DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
	The amendment filed 2022-09-28 has been entered.  Applicant’s amendments have overcome the objection to Claim 12.  Applicant’s amendment to Claim 9 eliminates the interpretation under 35 USC 112(f) of “intrusion detection module.” Applicant’s amendment to Claim 8 eliminates the interpretation under 35 USC 112(f) of “machine learning module.”  The status of claims is as follows:
	Claims 1-13 and 21-31 are pending.
	Claims 8-10 and 12 are amended.
	Claims 14-20 are cancelled.
	Claims 21-31 are new.
Response to Arguments
Regarding Interpretation Under 35 USC 112(f)
Applicant’s arguments in response to interpretation under 35 USC 112(f) have been fully considered but are not persuasive.  Applicant argues on Remarks Pages 7-8 that “At the outset, the claim does not include the phrase ‘means’ or ‘step’, and as such it is presumed that interpretation 35 USC 112(f) does not apply. MPEP at 2181. In this case, the Office Action argues that the presumption against applying 35 USC 112(f) should be ignored because of applicant's use of the terms ‘resource’ and ‘sub-system’ respectively generic placeholders. This is without merit. One of ordinary skill in the art would understand the processing resource used in the context of the claim to be one or more processors, and thus having sufficient definite structure for performing the claimed processes. Similarly, one of ordinary skill in the art would recognize a ‘hardware acceleration sub-system’ as hardware acceleration circuitry including in some cases a processor included within a system, and thus having sufficient definite structure for performing the claimed processes.”  Examiner respectfully disagrees.  The term “processing resource” is not explicitly defined in the Claims, nor is it explicitly defined in the Specification, which only in several places indicates “for example, one or more processors” or “e.g., a microcontroller, a microprocessor, central processing unit core(s), an application-specific integrated circuit (ASIC), a field programmable gate array (FPGA), and the like) and/or in the form of other types of electronic circuitry”.  Examiner notes that “for example” or “e.g.” are not sufficient to explicitly limit a “processing resource” to only electronic circuitry.  Examiner suggests amending this limitation to explicitly recite a “processor”.  
Similarly, regarding “hardware acceleration sub-system”, Instant Specification recites “(e.g., hardware accelerator 116).”  However, this does not explicitly restrict the “hardware acceleration sub-system” to a “hardware accelerator”, and leaves open the possibility that the “sub-system” could even be, for example, software executed by the accelerator.  Examiner suggests amending this limitation to explicitly recite “hardware accelerator”.
	Examiner further points out that even if Applicant explicitly recites “hardware accelerator” without “sub-system”, as suggested above, it would still be interpreted under 35 USC 112(f), because of the language “configured to”.  The subsequent limitations “perform pattern matching and regular expression matching of application layer payload data of received packets against string patterns and regular expression patterns; and collect statistics relating to the application layer payload data” amount to purely functional language.  For computer-implemented functional claims, the MPEP 2181(II)(B) states:  “For a computer-implemented 35 U.S.C. 112(f)  claim limitation, the specification must disclose an algorithm for performing the claimed specific computer function, or else the claim is indefinite under 35 U.S.C. 112(b)”, and in the fourth paragraph continues:  “To claim a means for performing a specific computer-implemented function and then to disclose only a general purpose computer as the structure designed to perform that function amounts to pure functional claiming.”  Thus, the Specification would have to detail a specific “pattern matching” algorithm, or a specific algorithm to “collect statistics”. Examiner notes that no such algorithms are detailed in the Specification, and as the “hardware accelerator” amounts to a general purpose computer, the claim is indefinite under 35 USC 112(b) as stated by MPEP 2181(II)(B).  Examiner notes that in order to avoid this interpretation, rather than claiming the “hardware accelerator” is “configured to”, it would be better to treat the “hardware accelerator” in a similar manner to the “processing resource”, wherein it is “caused to” perform the claimed steps by “instructions” stored on the non-transitory medium.
Regarding Rejections Under 35 USC 112(a) and (b)
	Applicant’s arguments in response to rejections under 35 USC 112(a) and (b) have been fully considered.  The previously set forth rejections of Claims 9 and 10 have been withdrawn in light of the amendments.  Regarding the arguments against rejections of Claims 8 and its dependent claims, Applicant’s arguments are not persuasive.  Applicant argues on Remarks Page 10 that these rejections are based upon a faulty interpretation under 35 USC 112(f).  Examiner reiterates the arguments set forth above that the interpretation under 35 USC 112(f) was proper.
	New rejections under 35 USC 112(b) have been applied to address issues of insufficient antecedent basis that have resulted from the amendments, as will be detailed below in the rejections.
Regarding Rejections Under 35 USC 101
Applicant’s arguments in response to rejections under 35 USC 101 have been fully considered but are not persuasive.  Applicant argues on Remarks Pages 8-10 that the claimed invention allows for “classification that otherwise would be too computationally intensive” and “could not be practically done by the human mind due to the scale and speed required”, and that the claimed invention is an “improvement to technology”.  Examiner respectfully disagrees, and points out that nothing in the language of the claimed limitations of determining metadata, matching data, collecting statistics, and classifying data is indicative of a process that is too complex to be performed in the human mind, and there is no indication of the “scale and speed required”.  Rather, those four limitations, as claimed, can be performed in the human mind or with pen and paper, even with the classifying using the generically stated “machine learning model”, which could be a simple regression model.  The receiving of network flow data is insignificant extra-solution activity (mere data gathering, MPEP 2106.05(g)(3)), and the recitation of “machine learning” and “hardware accelerator” are mere instructions to implement an abstract idea or other exception on a computer (MPEP 2106.05(f)).  Examiner also notes that a specific “improvement to technology”, and how the claimed limitations achieve that improvement to technology, is not recited in the claims, nor in the Specification.
Applicant also argues that “Without a supported finding that the claim limitations involve only well-understood, routine, and conventional activities previously known to the industry, a rejection under 35 USC 101 fails and must be withdrawn.”  Examiner respectfully disagrees, and points out that WURC analysis is only one part of the analysis for rejections under 35 USC 101, specifically for Step 2B, which is applied to the additional elements other than the abstract idea.  As Examiner showed above, the additional element of receiving network flow data is insignificant extra-solution activity as it is mere data gathering. Examiner also points out that this alone is sufficient for Step 2B as per MPEP 2106.05(g):  “Another consideration when determining whether a claim integrates the judicial exception into a practical application in Step 2A Prong Two or recites significantly more in Step 2B”.  Nevertheless, WURC analysis, while unnecessary, can be applied here, and “Receiving or transmitting data over a network” is understood to be WURC, see MPEP 2106.05(d)(II)(i).  Additional elements “machine learning” and “hardware accelerator”, as shown above, amount to mere instructions to implement an abstract idea or other exception on a computer, which is also sufficient for Step 2B (MPEP 2106.05(f):  “Another consideration when determining whether a claim integrates a judicial exception into a practical application in Step 2A Prong Two or recites significantly more than a judicial exception in Step 2B is whether the additional elements amount to more than a recitation of the words "apply it" (or an equivalent) or are more than mere instructions to implement an abstract idea or other exception on a computer.”)

