DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Receipt is acknowledged of certified copies of papers required by 37 CFR 1.55.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1-17 provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-12 of copending Application No. 16/922,232 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the both inventions describe methods for intrusion detection in a computer network involving the use of comparison of set point values for the detection of whether or not a an actual value is comparable to a set point value. 
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claim 1-17 provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-12 of copending Application No. 16/921,375 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the both inventions describe methods for intrusion detection in a computer network involving the use of comparison of set point values for the detection of whether or not a an actual value is comparable to a set point value. 
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are:  computing unit in claim 12,  counting unit in claim 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.
EXAMINER’S NOTE: hardware switch unit, hardware filter and computing device are NOT being interpreted under 35 U.S.C. 112(f). 
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 12, and 17  rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the computing device" in line 15.  There is insufficient antecedent basis for this limitation in the claim.
Claim 12 recites the limitation "the computing unit" in line 16.  There is insufficient antecedent basis for this limitation in the claim.
Claim 17 recites the limitation "the computing device" in line 18.  There is insufficient antecedent basis for this limitation in the claim.
EXAMINER’S NOTE: It appears applicant is using “computing device” and “computing unit” interchangeably in the independent claim. It is recommended to the applicant to recite “computing device” for consistency with the claim language and specification (for example, the applicant recites “computing device” in spec and drawings and does not use “computing unit”).
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim1, 12 and 17 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the enablement requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention. 
Regarding claim 1, 12, and 17, the applicant recites that the determination is performed “without an evaluation of information from the data packet by the computing device” which not enabling as the applicant fails to describe in the specification and/or claim language how the evaluation and comparison are performed independently for the intrusion detection. Is the evaluation being performed by another component of the system and implemented by the computing device? Is there a completely separate component performing the evaluation? It is unclear to the examiner how the determination of the intrusion detection is performed if it is not being evaluated at some point by a component in the system.  
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s)  1-6, 9, 11-15, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev et al (US 2008/0201772) in view of Murali (US 2019/0059055). 
Regarding claims 1, 12, and 17, Mondaeev et al discloses a method for intrusion detection in a computer network, a non-transitory computer-readable memory medium on which is stored a computer program for intrusion detection in a computer network, the computer program, when executed by a computer, causing the computer to perform or control steps, and a device for intrusion detection in a computer network, comprising: a system on a chip system, which includes a hardware switch unit (packet processor), a hardware filter (NID system), and a computing device for the intrusion detection, wherein the system on a system chip system, method and non-transitory computer-readable memory medium are configured to [0029, 0036, 0039, 0042]:
receive a data packet at an input of the hardware switch unit (packet processor) [0032]; 
Please note that in this example packet processor 10 performs deep packet inspection by receiving a data packet 35 (a data packet) at a Media Access Control (MAC)reception (Rx) unit 50. The MAC Rx unit 50 (an input) may then propagate each packet to a NIDS hardware component 52. The MAC Tx unit 54 may also direct some of the packets marked by the NIDS hardware component 52 to a NIDS software component 56. The NIDS software component 56 may be Snort, Clam Antivirus, or similar software stored in a non-volatile memory (not shown) and running on a processor of the packet processor 10 (a hardware switch unit). 
compare, by the hardware filter, an actual value from a field of the data packet with a setpoint value for values from the field, the field including data link layer data or network layer data [0010, 0045, 0031];
Please note that a data stream for unauthorized data comprises comparing a data segment to a first set of patterns stored in a content-addressable memory.” 440031 and 0045: Fig. 1 shows data packet 35 include a header 37 and a payload 39 that belong to flow 29; where operator configures parameters in view of size, access speed. 40041-0042 and 0045: Fig. 3 shows packet descriptor 100 associated with the data packet 35. In one embodiment, the first-stage hardware filter 72 of the NID 70 generates the packet descriptor 100 and sets a first-stage filter flag 102. The first-stage hardware filter 72 may execute direct comparisons between stored patterns and the incoming or outgoing data patterns. The policy switch inspects the TCP/IP and UDP/IP, or transport and network layer. The policy switch 80 may further update several fields of the packet descriptor 100 to indicate, via a bitmask 104, to which of the flows 25-29 the data packet 35 belongs (i.e. conveys information about network-layer protocol, etc.). 
determine, by the hardware switch unit, a value for a counter as a function of a register result of the comparison [0035, 0038, 0064];
Please note that in this example a character counter 290 may maintain a current count of bytes as the sliding window 270 moves along the data packet 35. The character counter 290 may report the current count to the required pattern logic list 282 at each clock cycle. Because some of the rules retrieved from the rule list 276 may include character counting logic, the DPI engine 160 may occasionally apply the value reported the character counter 290 to the required pattern list 280
However, Mondaeev et al does not expressly disclose but Murali discloses: 
determine, by the computing unit, a result of the intrusion detection as a function of the value of the counter in the hardware switch unit and independently of information from the data packet, without an evaluation of information from the data packet by the computing device [0021-0028]
It would have been obvious to one of ordinary skill in the art at to create the invention as claimed for the following reasons.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Mondaeev et al by determining values outside the computing device, for the purpose of cross correlating values for intrusion detection, based upon the beneficial teachings provided by Murali, see for example [0026].  These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan.  Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.  
