable value may represent a uniform representation of different expressions of the same underlying number); and	wherein the one or more processors of the NIC are part of an acceleration device that is Bray col. 3 lines 56-67, Bray fig. 17, elements 3010a-3010n; Bray, col. 4 lines 6-32, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions; The provider network 170 may include numerous data centers hosting various resource pools, such as collections of physical and/or virtualized computer servers, storage devices, and networking equipment that are used to implement and distribute the infrastructure and services offered by the provider; Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A), and wherein the acceleration device is made available for use by the one or more other of the plurality network nodes to perform on behalf of a respective network node any or a combination of intrusion prevention pattern matching, firewall policy search pattern matching and pattern matching for applications (Bray, col. 4 lines 6-32, The rule evaluation system 100 may be coupled to a provider network 170 using one or more networks 190 or other interconnects. The provider network 170 may include a plurality of computing resources such as computing resources 171A and 171B through 171N. The resources 171A-171N may include any suitable number and configuration of compute instances and/or other processing resources, storage resources, database resources, network resources, power resources, and/or other suitable types of computing resources. Although three computing resources 171A, 171B, and 171N are shown for purposes of illustration, it is contemplated that any suitable number and configuration of computing resources may be used. The provider network 170 may include the sources of events 50 that can match rule patterns, the targets of actions, and/or one or more action handlers that perform actions, Bray col. 5 lines 10-27, generate events 50 that describe resources changes in the provider network 170, and send the events to the rule evaluation system 100 to determine which of the events (if any) match the rule patterns 111A).	Although Bray teaches matching a set of conditions and performing, any or a combination of exact string matching and exact range matching, Bray does not explicitly disclose that the matching is based on the at least one set of correlated units and the set of conditions define at least one rule related to any of a network policy definition.	On the other hand, Holbrook teaches the set of conditions define at least one rule related to any of a network policy definition (Holbrook col. 2 lines 5-19, matched rule can result in a decision to permit the forwarding of network data or to deny the forwarding of network data; col. 2 lines 33-55, in response to locating a match in the hardware hash table, are to perform an action on the network data, which is specified by the rule associated with the match. The action can include to permit the network data, deny the network data, set a traffic class for the network data; col. 6 lines 56-67, the forwarding pipeline 300 is configured to forward units of network data that match all conditions in a permit rule).	performing, any or a combination of exact string matching and exact range matching based on the at least one set of correlated units (col. 8, lines 14-28, the L2 lookup 306 stage will reference L2 data 325, which may be a MAC address table, which is an exact-match table. The L3 lookup 308 will reference L3 data 326, which includes an exact-match table that contains /32 IPv4 and /128 IPv6 host routes, and a longest-prefix match (LPM) table that contains IPv4 and IPv6 routes that are not host routes; if the unit of network matches a DENY statement the unit will be dropped. If the unit of network data matches a PERMIT statement, or no port ACL is enabled, the unit of network data is passed to the next block of the pipeline; col. 10, lines 60-67 to col. 11 lines 1-6, when a bucket containing multiple entries is accessed, only a single entry from the bucket is retrieved and compared against a packet. Each entry in the bucket is compared against the key and the result is propagated only if the entry matches, otherwise 0 is propagated. The results are ORed together such that there is no implied priority between different entries in a bucket; [Examiner remark: only units that matches the PERMIT statement are sent to the next pipeline, which is further used to match for other rules.  As a result, previous matched units are used to match in the next node of a pipeline]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Holbrook, which teaches matching policy rule’s conditions and using exact string match and exact range matching into the teaching of Bray to result in the aforementioned limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Holbrook’s teaching would help improve performance by providing an optimized method for perform network data filtering (Holbrook col. 2 lines 57-58; col. 11 lines 19-25). In addition, both references teach features that are directed to analogous art, such as, network data filtering. This close relation between both references highly suggests an expectation of success when combined.	Bray in view of Holbrook teaches an acceleration device for rule matching that provides service to hosts in data centers (see discussion above). Although the acceleration device is readily to be installed within a data center, Bray in view of Holbrook does not explicitly mention the acceleration device is installed within a data center.	On the other hand, Chilikin teaches a device performing rule matching that is included in a datacenter offloading work for other devices (Chilikin [0047], the rule compressor 226 may be configured to adjust the matching set by dropping some bits that are uniformly distributed among keys (e.g., closest frequency of ‘0’ and ‘1’ values). Accordingly, those bits can be dropped from hardware matching. It should be appreciated that “k” keys would need to be dropped, such that X/2̂k is less than or equal to “N”; Chilikin [0053] In block 324, the NIC 120 determines whether a rule matched the input set; Chilikin ¶53, the NIC 120 may be configured to find a single matching rule (e.g., the first rule that matches the input set) or any number of rules that match the input set, perform an action on the received network packet based on the set of matching rules; Chilikin fig. 1, Chilikin ¶13, the source compute device 102 and destination compute device 106 have been illustratively designated herein as being one of a “source” and a “destination” for the purposes of providing clarity to the description and that the source compute device 102 and/or the destination compute device 106 may be capable of performing any of the functions described herein, the source compute device 102 and the destination compute device 106 may reside in the same data center or high-performance computing (HPC) environment. In other words, the source compute device 102 and destination compute device 106 may reside in the same network 104 connected via one or more wired and/or wireless interconnects; Chilikin ¶14, a network interface controller (NIC) 120 of the destination compute device 106, performs analysis on the data associated with the received network traffic to identify a subsequent action, such as further analysis and/or processing of the network traffic data. The analysis includes applying a filter to at least a portion of the data associated with the received network traffic to identify the subsequent action. Accordingly, the subsequent action can be identified based on matching data relative to the filter; Chilikin ¶17, compute device 106 may be embodied as any type of computation or computer device capable of performing the functions described herein, including, without limitation, a computer, a server (e.g., stand-alone, rack-mounted, blade, etc.), a sled (e.g., a compute sled, an accelerator sled, a storage sled, a memory sled, etc.), an enhanced or smart NIC (e.g., a host fabric interface (HFI)); see also ¶25-¶26 of Chilikin; see also Chilikin ¶2; [Examiner remark: Chilikin teaches that both the source and the destination devices are capable of performing similar function, and the destination device is made to perform rule matching and an action.  As a result, Chilikin teaches the offloading of the work from the source device to the destination device]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Chilikin, which teaches a network interface device in a data center that perform network filtering and performing an action as a result into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Chilikin’s teaching would help improve performance (Chilikin ¶2). In addition, both references of Chilikin and Bray teach features that are directed to analogous art, such as network data filtering. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 20, Bray in view of Holbrook and Chilikin teaches the non-transitory computer-readable storage medium of claim 19 (see discussion above), wherein the NIC is utilized for pattern matching by one or more other of the plurality of network nodes (Chilikin fig. 1, Chilikin ¶13, the source compute device 102 and destination compute device 106 have been illustratively designated herein as being one of a “source” and a “destination” for the purposes of providing clarity to the description and that the source compute device 102 and/or the destination compute device 106 may be capable of performing any of the functions described herein; Chilikin [0053] In block 324, the NIC 120 determines whether a rule matched the input set; Chilikin ¶53, the NIC 120 may be configured to find a single matching rule (e.g., the first rule that matches the input set) or any number of rules that match the input set, perform an action on the received network packet based on the set of matching rules; ¶2, performing control/data plane separation in software generally requires a significant number of processor clock cycles for packet parsing and classification, and expensive hardware filters (e.g., ternary content-addressable memory (TCAM) hardware filters) are typically required to offload such classification to the network interface controller (NIC); see also ¶14-¶18; ¶27, the NIC 120 typically includes one or more physical ports (e.g., for facilitating the ingress and egress of network traffic) and, in some embodiments, one or more accelerator (e.g., ASIC, FPGA, etc.) and/or offload hardware components for performing/offloading certain network functionality and/or processing functions (e.g., a DMA engine).).
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook, Chilikin and further in view of Li; Yan et al. (US 20140133233 A1 hereinafter Li).
	Regarding claim 13, Bray in view of Holbrook and Chilikin teaches the method of claim 12 (see discussion above). Bray in view of Holbrook and Chilikin does not explicitly disclose the following limitations that Li teaches:  wherein when a length of said input stream is less than a pre-defined threshold, the input stream is passed through a symbol content address memory to identify the one or more units of the input stream, which satisfy at least one condition (¶116, while the longest length of key/content that can be compared in one plane is 16 KB; ¶118 In a content addressable memory, to retrieve the data, a search key is supplied; all the keys in the memory are searched for a match. If a match is found, the corresponding data is retrieved. This section presents a storage drive using a Flash based NAND array as described in the preceding section as a content addressable memory that is addressed using key-value pairs instead of a logical block address. This drive can provide both Binary and Ternary search capability, meaning that bit patterns in the key can have the values 1 or 0 as well as "don't care" entries. This type of NAND based CAS drive can then be used to replace other implementations of CAM or CAS functionality). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Li, which teaches to pass input stream is passed through a symbol content address memory to identify one or more unites of the input stream when the length of the input stream is less than a pre-defined threshold into the teaching of Bray in view of Holbrook and Chilikin to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Li’s teaching would help improve performance perform network data filtering. In addition, both references of Li and Holbrook teach features that are directed to analogous art, such as data matching and replacement method for data matching and content addressable memory (Li ¶3, Holbrook col. 9 lines 1-20). This close relation between both references highly suggests an expectation of success when combined.

Claims 14-15 are rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and Chilikin and further in view of Guo; Zhi et al. (US 20150055481 A1, hereinafter Guo).
	Wikipedia, “Bloom filter”, downloaded from the Internet on 05/02/2022, dated 2016, pages 1-14, using URL: http://web.archive.org/web/20160201194147/https://en.wikipedia.org/wiki/Bloom_filter) is used as extrinsic evidence in support of rejection of claim 3.