Regarding Rejections Under 35 USC 102 and 103
Applicant’s arguments in response to rejections under 35 USC 102 and 103 have been fully considered but are not persuasive.  Applicant argues that “determining metadata relating to the stream of packets; and collecting statistics relating to the application layer payload data…requires two distinct processes” and that “The Office Action conflates the aforementioned two requirements into a single process of gathering metadata relating to the stream of packets. In particular, the Office Action alleges that the same set of information set forth in Table A1 of Gomez is both the aforementioned metadata relating to the stream of packets and the statistics relating to the application layer payload data.  While claim terms must be given their broadest reasonable interpretation in light of the specification during prosecution, a claim interpretation so broad that it conflates two distinct terms cannot be argued as reasonable. Table A1 of Gomez sets forth 77 statistics related to the stream of packets, however, the statistics of Gomez are not related to the application layer payload data as required by claim 1.”
Examiner respectfully disagrees.  Gomez Page 70 Right Column, discloses:  “The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so” and the full list is shown in Gomez Page 78 Table 1.  Examiner points out that the Specification [00045] describes “metadata” as “The metadata can include any or a combination of a packet size sequence, an arrival interval sequence, an Internet Protocol (IP) family, and a layer four protocol associated with the network flow. In addition, the metadata can include any or a combination of a destination port specified by the layer four protocol, Transport Layer Security (TLS) records, and TLS hello message lengths. The packet size sequence can include sizes of an application layer payload for a predetermined number of initial packets of the network flow.”  Thus, Gomez here includes “metadata” (“packets sizes, inter-arrival packet times”, analogous to “a packet size sequence, an arrival interval sequence”), as indicated in the previous office action.  Note that only the “packets sizes, inter-arrival packet times” were mapped to “metadata”.  Therefore, there are still more of the “77 statistics” other than the “metadata” that may be considered “Statistics related to the application layer payload data”.  Therefore, it is not the case that Examiner “conflates two distinct terms”.  Applicant also argues “however, the statistics of Gomez are not related to the application layer payload data as required by claim 1.”  Examiner respectfully disagrees, and points out that, while the statistics are not derived from the inner contents of the payloads themselves, the collective statistics regarding the payloads (for example, “number of packets”) are still “related to” “payload data”.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: 
Regarding Claim 8:
and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: (Prong A is met with the usage of “resource”. Prong B is met with the functional language, “to: […].” Prong C is met as the modifier “processing” is not sufficient structure.)
a hardware acceleration sub-system configured to: (Prong A is met with the usage of “sub-system”. Prong B is met with the functional language, “configured to: […].” Prong C is met as the modifier “hardware acceleration” is not sufficient structure. )
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 101 – Abstract Idea
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-13 and 21-31 are rejected under 35 U.S.C. 101 for containing an abstract idea without significantly more. 

Regarding Claim 1:
Step 1 – Is the claim to a process, machine, manufacture or composition of matter?
Yes, the claim is a process.
Step 2A – Prong 1 – Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the claim recites an abstract idea.
determining, [by the processor], metadata relating to the stream of packets; – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
matching, [by the processor or by a pattern matching and regular expression matching module of a hardware acceleration sub-system of the network security device], application layer payload data of one or more packets of the stream of packets against string patterns and regular expression patterns; – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
and classifying, [by the processor], the network flow as being associated with a particular network service of a plurality of network services by applying a [machine-learning] model to the metadata, results of said matching, and the collected statistics. – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
Step 2A – Prong 2 – Does the claim recite additional elements that integrate the judicial exception into a practical application?
No, there are no additional elements that integrate the judicial exception into a practical application. The additional elements:
receiving, by a processor of a network security device, a stream of packets representing a network flow; – This limitation is directed to insignificant extra-solution activity as it is mere data gathering (see MPEP 2106.05(g)). 
by the processor – This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
[matching], by the processor or by a pattern matching and regular expression matching module of a hardware acceleration sub-system of the network security device, [application layer payload data of one or more packets of the stream of packets against string patterns and regular expression patterns]; – This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
collecting, by the processor or by the hardware acceleration sub-system, statistics relating to the application layer payload data; – This limitation is directed to insignificant extra-solution activity as it is mere data gathering (see MPEP 2106.05(g)).  
Step 2B - Does the claim recite additional elements that amount to significantly more than the judicial exception?
	No, there are no additional elements that amount to significantly more than the judicial exception.
receiving, by a processor of a network security device, a stream of packets representing a network flow; – This limitation is directed to receiving data over a network. The courts (as per Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362) have recognized receiving or transmitting data over a network as well‐understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity (see MPEP 2106.05(d) II.).
collecting, by the processor or by the hardware acceleration sub-system, statistics relating to the application layer payload data; –  This limitation is directed to receiving data over a network. The courts (as per Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362) have recognized receiving or transmitting data over a network as well‐understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity (see MPEP 2106.05(d) II.).

Regarding Claim 2:
Claim 2 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the machine learning model directed to the classifying limitation which was considered the abstract idea of a mental process. The additional limitation:
wherein the machine learning model comprises one or more of a decision tree model, a logistic regression model, and a neural network model. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of machine learning models. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 3:
Claim 3 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the machine learning model directed to the classifying limitation which was considered the abstract idea of a mental process. The additional limitation:
wherein an output layer of the machine learning model outputs a classification of the network flow based on a highest score among predetermined confidence classification scores associated with the decision tree model, the logistic regression model, and the neural network model. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of machine learning models. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 4:
Claim 4 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the network security device directed to the receiving limitation which was considered insignificant extra-solution activity. The additional limitation:
wherein the network security device is also operable to perform intrusion detection functionality and wherein the pattern matching and regular expression matching module is shared by network traffic classification functionality and the intrusion detection functionality. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the network security device. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 5:
Claim 5 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the metadata directed to the determining limitation which was considered the abstract idea of a mental process. The additional limitation:
wherein the metadata comprises any or a combination of a packet size sequence, an arrival interval sequence, an Internet Protocol (IP) family, and a layer four protocol associated with the network flow. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the metadata. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 6:
Claim 6 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the metadata directed to the determining limitation which was considered the abstract idea of a mental process. The additional limitation:
wherein the metadata further comprises any or a combination of a destination port specified by the layer four protocol, Transport Layer Security (TLS) records, and TLS hello message lengths. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the metadata. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 7:
Claim 7 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the packet size sequence directed to the metadata comprises limitation of claim 5 which was considered field of use. The additional limitation:
wherein the packet size sequence comprises sizes of the application layer payload for a predetermined number of initial packets of the network flow. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the packet size sequence. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 8:
Step 1 – Is the claim to a process, machine, manufacture or composition of matter?
Yes, the claim is a machine.
Step 2A – Prong 1 – Does the claim recite an abstract idea, law of nature, or natural phenomenon?
Yes, the claim recites an abstract idea.
perform pattern matching and regular expression matching of application layer payload data of received packets against string patterns and regular expression patterns; – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
determine metadata relating to the stream of packets; – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
and classify the network flow as being associated with a particular network service of a plurality of network services by applying a [machine-learning] model to the metadata, results of said pattern matching and regular expression matching, and the collected statistics. – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
Step 2A – Prong 2 – Does the claim recite additional elements that integrate the judicial exception into a practical application?
No, there are no additional elements that integrate the judicial exception into a practical application. The additional elements:
A network security device comprising:– This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
a hardware acceleration sub-system configured to: – This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
and collect statistics relating to the application layer payload data; – This limitation is directed to insignificant extra-solution activity as it is mere data gathering (see MPEP 2106.05(g)). 
a processing resource;– This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to:– This limitation is merely using a computer as a tool (see MPEP 2106.04(d)). 
receive a stream of packets representing a network flow; – This limitation is directed to insignificant extra-solution activity as it is mere data gathering (see MPEP 2106.05(g)). 
Step 2B - Does the claim recite additional elements that amount to significantly more than the judicial exception?
	No, there are no additional elements that amount to significantly more than the judicial exception.
receive a stream of packets representing a network flow; – This limitation is directed to receiving data over a network. The courts (as per Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362) have recognized receiving or transmitting data over a network as well‐understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity (see MPEP 2106.05(d) II.).
and collect statistics relating to the application layer payload data; –  This limitation is directed to receiving data over a network. The courts (as per Symantec, 838 F.3d at 1321, 120 USPQ2d at 1362) have recognized receiving or transmitting data over a network as well‐understood, routine, and conventional functions when they are claimed in a merely generic manner (e.g., at a high level of generality) or as insignificant extra-solution activity (see MPEP 2106.05(d) II.).

