Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
In the correspondence filed on 08/22/2022, claims 1-5, 8-13 and 16-20 have been amended. Claims 1-20 are currently pending for examination.
Response to Arguments
Regarding 35 U.S.C. 103(a) applicant’s arguments, see page 11 - page 16 (all), filed
08/22/2022, with respect to claims 1-20 have been fully considered.
Regarding the claim objections to claims 17 and 18, the applicant amended the claims and respectfully requested the withdrawal of the objection.
In response to applicant's argument, the objection to claims 17 and 18 have been withdrawn.
Regarding 35 U.S.C. 103 rejection of claims 1-20 the applicant argued that the references fail to disclose the amended subject matter.
In response to applicant's argument, a new round of rejection is presented in view of Yang et al. (US20160134954A1).
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
Determining the scope and contents of the prior art.

Ascertaining the differences between the prior art and the claims at issue.

Resolving the level of ordinary skill in the pertinent art.

Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 5-7, 9-11, 13-15, 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang et al. (US20130182721A1) hereinafter Zhang in view of Yang et al. (US20160134954A1) hereinafter Yang.  
As per claim 1. A method for managing a media access control (MAC) address table maintained by a network node, the method performed by the network node and comprising: (Zhang, Fig. 2 (network node - switch), par0007 teaches a method and an apparatus for managing a MAC address table. Aging of all MAC address information in the MAC table is no longer quickened indiscriminatingly. Instead, through a manner of analyzing behavioral characteristics of an attacker and a normal user and setting an aging time discriminatingly, MAC address information of the attacker is deleted in a shortest possible time).
defining a first running time and a second running time for a timer, the first running time and the second running time being applicable for defining validity times for a MAC in the MAC address table; (Zhang, par0061-0063 teaches an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…..and set the aging time of the MAC address information to a shortest aging time…..it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s).
receiving a frame, (Zhang, par0089 teaches a packet receiving module 1, configured to receive a packet and obtain MAC address information carried in the packet).
applying the first running time in the timer to the MAC address of the source of the received frame, in response to a detection that an the MAC address of the destination of the received frame is missing in the MAC address table; and (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).
applying a second running time in the timer to the MAC address of the source of the received frame and in the timer to the MAC address of the destination of the received frame, (Zhang, par0061, 0066 teaches if the SMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has been used, it is less possible that the SMAC address information is MAC address information faked by the attacker, and an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…. if the DMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that another node has sent a packet to the node of a DMAC address. Therefore, it is less possible that the DMAC address information is the MAC address information faked by the attacker, and the aging time of the DMAC address information in the MAC address table may be prolonged).
          Zhang does not explicitly discloses where a MAC address of a source of the received frame is present in the MAC address table; detecting whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame.
.          Yang however discloses where a MAC address of a source of the received frame is present in the MAC address table; (Yang, par0088 teaches packet switching network interface on which the MAC frame is received; if a table entry corresponding to the source MAC address exists in the MAC address forwarding table).
detecting whether a MAC address of a destination of the received frame is present in the MAC address table; (Yang, par0071 teaches step S403, performing a query on a MAC address forwarding table, and determining whether a table entry of the destination MAC address is found in the MAC address forwarding table, if the table entry of the destination MAC address is found in the MAC address forwarding table)
in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame. (Yang, par0087-0088, 0094 teaches extracting MAC frame control information from a received Media Access Control Address (MAC) frame, and establishing a MAC address forwarding table according to the MAC frame control information. The MAC frame control information includes one of a source MAC address, a destination MAC address, a virtual local area network identification and frame protocol type information, or any combination thereof, for example, may be a combination of the source MAC address, the destination MAC address…. if a table entry corresponding to the source MAC address exists in the MAC address forwarding table…. it is found that a table entry corresponding to the destination MAC address of the MAC frame exists in the MAC address table). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of where a MAC address of a source of the received frame is present in the MAC address table; detecting whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame, as taught by Yang in the method of Zhang so datacenter provides by the enterprise, application business service relevant to all kinds of information, it is also the center for data computing, switching and storing, see Yang par0003.

