DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 23 October 2025 has been entered.
Response to Amendment
Applicant’s amendment filed 01 October 2025 amends claims 1, 11, and 17. Applicant’s amendment has been fully considered and entered.
Response to Arguments
Applicant argues on page 12 of the response, “…the cited sections of the applied references, whether taken alone or in any reasonable combination, do not disclose at least ‘process, using a plurality of packet analysis techniques, the one or more packets to determine analysis information associated with the one or more packets, wherein the one or more processors, to process the one or more packets to determine the analysis information, are to parse the one or more packets to identify one or more portions of the one or more packets where each portion, of the one or more packets, is associated with a suspicious code pattern,’…as recited in claim 1, as amended.” This argument has been fully considered and is persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of Nam, KR 20110129020.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3, 7-9, 11-21 are rejected under 35 U.S.C. 103 as being unpatentable over Park, U.S. Publication No. 2015/0113629, in view of Nam, KR 20110129020. Referring to claim 1, Park discloses a monitoring node 200 that includes memory (Figure 7, element 703) and a processor (Figure 7, element 701), which meets the limitation of a network device comprising one or more memories and one or more processors. The monitoring node 200 receives a packet from user equipment 100 ([0093]), which meets the limitation of receiving one or more packets that are to initiate a communication session. The monitoring node 200 decapsulates the received packet ([0094] & Figure 5, step S5050), which meets the limitation of process, using a plurality of packet analysis techniques, the one or more packets to determine analysis information associated with the one or more packets. A monitoring operation is performed on the decapsulated packet in order to determine whether the packet is malicious or non-malicious ([0094] & Figure 5 step S5060), which meets the limitation of wherein the one or more processors, to process the one or more packets to determine the analysis information, determine, based on the analysis information associated with the one or more packets, whether the one or more packets are suspicious.
When the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT), and the packet is discarded when the packet is determined to be malicious ([0095] & Figure 5, step S5090: discarding the packet effectively prevents packet information from being included in the table), which meets the limitation of cause inclusion in a network address translation (NAT) table, based on determining that the one or more packets are not suspicious, of at least one entry associated with the one or more packets and the communication session, prevent inclusion in the NAT table, based on determining that the one or more packets are suspicious, of at least one entry associated with the one or more packets and the communication session. The packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of route, based on causing the inclusion in the NAT table when the one or more packets are not suspicious, the one or more packets to an endpoint device to facilitate establishment of the communication session.
Park does not disclose that the security policy includes code patterns. Nam discloses a packet analyzer that receives packets and analyzes packet content based on code patterns specific to a policy to determine if the code is malicious (Page 4, second paragraph & second to last paragraph), which meets the limitation of wherein the one or more processors, to process the one or more packets to determine the analysis information are to parse the one or more packets to identify one or more portions of the one or more packets where each portion, of the one or more portions, is associated with a suspicious code pattern, wherein the analysis information associated with the one or more packets includes information indicating that the one or more packets exhibit at least one suspicious code pattern.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the security policies of Park to have been modified to include code patterns in order to detect malicious code hidden by websites as suggested by Nam (Page 2, last paragraph – Page 3, first paragraph).
Referring to claim 3, Park describes that a monitoring operation is performed in order to determine whether the packet is malicious or non-malicious ([0094] & Figure 5 step S5060), which meets the limitation of wherein a packet analysis technique, of the plurality of packet analysis techniques, is a malware detection technique, wherein the one or more processors, to process the one or more packets to determine the analysis information. The monitoring node can be forwarded the packet after a determination is made that the source address of the packet does not correspond with previously identified non-malicious addresses ([0057]), which meets the limitation of process, using the malware detection technique, the one or more packets to identify at least one endpoint associated with the one or more packets. Monitoring node analyzes the packet, determines if the packet is malicious/non-malicious, generates and transmits an informing message detailing the results of the analysis ([0057] & [0070] & [0078] & [0095]: informing message reads on the claimed information; Examiner notes that what the information “indicates” does not receive patentable weight since what the information “indicates” does not define structure, nor do such indications require steps to be performed. See MPEP 2111.04-2111.05), which meets the limitation of generate, using the malware detection technique and based on the at least one endpoint associated with the one or more packets, information indicating whether the one or more packets are associated with at least one suspicious endpoint.