Regarding Claim 9:
Claim 9 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). The additional limitation:
wherein the instructions that when executed by the processing resource further cause the processing resource to: make use of the results of pattern matching and regular expression matching to detect intrusion  – This limitation is directed to the abstract idea of a mental process (including an observation, evaluation, judgment, opinion) which can be performed in the human mind, or by a human using pen and paper (see MPEP 2106.04(a)(2) III. C.).
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 10:
Claim 10 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the machine learning model directed to the classifying limitation of claim 8 which was considered the abstract idea of a mental process. The additional limitation:
wherein the machine-learning module comprises a decision tree based, a logistic regression, and a neural network. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of machine learning models. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 11:
Claim 11 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the hardware acceleration sub-system includes a decision tree co-processor, a multiply-accumulate co-processor, and a lookup table co-processor. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the hardware acceleration sub-system. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 12:
Claim 12 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the metadata directed to the hardware acceleration sub-system limitation of claim 11 which was considered field of use. The additional limitation:
wherein the multiply-accumulate co-processor is shared by the logistic regression module and the neural network module. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the multiply-accumulate co-processor. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 13:
Claim 13 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the hardware acceleration sub-system and the processing resource are implemented within a network interface card of the network security device. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the hardware acceleration sub-system. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 21:
Claim 21 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the metadata includes at least one of: a packet size sequence; an arrival interval sequence; an internet protocol (IP) family; a layer four protocol associated with the network flow; a destination port specified by a layer four protocol associated with the network flow; and a packet size sequence including a size of an application layer payload. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the metadata. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 22:
Claim 22 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics are specific to information included within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 23:
Claim 23 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics comprise: a frequency of characters occurring within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 24:
Claim 24 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 25:
Claim 25 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 1 which included an abstract idea (see rejection for claim 1). This claim merely recites “wherein the classifying yields a classification, and wherein the method further comprises: reporting, by the processor, the classification.” Reporting the classification amounts to insignificant extra-solution activity (necessary data gathering and outputting, see MPEP 2106.05(g)(3)), thus failing step 2A Prong 2 and Step 2B. The claim does not include additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception.

Regarding Claim 26:
Claim 26 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the metadata includes at least one of: a packet size sequence; an arrival interval sequence; an internet protocol (IP) family; a layer four protocol associated with the network flow; a destination port specified by a layer four protocol associated with the network flow; and a packet size sequence including a size of an application layer payload. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the metadata. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 27:
Claim 27 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics are specific to information included within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 28:
Claim 28 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics comprise: a frequency of characters occurring within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 29:
Claim 29 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data. –  This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the statistics. 
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.

Regarding Claim 30:
Claim 30 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites a further limitation on the hardware acceleration sub-system which was considered using a generic computer as a tool. The additional limitation:
wherein the hardware acceleration sub-system is further configured to make use of the results of pattern matching and regular expression matching to detect intrusion. – This limitation is directed to field of use (see MPEP 2106.05(h)) as it is merely limiting the field of the hardware acceleration sub-system.
Thus, the judicial exception is not integrated into a practical application (see MPEP 2106.04(d) I.), failing step 2A Prong 2. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception under step 2B.


Regarding Claim 31:
Claim 31 is rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim is dependent on claim 8 which included an abstract idea (see rejection for claim 8). This claim merely recites “wherein the classifying yields a classification, and wherein the method further comprises: reporting, by the processor, the classification.” Reporting the classification amounts to insignificant extra-solution activity (necessary data gathering and outputting, see MPEP 2106.05(g)(3)), thus failing step 2A Prong 2 and Step 2B. The claim does not include additional elements that integrate the abstract idea into a practical application or are sufficient to amount to significantly more than the judicial exception.

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 8-13 and 26-31 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Regarding Claim 8 and dependent claims:
Claim limitation “a hardware acceleration sub-system configured to: ” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
The instant specification cites in ¶34, “Hardware accelerator 116 is operatively coupled to general purpose processor 104 and includes a hardware acceleration sub-system. […].” The specification further cites in ¶72, “Depending upon the particular implementation, the matching may be performed by software running on a general purpose processor or may be accelerated by a pattern matching and regular expression matching module (e.g., pattern matching and regular expression matching module 502) of a hardware acceleration sub-system (e.g., hardware accelerator 116).” It is unclear from these citations whether the hardware acceleration sub-system is the hardware accelerator or if the hardware acceleration sub-system is part of the hardware accelerator. The specification further cites what the sub-system can be comprised of in ¶36, “In yet another embodiment, the hardware acceleration sub-system includes a decision tree co-processor, a multiply-accumulate co-processor, and a lookup table co-processor.” The specification cites what the accelerator can be comprised of in ¶63, “In the context of the present example, the hardware accelerator 600 includes a control processor 620, a main memory 622, a data memory 618, multiple co-processors (e.g., one or more decision tress processors 602, a multiply-accumulate (MAC) processor 604, a lookup table (LUT) processor 606), and corresponding data buffers 608, 612, and 616 and instruction caches 610, 614, and 615.” These citations do not clarify whether the hardware acceleration sub-system is a component in the hardware accelerator or if they are equivalent. The written description is unclear as to the structure of the sub-system.
For examination purposes, hardware acceleration sub-system is interpreted under broadest reasonable interpretation as any system that uses hardware accelerators. 
Further, claim limitation “and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: ” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
Multiple processing resources are mentioned throughout the specification. For example, in ¶70, the specification cites two different processors, “For example, the stream of packets may be received by a processor of a network security device (e.g., network security device 102). Depending upon the particular implementation, the processor may be an embedded processor (e.g., embedded processor 154) of a NIC (e.g., NIC 152) or a general purpose processor (e.g., general purpose processor 104).” The specification cites multiple structures for the processing resources in ¶41, “ In the context of the present example, network security device 102 can include one or more processing resources (e.g., processor(s) 202). Processor(s) 202 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate data based on operational instructions.” The written description is unclear as to what specific structure is meant by the “processing resource” in the claim limitation. 
For examination purposes, processing resource is interpreted as any processor. 