As per claim 2.  Zhang and Yang disclose the method of claim 1.
           Zhang further discloses wherein at least one timer applying either the first running time or the second running time is initiated in response to a transmission of the frame by the network node.  (Zhang, par0083-0084 teaches the switch receives a packet from the port 1, where DMAC carried in the packet is MAC C, and therefore, the switch judges whether MAC C already exists in its MAC address table thereof. If exists, it is determined that the matching succeeds, and step S306 is performed. Step S306: Prolong an aging time of the DMAC address information in the MAC address table according to the preset delay rule. If the aging time of the DMAC address information in the MAC address table is already the longest aging time specified in the delay rule, the switch only refreshes the aging time of the DMAC address information without further prolonging the aging time. Meanwhile, the switch sends the packet from a port 2 corresponding to MAC C according to the information in the MAC address table).

As per claim 3.  Zhang and Yang disclose the method of claim 1.
           Zhang further discloses the method further comprising, for applying the first running time to the timer: detecting that the timer is missing for the MAC address of the source of the frame. (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).

As per claim 5.  Zhang and Yang disclose the method of claim 1.
           Zhang further discloses wherein the first running time is defined to be shorter than the second running time. (Zhang, par0076 teaches step S302: Prolong an aging time of the SMAC address information in the MAC address table according to a preset delay rule. More specifically, the preset delay rule is presetting at least two aging times with increasing duration. When the MAC address information carried in the packet matches the MAC address table, the switch updates the aging time of the MAC address information in the MAC address table until the MAC address information has a longest aging time in the preset delay rule, where the updated aging time of the MAC address information is longer than the aging time [first running time is defined to be shorter than the second running time] before the update).

As per claim 6.  Zhang and Yang disclose the method of claim 1.
            Zhang further discloses wherein the first running time and the second running time are distinguishable from each other. (Zhang, par0087 teaches all MAC address information learned for a first time is regarded as being sent by a suspected attacker, and aging times of such MAC address information in the MAC address table are set to be the shortest; when the MAC address information is learned or used for a second time, the suspicion is reduced, and the aging time of the MAC address information is prolonged. According to the method for managing a MAC address table provided in the present invention, through a manner of setting the aging time of the MAC address information discriminatingly, MAC address information of the attacker is deleted in a shortest possible time without affecting MAC address information of a normal user node).
 
As per claim 7.  Zhang and Yang disclose the method of claim 6.
           Zhang further discloses wherein the first running time and the second running time are made distinguishable from each other by defining the first running time and the second running time not to overlap each other by value. (Zhang, par0062-0063 teaches Step S204: Write the SMAC address information into the MAC address table, and set the aging time of the MAC address information to a shortest aging time. If the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period [time not to overlap each other by value], and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s).