Referring to claim 7, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]: security policy reads on the claimed set of suspicious determination criteria; packet content matching security policy during analysis reads on the claimed subset of the set of suspicious determination criteria), which meets the limitation of identify a set of suspicious determination criteria, and determine, based on the analysis information associated with the one or more packets, that at least a subset of the set of suspicious determination criteria are satisfied, and determine, based on determining that at least subset of the set of suspicious determination criteria are satisfied, that the one or more packets are suspicious.
Referring to claim 8, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]: security policy reads on the claimed set of suspicious determination criteria; packet content matching security policy during analysis reads on the claimed subset of the set of suspicious determination criteria), which meets the limitation of identify a set of suspicious determination criteria, and determine, based on the analysis information associated with the one or more packets, that at least a subset of the set of suspicious determination criteria are not satisfied, and determine, based on determining that at least subset of the set of suspicious determination criteria are not satisfied, that the one or more packets are not suspicious.
Referring to claim 9, Park discloses that when the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT) such that the packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of wherein causing inclusion, in the NAT table, of the at least one entry causes the communication session to be initiated.
Referring to claim 11, Park discloses a monitoring node 200 that receives a packet from user equipment 100 ([0093]), which meets the limitation of receive one or more packets that are to initiate a communication session. The monitoring node 200 decapsulates the received packet ([0094] & Figure 5, step S5050), which meets the limitation of process, using a plurality of packet analysis techniques, the one or more packets to determine analysis information associated with the one or more packets. A monitoring operation is performed on the decapsulated packet in order to determine whether the packet is malicious or non-malicious ([0094] & Figure 5 step S5060), which meets the limitation of wherein the one or more instructions, that cause the network device to process the one or more packets to determine the analysis information, determine, based on the analysis information associated with the one or more packets, whether the one or more packets are suspicious. When the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT: storing in the mapping table represents an update) and the packet is discarded when the packet is determined to be malicious ([0095] & Figure 5, step S5090: discarding the packet effectively prevents packet information from being included in the table), which meets the limitation of cause based on determining that the one or more packets are not suspicious, an update to a network address translation (NAT) table, prevent inclusion in the NAT table, based on determining that the one or more packets are suspicious, of at least one entry associated with the one or more packets and the communication session. 
The packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of route, based on causing the update to the NAT table when the one or more packets are not suspicious, the one or more packets to an endpoint device to facilitate establishment of the communication session.
Park does not disclose that the security policy includes code patterns. Nam discloses a packet analyzer that receives packets and analyzes packet content based on code patterns specific to a policy to determine if the code is malicious (Page 4, second paragraph & second to last paragraph), which meets the limitation of wherein the one or more processors, to process the one or more packets to determine the analysis information are to parse the one or more packets to identify one or more portions of the one or more packets where each portion, of the one or more portions, is associated with a suspicious code pattern, wherein the analysis information associated with the one or more packets includes information indicating that the one or more packets exhibit at least one suspicious code pattern.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the security policies of Park to have been modified to include code patterns in order to detect malicious code hidden by websites as suggested by Nam (Page 2, last paragraph – Page 3, first paragraph).
Referring to claim 12, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]: security policy reads on the claimed set of suspicious determination criteria; packet content matching security policy during analysis reads on the claimed subset of the set of suspicious determination criteria), which meets the limitation of determine, based on the analysis information associated with the one or more packets, that at least a subset of the set of suspicious determination criteria are satisfied.
Referring to claim 13, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]: security policy reads on the claimed set of suspicious determination criteria; packet content matching security policy during analysis reads on the claimed subset of the set of suspicious determination criteria), which meets the limitation of determine, based on the analysis information associated with the one or more packets, that at least a subset of the set of suspicious determination criteria are not satisfied.
Referring to claim 14, Park discloses that when the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT) such that the packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of cause, in the NAT table, of the at least one entry associated with the one or more packets and the communication session.
Referring to claim 15, Park discloses that the packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of route the one or more packets to another network device to cause the other network device to update the NAT table. Examiner notes that the “to cause” limitation represents intended use. A recitation of the intended use of the claimed invention must result in a structural difference between the claimed invention and the prior art in order to patentably distinguish the claimed invention from the prior art. If the prior art structure is capable of performing the intended use, then it meets the claim.