Therefore, claim 8 is rejected under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph. The dependent claims of 8, claims 9-13 and 26-31, are rejected for inheriting the deficiencies of the parent claim. 

Claim Rejections - 35 USC § 112(b)
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 8-13 and 15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Regarding Claim 8 and dependent claims:
Claim limitation “a hardware acceleration sub-system configured to: ” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
The instant specification cites in ¶34, “Hardware accelerator 116 is operatively coupled to general purpose processor 104 and includes a hardware acceleration sub-system. […].” The specification further cites in ¶72, “Depending upon the particular implementation, the matching may be performed by software running on a general purpose processor or may be accelerated by a pattern matching and regular expression matching module (e.g., pattern matching and regular expression matching module 502) of a hardware acceleration sub-system (e.g., hardware accelerator 116).” It is unclear from these citations whether the hardware acceleration sub-system is the hardware accelerator or if the hardware acceleration sub-system is part of the hardware accelerator. The specification further cites what the sub-system can be comprised of in ¶36, “In yet another embodiment, the hardware acceleration sub-system includes a decision tree co-processor, a multiply-accumulate co-processor, and a lookup table co-processor.” The specification cites what the accelerator can be comprised of in ¶63, “In the context of the present example, the hardware accelerator 600 includes a control processor 620, a main memory 622, a data memory 618, multiple co-processors (e.g., one or more decision tress processors 602, a multiply-accumulate (MAC) processor 604, a lookup table (LUT) processor 606), and corresponding data buffers 608, 612, and 616 and instruction caches 610, 614, and 615.” These citations do not clarify whether the hardware acceleration is a component in the hardware accelerator or if they are equivalent. The structure of the sub-system is unclear.
For examination purposes, hardware acceleration sub-system is interpreted as any hardware accelerator. 
Further, claim limitation “and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: ” invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. 
Multiple processing resources are mentioned throughout the specification. For example, in ¶70, the specification cites two different processors, “For example, the stream of packets may be received by a processor of a network security device (e.g., network security device 102). Depending upon the particular implementation, the processor may be an embedded processor (e.g., embedded processor 154) of a NIC (e.g., NIC 152) or a general purpose processor (e.g., general purpose processor 104).” The specification cites multiple structures for the processing resources in ¶41, “ In the context of the present example, network security device 102 can include one or more processing resources (e.g., processor(s) 202). Processor(s) 202 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate data based on operational instructions.” It is unclear what specific structure is meant by the “processing resource” in the claim limitation. 
For examination purposes, processing resource is interpreted as any processor. 

Regarding Claim 10:
Claim 10 recites the limitation "machine-learning module".  There is insufficient antecedent basis for this limitation in the claim.  Examiner is interpreting the limitation as “machine-learning model”.
Claim 10 recites “wherein the machine-learning module comprises a decision tree based 

Regarding Claim 12:
Claim 12 recites the limitations "logistic regression module" and “neural network module”.  There is insufficient antecedent basis for these limitations in the claim.  Examiner is interpreting the limitation as “logistic regression model” and “neural network model”.
Therefore, claims 8, 10, and 12 are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph. The dependent claims of 8, claims 9-13 and 26-31, are rejected for inheriting the deficiencies of the parent claim.

Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1 and 5-7 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Gomez et al. (“Ensemble network traffic classification: Algorithm comparison and novel ensemble scheme proposal”) (hereinafter Gomez).

Regarding Claim 1:
	Gomez teaches:
A method comprising: 
receiving, by a processor of a network security device, a stream of packets representing a network flow; (“Network security device” is interpreted as any device in virtual or physical form that can perform one or more security functions as per ¶27 of the instant specifications. Gomez discloses receiving packets of a network flow in sec. 3.1.3 ¶1, “Our software takes as input network captures stored in pcap files and the number of packets to be considered to compute the statistical attributes. Our tool is able to split initial pcap files in traces that contain packets associated with each bidirectional connection flow.” The software is run on a processor as disclosed by Gomez in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.” The processor is of a network security device as the workstation used by Gomez was for the purpose of network traffic classification which is a security function as disclosed by Gomez in the Abstract, “Network Traffic Classification (NTC) is a key piece for network monitoring, Quality-of-Service management and network security.”)
determining, by the processor, metadata relating to the stream of packets; (“Metadata” is interpreted as per ¶45 of the instant specifications where it includes packet size sequence and arrival interval sequence as metadata. Gomez discloses determining metadata in sec. 3.1.3 ¶1, “Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so.” The system of Gomez is run on a processor as disclosed by Gomez in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.”) 
matching, by the processor or by a pattern matching and regular expression matching module of a hardware acceleration sub-system of the network security device, application layer payload data of one or more packets of the stream of packets against string patterns and regular expression patterns; (Gomez discloses using nDPI in sec. 3.1.3 ¶2, “For label assignment, we used a DPI tool called nDPI [25], publicly available in [26]. NDPI is able to handle encrypted traffic and is one of the most accurate open source DPI applications [27].” Deep Packet Inspection (DPI) is pattern matching as disclosed by Gomez in sec. 1 ¶3, “Deep Packet Inspection (DPI) tools have appeared to overcome the former limitations [2]. DPI tools inspect packet payloads in order to check byte strings for matches with prefixed patterns.” The system of Gomez is run on a processor as disclosed by Gomez in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.”) 
collecting, by the processor or by the hardware acceleration sub-system, statistics relating to the application layer payload data; (Gomez discloses collecting statistics relating to the payload data in sec. 3.1.3 ¶1, “The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so. The whole collection of attributes is presented at the end of this paper in Annex 1 and it includes statistics accounting for outgoing, ingoing and both directions of flows.” The system of Gomez is run on a processor as disclosed by Gomez in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.”) 
and classifying, by the processor, the network flow as being associated with a particular network service of a plurality of network services by applying a machine-learning model to the metadata, results of said matching, and the collected statistics. (Gomez discloses classifying the network flow using machine learning in the Abstract, “Machine Learning algorithms have drawn the attention of many researchers during the last few years as a promising solution for network traffic classification. […] This paper studies and compares the performance of seven popular ensemble algorithms based on Decision Trees.” Gomez discloses that the machine learning models are applied to the metadata, results of matching, and collected statistics in sec. 3.1.3 ¶1-5, “An ad-hoc developed tool of our own was developed to extract the datasets to feed the ML algorithms from the network traces. […] Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so. […].” The system of Gomez is run on a processor as disclosed by Gomez in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.”) 

Regarding Claim 5:
Gomez teaches “The method of claim 1” as seen above. 
Gomez further teaches: 
wherein the metadata comprises any or a combination of a packet size sequence, an arrival interval sequence, an Internet Protocol (IP) family, and a layer four protocol associated with the network flow. (Gomez discloses metadata comprising a packet size sequence and an arrival interval sequence in sec. 3.1.3 ¶1, “Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so.” Gomez discloses a layer four protocol in sec. )

Regarding Claim 6:
Gomez teaches “The method of claim 1” as seen above. 
Gomez further teaches: 
wherein the metadata further comprises any or a combination of a destination port specified by the layer four protocol, Transport Layer Security (TLS) records, and TLS hello message lengths. (Gomez discloses destination port information in sec. 3.1.3 ¶2, “In other cases, some encrypted flows were identified as SSL, and port-based information was examined to distinguish between HTTPS traffic and others, as encrypted SSH connections. […] Finally, different applications and protocols were detected among the six network traces; and each application was mapped to an application group according to its protocol properties and purposes, except DNS and NTP. The application grouping was carried out according to the following protocol types: P2P includes applications as eMule, BitTorrent or eDonkey; WWW includes all HTTP and HTTPS queries to Google, Facebook, GMail and other websites; INT (INTeractive) includes protocols as SSH, Telnet, RDP and so on; Services & Control (S/C) includes network control protocols and other services as NetBios, Radius, Kerberos and so forth; Bulk includes FTP and similar protocols; Media traffic includes RTP, Skype and so on; and DB includes MsSQL, MySQL and more database applications.”)

