DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Response to Arguments
Applicant's arguments filed 08/04/2022 have been fully considered and they are persuasive and as such, a second Non-Final Response office action is presented with newly found prior Art combined with previously presented prior Art. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 5, 10-14, 18, 21-25, and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Ansari (US 20080320585 A1) in view of Dusi (US 20160205072 A1).
Regarding Claim 1, 14

Ansari teaches: 

A method for filtering packets, the method comprising: receiving a plurality of packets, by a network element, each packet of the plurality of packets comprising a source address field (¶43 filter the attack packets, fig. 2 receiving an incoming packet at a router ¶13 The flow-id or a flow is defined by the combination of a source IP address, a destination IP address, a source port, and a destination port); and 

for each one packet of the plurality of received packets, processing the one packet in the network element receiving the one packet, by performing the following: modifying the source address field of the one packet to comprise at least an identifier of a flow to which the one packet belongs, the identifier comprising a flow-based signature of the one packet (¶50 The flow-id can be replaced by the hash of the source IP address, the destination IP address, the source port, and the destination port (flow based signature)); 

Ansari does not teach: 

determining, based at least in part on the identifier of the flow to which the one packet belongs, whether another packet of the flow to which the one packet belongs has previously been processed; 

performing an operation on the one packet, the operation including dropping the one packet, based on another packet of the flow to which the one packet belongs having previously been processed; and 

passing the one packet on for further processing based on another packet of the flow to which the packet belongs not having previously been processed.

Dusi teaches: 

determining, based at least in part on the identifier of the flow to which the one packet belongs, whether another packet of the flow to which the one packet belongs has previously been processed (¶42 upon detection of a duplicate packet it can be dropped, since the packet has already been analyzed ¶86 filters to keep compact state information for all flows within the aggregate of traffic such as whether or not the current packet is the next one in the flow in terms of actual sequence number, next step is to immediately perform deep packet inspection analysis on a per-packet basis every time an in-order packet for a given flow is received. The deep packet inspection analysis may either process the packet and conclude that it is an already processed one so it is has rules to handle it (previously been processed) or it can find a signature match or conclude that the analysis of the packet payload returns only a partial match and thus wait for the next packet to proceed with the inspection); 

performing an operation on the one packet, the operation including dropping the one packet, based on another packet of the flow to which the one packet belongs having previously been processed (¶42 upon detection of a duplicate packet it can be dropped, since the packet has already been analyzed, the duplicate packet is also of no interest and in case of a total match the action has already be performed and therefore performing the same action again is not necessary anymore); and 

passing the one packet on for further processing based on another packet of the flow to which the packet belongs not having previously been processed (¶58 The deep packet inspection engine thus performs inspection on-the-fly, i.e. flow inspection is performed as soon as packets belonging to the flow are received. Flow analysis is performed as soon as the next in-order packet of that flow has entered the system 1).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari in light of Dusi in order to provide a deep packet inspection engine that thus performs inspection on-the-fly, i.e. flow inspection as soon as packets belonging to the flow are received (Dusi ¶58).


Regarding Claims 5, 18

Ansari teaches:

The method according to claim 1 and wherein at least the processing the one packet is performed by a network element (¶50 detection system code (network element) uses the flow id field available in ns2 to implement the per-flow logic. The flow-id can be replaced by the hash of the source IP address, the destination IP address, the source port, and the destination port),

Regarding Claims 25, 26

Ansari teaches:

The method according to claim 1 and wherein the flow-based signature comprises one of the following: 

a hash of the following fields of the one packet: source IP (SIP) (¶50 The flow-id can be replaced by the hash of the source IP address, the destination IP address, the source port, and the destination port); 

destination IP (DIP); 

protocol type; 

source port (SPORT); and 

destination port (DPORT); 

SIP of the one packet; 

SIP of the one packet concatenated with SPORT of the one packet; 

a hash of the entirety of the packet; and 

a hash of the following fields: DIP of the one packet; 

protocol type of the one packet; SPORT of the one packet; 

DPORT of the one packet; and 

a sequence number of the one packet.



Regarding Claim 10, 21

Ansari-Dusi teaches:

The method according to claim 1.