As per claim 9. A network node for managing a media access control (MAC) address table, the network node comprising: (Zhang, Fig. 2 (network node - switch), par0007 teaches a method and an apparatus for managing a MAC address table. Aging of all MAC address information in the MAC table is no longer quickened indiscriminatingly. Instead, through a manner of analyzing behavioral characteristics of an attacker and a normal user and setting an aging time discriminatingly, MAC address information of the attacker is deleted in a shortest possible time).
at least one processor; and at least one memory, in communication with the at least one processor and having computer program code, the computer program code configured to, upon execution by the at least one processor, cause the network node to: (Zhang, Fig. 2, par0055, 0057 teaches Step S200: A switch [processor, memory]receives packets, where the packets include a packet sent by a normal user node and a packet sent by an attacker…..Step S201: The switch obtains [program code] the SMAC and/or DMAC carried in the packet from the received packet, performs steps S202 to S204 according to the obtained SMAC, and performs steps S205 to S207 according to the obtained DMAC).
define a first running time and a second running time for a timer, the first running time and the second running time being applicable for defining validity times for a MAC address in the MAC address table; (Zhang, par0061-0063 teaches an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…..and set the aging time of the MAC address information to a shortest aging time…..it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s).
receive a frame, (Zhang, par0089 teaches a packet receiving module 1, configured to receive a packet and obtain MAC address information carried in the packet).
apply the first running time in the timer defined for the MAC address of the source of the received frame, in response to a detection that the MAC address of the destination of the received frame is missing in the MAC address table; and (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).
apply a second running time in the timer to the MAC address of the source of the received frame and in the timer to the MAC address of the destination of the received frame, (Zhang, par0061, 0066 teaches if the SMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has been used, it is less possible that the SMAC address information is MAC address information faked by the attacker, and an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…. if the DMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that another node has sent a packet to the node of a DMAC address. Therefore, it is less possible that the DMAC address information is the MAC address information faked by the attacker, and the aging time of the DMAC address information in the MAC address table may be prolonged).
           Zhang does not explicitly discloses where a MAC address of a source of the received frame is present in the MAC address table; detect whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame.
.          Yang however discloses where a MAC address of a source of the received frame is present in the MAC address table; (Yang, par0088 teaches packet switching network interface on which the MAC frame is received; if a table entry corresponding to the source MAC address exists in the MAC address forwarding table).
detect whether a MAC address of a destination of the received frame is present in the MAC address table; (Yang, par0071 teaches step S403, performing a query on a MAC address forwarding table, and determining whether a table entry of the destination MAC address is found in the MAC address forwarding table, if the table entry of the destination MAC address is found in the MAC address forwarding table)
in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame. (Yang, par0087-0088, 0094 teaches extracting MAC frame control information from a received Media Access Control Address (MAC) frame, and establishing a MAC address forwarding table according to the MAC frame control information. The MAC frame control information includes one of a source MAC address, a destination MAC address, a virtual local area network identification and frame protocol type information, or any combination thereof, for example, may be a combination of the source MAC address, the destination MAC address…. if a table entry corresponding to the source MAC address exists in the MAC address forwarding table…. it is found that a table entry corresponding to the destination MAC address of the MAC frame exists in the MAC address table). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of where a MAC address of a source of the received frame is present in the MAC address table; detect whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame, as taught by Yang in the network node of Zhang so datacenter provides by the enterprise, application business service relevant to all kinds of information, it is also the center for data computing, switching and storing, see Yang par0003.

As per claim 10.  Zhang and Yang disclose the network node of claim 9.
           Zhang further discloses wherein the computer program code is further configured to initiate at least one timer applying either the first running time or the second running time in response to a transmission of the frame by the network node.  (Zhang, par0083-0084 teaches the switch receives a packet from the port 1, where DMAC carried in the packet is MAC C, and therefore, the switch judges whether MAC C already exists in its MAC address table thereof. If exists, it is determined that the matching succeeds, and step S306 is performed. Step S306: Prolong an aging time of the DMAC address information in the MAC address table according to the preset delay rule. If the aging time of the DMAC address information in the MAC address table is already the longest aging time specified in the delay rule, the switch only refreshes the aging time of the DMAC address information without further prolonging the aging time. Meanwhile, the switch sends the packet from a port 2 corresponding to MAC C according to the information in the MAC address table).

As per claim 11.  Zhang and Yang disclose the network node of claim 9.
           Zhang further discloses the computer program code is further configured, for applying the first running time to the timer, to: detect that the timer is missing for the media access control, MAC address of the source of the frame. (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).


As per claim 13.  Zhang and Yang disclose the network node of claim 9.
           Zhang further discloses wherein the first running time is defined to be shorter than the second running time. (Zhang, par0076 teaches step S302: Prolong an aging time of the SMAC address information in the MAC address table according to a preset delay rule. More specifically, the preset delay rule is presetting at least two aging times with increasing duration. When the MAC address information carried in the packet matches the MAC address table, the switch updates the aging time of the MAC address information in the MAC address table until the MAC address information has a longest aging time in the preset delay rule, where the updated aging time of the MAC address information is longer than the aging time [wherein the first running time is defined to be shorter than the second running time] before the update).