Regarding Claim 7:
Gomez teaches “The method of claim 5” as seen above. 
Gomez further teaches: 
wherein the packet size sequence comprises sizes of the application layer payload for a predetermined number of initial packets of the network flow. (Gomez discloses packet sizes for a number of initial packets of the network flow in sec. 3.1.3 ¶1, “Our software takes as input network captures stored in pcap files and the number of packets to be considered to compute the statistical attributes. Our tool is able to split initial pcap files in traces that contain packets associated with each bidirectional connection flow. Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes […].”)

Regarding Claim 21:
Gomez teaches “The method of claim 1” as seen above. 
Gomez further teaches: 
wherein the metadata includes at least one of: a packet size sequence; an arrival interval sequence; an internet protocol (IP) family; a layer four protocol associated with the network flow; a destination port specified by a layer four protocol associated with the network flow; and a packet size sequence including a size of an application layer payload. (Gomez discloses metadata comprising a packet size sequence and an arrival interval sequence in sec. 3.1.3 ¶1, “Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so.” Gomez discloses a layer four protocol in sec. )

Regarding Claim 22:
Gomez teaches “The method of claim 1” as seen above. 
Gomez further teaches: 
wherein the statistics are specific to information included within the application layer payload data. (Gomez discloses collecting statistics relating to the payload data in sec. 3.1.3 ¶1, “The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so. The whole collection of attributes is presented at the end of this paper in Annex 1 and it includes statistics accounting for outgoing, ingoing and both directions of flows.”  Examiner notes that this is included “within” application payload data, as it is data regarding properties of the payloads.  For example, the “number of packets” of payloads, while not the inner contents of the payloads, is still “payload data” regarding the payloads.)


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Zhou et al. (“Practical evaluation of encrypted traffic classification based on a combined method of entropy estimation and neural networks”) (hereinafter Zhou).

Regarding Claim 2:
Gomez teaches “The method of claim 1” as seen above. 
Gomez further teaches: 
wherein the machine learning model comprises one or more of a decision tree model, [a logistic regression model, and a neural network model.] (Gomez discloses machine learning models being based on decision trees in the Abstract, “Machine Learning algorithms have drawn the attention of many researchers during the last few years as a promising solution for network traffic classification. […] This paper studies and compares the performance of seven popular ensemble algorithms based on Decision Trees.”)
Gomez does not teach a logistic regression model or a neural network model. Gomez does not teach “wherein the machine learning model comprises one or more of a decision tree model, a logistic regression model, and a neural network model.”
Zhou teaches:
wherein the machine learning model comprises one or more of a decision tree model, a logistic regression model, and a neural network model. (Zhou discloses a logistic regression model, neural network model, and a random forest model (which is based on decision trees) in sec. 1 ¶4, “We investigated and evaluated numerous flow features for encrypted traffic classification using four traditional machine learning methods—support vector machines (SVM), random forest (RF), naïve Bayes, and logistic regression—and a neural network (NN).”)
Gomez, Zhou, and the instant application are analogous art because they are all directed to encrypted network traffic classification.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez to include the logistic regression model and neural network model taught by Zhou. One would be motivated to do so to improve performance, as suggested by Zhou (Zhou sec. 5 ¶1: “Finally, we concluded that our combined approach out-performed all the other naïve machine learning methods on the “ISCX VPN-NonVPN/ISCX-Tor-NonTor-2017” traffic dataset in the traffic classification,” sec. 4.2 ¶2: “The criteria of the TP rate, FP rate, precision, and recall for classification have been greatly improved, with some metrics nearly 30 percentage points up, which proved the effectiveness of our approach in traffic applications.” ).

Regarding Claim 3:
Gomez in view of Zhou teaches “The method of claim 2” as seen above. 
Gomez further teaches: 
wherein an output layer of the machine learning model outputs a classification of the network flow based on a highest score among predetermined confidence classification scores associated with the decision tree model, the logistic regression model, and the neural network model. (Gomez discloses an ensemble algorithm based on decision trees that outputs classification based on a highest score amongst confidence scores (i.e. posterior probabilities) in sec. 3.4 ¶1-2, “Ensemble classifiers are learning algorithms composed by multiple base estimators along with training and classification strategies to make final decisions [33–39]. Since DTs yield satisfactory results in NTC ([1,3,4]), we have selected the CART DT algorithm, provided by the Scikit-learn library, as base estimator for the ensemble structures. […] Finally, unknown samples are classified according to the estimate of the posterior probability for each class: given an unknown sample, the class whose posterior probability is maximum is assigned to that sample.”)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gomez with the teachings of Zhou for at least the same reasons as discussed above in claim 2.

Claims 4 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Wei (“Design and Implementation of a Lightweight Intrusion Detection and Prevention System”) (hereinafter Wei).

Regarding Claim 4:
Gomez teaches “The method of claim 1” as seen above. 
Gomez does not teach “wherein the network security device is also operable to perform intrusion detection functionality and wherein the pattern matching and regular expression matching module is shared by network traffic classification functionality and the intrusion detection functionality.”
Wei teaches:
wherein the network security device is also operable to perform intrusion detection functionality and wherein the pattern matching and regular expression matching module is shared by network traffic classification functionality and the intrusion detection functionality. (Wei discloses in the Abstract, “This paper proposes a lightweight intrusion detection and prevention method, based on nDPI, adopting common network packet capture means for design and implementation of a lightweight intrusion detection and prevention system.”)
Gomez, Wei, and the instant application are analogous art because they are all directed to pattern matching of network traffic.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez to include the intrusion detection taught by Wei. One would be motivated to do so to efficiently respond to detected abnormal network protocol, as suggested by Wei (Wei sec. 5 ¶1: “For the power business, the intrusion detection and prevention functions are combined into one, and a lightweight intrusion detection and prevention system is proposed. […] Experiments done by authoritative organization show that the schemes proposed can reduce false positive rate and false negative rate compared existing methods. That has relatively high reference value for network traffic monitoring, protocol analysis and response handling of abnormal terminals.”).

Regarding Claim 25:
Gomez teaches “The method of claim 1” and “wherein the classifying yields a classification” as seen above. 
Gomez does not teach “wherein the method further comprises: reporting, by the processor, the classification.”
Wei teaches:
wherein the network security device is also operable to perform intrusion detection functionality and wherein the pattern matching and regular expression matching module is shared by network traffic classification functionality and the intrusion detection functionality. (Wei discloses in Page 436 Section 3.2, “This system performs secondary development of the nDPI source code, and adds an identifiable protocol type to the power-specific service, and alerts the abnormal protocol, and notifies the subsequent response processing module to timely process the connection that generates the abnormal protocol.”  Here, Wei discloses notification of a potential intrusion, and thus reports it for further processing.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the teachings of Gomez and Wei for at least the reasons recited in Claim 4.