Referring to claim 16, Park discloses that the packet is discarded when the packet is determined to be malicious ([0095] & Figure 5, step S5090), which meets the limitation of drop the one or more packets.
Referring to claim 17, Park discloses a monitoring node 200 that receives a packet from user equipment 100 ([0093]), which meets the limitation of receiving, by a network device, a packet associated with initiating a communication session. The monitoring node 200 decapsulates the received packet ([0094] & Figure 5, step S5050), which meets the limitation of processing, by a network device, the packet to determine analysis information associated with the packet. A monitoring operation is performed on the decapsulated packet in order to determine whether the packet is malicious or non-malicious ([0094] & Figure 5 step S5060), which meets the limitation of wherein processing the packet to determine analysis information, comprises parsing the packet to identify one or more portions of the packet wherein each portion, of the one or more portions, [is associated with a suspicious code pattern], determining, by the network device and based on the analysis information associated with the packet, whether the packet is suspicious. When the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT: storing in the mapping table represents an update) and the packet is discarded when the packet is determined to be malicious ([0095] & Figure 5, step S5090: discarding the packet effectively prevents packet information from being included in the table), which meets the limitation of causing, by the network device and based on determining that the packet is not suspicious, an update to a network address translation (NAT) table, preventing, by the network device, inclusion in the NAT table, based on determining that the one or more packets are suspicious, of at least one entry associated with the packets and the communication session. 
The packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of routing, by the network device and based on causing the update to the NAT table when the one or more packet are not suspicious, the one or more packets to an endpoint device to facilitate establishment of the communication session.
Park does not disclose that the security policy includes code patterns. Nam discloses a packet analyzer that receives packets and analyzes packet content based on code patterns specific to a policy to determine if the code is malicious (Page 4, second paragraph & second to last paragraph), which meets the limitation of wherein the processing the packet to determine the analysis information comprises parsing the one or more packets to identify one or more portions of the packet where each portion, of the one or more portions, is associated with a suspicious code pattern, wherein the analysis information associated with the packet includes information indicating that the packet exhibits at least one suspicious code pattern.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the security policies of Park to have been modified to include code patterns in order to detect malicious code hidden by websites as suggested by Nam (Page 2, last paragraph – Page 3, first paragraph).
Referring to claim 18, Park discloses that when the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110: table 256 reads on the claimed NAT) such that the packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of causing inclusion, in the NAT table, of the at least one entry associated with the packet.
Referring to claim 19, Park discloses that the packet having the transformed address is transmitted to the intended destination through a communication channel ([0096] & Figure 5 step S5120), which meets the limitation of wherein routing the packet to the endpoint device causes the updated to the NAT table.
Referring to claim 20, Park discloses that the packet is discarded when the packet is determined to be malicious ([0095] & Figure 5, step S5090), which meets the limitation of dropping the packet.
Referring to claim 21, Park discloses that when the packet is determined to be malicious, the packet is discarded ([0095] & Figure 5, step S5090), which meets the limitation of drop the one or more packets.
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Park, U.S. Publication No. 2015/0113629, in view of Nam, KR 20110129020, and further in view of Hamada, WO 2015/194604. Referring to claim 2, Park describes that a monitoring operation is performed in order to determine whether the packet is malicious or non-malicious ([0094] & Figure 5 step S5060).
Park does not disclose application specific monitoring. Hamada discloses receiving packets and extracting packet data that includes an application identifier and port information (Page 6, second to last paragraph – Page 7, first paragraph), which meets the limitation of wherein a packet analysis technique, of the plurality of packet analysis techniques, is an application identification technique, wherein the one or more processors, to process the one or more packets to determine the analysis information are to process, using the application identification technique, the one or more packets to identify an application associated with the one or more packets. Communications can be blocked if the communications are destined for specific ports and specific applications (Page 11, last paragraph), which meets the limitation of generate, using the application identification technique and based on the application associated with the one or more packets, information indicating whether the application is associated with one or more ports.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the network traffic monitoring of Park to have included application specific monitoring as described in Hamada in order to block suspicious communication until it can be determined that the communication is normal as suggested by Hamada (Page 11, last paragraph).
Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Park, U.S. Publication No. 2015/0113629, in view of Nam, KR 20110129020, and further in view of Yang, CN 107872456. Referring to claim 4, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]), which meets the limitation of wherein a packet analysis technique, of the plurality of packet analysis techniques, is an intrusion and detection technique, wherein the one or more processors, to process the one or more packets to determine the analysis information are to process, using the intrusion and detection technique, the one or more packets to determine [at least one pattern associated with the one or more packets]. Monitoring node analyzes the packet, determines if the packet is malicious/non-malicious, generates and transmits an informing message detailing the results of the analysis ([0057] & [0070] & [0078] & [0095]: informing message reads on the claimed information; Examiner notes that what the information “indicates” does not receive patentable weight since what the information “indicates” does not define structure, nor do such indications require steps to be performed. See MPEP 2111.04-2111.05), which meets the limitation of generate, using the intrusion and detection technique and [based on the at least one pattern associated with the one or more packets], information indicating whether the one or more packets exhibit at least one suspicious pattern.
Park does not suggest that the security policy utilizes patterns for the analysis. Yang discusses packet analysis that utilizes a security policy that includes pattern matching (Page 10, first paragraph), which meets the limitation of process, using the intrusion and detection technique, the one or more packets to determine at least one pattern associated with the one or more packets. An alarm or record log can be created in response to the results of the analysis (Page 10, first paragraph), which meets the limitation of generate, using the intrusion and detection technique and based on the at least one pattern associated with the one or more packets, information indicating whether the one or more packets exhibit at least one suspicious pattern. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the security policy of Park to have been modified to include pattern matching in order to provide a complete analysis of the packet as suggested by Yang (Page 10, first paragraph).
Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Park, U.S. Publication No. 2015/0113629, in view of Nam, KR 20110129020, and further in view of Mu, CN 111935108. Referring to claim 5, Park discloses that the monitoring node analyzes the packets according to a security policy in order to determine if the packet is malicious or non-malicious ([0067]-[0068]), which meets the limitation of wherein a packet analysis technique, of the plurality of packet analysis techniques, is a packet rate determination technique, wherein the one or more processors, to process the one or more packets to determine the analysis information are to process, using the packet rate determination technique, the one or more packets to determine [a packet rate associated with the one or more packets]. Monitoring node analyzes the packet, determines if the packet is malicious/non-malicious, generates and transmits an informing message detailing the results of the analysis ([0057] & [0070] & [0078] & [0095]: informing message reads on the claimed information; Examiner notes that what the information “indicates” does not receive patentable weight since what the information “indicates” does not define structure, nor do such indications require steps to be performed. See MPEP 2111.04-2111.05), which meets the limitation of generate, using the intrusion and detection technique and [based on the packet rate associated with the one or more packets], information indicating whether the packet rate associated with the one or more packets exceed a packet rate threshold.
Park does not disclose that the security policy includes packet rate thresholds. Mu discloses data packet analysis that utilizes a policy to compare flow rate to a preset threshold (Page 9, third paragraph), which meets the limitation of process, using the packet rate determination technique, the one or more packets to determine a packet rate associated with the one or more packets.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the security policy of Park to have been modified to include packet rate thresholds in order to determine load pressure as suggested by Mu (Page 9, last paragraph).
Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Park, U.S. Publication No. 2015/0113629, in view of Nam, KR 20110129020, and further in view of Roskind, U.S. Publication No. 2015/0127853. Referring to claim 10, Park discloses that when the packet is determined to not be malicious, the source address of the packet is transformed and stored along with the source address in an address mapping table 256 ([0096] & Figure 5, steps S5070-5110).
Park does not disclose that entries in the address mapping table are deleted after a threshold period of time elapses with no additional packets in the communication session. Roskind discloses the monitoring of a temporary address included in an NAT for a particular period of time constituting a timeout window ([0026]), which meets the limitation of determine that no additional packet associated with the communication session has been communicated for a threshold period of time. Once the timeout window has elapsed and no additional packets are received, the temporary address is removed from the NAT ([0026]), which meets the limitation of cause, based on determining that no additional packet associated with the communication session has been communicated for the threshold period of time, the at least one entry to be removed from the NAT table. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the entries in the address mapping table to be deleted after a threshold period of time elapses with no additional packets in the communication session because the mapping table only has a finite number of available entries and removal of unused entries from the mapping table would allow for reuse of the entries as suggested by Roskind ([0026]).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor can be reached at 5712705143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BENJAMIN E LANIER/ Primary Examiner, Art Unit 2437