As per claim 14.  Zhang and Yang disclose the network node of claim 9.
            Zhang further discloses wherein the first running time and the second running time are distinguishable from each other. (Zhang, par0087 teaches all MAC address information learned for a first time is regarded as being sent by a suspected attacker, and aging times of such MAC address information in the MAC address table are set to be the shortest; when the MAC address information is learned or used for a second time, the suspicion is reduced, and the aging time of the MAC address information is prolonged. According to the method for managing a MAC address table provided in the present invention, through a manner of setting the aging time of the MAC address information discriminatingly, MAC address information of the attacker is deleted in a shortest possible time without affecting MAC address information of a normal user node).
 
As per claim 15.  Zhang and Yang disclose the network node of claim 14.
           Zhang further discloses wherein the first running time and the second running time are made distinguishable from each other by defining the first running time and the second running time not to overlap each other by value. (Zhang, par0062-0063 teaches Step S204: Write the SMAC address information into the MAC address table, and set the aging time of the MAC address information to a shortest aging time. If the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period [time not to overlap each other by value], and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s).

As per claim 17.  A communication system comprising: (Zhang, Fig1, Fig. 2 (network node - switch), par0055 teaches Step S200: A switch receives packets, where the packets include a packet sent by a normal user node and a packet sent by an attacker. Each of such packets carries SMAC and/or DMAC address information of the packet).
a network node that manages a media access control (MAC) address table, the network node comprising: (Zhang, Fig. 2 (network node - switch), par0007 teaches a method and an apparatus for managing a MAC address table. Aging of all MAC address information in the MAC table is no longer quickened indiscriminatingly. Instead, through a manner of analyzing behavioral characteristics of an attacker and a normal user and setting an aging time discriminatingly, MAC address information of the attacker is deleted in a shortest possible time).
at least one processor; and at least one memory, in communication with the at least one processor and having computer program code stored therein,  the computer program code configured to, upon execution by the at least one processor, cause the network node to: (Zhang, Fig. 2, par0055, 0057 teaches Step S200: A switch [processor, memory]receives packets, where the packets include a packet sent by a normal user node and a packet sent by an attacker…..Step S201: The switch obtains [program code] the SMAC and/or DMAC carried in the packet from the received packet, performs steps S202 to S204 according to the obtained SMAC, and performs steps S205 to S207 according to the obtained DMAC).
define a first running time and a second running time for a timer, the first running time and the second running time being applicable for defining validity times for a MAC address in the MAC address table; (Zhang, par0061-0063 teaches an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…..and set the aging time of the MAC address information to a shortest aging time…..it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s).
receive a frame, (Zhang, par0089 teaches a packet receiving module 1, configured to receive a packet and obtain MAC address information carried in the packet).
apply the first running time in the timer defined for the MAC address of the source of the received frame, in response to a detection that the MAC address of the destination of the received frame is missing in the MAC address table; and (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).
apply a second running time in the timer to the MAC address of the source of the received frame and in the timer to the MAC address of the destination of the received frame, (Zhang, par0061, 0066 teaches if the SMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has been used, it is less possible that the SMAC address information is MAC address information faked by the attacker, and an aging time of the SMAC address information in the MAC address table may be prolonged, for example, from the original 20 s to 40 s according to a preset rule…. if the DMAC address information carried in the packet matches the MAC address information recorded in the MAC address table of the switch, it indicates that another node has sent a packet to the node of a DMAC address. Therefore, it is less possible that the DMAC address information is the MAC address information faked by the attacker, and the aging time of the DMAC address information in the MAC address table may be prolonged).
           Zhang does not explicitly discloses where a MAC address of a source of the received frame is present in the MAC address table; detect whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table  in addition to the entry in the MAC address table of the MAC address of the source of the received frame.
           Zhang does not explicitly discloses where a MAC address of a source of the received frame is present in the MAC address table; detect whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame.
.          Yang however discloses where a MAC address of a source of the received frame is present in the MAC address table; (Yang, par0088 teaches packet switching network interface on which the MAC frame is received; if a table entry corresponding to the source MAC address exists in the MAC address forwarding table).
detect whether a MAC address of a destination of the received frame is present in the MAC address table; (Yang, par0071 teaches step S403, performing a query on a MAC address forwarding table, and determining whether a table entry of the destination MAC address is found in the MAC address forwarding table, if the table entry of the destination MAC address is found in the MAC address forwarding table)
in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table in addition to the entry in the MAC address table of the MAC address of the source of the received frame. (Yang, par0087-0088, 0094 teaches extracting MAC frame control information from a received Media Access Control Address (MAC) frame, and establishing a MAC address forwarding table according to the MAC frame control information. The MAC frame control information includes one of a source MAC address, a destination MAC address, a virtual local area network identification and frame protocol type information, or any combination thereof, for example, may be a combination of the source MAC address, the destination MAC address…. if a table entry corresponding to the source MAC address exists in the MAC address forwarding table…. it is found that a table entry corresponding to the destination MAC address of the MAC frame exists in the MAC address table). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of where a MAC address of a source of the received frame is present in the MAC address table; detect whether a MAC address of a destination of the received frame is present in the MAC address table; in response to a detection that the MAC address of the destination of the received frame is present in the MAC address table  in addition to the entry in the MAC address table of the MAC address of the source of the received frame, as taught by Yang in the network node of Zhang so datacenter provides by the enterprise, application business service relevant to all kinds of information, it is also the center for data computing, switching and storing, see Yang par0003.