Claims 8, 11, 13, and 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Ni et al. (“Advancing Network Function Virtualization Platforms with Programmable NICs”) (hereinafter Ni) and Burger et al. (US10452995B2) (hereinafter Burger).

Regarding Claim 8:
Claim 8 is a product claim, corresponding to method claim 1. The only difference is that claim 8 recites a hardware acceleration sub-system, processing resource, and a non-transitory computer-readable medium. 
Gomez teaches:
A network security device comprising: (“Network security device” is interpreted as any device in virtual or physical form that can perform one or more security functions as per ¶27 of the instant specifications. Gomez discloses the device used in sec. 3.2 ¶1, “All experiments were performed in a workstation with 12 GB of memory RAM and CPU AMD A10 6800 K (4.1 Ghz). Although the CPU has four cores and Scikit-Learn allows to train models in parallel, we used only one for our experiments in order to isolate each experiment in a unique processing core.” The device disclosed by Gomez was for the purpose of network traffic classification (i.e. a security function) as per the Abstract, “Network Traffic Classification (NTC) is a key piece for network monitoring, Quality-of-Service management and network security.” Thus, Gomez teaches a network security device.) 
Gomez does not teach “a hardware acceleration sub-system configured to.”
Ni teaches:
a hardware acceleration sub-system configured to: (Examiner notes that “hardware acceleration sub-system” is interpreted as any system with hardware accelerators. Ni discloses hardware accelerators in sec. II. B ¶2, “In this work we consider the Agilio SmartNICs, developed by Netronome [1]. A SmartNIC, also called a programmable NIC, allows engineers to build networking accelerator or dataplane applications into the NIC hardware [15]. […] While traditional network cards have only basic control plane functionalities, the SmartNICs also have over 60 hardware accelerators for deep packet inspection (DPI) which support hash, cryptography, statistics, and more.”)
Gomez, Ni, and the instant application are analogous art because they are all directed to processors used for classification.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez to include the hardware acceleration sub-system as taught by Ni. One would be motivated to do so to improve performance and reduce consumption of resources, as suggested by Ni (Ni Abstract: “Our evaluation shows several use cases for smart NICs, which improve performance significantly while reducing resource consumption and providing strong isolation.”).
Neither Gomez nor Ni explicitly teaches “a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to.”
Burger teaches:
a processing resource; and a non-transitory computer-readable medium, coupled to the processing resource, having stored therein instructions that when executed by the processing resource cause the processing resource to: (Burger discloses non-transitory computer readable medium in col. 5 lines 25-36, “Any of the storage resources described herein, or any combination of the storage resources, may be regarded as a computer readable medium. […] However, the specific terms “computer readable storage medium” and “computer readable medium device” expressly exclude propagated signals per se, while including all other forms of computer readable media.” Burger discloses in col 29 lines 10-14, “Packet processing component 2904 may be implemented with one or computer processors with memory store instructions, or dedicated logic gate arrays implemented, for example, in an FPGA or on an ASIC, or other similar device.”) 
The system of Gomez in view of Ni, Burger, and the instant application are analogous art because they are all directed to network traffic classification.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez in view of Ni to include the non-transitory computer readable medium as taught by Burger. One would be motivated to do so to efficiently use resources and increase speed without increasing power consumption, as suggested by Burger (Burger col. 15-16 lines 50-3: “Third, data processing system 102 integrates acceleration plane 106 without imposing large additional power requirements, e.g., in view of the above-described manner in which local acceleration components may be integrated with existing server unit components. Fourth, data processing system 102 provides an efficient and flexible mechanism for allowing host components to access any acceleration resources provided by hardware acceleration plane 106, e.g., without narrowly pairing host components to specific fixed acceleration resources, and without burdening the host components with managing hardware acceleration plane 106 itself. Fifth, data processing system 102 provides an efficient mechanism for managing acceleration resources by intelligently dispersing these resources within hardware plane 106, thereby: (a) reducing the overutilization and underutilization of resources (e.g., corresponding to the “stranded capacity” problem); (b) facilitating quick access to these services by consumers of these services; (c) accommodating heightened processing requirements specified by some consumers and/or services, and so on.”).
The rest of the limitations of claim 8 are rejected for the same reasons as claim 1.

Regarding Claim 11:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Burger further teaches:
wherein the hardware acceleration sub-system includes a decision tree co-processor, a multiply-accumulate co-processor, and a lookup table co-processor. (Examiner notes that a co-processor is merely a supplementary processor that performs specialized functions separate to the main CPU. Burger teaches hardware acceleration components being implemented by processors in col. 5-6 lines 65-3, “Each hardware acceleration component, on the other hand, may correspond to hardware logic for implementing functions, such as a field-programmable gate array (FPGA) device, a massively parallel processor array (MPPA) device, a graphics processing unit (GPU), an application-specific integrated circuit (ASIC), a multiprocessor System-on-Chip (MPSoC), and so on.” Burger discloses a decision tree co-processor in col. 1 lines 18-22, “According to a first aspect, a method is provided for processing on an acceleration component a machine learning classification model. The machine learning classification model includes a plurality of decision trees, the decision trees including a first amount of decision tree data.” Burger discloses a multiply-accumulate component in col. 49 lines 3-6, “FIG. 58 shows an implementation of a neural engine 5802, which includes a […], a multiply-accumulate component 5812, […].” Examiner notes that as per ¶66 of the instant specifications, the lookup table co-processor supports vector lookup table extension instructions such as sigmoid and tanh. Burger discloses that the acceleration components do functions such as sigmoid and tanh in col 48 lines 35-44, “Acceleration component die 5706 includes a parallel array of neural engines […]. In an implementation, each of neural engines (5712, 5714, 5716, . . . , 5718, 5720) includes logic to compute dot-products, derivatives, errors and non-linear functions (e.g., sigmoid, hyperbolic tangent, etc.).”)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gomez in view of Ni with the teachings of Burger for at least the same reasons as discussed above in claim 8.

Regarding Claim 13:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Ni further teaches:
wherein the hardware acceleration sub-system and the processing resource are implemented within a network interface card of the network security device. (Ni discloses that the hardware accelerators are implemented in a SmartNIC or Smart Network Interface Card in sec. II. B ¶2, “In this work we consider the Agilio SmartNICs, developed by Netronome [1]. A SmartNIC, also called a programmable NIC, allows engineers to build networking accelerator or dataplane applications into the NIC hardware [15]. […] While traditional network cards have only basic control plane functionalities, the SmartNICs also have over 60 hardware accelerators for deep packet inspection (DPI) which support hash, cryptography, statistics, and more.”)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gomez with the teachings of Ni for at least the same reasons as discussed above in claim 8.