Dusi teaches:

The method according to claim 1 and wherein the passing the one packet on also comprises: learning the flow to which the one packet belongs as a flow which has previously been processed by recording the flow (¶42 upon detection of a duplicate packet it can be dropped, since the packet has already been analyzed ¶86 filters to keep compact state information for all flows within the aggregate of traffic such as whether or not the current packet is the next one in the flow in terms of actual sequence number, next step is to immediately perform deep packet inspection analysis on a per-packet basis every time an in-order packet for a given flow is received. The deep packet inspection analysis may either process the packet and conclude that it is an already processed one so it is has rules to handle it (previously been processed) or it can find a signature match (stored in order to search for a match) or conclude that the analysis of the packet payload returns only a partial match and thus wait for the next packet to proceed with the inspection
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari in light of Dusi in order to provide a method for analyzing a data flow (Dusi ¶22).

Regarding Claim 11, 22

Ansari-Dusi teaches:

The method according to claim 10.

Dusi teaches:

The method according to claim 10 and wherein the determining comprises determining, based at least in part, on whether the flow to which the one packet belongs is a flow which has been learned as a flow which has been previously processed (¶42 upon detection of a duplicate packet it can be dropped, since the packet has already been analyzed ¶86 filters to keep compact state information for all flows within the aggregate of traffic such as whether or not the current packet is the next one in the flow in terms of actual sequence number, next step is to immediately perform deep packet inspection analysis on a per-packet basis every time an in-order packet for a given flow is received. The deep packet inspection analysis may either process the packet and conclude that it is an already processed one so it is has rules to handle it (previously been processed) or it can find a signature match (stored in order to search for a match) or conclude that the analysis of the packet payload returns only a partial match and thus wait for the next packet to proceed with the inspection
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari in light of Dusi in order to provide a method for analyzing a data flow (Dusi ¶22).
 
Regarding Claim 12, 23

Ansari -Dusi teaches:

The method according to claim 10.

Dusi teaches:

The method according to claim 10 and also comprising removing the recording of said at least one flow as a flow which has previously been processed (¶43 a timeout is used for stored status information and/or for a stored out-of-sequence packet, wherein after a predetermined time the information and/or the stored packets are dropped).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari in light of Dusi in order to provide a method for analyzing a data flow (Dusi ¶22).

Regarding Claim 13, 24

Ansari -Dusi teaches:

The method according to claim 12.



Dusi teaches:

The method according to claim 12 and wherein the removing takes place after a time period has passed since the one flow has been recorded as a flow which has previously been processed (¶43 a timeout is used for stored status information and/or for a stored out-of-sequence packet, wherein after a predetermined time the information and/or the stored packets are dropped)
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari in light of Dusi in order to provide a method for analyzing a data flow (Dusi ¶22).



Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 1, and further in view of He (US 20160014028 A1).

Regarding Claim 8, 
Ansari -Dusi does not teach:

The method according to claim 1 and wherein the passing the one packet on for further processing comprises passing the one packet on to a router for routing .

He teaches:

The method according to claim 1 and wherein the passing the one packet on for further processing comprises passing the one packet on to a router for routing (¶41 A router acts as a packet filter when it forwards or denies packets according to ACL rules (herein simply referred to as rules). As used herein, a “rule” refers to some characteristics of a packet which is used to determine what type of action should be taken for the packet).

Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of M Ansari -Dusi in light of He  in order to determine what type of action should be taken for the packet. (He ¶41).

Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 1 above, and further in view of Gage (US 20160142321 A1).

Regarding Claims 9, 20

Ansari -Dusi does not teach:


The method according to claim 1 and wherein the identifier of a flow to which the one packet belongs is based, at least in part, on a sequence number of the one packet 

Gage teaches:

The method according to claim 1 and wherein the identifier of a flow to which the one packet belongs is based, at least in part, on a sequence number of the one packet (The information may comprise a packet flow ID identifying a particular sequence of packets, a service function chain (SFC) ID to forward a packet along a pre-defined SFC, an access point (AP) ID identifying a network AP).

Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Gage in order to utilize flow-based packet forwarding techniques such that different traffic flows may be transported over different paths (Gage ¶3).  



Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 14 above, and further in view of Lentczner (US 20170063682 A1).

Regarding Claims 27

Ansari -Dusi does not teach:

The network element according to claim 14, wherein the packet processing circuitry determines whether another packet of the flow to which the one packet belongs has previously been processed, by a security mechanism, which is configured to apply security policies based on the source address field of received packets and the ingress port through which the packet was received.