As per claim 18.  Zhang and Yang disclose the network node of claim 9.
           Zhang further discloses A communication system comprising: at least one network node according to claim 9. (Zhang, Fig. 2, par0007 teaches a method and an apparatus [communication system] for managing a MAC address table. Aging of all MAC address information in the MAC table is no longer quickened indiscriminatingly. Instead, through a manner of analyzing behavioral characteristics of an attacker and a normal user and setting an aging time discriminatingly, MAC address information of the attacker is deleted in a shortest possible time).

As per claim 20.  Zhang and Yang disclose the network node of claim 10.
           Zhang further discloses the network node further caused, for applying the first running time to the timer, to: detect that the timer is missing for MAC address of the source of the frame. (Zhang, par0063-0068 teaches if the SMAC address information carried in the packet does not match the MAC address information recorded in the MAC address table of the switch, it indicates that the MAC address information has not been used in a time period, and may be MAC address information faked by the attacker. Therefore, its aging time is set to a shortest aging time…. the switch judges whether the DMAC address information carried in the packet is consistent with any MAC address that is already learned in the MAC address table in the switch. If consistent, it is determined that the matching succeeds, and step S206 is performed; if not consistent, it is determined that the matching fails, and step S207 is performed….Step S206: Update the aging time of the MAC address information in the MAC address table….Step S207: If the DMAC address information fails in matching the MAC address information recorded in the MAC address table, the switch performs processing according to a conventional procedure, for example, performs broadcast…Step S208: Refresh the MAC address table, and manage the MAC address table according to the updated aging time of the MAC address information).

Claims 4, 8, 12, 16 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang in view of Yang, and further in view of Sun et al. (US20090182854A1) hereinafter Sun.  
As per claim 4.  Zhang and Yang disclose the method of claim 1.
          Zhang and Yang do not explicitly disclose the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time.
.          Sun however discloses the method the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time. (Sun, par0034 teaches it is likely that the switch is under attack, so the switch will decrease the timeout value  of unverified MAC address learned [within the first running time] on P1 by 50% (i.e., a configurable value). Now, all the newly learned unverified MAC address from P1 will have a timeout value of 150 s, so that they can age out quickly to make room for legitimate MAC addresses. When the number of unverified MAC addresses keeps growing to a second configurable threshold (e.g., penalty-threshold 2), the timeout value is decreased by another 50% to make the corresponding unverified MAC address timeout even faster. If the attack stops or goes milder, the number of unverified MAC addresses should decrease because older invalid unverified MAC addresses will age out. When the number is lower than either penalty-threshold, the timeout value for unverified MAC learned on that port will be restored to the value used before that penalty-threshold was exceeded). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time, as taught by Sun in the method of Zhang and Yang so port security functions to prevent MAC table over-flow by allowing the MAC addresses that are allowed for a particular port of an Ethernet switch, frames that are originated from addresses other than the configured address(es) are dropped, see Sun par0005.