Regarding claim 2, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the value of the counter is incremented when a deviation between the actual value and the setpoint value is present [0043-0046, 0049, 0058-0059];
Please note that in this example the TCAM of the NID implements a pattern matching stage that compares the selected portions of the data packets with one or more patterns. 
Regarding claim 3, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the counter is a hardware counter in a register of the hardware switch unit [0035, 0038, 0064];
Please note that in this example the character counter may report the current count to the required pattern logic list at each clock cycle.
Regarding claim 4, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the hardware filter includes a Ternary Content Addressable Memory in which a mask for the setpoint value is stored, the actual value being compared in the comparison with the mask stored in the Ternary Content Addressable Memory [0043-0046, 0049, 0058-0059];
Please note that in this example the TCAM of the NID implements a pattern matching stage that compares the selected portions of the data packets with one or more patterns. 
Regarding claim 5, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the setpoint value characterizes a hardware address from a memory of the hardware switch unit, the actual value being determined at the input or the output as a function of data from a hardware address field of the data packet [0044-0055];
Please note that in this example packet descriptor may contain packet information such as the address of the packet in the memory buffer (a hardware address from a memory of the hardware switch unit) and the length of the packet, several auxiliary fields related to NID processing, etc. The policy switch may further update several fields of the packet descriptor to indicate, via a bitmask, to which of the flows the data packet belongs. 
Regarding claim 6, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the setpoint value characterizes a Medium Access Control address from a memory of the hardware switch unit, the actual value being determined at the input or the output as a function of data from a Medium Access Control address field of the data packet [0032];
Please note that in this example the packet processor performs deep packet inspection by first receiving a packet at as MAC reception unit. Thus the NIDS is hardware component is responsible for pre-processing and the NIDS software component is responsible for post-processing of data. The component is responsible for post-processing of data. The components together form a network intrusion detection (NID) system. The NIDS hardware component and the NIDS software component may interact via a dedicated memory location such as a register (a Medium Access Control address from a memory of the hardware switch unit).
Regarding claim 9, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al does not expressly disclose but Murali further discloses wherein presence of a deviation is detected in the result when the hardware filter establishes the data packet at the input or the output has an unknown Ethertype, or a false checksum, or a false packet length, or a false packet structure
Please note that in this example the preamble detector having
an accumulator with a length equal to a PLCP template used for the cross-correlation, the accumulator forming an accumulated sum of each value of the linear array of values, the accumulated sum having a peak value which is compared to a threshold during a first interval equal to a first plurality of PLCP intervals, where the threshold over the first interval is set for a false packet detection rate greater than 1% and less than 50%. 
The motivation to combine is the same as disclosed in point (34). 
Regarding claim 11, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses analyzing a content of the data packet when a need is detected based on the value for the counter [0077];
Please note that in this example one or more components of the NID system 70 may implement a byte test operation checking whether the decimal equivalent of a particular byte is greater than a predefined value or smaller than the predefined value.
Regarding claim 13, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the computing device is microprocessor or microcontroller [0067];
Please note that in this example the non-memory, or logical components of the NID system may be provided as an application-specific integrated circuit (ASIC), as several electronic components working in cooperation with a dedicated microprocessor. 
Regarding claim 14, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the device includes a counting unit, which is configured to increment the value of the counter when a deviation between the actual value and the setpoint value is present or exceeds a threshold value[0043-0046, 0049, 0058-0059];
Please note that in this example the TCAM of the NID implements a pattern matching stage that compares the selected portions of the data packets with one or more patterns. 
Regarding claim 15, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein the counter is a hardware counter in a register of the device [0035, 0038, 0064];
Please note that in this example the character counter may report the current count to the required pattern logic list at each clock cycle.
Claim(s)  7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev et al (US 2008/0201772) in view of Murali (US 2019/0059055) and in further view of Schroder (US 10,701,002). 
Regarding claim 7, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al a and Murali do not expressly disclose but Schroder further discloses wherein the setpoint value characterizes a Virtual Local Area Network, the setpoint value being determined from a memory of the hardware switch unit, the actual value being determined as a function of data, which characterize an association of the data packet at the input or the output, with a Virtual Local Area Network [column 2 lines 65-67, column 3 lines 1-6, column 7 lines 54-61];
Please note that in this example a network device receives a multicast packet from a computer network and stores the multicast packet in one or more memory cells of the network device. A packet processor of the network device processes the multicast packet (or a related data structure) to determine two or more physical or virtual egress ports of the network device from which a copy of the multicast packet is to be transmitted and to generate corresponding packet descriptors for the respective copies”. The network device 100 includes multiple processors, for example, a receive processor, packet processor, and transmit processor. In some scenarios, an egress port 105 receives two or more packet descriptors corresponding to the packet 160, for example, to transmit a copy of the packet 160 on different virtual local area networks (VLANs)’.