	Regarding claim 14, Bray in view of Holbrook and Chilikin teaches the method of claim 12 (see discussion above).	Although the combination of Bray in view of Holbrook teaches one or more tokens are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition (Bray col. 12 lines 22-38, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens), the combination does not explicitly disclose wherein when the input stream pertains to the string, the method comprises determining one or more fixed length characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream, which satisfy the at least one condition.	On the other hand, Guo teaches determining one or more fixed set of characters from the string so that the one or more fixed length characters are matched with the contents of the hash based lookup table to identify the one or more units of the input stream (Guo [0075] FIG. 7 illustrates an exemplary implementation of a string-matching module 700 in accordance with an embodiment of the present invention. In the context of the present example, string-matching module 700 can be configured to support different lengths of strings, each of which can have a bloom filter such as 702 and 706, and an exact string matching such as 704 and 708; [Examiner remark: see NPL U, Bloomfilter, Algorithm description section, starting page 2, “There must also be k different hash functions defined, each of which maps or hashes some set element to one of the m array positions with a uniform random distribution.”]).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook and Chilikin to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.

	Regarding claim 15, Bray in view of Holbrook, Chilikin and Guo teaches the method of claim 14 (see discussion above).	Bray teaches wherein the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner (Bray col. 12 lines 22-38, FIG. 6 illustrates an example of a finite-state machine usable for event-stream matching using compiled rule patterns, a directed graph in which nodes represent finite states and edges represent transitions between those states, transition between these states when conditions in events match conditions in rule patterns, each of the states 600-604 may be implemented using a hash table for efficient matching of tokens).	Bray in view of Holbrook and Chilikin does not explicitly disclose the input stream pertaining to the string is passed through a set of filters arranged in a cascaded manner to determine the one or more fixed length characters from the string.	On the other hand, Guo teaches determine the one or more fixed length characters from the string (Guo ¶75). 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Guo, which teaches using Bloomfilter to look up different lengths of strings into the teaching of Bray in view of Holbrook and Chilikin to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Guo’s teaching would help improve performance. In addition, both references teach features that are directed to analogous art, such as, data matching. This close relation between both references highly suggests an expectation of success when combined.

Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Bray in view of Holbrook and further in view of Greenfield; Daniel Leo et al. (US 8176545 B1, hereinafter Greenfield).	
	Regarding claim 21, Bray in view of Holbrook teaches the method of claim 1 (see discussion above).	Bray in view of Holbrook teaches the acceleration device provides hardware acceleration to the one or more host devices within the data center (see discussion above).  Although the claim recites the relative speed between the acceleration device and the hosts, it merely states the intended results of a process step positively recited (see MPEP 2111.04 (I)); and as a result, it does not have patentable weight.	However, Bray in view of Holbrook does not explicitly mention that the host devices are slower than the acceleration device.	On the other hand, Greenfield teaches: the acceleration device provides hardware acceleration to the one or more other [processor] ([Examiner remark: the crossed over text is taught by Bray in view of Holbrook above]; Greenfield col. 2 lines 4-18, the communication speed in networks has increased faster than processor speed. This increase has produced an input/output (I/O) bottleneck. The processor, which is designed primarily for computing and not for I/O, cannot typically keep up with the data flowing through networks. As a result, the data flow is processed at a rate slower than the speed of the network. TOE technology solves this problem by removing the burden from the processor (i.e. offloading processing) and/or I/O subsystem; There is thus a need for more efficient techniques of performing IPSec-type processing in the context of a system equipped with a TOE; [Examiner remark: Greenfield discloses a system that offloads processing network processing that is more efficient than TOE, which is keeps up the speed that general purpose processor cannot keep up, if processing by the general purpose processor]; Greenfield column 2 lines 60-67, If the hash associated with the SYN/ACK packet matches the hash associated with the control block, the SYN/ACK packet is accepted. Still yet, if the hash associated with the SYN/ACK packet matches the hash associated with the control block, a handshake ACK packet may be generated. On the other hand, if the hash associated with the SYN/ACK packet does not match the hash associated with the control block, the SYN/ACK packet may be rejected; Greenfield column 3 lines 1-15, the packet matches the hash associated with the control block, the packet may be accepted. If not, the packet may be rejected).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Greenfield, which teaches a system that performs network packets matching that is faster than regular process when processing network packets into the teaching of Bray in view of Holbrook to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Greenfield’s teaching would help improve performance (Greenfield col. 2 lines 4-18). In addition, both references of Greenfield and Bray teach features that are directed to analogous art, such as network packet matching and filtering. This close relation between both references highly suggests an expectation of success when combined.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 8850060 B1 - provide services to other VEEs running on multiple computer systems arranged in a cluster, the dedicated server-type VEE can intercept or filter a flow of IP packets and check the content of these packets for malicious code or unwanted data.
US 11005950 B1 - if the length of the bit string changes, for example with an increase or a decrease of the number of services represented by the Bloom filter and/or with a desired change of the probability of a false positive indication in the Bloom filter, the multiple hash functions may need to be re-applied to each of one or more inputs.
US 7941605 B1 - CAMs are increasingly being used in packet classification especially because of their performance. A typical implementation performs a lookup operation on a CAM with the CAM result being used as input to a memory, which produces the actual result used in processing a packet.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
	A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/V.H.H/
Examiner, Art Unit 2497

/ELENI A SHIFERAW/Supervisory Patent Examiner, Art Unit 2497