As per claim 8.  Zhang and Yang disclose the method of claim 1.
           Zhang further discloses wherein the first running time is defined to run from one to three seconds, and. (Zhang, par0063 teaches therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s [retransmission will be 1 to 3, this is a design choice]).
         Zhang and Yang do not explicitly disclose the second running time is defined to run from four to three hundred seconds.
.          Sun however discloses the second running time is defined to run from four to three hundred seconds. (Sun, Table5, par0025, 0027 teaches referring back to the operation 112 for starting the timer in conjunction with performing the operation 110 for adding the source MAC address to the MAC table as unverified…. If the destination MAC address is verified, the operation of 116 for changing the status of the MAC address from unverified to verified is omitted and the method continues at the operation 118 for resetting a timeout counter….. it creates an entry in the MAC table for the source MAC address of MAC1 to associate MAC1 with port p1 and sets the status of the MAC address of MAC1 as being unverified. The timeout counter for this MAC table entry is then started. The switch allows a user (e.g., system administrator) to specify default timeout values for both unverified and verified MAC addresses. In this example, the timeout values for both verified and unverified MAC addresses are. set at 300 seconds [the second time will run from run from 4 to 300, as the first time runs from 1 to 3 as disclosed by Zhang and Yang above). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of the second running time is defined to run from four to three hundred seconds, the values representing time in seconds, as taught by Sun in the method of Zhang and Yang so port security functions to prevent MAC table over-flow by allowing the MAC addresses that are allowed for a particular port of an Ethernet switch, frames that are originated from addresses other than the configured address(es) are dropped, see Sun par0005.

As per claim 12.  Zhang and Yang disclose the network node of claim 9.
          Zhang and Yang do not explicitly disclose the computer program code is further configured, for applying the first running time to the timer, to: detect that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time.
.          Sun however discloses the computer program code is further configured, for applying the first running time to the timer, to: detect that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time. (Sun, par0034 teaches it is likely that the switch is under attack, so the switch will decrease the timeout value  of unverified MAC address learned [within the first running time] on P1 by 50% (i.e., a configurable value). Now, all the newly learned unverified MAC address from P1 will have a timeout value of 150 s, so that they can age out quickly to make room for legitimate MAC addresses. When the number of unverified MAC addresses keeps growing to a second configurable threshold (e.g., penalty-threshold 2), the timeout value is decreased by another 50% to make the corresponding unverified MAC address timeout even faster. If the attack stops or goes milder, the number of unverified MAC addresses should decrease because older invalid unverified MAC addresses will age out. When the number is lower than either penalty-threshold, the timeout value for unverified MAC learned on that port will be restored to the value used before that penalty-threshold was exceeded). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of the computer program code is further configured, for applying the first running time to the timer, to: detect that a value of the timer defined for the MAC address of the source of the frame in the MAC address table is within the first running time, as taught by Sun in the network node of Zhang and Yang so port security functions to prevent MAC table over-flow by allowing the MAC addresses that are allowed for a particular port of an Ethernet switch, frames that are originated from addresses other than the configured address(es) are dropped, see Sun par0005.