Lentczner teaches:

The network element according to claim 14, wherein the packet processing circuitry determines whether another packet of the flow to which the one packet belongs has previously been processed, by a security mechanism, which is configured to apply security policies based on the source address field of received packets and the ingress port through which the packet was received (¶30 The ACL function filters out packets by comparing information in the packet to an access control list (such as a black list of source IP addresses, or header tuples) to enforce security policies, e.g., to filter out packets known to come from spoofed IP addresses or having known signatures associated with packets associated malicious behavior, blocking packets originating from IP addresses of certain identified devices)
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Lentczner in order for blocking packets originating from IP addresses of certain identified devices (Lentczner ¶30).


Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 27 above, and further in view of Itkin (US 20150172112 A1).


Regarding Claims 28

Ansari -Dusi does not teach:

The network element according to claim 27, wherein the packet processing 	 is configured with a link-aggregation which includes all ports from which the packet may arrive, for the packet filtering.

Itkin teaches:

The network element according to claim 27, wherein the packet processing circuitry is configured with a link-aggregation which includes all ports from which the packet may arrive, for the packet filtering (¶58  Network adapter 40 recognizes management packets sent over the LAG member ports, filters these packets out, and delivers the filtered management packets to the BMC over the sideband channel).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Itkin in order to apply predefined or configurable traffic filters (e.g., a filter that separates between data and management traffic) to traffic received in each of the LAG member ports (Itkin ¶58).







Claims 4, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 1 above, and further in view of ROITSHTEIN (US 20150256466 A1).

Regarding Claim 4, 17

Ansari -Dusi does not teach:

The method according to claim 1 and wherein the performing an operation on the one packet comprises counting the one packet.

Roitshtein teaches:

The method according to claim 1 and wherein the performing an operation on the one packet comprises counting the one packet (¶58 packet flow 110D processed at the device 120, packet counting information is transmitted to the device 140 which is designated for counting packets in the packet flow 110D, each of the counting engines 121-151 at the devices 120-150 statistically makes a decision to transmit local packet counting information).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Roitshtein in order to provide a method for counting packets and bytes in a distributed packet-switched system, and then statistically makes a decision to transmit local packet counting information (Roitshtein ¶58).











Claim 6, is rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 5 above, and further in view of ROITSHTEIN (US 20150256466 A1).

Regarding Claim 6, 
Ansari -Dusi teaches:

The method according to claim 5.

Ansari -Dusi does not teach:

The method according to claim 5 and wherein the network element comprises at least one of: a bridge; a router; and a switch.

Roitshtein teaches:

The method according to claim 5 and wherein the network element comprises at least one of: a bridge; a router; and a switch (¶42 the system 100A is a data center network comprised of numerous switches and servers, and the devices 120-150 are separate switch modules located in different switches).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Roitshtein in order to provide a method for counting packets and bytes in a distributed packet-switched system, and then statistically makes a decision to transmit local packet counting information (Roitshtein ¶58).











Claims 7, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ansari -Dusi as applied to claim 5 above, and further in view of Melman (US 7933268 B1).

Regarding Claim 7, 19

Ansari -Dusi does not teach:

The method according to claim 5, and wherein: the network element comprises a bridge; and at least the processing the one packet is performed by a modified bridge pipeline.

Melman teaches:

The method according to claim 5, and wherein: the network element comprises a bridge (col 4 lines 35-55 flooding a multicast packets to all ports in bridge (network element)); and 

at least the processing the one packet is performed by a modified bridge pipeline (col 4 lines 35-55 the processing pipeline may limit the forwarding (modified bridge pipeline) to only those ports which have devices on them which want to receive the packet, col 4 lines 30-45 exemplary pipeline of FIG. 3, the Pre-Engress Engine 320 examines the decisions made in the Bridge Engine, and prepares the packet descriptor for the egress pipeline processing).
Therefore, it would have been obvious to the one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Ansari -Dusi in light of Melman in order to alleviate some problems related to multicast flooding, by providing improved methods of switching multicast data traffic (Melman col 1 lines 30-40).



Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUWATOSIN M GIDADO whose telephone number is (571)272-4227.  The examiner can normally be reached on Monday -Friday 8:00 - 4:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on (571) 270-1684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLUWATOSIN M GIDADO/Examiner, Art Unit 2445