Regarding Claim 26:
Gomez in view of Ni and Burger teaches “The network security device of claim 8” as seen above. 
Gomez further teaches: 
wherein the metadata includes at least one of: a packet size sequence; an arrival interval sequence; an internet protocol (IP) family; a layer four protocol associated with the network flow; a destination port specified by a layer four protocol associated with the network flow; and a packet size sequence including a size of an application layer payload. (Gomez discloses metadata comprising a packet size sequence and an arrival interval sequence in sec. 3.1.3 ¶1, “Once each flow is completely stored in its corresponding trace file, they are processed to compute instances with their associated application label. The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so.” Gomez discloses a layer four protocol in sec. )

Regarding Claim 27:
Gomez in view of Ni and Burger teaches “The network security device of claim 8” as seen above.
Gomez further teaches: 
wherein the statistics are specific to information included within the application layer payload data. (Gomez discloses collecting statistics relating to the payload data in sec. 3.1.3 ¶1, “The output is a dataset that contains 77 statistics regarding number of packets, packets sizes, inter-arrival packet times, TCP windows and so. The whole collection of attributes is presented at the end of this paper in Annex 1 and it includes statistics accounting for outgoing, ingoing and both directions of flows.”  Examiner notes that this is included “within” application payload data, as it is data regarding properties of the payloads.  For example, the “number of packets” of payloads, while not the inner contents of the payloads, is still “payload data” regarding the payloads.)

Claims 9 and 30-31 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Ni, Burger, and Wei.

Regarding Claim 9:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Gomez, Ni, and Burger do not teach “wherein the instructions that when executed by the processing resource further cause the processing resource to: make use of the results of pattern matching and regular expression matching to detect intrusion.”
Wei teaches:
wherein the instructions that when executed by the processing resource further cause the processing resource to: make use of the results of pattern matching and regular expression matching to detect intrusion (Wei discloses using nDPI for intrusion detection in the Abstract, “This paper proposes a lightweight intrusion detection and prevention method, based on nDPI, adopting common network packet capture means for design and implementation of a lightweight intrusion detection and prevention system.” nDPI consists of pattern matching as disclosed by Gomez in sec. 1 ¶3, “Deep Packet Inspection (DPI) tools have appeared to overcome the former limitations [2]. DPI tools inspect packet payloads in order to check byte strings for matches with prefixed patterns.”)
The system taught by Gomez in view of Ni and Burger, Wei, and the instant application are analogous art because they are all directed to pattern matching of network traffic.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez in view of Ni and Burger to include the intrusion detection taught by Wei. One would be motivated to do so to efficiently respond to detected abnormal network protocol, as suggested by Wei (Wei sec. 5 ¶1: “For the power business, the intrusion detection and prevention functions are combined into one, and a lightweight intrusion detection and prevention system is proposed. […] Experiments done by authoritative organization show that the schemes proposed can reduce false positive rate and false negative rate compared existing methods. That has relatively high reference value for network traffic monitoring, protocol analysis and response handling of abnormal terminals.”).

Regarding Claim 30:
Gomez in view of Ni and Burger teaches “The network security device of claim 8” as seen above. 
Gomez in view of Ni and Burger does not teach “wherein the hardware acceleration sub-system is further configured to make use of the results of pattern matching and regular expression matching to detect intrusion.”
Wei teaches:
wherein the hardware acceleration sub-system is further configured to make use of the results of pattern matching and regular expression matching to detect intrusion. (Wei discloses in the Abstract, “This paper proposes a lightweight intrusion detection and prevention method, based on nDPI, adopting common network packet capture means for design and implementation of a lightweight intrusion detection and prevention system.”)
It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the teachings of Wei with Gomez, Ni, and Burger for at least the reasons recited in Claim 9.

Regarding Claim 31:
Gomez in view of Ni and Burger teaches “The network security device of claim 8” and “wherein the classifying yields a classification” as seen above. 
Gomez in view of Ni and Burger does not teach “wherein the instructions that when executed by the processing resource further cause the processing resource to: reporting the classification.”
Wei teaches:
wherein the instructions that when executed by the processing resource further cause the processing resource to: reporting the classification. (Wei discloses in Page 436 Section 3.2, “This system performs secondary development of the nDPI source code, and adds an identifiable protocol type to the power-specific service, and alerts the abnormal protocol, and notifies the subsequent response processing module to timely process the connection that generates the abnormal protocol.”  Here, Wei discloses notification of a potential intrusion, and thus reports it for further processing.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to combine the teachings of Wei with Gomez, Ni, and Burger for at least the reasons recited in Claim 9.

Claims 10 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Ni, Burger, and Masadeh et al. (“Input-Conscious Approximate Multiply-Accumulate (MAC) Unit for Energy-Efficiency”) (hereinafter Masadeh).

Regarding Claim 10:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Burger further teaches:
wherein the machine-learning module comprises a decision tree based, [a logistic regression,] and a neural network. (Examiner notes that “module” is interpreted to be model. Burger discloses a decision tree model in col. 1 lines 18-22, “According to a first aspect, a method is provided for processing on an acceleration component a machine learning classification model. The machine learning classification model includes a plurality of decision trees, the decision trees including a first amount of decision tree data.” Burger discloses a deep neural network (DNN) in col. 48 lines 30-34, “FIG. 57 illustrates an implementation of an acceleration component 5702 configured to perform forward propagation and backpropagation stages of a DNN. Acceleration component 5702 includes an acceleration component die 5706 and a memory stack 5708 disposed on an interposer 5710.” Examiner notes that the combination with Masadeh teaches this limitation.)
Gomez, Ni, and Burger do not teach logistic regression. Gomez, Ni, and Burger do not teach “wherein the machine-learning module comprises a decision tree based module, a logistic regression module, and a neural network module.”
Masadeh teaches: 
wherein the machine-learning module comprises [a decision tree based module,] a logistic regression module, [and a neural network module]. (Examiner notes that “module” is interpreted to be model. Examiner notes that the combination with Masadeh teaches this limitation. Masadeh discloses logistic regression in the Abstract, “We evaluate the effectiveness of the proposed AxMAC units on two image processing applications, i.e., image blending and filtering, and a logistic regression classification application.”)
The system taught by Gomez in view of Ni and Burger, Masadeh, and the instant application are analogous art because they are all directed to classification using hardware acceleration.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez in view of Ni and Burger to include the logistic regression taught by Masadeh. One would be motivated to do so to reduce power and energy consumption, as suggested by Masadeh (Masadeh Abstract: “ In this paper, we present a novel FPGA implementation for input-aware energy-efficient 8-bit approximate MAC (AxMAC) unit that reduces its power consumption by: performing multiplication operation approximately, or approximating the input operands then replacing multiplication by a simple shift operation. We propose an input-aware conditional block to bypass operands multiplication by (1) zero forwarding for zero-value operands, (2) judiciously approximating 43.8% of inputs into power-of-2 values, and (3) replacing the multiplication of power-of-2 operands by a simple shift operation. Experimental results show that these simplification techniques reduce delay, power and energy consumption with an acceptable quality degradation.”).

Regarding Claim 12:
Gomez in view of Ni and Burger teach “The network security device of claim 11,” as seen above. 
Burger further teaches:
wherein the multiply-accumulate co-processor is shared by [the logistic regression module and] the neural network module. (Examiner notes that the “neural network module” is interpreted to be a neural network model. Burger discloses a deep neural network (DNN) in col. 48 lines 30-34, “FIG. 57 illustrates an implementation of an acceleration component 5702 configured to perform forward propagation and backpropagation stages of a DNN. Acceleration component 5702 includes an acceleration component die 5706 and a memory stack 5708 disposed on an interposer 5710.” Fig. 57 shows neural engines as part of the implementation of the deep neural network and Fig. 58 shows the multiply-accumulate component within the neural engine.)