As per claim 16.  Zhang and Yang disclose the network node of claim 9.
           Zhang further discloses wherein the first running time is defined to run from one to three seconds. (Zhang and Yang, par0063 teaches therefore, its aging time is set to a shortest aging time (which needs to be greater than a timeout retransmission time specified in any mainstream protocol, generally, greater than 2 s [retransmission will be 1 to 3, this is a design choice]).
         Zhang and Yang do not explicitly disclose the second running time is defined to run from four to three hundred seconds.
.          Sun however discloses the second running time is defined to run from four to three hundred seconds. (Sun, Table5, par0025, 0027 teaches referring back to the operation 112 for starting the timer in conjunction with performing the operation 110 for adding the source MAC address to the MAC table as unverified…. If the destination MAC address is verified, the operation of 116 for changing the status of the MAC address from unverified to verified is omitted and the method continues at the operation 118 for resetting a timeout counter….. it creates an entry in the MAC table for the source MAC address of MAC1 to associate MAC1 with port p1 and sets the status of the MAC address of MAC1 as being unverified. The timeout counter for this MAC table entry is then started. The switch allows a user (e.g., system administrator) to specify default timeout values for both unverified and verified MAC addresses. In this example, the timeout values for both verified and unverified MAC addresses are. set at 300 seconds [the second time will run from run from 4 to 300, as the first time runs from 1 to 3 as disclosed by Zhang and Yang above). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of the second running time is defined to run from four to three hundred seconds, as taught by Sun in the network node of Zhang and Yang so port security functions to prevent MAC table over-flow by allowing the MAC addresses that are allowed for a particular port of an Ethernet switch, frames that are originated from addresses other than the configured address(es) are dropped, see Sun par0005.

As per claim 19.  Zhang and Yang disclose the method of claim 2.
          Zhang and Yang do not explicitly disclose the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for MAC address of the source of the frame in the MAC address table is within the first running time.
.          Sun however discloses the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for MAC address of the source of the frame in the MAC address table is within the first running time. (Sun, par0034 teaches it is likely that the switch is under attack, so the switch will decrease the timeout value  of unverified MAC address learned [within the first running time] on P1 by 50% (i.e., a configurable value). Now, all the newly learned unverified MAC address from P1 will have a timeout value of 150 s, so that they can age out quickly to make room for legitimate MAC addresses. When the number of unverified MAC addresses keeps growing to a second configurable threshold (e.g., penalty-threshold 2), the timeout value is decreased by another 50% to make the corresponding unverified MAC address timeout even faster. If the attack stops or goes milder, the number of unverified MAC addresses should decrease because older invalid unverified MAC addresses will age out. When the number is lower than either penalty-threshold, the timeout value for unverified MAC learned on that port will be restored to the value used before that penalty-threshold was exceeded). 
          Therefore it would have been obvious to one having ordinary skill in the art before the
effective filing date of the claimed invention to provide the functionality of the method further comprising, for applying the first running time to the timer: detecting that a value of the timer defined for MAC address of the source of the frame in the MAC address table is within the first running time, as taught by Sun in the method of Zhang and Yang so port security functions to prevent MAC table over-flow by allowing the MAC addresses that are allowed for a particular port of an Ethernet switch, frames that are originated from addresses other than the configured address(es) are dropped, see Sun par0005.




Relevant Prior art
The prior art made of record and not relied upon is considered pertinent are -
• Nainar et al. (US20180248795A1) – Related art in the area of a device determines a timeout for a particular one of the MAC addresses based on traffic predicted by the machine learning-based traffic model for the particular MAC address, the device causes the particular MAC address to be timed out from one or more forwarding tables in the network based on the determined timeout.
• Junfeng et al. (CN103684920A) – Related art in the area of a method for testing MAC address ageing time of a switch and a network analyzer, the network analyzer broadcasts study frames containing source MAC addresses and destination MAC addresses through a first port of the switch.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MONISHWAR MOHAN whose telephone number is (571)272-2907. The examiner can normally be reached Monday - Thursday 7:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Trost can be reached on (571) 272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/M.M./Examiner, Art Unit 2442                                                                                                                                                                                                        
/WILLIAM G TROST IV/Supervisory Patent Examiner, Art Unit 2442