It would have been obvious to one of ordinary skill in the art at to create the invention as claimed for the following reasons.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Mondaeev et al and Murali by utilizing memory deallocation, for the purpose of adding a network device that associates packet descriptors to packets at input of VLAN, based upon the beneficial teachings provided by Schroder, see for example [column 7 lines 54-61].  These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan.  Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.  
Claim(s)  8, 10, and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Mondaeev et al (US 2008/0201772) in view of Murali (US 2019/0059055) and in further view of Jungck (US 2012/0218901). 
Regarding claim 8, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al and Murali do not expressly disclose but Jungck et al further discloses wherein presence of a deviation is detected in the result, either when the hardware filter at the input or the output for a tagged Virtual Logical Area Network establishes an untagged Virtual Logical Area Network data packet, or when the hardware filter at the input or the output for an untagged Virtual Logical Area Network establishes a tagged Virtual Logical Area Network Data Packet [0242-0243];
Please note that in this example the prior art discloses that through Deep Packet Inspection technology to classify flows and inspect traffic;
a database is referenced to determine appropriate virtual machine to navigate traffic to. At this point Ethernet MAC addresses will be modified to navigate traffic appropriately within the chassis and the Ethernet header will be converted to an802.1q header to include a VLAN tag which will be specified by the DPPM Blade. Upon completion of processing returned traffic will have a VLAN Tag applied by the ESX Server and transmission to either the original source MAC address or a prescribed destination will cause the packet to be directed to the appropriate DPPM for egress of the chassis. FIG. 22 shows a normal untagged Ethernet frame as it would be received by the chassis and its difference with regards to the packet that would be sent within the chassis containing a VLAN tag. 
It would have been obvious to one of ordinary skill in the art at to create the invention as claimed for the following reasons.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Mondaeev et al and Murali by transparent provisioning services, for the purpose of modifying the packets by adding deep packet in, based upon the beneficial teachings provided by Jungck, see for example [0242-0243].  These modifications would result in ease of use and increased security, both of which are obvious benefits to the skilled artisan.  Additionally, the cited references are in the field of computer security, as is the current application, and thus, are in analogous arts.  
Regarding claim 10, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein presence of a deviation is detected in the result, when: (i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) a User Datagram Protocol filter at the input or the output establishes a User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, the content of which, including time stamp, sequence number, correction field, is stored at least temporarily in a register for context information [0253];	
Please note that in this example the prior art discloses that firewall service, malicious content detection service, IDS, URLfiltering service, intrusion detection and/or prevention service, internet protocol (IPv4 to IPv6) gateway service etc. the network carrying a plurality of packet seach being transmitted by an associated source, .e.g. an end user or client device or router, proxy server, web server, etc., to at least one associated intended destination intended by the source, e.g. the destination(s) to which the packet(s)are specifically addressed, routed or otherwise directed by the source. Each of the plurality of packets includes routing data, such as Layer 2 or Layer 3 data, which is operative to cause the forwarding of the packet via the network towards the at least one intended destination. 
The motivation to combine is the same as disclosed in point (51). 
Regarding claim 16, Mondaeev et al and Murali disclose all the limitations of claims 1, 12, and 17. Mondaeev et al further discloses wherein a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or a Dynamic Host Configuration Protocol filter, and/or a User Datagram Protocol filter and/or a Precision Time Protocol filter is provided as a hardware filter to analyze the data packet for the intrusion detection and to determine the result for the determination of the value of the counter [0253];	
Please note that in this example the prior art discloses that firewall service, malicious content detection service, IDS, URLfiltering service, intrusion detection and/or prevention service, internet protocol (IPv4 to IPv6) gateway service etc. the network carrying a plurality of packet seach being transmitted by an associated source, .e.g. an end user or client device or router, proxy server, web server, etc., to at least one associated intended destination intended by the source, e.g. the destination(s) to which the packet(s)are specifically addressed, routed or otherwise directed by the source. Each of the plurality of packets includes routing data, such as Layer 2 or Layer 3 data, which is operative to cause the forwarding of the packet via the network towards the at least one intended destination. 
The motivation to combine is the same as disclosed in point (51). 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Mammen et al (US 2008/0071779): managing multiple data flows in a content search system. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENDALL DOLLY whose telephone number is (571)270-1948. The examiner can normally be reached Monday-Thursday 8am-5pm(EST) and Friday 8am-12pm(EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENDALL DOLLY/Primary Examiner, Art Unit 2436