	Burger does not teach logistic regression. Burger does not teach “wherein the multiply-accumulate co-processor is shared by the logistic regression module [and the neural network module.]”
	Masadeh teaches:
wherein the multiply-accumulate co-processor is shared by the logistic regression module [and the neural network module.] (Masadeh discloses in the Abstract, “The Multiply-Accumulate Unit (MAC) is an integral computational component of all digital signal processing (DSP) architectures and thus has a significant impact on their speed and power dissipation. […] We evaluate the effectiveness of the proposed AxMAC units on two image processing applications, i.e., image blending and filtering, and a logistic regression classification application.”)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gomez in view of Ni and Burger with the teachings of Masadeh for at least the same reasons as discussed above in claim 10.

Claims 23-24 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Shire et al. (“Malware Squid: A Novel IoT Malware Traffic Analysis Framework Using Convolutional Neural Network and Binary Visualisation”) (herein thereafter Shire).

Regarding Claim 23:
Gomez teaches “The method of claim 1” as seen above. 
Gomez does not teach “wherein the statistics comprise: a frequency of characters occurring within the application layer payload data”
Shire teaches:
wherein the statistics comprise: a frequency of characters occurring within the application layer payload data  (Shire, Page 73 Section 4.3, discloses: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them. Whereas normal traffic can be spotted by their more even distribution of ASCII characters or colours across an image, most of the malware samples follow the same pattern of having more predominance of black (Null Bytes) or white areas (Spaces) in their samples, however, the DDOS is an exception with its extremely high frequency of Control characters”)
Gomez, Shire, and the instant application are analogous art because they are all directed to encrypted network traffic classification.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez to include the character frequency analysis taught by Shire. One would be motivated to do so to improve identification of potentially harmful malware, as suggested by Shire (Shire, Page 73 Section 4.3: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them.” ).

Regarding Claim 24:
Gomez teaches “The method of claim 1” as seen above. 
Gomez does not teach “wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data”
Shire teaches:
wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data  (Shire, Page 73 Section 4.3, discloses: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them. Whereas normal traffic can be spotted by their more even distribution of ASCII characters or colours across an image, most of the malware samples follow the same pattern of having more predominance of black (Null Bytes) or white areas (Spaces) in their samples, however, the DDOS is an exception with its extremely high frequency of Control characters”.  Here, Shire discloses a “range” of characters (null and space)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shire with Gomez for at least the reasons recited in Claim 23.

Claims 28-29 are rejected under 35 U.S.C. 103 as being unpatentable over Gomez in view of Ni, Burger, further in view of Shire et al. (“Malware Squid: A Novel IoT Malware Traffic Analysis Framework Using Convolutional Neural Network and Binary Visualisation”) (herein thereafter Shire).

Regarding Claim 28:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Gomez in view of Ni and Burger does not teach “wherein the statistics comprise: a frequency of characters occurring within the application layer payload data”
Shire teaches:
wherein the statistics comprise: a frequency of characters occurring within the application layer payload data  (Shire, Page 73 Section 4.3, discloses: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them. Whereas normal traffic can be spotted by their more even distribution of ASCII characters or colours across an image, most of the malware samples follow the same pattern of having more predominance of black (Null Bytes) or white areas (Spaces) in their samples, however, the DDOS is an exception with its extremely high frequency of Control characters”)
The system taught by Gomez in view of Ni and Burger, Shire, and the instant application are analogous art because they are all directed to encrypted network traffic classification.
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the network security device disclosed by Gomez in view of Ni and Burger to include the character frequency analysis taught by Shire. One would be motivated to do so to improve identification of potentially harmful malware, as suggested by Shire (Shire, Page 73 Section 4.3: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them.” ).

Regarding Claim 29:
Gomez in view of Ni and Burger teaches “The network security device of claim 8,” as seen above.
Gomez in view of Ni and Burger does not teach “wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data”
Shire teaches:
wherein the statistics comprise: a frequency of character ranges occurring within the application layer payload data  (Shire, Page 73 Section 4.3, discloses: “As can be seen in Fig. 7, the different types of malware have distinctive features to differentiate them. Whereas normal traffic can be spotted by their more even distribution of ASCII characters or colours across an image, most of the malware samples follow the same pattern of having more predominance of black (Null Bytes) or white areas (Spaces) in their samples, however, the DDOS is an exception with its extremely high frequency of Control characters”.  Here, Shire discloses a “range” of characters (null and space)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Shire with the combination of Gomez, Ni, and Burger for at least the reasons recited in Claim 28.

Prior Art of Record
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
McGrew et al. (US 2020/0120107 A1) discloses in [0038] “In general, security process 248 may execute one or more machine learning-based classifiers to classify encrypted traffic in the network” and in [0057]:  “For instance, features such as inter-packet timing and packet size may help classifier 402 to determine the nature of the traffic flow.”  McGrew also discloses character frequency in [0139]:  “For example, validation engine 408 may calculate the entropy at a specific index of the packet data over a substring of length n starting at that index. The features can be computed with Shannon's information entropy as follows … where pc is the frequency of character c in the X [i:i+n] substring”
Memon et al. (US 2007/0088845 A1) discloses in [0030]:  “Referring back to block 230, the content-independent flow characteristics might include at least one of (A) a number of packets in the flow, (B) a number of bytes in the flow, (C) inter-packet arrival time, (D) packet sizes, (E) distribution of inter-packet arrival times, (F) distribution of packet sizes, (G) time-to-live values, (H) time-to-live value distributions, (I) sequence number, (J) distribution of sequence numbers, (K) acknowledgement numbers, (L) distribution of acknowledgement numbers, (M) identification numbers, (N) distribution of identification numbers, (O) fragmentation offsets, (P) distribution of fragmentation offsets, (Q) window sizes, and (R) distribution of window sizes. Such information might be processed to determine other content-independent flow characteristics such as, for example, (A) streaming or not (e.g., based on whether the packet sizes are constant or not, and packet inter-arrival times), (B) interactive session or not (e.g., based on packet inter-arrival time distribution), etc.”
Anderson et al. (“Identifying Encrypted Malware Traffic with Contextual Flow Data”) discloses on Page 41 Section 5.3.1:  “Features based on observable metadata, such as the sequence of packet lengths and inter-arrival times, were used, and were modeled as Markov chains.”  Anderson, End of Page 38 into Page 39, discloses:  “We examined two more metrics on the FQDNs: the percentage of numerical characters and the percentage of non-alphanumeric characters. In contrast to previous work [9], we found that the benign DNS responses had a higher percentage of numerical characters…”
Zhou et al. (“Practical evaluation of encrypted traffic classification based on a combined method of entropy estimation and neural networks”) discloses on Page 311 Abstract:  “We propose using traffic packet’s sizes, packet's inter-arrival time, and direction as the neural network's input.”  Zhou, Page 313 Table 1, discloses:  “Ni stands for the frequency of character i, and HN (U) represents the average information entropy using the MLE method.”
	 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEONARD A SIEGER whose telephone number is (571)272-9710. The examiner can normally be reached M-F 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ann Lo can be reached on (571) 272-9767. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/L.A.S./Examiner, Art Unit 2126       
/ANN J LO/Supervisory Patent Examiner, Art Unit 2126