DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Response to Arguments
Applicant’s arguments, see pages 7-9, filed 11/20/2025, with respect to the rejection(s) of claim(s) 1, 2, 4-6, 8-15, and 17-21 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 4-6 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Schat (U.S. PGPub. No. 2020/0387601) (hereinafter "Schat"), in view of Kollmyer et al. (U.S. Pat. No. 7,165,175 B1) (hereinafter "Kollmyer"), Gopshtein et al. (U.S. PGPub. No. 2010/0299302 A1) (hereinafter "Gopshtein") and Conte et al. (U.S. Pat. No. 8,799,671 B2) (hereinafter "Conte"), and further in view of Edwards et al. (U.S. Pat. No. 8,874,926 B1) (hereinafter "Edwards").
Regarding claim 1, Schat teaches:
an integrated circuit (IC) device comprising: (Schat: [0017] In another embodiment, an IC device includes a bus interface, a processor and memory that stores computer readable instructions, which when executed by the processor and memory circuit, implements, monitoring activity on the bus interface of the IC device, wherein the bus interface is connectable to a bus on a system that communicatively couples the IC device to at least one other IC device on the system),
a first IC (Schat: [0042], the first IC device (IC1) 102-1 is configured to transmit data off of the PCB and to receive data onto the PCB via…); a second IC configured to exchange data with the first IC over a data bus, wherein the data is expected to be encrypted (Schat: [0042], As depicted in FIG. 1, each IC device has a bus interface 106-1-106-3 that is configured to support communications on the corresponding bus, e.g., 104-1-104-3);
and a data guard circuit coupled to the data bus, the data guard circuit configured to (Schat: [0048], the bus interface is connectable to a bus on the PCB that communicatively couples the IC device to at least one other IC device on the PCB):
monitor the data on the data bus (Schat: [0047], provides that Trojans can be detected by observing the data traffic at the bus interface of an IC device that is connected to other IC devices on a PCB; detecting a system-level Trojan on a system such as a PCB involves monitoring activity on the bus interface of an IC device. [0053], The activity that is monitored by the activity monitor may include activity related to the data transmitted on a bus of the PCB as monitored through a bus interface of the IC device);
Schat does not explicitly disclose:
and comprises payload data distributed across different packets;
receive data format information associated with the data and a data pattern configuration, wherein the data format information and the data pattern information are received separately from the data on the data bus;
determine which portion of the data on the data bus correspond to the payload data based on the data format information
wherein the data format information indicates whether the data on the bus includes only the payload data or the payload data together with non-payload data
and identifies location of the payload data within the packets;
identify a statistical data pattern in the payload data based on the data pattern configuration, wherein the data pattern configuration describes one or more features by which the statistical data pattern can be identified;
determine that the data is not encrypted based on the statistical data pattern and a configurable threshold
and generate a notification based upon the determination that the payload data is not encrypted;
However, in an analogous art, Kollmyer teaches:
And comprises payload data distributed across different packets (Kollmyer: [Col 4, lines 41-55], (19) Data packets can be typically divided into two parts, the header and the payload parts. The header is the portion of the packet that includes routings or other configuration information. The payload is the portion of the data packet that is just the data of interest, in exemplary case: multimedia content. For example, in a network packet, the header contains data for use by network routers in delivering the packet to its final destination, as well as other data about the packet such as size and formatting information. In an exemplary RTP packet, the header contains channel information as well as other information needed by the player to direct the RTP (media content) payload. Some complex packets may contain multiple headers and diverse non-payload information and will be referred to herein as the non-payload part);
receive data format information associated with the data and a data pattern configuration (Kollmyer: [Col 8, lines 26-32], What the systems and methods of the invention do is parse the network and actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content (= data pattern information: multimedia content often contains repeating patterns or trends within its audio, video, image and text elements, which can be analyzed to extract meaningful insights through data mining techniques). Selectivity of the data to be encrypted is based on the format of the data sent, which the EB recognizes and responds to appropriately); wherein the data format information and the data pattern information are received separately from the data on the data bus (Kollmyer: Examiner interprets the data format information and the data pattern information as received separately because Kollmyer discloses that a data packet is divided into two parts in order to transmit the data more efficiently across a network. Kollmyer teaches in [Col 4, lines 41-55], (19) Data packets can be typically divided into two parts, the header and the payload parts. The header is the portion of the packet that includes routings or other configuration information (= data format information, which is typically located in the header of a data packet; the header contains metadata about the data, including information about its format). The payload is the portion of the data packet that is just the data of interest, in exemplary case: multimedia content (= data pattern information, for the reason given above));
determine which portion of the data on the data bus correspond to the payload data based on the data format information (Kollmyer: [Col 5, lines 18-24], an encryption bridge that examines, parses and selectively encrypts only the payload (e.g. Media content) portion of the data, leaving the non-payload portion intact such that the data can cross firewalls…[Col 8, lines 18-33], provides certain portions of the data are encrypted and other portions of the data are not or do not need to be encrypted…actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content. Selectivity of the data to be encrypted is based on the format of the data sent… [Col 9, lines 4-15], The firewall looks at the non-payload part including but not limited to size, routing and header data. If the non-payload part data identify the data stream as a reply to a user request, then firewall determines that the data stream is not malicious in origin and will not prevent it from going through. However, if the firewall is unable to parse the non-payload part or does not recognize the non-payload part then the data will be blocked from passing through…),
wherein the data format information indicates whether the data on the bus includes only the payload data or the payload data together with non-payload data (Kollmyer: [Col 8, lines 18-33], provides certain portions of the data are encrypted and other portions of the data are not or do not need to be encrypted…actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content. Selectivity of the data to be encrypted is based on the format of the data sent… [Col 9, lines 4-15], The firewall looks at the non-payload part including but not limited to size, routing and header data. If the non-payload part data identify the data stream as a reply to a user request, then firewall determines that the data stream is not malicious in origin and will not prevent it from going through. However, if the firewall is unable to parse the non-payload part or does not recognize the non-payload part then the data will be blocked from passing through…), and identifies location of the payload data within the packets (Kollmyer: [Col 3, lines 59-60], Every TCP/IP packet has a header containing the IP address of the sender. [Col 8, lines 18-31], provides certain portions of the data are encrypted and other portions of the data are not or do not need to be encrypted. What the systems and methods of the invention do is parse the network and actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content. Selectivity of the data to be encrypted is based on the format of the data sent, which the EB recognizes and responds to appropriately);
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Schat’s method of transmitting collected data and monitoring data traffic by applying Kollmyer’s method of recognizing the payload data by looking at the data format and data pattern. The motivation is to determine that the data stream is not malicious in origin so that it need not be prevented from going through, and to selectively encrypt and decrypt different portions of data sent over a network (Kollmyer: [Col 1, lines 11-12]).
The combination of Schat in view of Kollmyer does not explicitly disclose:
identify a statistical data pattern in the payload data based on the data pattern configuration, wherein the data pattern configuration describes one or more features by which the statistical data pattern can be identified;
determine that the data is not encrypted based on the statistical data pattern and a configurable threshold
and generate a notification based upon the determination that the payload data is not encrypted;
However, in an analogous art, Gopshtein teaches:
identify a statistical data pattern in the payload data based on the data pattern configuration (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read, such as through the use of a network sniffer, and compared to a defined plurality of data patterns. [0024], If the matched data pattern is not an exact data pattern at box 438, i.e., it is a statistical data pattern, the process proceeds to box 442 to determine whether a threshold number of statistical data pattern matches has occurred at box 442. If a threshold number of statistical data pattern matches has not occurred at box 442, the process proceeds to box 436 to obtain communication packets from a next communication transaction. If a threshold number of statistical data pattern matches has occurred at box 442, the source computing device is deemed to be running the application or service corresponding to the matched statistical data pattern, and the source computing device is associated with that corresponding application or service at box 440), wherein the data pattern configuration describes one or more features by which the statistical data pattern can be identified (Gopshtein: [0019] Applicant has observed known network traffic and has identified data patterns occurring in communication transactions, either in the request or the request/response pair, that might be used in the various embodiments. Table 1 lists example data patterns and their corresponding application or service. Table 1 further identifies whether Applicant deemed the data pattern to be exact or statistical);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer by applying the well-known technique disclosed by Gopshtein of identifying a statistical data pattern and determining whether a threshold number of statistical data pattern matches has occurred. The motivation is to configure a traffic monitoring application to monitor the desired traffic (Gopshtein: [Abstract]).
The combination of Schat in view of Kollmyer and Gopshtein does not explicitly disclose:
determine that the data is not encrypted based on the statistical data pattern and a configurable threshold;
and generate a notification based upon the determination that the payload data is not encrypted;
However, in an analogous art, Conte teaches:
determine that the payload data is not encrypted (Conte: [Col 2, lines 24-26], The encryption status of the data is intended to refer to whether the data is encrypted or unencrypted. [Col 7, lines 8-15], identify the file type may include reading…information encoded in the file, and/or metadata (= Examiner Note: the information encoded in the data file, together with its metadata, is the payload data) associated with the file. The process may recognize data files 764 and 765 as being file types (text files and picture files, respectively) that are likely to be unencrypted. Data files 764 and 765 may be marked as unencrypted (their status stored in a table kept in memory 722, for instance)) based on the statistical data pattern (Conte: [Col 4, lines 27-31], calculate the frequency of occurrence of each individual data value in the file (block 206). This frequency data is used to calculate the Shannon entropy (Examiner interprets Shannon entropy as relying on statistical patterns, since it is computed from the frequency distribution of the data values) of the data (block 208). The Shannon entropy is a measure of the amount of order in data. [Col 4, lines 53-57], A statistical test as to whether the frequency profile differs from a typical text file or a simple query as to whether certain possible values in the data are missing may be able to indicate whether a file is an unencrypted text file) and a configurable threshold (Conte: [Col 4, lines 62-64], If the entropy value is below (or fails to exceed) the predetermined threshold, the process will output that the data file is unencrypted (block 214). [Col 5, lines 64-67], The method may further include comparing the calculated value with a threshold value to determine whether the data file read from the data source is encrypted or unencrypted (block 508))
and generate a notification based upon the determination that the payload data is not encrypted (Conte: [Col 5, lines 46-48], Compressible files are likely to have not been encrypted, and are flagged (=notification) and/or output as unencrypted (block 312)).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer and Gopshtein by applying the well-known technique disclosed by Conte of determining whether data is encrypted or unencrypted and flagging files that have not been encrypted as unencrypted. The motivation is to determine whether the file is encrypted or unencrypted, and to encrypt files that are determined to be unencrypted (Conte: [Abstract]).
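The following is an added worked example, not code from the present application or from Schat, Kollmyer, Gopshtein, Conte or Edwards; it shows how the elements mapped above operate together. Format information received separately from the bus data locates the payload inside each packet (payload only, or header plus payload plus trailer); a pattern configuration names the features by which a plaintext-like statistical pattern is identified (share of printable bytes per packet, a pooled Shannon-entropy bound, and a match-count threshold); and a notification is produced when the number of matching packets reaches the configurable threshold or the pooled entropy of the payload falls below the configured bound. The packet framing, the configuration field names, the threshold values and the SHA-256 based toy keystream standing in for real ciphertext are assumptions of the example.

```python
"""Data-guard check: is payload carried across bus packets encrypted as expected?

Added example; not code from the application under examination or from any cited
reference. Assumed (hypothetical): the packet framing, the configuration field
names, the thresholds and the toy keystream standing in for real ciphertext.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DataFormatInfo:
    """Format information received separately from the bus data (assumed fields)."""
    has_header: bool        # False: packets carry payload only
    header_len: int = 0     # non-payload bytes before the payload
    trailer_len: int = 0    # non-payload bytes after the payload (e.g. a checksum)

@dataclass(frozen=True)
class DataPatternConfig:
    """Features by which a plaintext-like statistical pattern is identified (assumed)."""
    printable_fraction: float = 0.90  # a packet matches if this share of payload bytes is printable ASCII
    match_threshold: int = 4          # matching packets needed before deciding "not encrypted"
    max_entropy_bits: float = 6.0     # pooled Shannon entropy below this also means "not encrypted"

@dataclass(frozen=True)
class GuardResult:
    not_encrypted: bool
    pattern_matches: int
    entropy_bits: float
    notification: Optional[str]


def extract_payload(packet: bytes, fmt: DataFormatInfo) -> bytes:
    """Locate the payload inside one packet using only the format information."""
    if not fmt.has_header:
        return packet
    end = len(packet) - fmt.trailer_len
    if fmt.header_len > end:
        raise ValueError("packet shorter than its declared non-payload fields")
    return packet[fmt.header_len:end]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or tab/newline (a plaintext feature)."""
    if not data:
        return 0.0
    return sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)) / len(data)

def check_encryption(packets: List[bytes], fmt: DataFormatInfo, cfg: DataPatternConfig) -> GuardResult:
    """Count packets matching the plaintext pattern against a threshold, and test pooled entropy."""
    payloads = [extract_payload(p, fmt) for p in packets]
    matches = sum(1 for pl in payloads if printable_ratio(pl) >= cfg.printable_fraction)
    entropy = shannon_entropy(b"".join(payloads))  # payload is spread over packets, so pool it
    not_encrypted = matches >= cfg.match_threshold or entropy < cfg.max_entropy_bits
    note = None
    if not_encrypted:
        note = (f"payload not encrypted: {matches}/{len(packets)} packets match the plaintext "
                f"pattern, pooled entropy {entropy:.2f} bits/byte")
    return GuardResult(not_encrypted, matches, entropy, note)


# Constructed sample bus traffic (not captured from any real device).
def _toy_keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Deterministic SHA-256 counter stream; a stand-in for ciphertext, NOT a secure cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def build_sample_bus(encrypted: bool, count: int = 16) -> List[bytes]:
    """Frames of 4-byte header | 48-byte payload | 2-byte checksum trailer (assumed framing)."""
    packets = []
    for seq in range(count):
        payload = f"TEMP=21.{seq % 10}C;HUM=4{seq % 10}%;PRESS=1013hPa;SEQ={seq:04d}".encode().ljust(48, b" ")
        if encrypted:
            payload = bytes(a ^ b for a, b in zip(payload, _toy_keystream(b"demo-key", seq, 48)))
        header = bytes([0xA5, seq & 0xFF, len(payload), 0x01])
        trailer = (sum(payload) & 0xFFFF).to_bytes(2, "big")
        packets.append(header + payload + trailer)
    return packets


if __name__ == "__main__":
    fmt = DataFormatInfo(has_header=True, header_len=4, trailer_len=2)
    for label, enc in (("plaintext", False), ("ciphertext", True)):
        r = check_encryption(build_sample_bus(encrypted=enc), fmt, DataPatternConfig())
        print(f"{label:10s} matches={r.pattern_matches:2d} entropy={r.entropy_bits:.2f} -> {r.notification}")
```

The header and trailer bytes are excluded before any statistics are taken; measured over the whole frame they would lower the entropy of genuinely encrypted traffic and cause false notifications. Pooling the payload across packets matters for the same reason: entropy measured on a single short packet cannot exceed log2(packet length) bits per byte, so a 48-byte ciphertext fragment on its own could never reach a threshold set near 8 bits. The toy keystream exists only so the sample runs offline with deterministic high-entropy bytes; a real data guard would observe the output of the second IC's actual cipher.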
Schat in view of Kollmyer, Gopshtein and Conte does not explicitly teach:
wherein the second IC is configured to stop exchanging data with the first IC based on the notification that the data is not encrypted.
However, in an analogous art, Edwards teaches:
wherein the second IC is configured to stop exchanging data with the first IC based on the notification that the data is not encrypted (Edwards: [Col 5, lines 19-23], an unexpected difference in a system integrity check measurement may indicate an intruder, and sending controller 110 may stop sending data across communication bus 130 in response to an indication of an intruder).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein and Conte by applying the well-known technique disclosed by Edwards of holding the communication when the hashed authentication signature or authentication bit within a received octet is not valid. The motivation is to prevent encrypted data from being accessible by unauthorized oscilloscope acquisition, and to prevent data access patterns that might be correlated to system behavior from leaking information (Edwards: [Col 1, lines 45-46]).
Regarding claim 4, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 1 (see rejection of claim 1 above),
wherein the first IC is a controller circuit, the second IC is a bus interface circuit, and the data format information is used to indicate the payload data for a set of packets being transferred over the data bus from the controller circuit to the bus interface circuit (Kollmyer: [Col 8, lines 18-27], (22) Thus, the invention provides a software bridge that examines network data passing through, parses the network data…actually look at the data format…Selectivity of the data to be encrypted is based on the format of the data sent, which the EB recognizes and responds to appropriately.)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Schat’s method of transmitting collected data and monitoring data traffic by applying Kollmyer’s method of recognizing the payload data by looking at the data format. The motivation is to selectively encrypt and decrypt different portions of data sent over a network (Kollmyer: [Col 1, lines 11-12]).
Regarding claim 5, Schat teaches:
an integrated circuit (IC) device (Schat: [0017] In another embodiment, an IC device includes a bus interface, a processor and memory that stores computer readable instructions, which when executed by the processor and memory circuit, implements, monitoring activity on the bus interface of the IC device, wherein the bus interface is connectable to a bus on a system that communicatively couples the IC device to at least one other IC device on the system), comprising:
a bus monitor configured to monitor data traffic on a bus between a first IC and a second IC (Schat: [0047], provides that Trojans can be detected by observing the data traffic at the bus interface of an IC device that is connected to other IC devices on a PCB; detecting a system-level Trojan on a system such as a PCB involves monitoring activity on the bus interface of an IC device. [0053], The activity that is monitored by the activity monitor may include activity related to the data transmitted on a bus of the PCB as monitored through a bus interface of the IC device);
Schat does not disclose:
and an output interface configured to generate a notification in response to determining that the data traffic is not encrypted as expected;
However, in an analogous art, Conte discloses:
and an output interface configured to generate a notification in response to determining that the data traffic is not encrypted as expected (Conte: [Col 5, lines 46-48], Compressible files are likely to have not been encrypted, and are flagged (=notification) and/or output as unencrypted (block 312)).
Schat in view of Conte does not disclose:
wherein the data traffic comprises payload data distributed across different packets;
wherein the configuration information is received separately from the data traffic and comprises:
an indication of whether the data traffic includes only the payload data or the payload data together with non-payload data, and information identifying locations of the payload data within the packets ;
However, Kollmyer teaches:
Wherein the data traffic comprises payload data distributed across different packets (Kollmyer: [Col 4, lines 41-55], (19) Data packets can be typically divided into two parts, the header and the payload parts. The header is the portion of the packet that includes routings or other configuration information. The payload is the portion of the data packet that is just the data of interest, in exemplary case: multimedia content. For example, in a network packet, the header contains data for use by network routers in delivering the packet to its final destination, as well as other data about the packet such as size and formatting information. In an exemplary RTP packet, the header contains channel information as well as other information needed by the player to direct the RTP (media content) payload. Some complex packets may contain multiple headers and diverse non-payload information and will be referred to herein as the non-payload part);
an indication of whether the data traffic includes only the payload data or the payload data together with non-payload data (Kollmyer: [Col 8, lines 18-33], provides certain portions of the data are encrypted and other portions of the data are not or do not need to be encrypted…actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content. Selectivity of the data to be encrypted is based on the format of the data sent… [Col 9, lines 4-15], The firewall looks at the non-payload part including but not limited to size, routing and header data. If the non-payload part data identify the data stream as a reply to a user request, then firewall determines that the data stream is not malicious in origin and will not prevent it from going through. However, if the firewall is unable to parse the non-payload part or does not recognize the non-payload part then the data will be blocked from passing through…), and information identifying locations of the payload data within the packets (Kollmyer: [Col 3, lines 59-60], Every TCP/IP packet has a header containing the IP address of the sender. [Col 8, lines 18-31], provides certain portions of the data are encrypted and other portions of the data are not or do not need to be encrypted. What the systems and methods of the invention do is parse the network and actually look at the data format, encrypting only the portion of the data that contains, in the exemplary case, multimedia content. Selectivity of the data to be encrypted is based on the format of the data sent, which the EB recognizes and responds to appropriately);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte by applying Kollmyer’s method of recognizing the location of the payload data, in order to determine that the data stream is not malicious in origin so that it need not be prevented from going through. The motivation is to selectively encrypt and decrypt different portions of data sent over a network (Kollmyer: [Col 1, lines 11-12]).
Schat in view of Conte and Kollmyer does not explicitly disclose:
wherein the configuration information is received separately from the data traffic and comprises:
a configuration interface configured to receive configuration information associated with the data traffic;
a data encryption verifier configured to:
analyze the data traffic based on the configuration information;
and determine whether the data traffic is encrypted as expected based on the analysis;
However, Gopshtein teaches:
wherein the configuration information is received separately from the data traffic and comprises: (Gopshtein: [0012], The header portion 214 contains information identifying the computing device responsible for generating the communication packet 212 and information identifying the intended recipient computing device, as well as other overhead information (=configuration information) related to processing of the communication packet 212. [0014] A network sniffer 328 may be used by a host device (not shown in FIG. 3) to read the information (=configuration information) of the request communication packet 322 and the response communication packet 326, from both the header portion and the data portion. This information will identify from what computing device the communication packet originated, and will contain data patterns that can be used to discover network traffic)
a configuration interface configured to receive configuration information associated with the data traffic (Gopshtein: [0012], The header portion 214 contains information identifying the computing device responsible for generating the communication packet 212 and information identifying the intended recipient computing device, as well as other overhead information (=configuration information) related to processing of the communication packet 212. [0014] A network sniffer 328 may be used by a host device (not shown in FIG. 3) to read the information of the request communication packet 322 and the response communication packet 326, from both the header portion and the data portion. This information will identify from what computing device the communication packet originated, and will contain data patterns that can be used to discover network traffic)
analyze the data traffic based on the configuration information (Gopshtein: [0012], The header portion 214 contains information identifying the computing device responsible for generating the communication packet 212 and information identifying the intended recipient computing device, as well as other overhead information (=configuration information) related to processing of the communication packet 212. [0014] A network sniffer 328 may be used by a host device (not shown in FIG. 3) to read the information of the request communication packet 322 and the response communication packet 326, from both the header portion and the data portion. This information will identify from what computing device the communication packet originated, and will contain data patterns that can be used to discover network traffic)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte and Kollmyer by applying the well-known technique disclosed by Gopshtein of reading header and data portion information from communication packets and identifying the data pattern as a statistical data pattern. The motivation is to discover network traffic (Gopshtein: [0002]).
Schat in view of Conte, Kollmyer and Gopshtein does not explicitly disclose:
a data encryption verifier configured to
and determine whether the data traffic is encrypted as expected based on the analysis;
However, Conte teaches:
a data encryption verifier configured to determine whether the data traffic is encrypted as expected based on the analysis (Conte: [Col 4, lines 58-62], (25) Next the Shannon entropy value may be compared to a predetermined threshold value (block 210). If the Shannon entropy value is above (or exceeds) the predetermined threshold, then the routine will output that the data file is encrypted (block 212). [Col 4, lines 62-64], If the entropy value is below (or fails to exceed) the predetermined threshold, the process will output that the data file is unencrypted (block 214));
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte, Kollmyer and Gopshtein by applying the well-known technique disclosed by Conte of determining whether data is encrypted or unencrypted. The motivation is to determine whether the file is encrypted or unencrypted, and to encrypt files that are determined to be unencrypted (Conte: [Abstract]).
Schat in view of Conte, Kollmyer and Gopshtein does not explicitly teach:
and halting the data traffic on the bus
However, in an analogous art, Edwards teaches:
and halting the data traffic on the bus (Edwards: [Col 5, lines 19-23], an unexpected difference in a system integrity check measurement may indicate an intruder, and sending controller 110 may stop sending data across communication bus 130 in response to an indication of an intruder. [Col 9, lines 48-60], (51) If the hashed authentication signature or authentication bit within a received octet are not valid, firewall logic 455 sends an abort signal to decryption logic 490. Firewall logic 455 may also cause chip 450 to send a Not-Acknowledge ("NACK") signal 497 to chip 410 (sending control module) when the hashed authentication signature is not valid. The NACK signal may be a NACK-hold signal. NACK-hold is defined as a Slave (e.g. chip 450) device signaling a NACK using the communication protocol specification, but holding that bus state for a longer period of time and/or holding the communication clock line such that the Master (e.g. chip 410) interprets a Stop communication, timeout or error but ultimately ceases communication with the Slave for a predefined period of time).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte, Kollmyer and Gopshtein by applying the well-known technique disclosed by Edwards of holding the communication when the hashed authentication signature or authentication bit within a received octet is not valid. The motivation is to prevent encrypted data from being accessible by unauthorized oscilloscope acquisition, and to prevent data access patterns that might be correlated to system behavior from leaking information (Edwards: [Col 1, lines 45-46]).
Regarding claim 6, Schat in view of Conte, Kollmyer, Gopshtein and Edwards teaches:
The device of claim 5 (see rejection of claim 5 above),
wherein the analysis of the data traffic is performed by sampling the data traffic (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read (= sampling), such as through the use of a network sniffer, and compared to a defined plurality of data patterns), and wherein the analysis of the data traffic includes identifying a statistical data pattern in the sampled data traffic (Gopshtein: [0024], If the matched data pattern is not an exact data pattern at box 438, i.e., it is a statistical data pattern, the process proceeds to box 442 to determine whether a threshold number of statistical data pattern matches has occurred at box 442. If a threshold number of statistical data pattern matches has not occurred at box 442, the process proceeds to box 436 to obtain communication packets from a next communication transaction. If a threshold number of statistical data pattern matches has occurred at box 442, the source computing device is deemed to be running the application or service corresponding to the matched statistical data pattern, and the source computing device is associated with that corresponding application or service at box 440).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte and Kollmyer by applying the well-known technique disclosed by Gopshtein of identifying the data pattern as a statistical data pattern. The motivation is to discover network traffic (Gopshtein: [0002]).
Regarding Claim 8, Schat in view of Conte, Kollmyer, Gopshtein and Edwards teaches:
The device of claim 6 (see rejection of claim 6 above),
wherein identifying the statistical data pattern in the sampled data traffic is performed based on a data pattern configuration included in the configuration information (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read, such as through the use of a network sniffer, and compared to a defined plurality of data patterns. [0024], If the matched data pattern is not an exact data pattern at box 438, i.e., it is a statistical data pattern, the process proceeds to box 442 to determine whether a threshold number of statistical data pattern matches has occurred at box 442. If a threshold number of statistical data pattern matches has not occurred at box 442, the process proceeds to box 436 to obtain communication packets from a next communication transaction. If a threshold number of statistical data pattern matches has occurred at box 442, the source computing device is deemed to be running the application or service corresponding to the matched statistical data pattern, and the source computing device is associated with that corresponding application or service at box 440).
the data pattern configuration characterizing the statistical data pattern (Gopshtein: [0016] For various embodiments, two classes of data patterns are utilized. A first class of data patterns are data patterns that are deemed to be unique to a specific application or service. For this class of data patterns, a communication packet or transaction is deemed to be associated with a specific application or service if a single communication packet or transaction contains the data pattern. This class of data patterns will be called exact data patterns. [0017] A second class of data patterns are data patterns that would be deemed to identify a specific application or service if they were to occur in a particular threshold number of communication packets or transactions between two computing devices. Unlike exact data patterns, the threshold number is greater than one. This class of data patterns will be called statistical data patterns).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Conte and Kollmyer by applying the well-known technique disclosed by Gopshtein of classifying the data pattern as a statistical data pattern. The motivation is to discover network traffic (Gopshtein: [0002]).
Claim(s) 2, 9-15 and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Schat (U.S. PGPub. No. 20200387601) (hereinafter "Schat"), in view of Kollmyer et al (U. S. PGPub. No. 7,165,175 B1), Gopshtein et al (U. S. PGPub. No. 2010/0299302 A1) (hereinafter "Gopshtein"), and Conte et al. (U. S. Pat. No. 8,799,671 B2) (hereinafter "Conte"); further in view of Edwards et al. (U. S. Pat. No. 8,874,926 B1) (hereinafter "Edwards"); and further in view of Durham et al (U. S. PGPub. No. 2017/0185532 A1) (hereinafter "Durham").
Regarding claim 2, Schat in view of Kollmyer, Gopshtein, Conte, and Edwards teaches:
The device of claim 1 (see rejection of claim 1 above),
wherein identifying the statistical data pattern in the payload data (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read, such as through the use of a network sniffer, and compared to a defined plurality of data patterns. [0024], If the matched data pattern is not an exact data pattern at box 438, i.e., it is a statistical data pattern…),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer by applying the well-known technique disclosed by Gopshtein of classifying the data pattern as a statistical data pattern. The motivation is to discover network traffic (Gopshtein: [0002]).
The above cited combination of Schat in view of Kollmyer, Gopshtein, Conte and Edwards does not explicitly disclose:
However, Durham teaches:
(Durham: [0053] The logic 52 may, therefore, examine program data over an amount of memory (e.g., gigabytes of memory) to determine typical patterns appearing…the logic 52 may retrieve information regarding typical patterns from storage… and then decrypted may include more zero (0) bits than one (1) bits. Thus, the logic 52 may identify that more zero (0) bits than one (1) bits are typically encountered in a cache line for program data, and use the pattern to determine whether the unencrypted data includes a random distribution of the plurality of bits),
and wherein determining that the data is not encrypted is based on a comparison of a ratio of 1 bits to 0 bits with a threshold (Durham: [0052], if plaintext data (e.g., pre-encryption data) is a data block of all zeros that is encrypted to form ciphertext (e.g., post-encryption data), a change to the ciphertext may cause approximately fifty percent of the bits to change to ones (e.g., upon decryption)… and the logic 52 may determine that the corresponding plaintext data (e.g., post-decryption data) includes a bit difference (=a ratio) at approximately half the total number of bits of the data block. [0108], identifies unencrypted data including a plurality of bits that is involved in the write operation. The unencrypted data may include, for example, plaintext of a data line).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of identifying a bit difference between zero (0) bits and one (1) bits. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 9, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 6 (see rejection of claim 6 above),
and wherein determining whether the data traffic is encrypted as expected (Conte: [Col 4, lines 58-62], the Shannon entropy value may be compared to a predetermined threshold value (block 210). If the Shannon entropy value is above (or exceeds) the predetermined threshold, then the routine will output that the data file is encrypted (block 212)).
Schat in view of Lai, Kollmyer, Gopshtein, Conte and Edwards does not explicitly disclose the limitations below; however, Durham teaches:
wherein identifying the statistical data pattern in the sampled data traffic includes (Durham: [0052], if plaintext data (e.g., pre-encryption data) is a data block of all zeros that is encrypted to form ciphertext (e.g., post-encryption data), a change to the ciphertext may cause approximately fifty percent of the bits to change to ones (e.g., upon decryption)… and the logic 52 may determine that the corresponding plaintext data (e.g., post-decryption data) includes a bit difference at approximately half the total number of bits of the data block. [0108], identifies unencrypted data including a plurality of bits that is involved in the write operation. The unencrypted data may include, for example, plaintext of a data line) counting a number of bytes having a predefined byte pattern in the sampled data traffic (Durham: [0057], The logic 52 may also count a number of instances the sequence of bits (=byte pattern) appears in the unencrypted data. Additionally, the logic 52 may determine that the unencrypted data does not include a random distribution of the plurality of bits when the number of instances satisfies the threshold value.).
(Durham: [0058] The logic 52 may determine whether the plurality of bits includes a pattern by identifying typical values of an instruction set (e.g., byte values “00”, “FF”, and/or “8B” in x86). In the example, the logic 52 may determine that the unencrypted data includes an uncorrupted (e.g., proper, valid, etc.) non-random instruction when the count is greater than or equal to a threshold value of 9 (=predefined byte pattern with a threshold))
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of determining whether a plurality of bits includes a pattern. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 10, Schat in view of Kollmyer, Gopshtein, Conte, Edwards and Durham teaches:
The device of claim 9 (see rejection of claim 9 above),
wherein the predefined byte pattern is a byte having all zeros (Durham: [0052], if plaintext data (e.g., pre-encryption data) is a data block of all zeros that is encrypted to form ciphertext (e.g., post-encryption data), a change to the ciphertext may cause approximately fifty percent of the bits to change to ones (e.g., upon decryption)… and the logic 52 may determine that the corresponding plaintext data (e.g., post-decryption data) includes a bit difference at approximately half the total number of bits of the data block. [0108], identifies unencrypted data including a plurality of bits that is involved in the write operation. The unencrypted data may include, for example, plaintext of a data line).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of determining whether pre-encryption data is a data block of all zeros that is encrypted to form ciphertext. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 11, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 6 (see rejection of claim 6 above),
Schat in view of Kollmyer, Gopshtein, Conte and Edwards does not explicitly disclose the limitations below; however, Durham teaches:
wherein identifying the statistical data pattern in the sampled data traffic includes determining a ratio of 0 bits to 1 bits in the sampled data traffic, and wherein determining whether the data traffic is encrypted as expected (Durham: [0086] The first data block (m.sub.0) may receive an initialization vector to mix with plaintext, and each successive data block (m.sub.1-m.sub.3) may be encrypted such that ciphertext from a previous data block is mixed with plaintext of a present data block before encryption. Encryption may be accomplished forward (e.g., m.sub.0 to m.sub.1 to m.sub.2 to m.sub.3) and backward (e.g., m.sub.2 to m.sub.1 to m.sub.0) to ensure that a modification of any data block's plaintext affects the ciphertext of all data blocks, and reciprocally, a modification of any data block's ciphertext affects the plaintext of all data blocks) is based on a comparison of the ratio with a threshold (Durham: [0053] The logic 52 may, therefore, examine program data over an amount of memory (e.g., gigabytes of memory) to determine typical patterns appearing at a particular frequency, including relatively common patterns, relatively obscure patterns, and so on, or combinations thereof…the logic 52 may retrieve information regarding typical patterns from storage… and then decrypted may include more zero (0) bits than one (1) bits. Thus, the logic 52 may identify that more zero (0) bits than one (1) bits are typically encountered in a cache line for program data, and use the pattern to determine whether the unencrypted data includes a random distribution of the plurality of bits),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of determining whether pre-encryption data is a data block of all zeros that is encrypted to form ciphertext. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 12, Schat in view of Kollmyer, Gopshtein, Durham and Edwards teaches:
The device of claim 6 (see rejection of claim 6 above),
wherein the configuration information includes a predefined data pattern (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read, such as through the use of a network sniffer, and compared to a defined plurality of data patterns (=predefined data pattern)),
However, Conte teaches:
and wherein determining whether the data traffic is encrypted as expected (Conte: [Col 4, lines 58-62], the Shannon entropy value may be compared to a predetermined threshold value (block 210). If the Shannon entropy value is above (or exceeds) the predetermined threshold, then the routine will output that the data file is encrypted (block 212))
is based on a comparison (Durham: [0060] The logic 52 compare the instances of the typical patterns to a probability the sequences would appear in a random distribution of bits. Of note, an opportunity to encounter a pattern may be relatively high for valid plaintext, and/or a probability of random noise creating a recognizable pattern may be relatively low. In addition, the logic 52 may implement a probability function to determine whether the unencrypted data includes a random distribution of the plurality of bits).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of comparing the instances of the typical patterns to the probability that the sequences would appear in a random distribution of bits, in order to ensure sufficient confidentiality of the final ciphertext. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
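The three tests the rejection relies on for claims 9 through 12 (Conte's Shannon-entropy threshold, Durham's ratio of 0 bits to 1 bits, and Durham's count of a predefined byte pattern against a threshold) can be modelled together as one data encryption verifier that samples bus traffic window by window. The Python below is an added illustration, not code from the office action or from any cited reference; the window size, the thresholds, the `PatternConfig` name and the sample traffic are constructed assumptions.

```python
"""Added example: a software model of a 'data encryption verifier' that samples
bus traffic and decides whether each window is encrypted as expected.
All thresholds, names and sample data are constructed assumptions."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PatternConfig:
    """Constructed 'data pattern configuration' (cf. claim 8)."""
    window: int = 1024             # bytes sampled per window
    entropy_threshold: float = 7.0  # bits per byte; 8.0 is the maximum
    ratio_max: float = 1.5          # accept 0:1 bit ratios in [1/ratio_max, ratio_max]
    zero_byte_fraction: float = 0.03  # max share of 0x00 bytes per window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (Conte's entropy value)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zero_to_one_ratio(data: bytes) -> float:
    """Ratio of 0 bits to 1 bits; inf when the window has no 1 bits at all."""
    ones = sum(bin(b).count("1") for b in data)
    zeros = len(data) * 8 - ones
    return math.inf if ones == 0 else zeros / ones


def count_byte_pattern(data: bytes, pattern: int = 0x00) -> int:
    """Count bytes equal to the predefined byte pattern (default: all zeros)."""
    return data.count(bytes([pattern]))


def sample_traffic(traffic: bytes, window: int) -> list:
    """Sample consecutive fixed-size windows; a trailing partial window is dropped."""
    return [traffic[i:i + window] for i in range(0, len(traffic) - window + 1, window)]


def looks_encrypted(window_bytes: bytes, cfg: PatternConfig) -> bool:
    """All three checks must pass for a window to count as encrypted.

    Caveat: the plug-in entropy estimate is biased low for small windows
    (at most log2(len) bits), so the threshold must be tuned to the window size.
    """
    ratio = zero_to_one_ratio(window_bytes)
    return (shannon_entropy(window_bytes) >= cfg.entropy_threshold
            and 1.0 / cfg.ratio_max <= ratio <= cfg.ratio_max
            and count_byte_pattern(window_bytes) <= cfg.zero_byte_fraction * len(window_bytes))


def verify_traffic(traffic: bytes, cfg: PatternConfig = PatternConfig()) -> dict:
    """Return the verdict and the index of the first window that fails.

    A failing window is the point at which a device would raise the
    'not encrypted' notification and could halt traffic on the bus.
    """
    for idx, w in enumerate(sample_traffic(traffic, cfg.window)):
        if not looks_encrypted(w, cfg):
            return {"encrypted_as_expected": False, "failed_window": idx, "halt_bus": True}
    return {"encrypted_as_expected": True, "failed_window": None, "halt_bus": False}


def constructed_ciphertext(n: int, seed: bytes = b"bus-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter stream (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def constructed_plaintext(n: int) -> bytes:
    """Zero-heavy plaintext stand-in using byte values Durham names as typical of x86."""
    pattern = bytes([0x8B, 0x45, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x48])
    return (pattern * (n // len(pattern) + 1))[:n]


if __name__ == "__main__":
    print(verify_traffic(constructed_ciphertext(4096)))
    print(verify_traffic(constructed_plaintext(4096)))
    # Ciphertext followed by plaintext: the verifier flags the first plaintext window.
    print(verify_traffic(constructed_ciphertext(2048) + constructed_plaintext(2048)))
```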
Regarding Claim 13, Schat in view of Kollmyer, Gopshtein, Durham, Conte and Edwards teaches:
The device of claim 5 (see rejection of claim 5 above),
wherein the analysis of the data traffic is performed by sampling the data traffic, and wherein the data encryption verifier is further configured to (Durham: [0081] The illustrated memory controller 22 further includes a verifier 66 to determine a mismatch/match between plaintext of an integrity value (e.g., a copy stored in an integrity check line) and plaintext of a data line (e.g., a portion copied of the data line), which indicates error corruption or validity of the integrity value and/or of the data line. The verifier 66 may also recognize a non-random pattern (or absence thereof) to indicate the integrity of unencrypted data. In either case, the verifier 66 may recognize that data has been restored by a bit flip operation, and the error corrector 64 may replace ciphertext with modified ciphertext corresponding to the bit operation that restored the non-random pattern, that resulted in plaintext with the largest order (e.g., patterns, etc.), and/or that resulted in a match between the integrity value (if used) and the data line)
receive pre-encryption data associated with the sampled data traffic (Durham: [0023] The unencrypted data may include a plurality of bits… the plurality of bits may be translated to and/or from binary code, wherein the binary code may be executed by the cores 16, 18, may be sorted at the memory 12, may be fetched from the memory 12, and so on, or combinations thereof), wherein determining whether the sampled data traffic is encrypted as expected (Durham: [0086] The first data block (m.sub.0) may receive an initialization vector to mix with plaintext, and each successive data block (m.sub.1-m.sub.3) may be encrypted (=determined that the block data is successively encrypted) such that ciphertext from a previous data block is mixed with plaintext of a present data block before encryption. Encryption may be accomplished forward (e.g., m.sub.0 to m.sub.1 to m.sub.2 to m.sub.3) and backward (e.g., m.sub.2 to m.sub.1 to m.sub.0) to ensure that a modification of any data block's plaintext affects the ciphertext of all data blocks, and reciprocally, a modification of any data block's ciphertext affects the plaintext of all data blocks) is based on a comparison of the pre-encryption data with the sampled data traffic (Durham: [0139] …identify unencrypted data including a plurality of bits, wherein the unencrypted data is to be encrypted and stored in the memory, determine whether the unencrypted data includes a random distribution of the plurality of bits, and implement error correction by a modification to ciphertext of the unencrypted data when the unencrypted data includes a random distribution of the plurality of bits and is corrupt),
wherein pre-encryption data corresponds to data that was supposed to be encrypted for output on the bus as the data traffic (Durham: [0021], The plaintext data may include pre-encryption data such as, for example, cleartext data which is to be encrypted prior to transmission and/or storage… [0139] …identify unencrypted data including a plurality of bits, wherein the unencrypted data is to be encrypted and stored in the memory, determine whether the unencrypted data includes a random distribution of the plurality of bits, and implement error correction by a modification to ciphertext of the unencrypted data when the unencrypted data includes a random distribution of the plurality of bits and is corrupt),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of ensuring sufficient confidentiality of the final ciphertext. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 14, Schat in view of Kollmyer, Gopshtein, Durham, Conte and Edwards teaches:
The device of claim 13 (see rejection of claim 13 above),
wherein the data traffic is expected to have two levels of encryption applied (Durham: [0087] Two rounds of AES may be sufficient to diffuse the bits within each data block. Thus, a current data block may wait for an immediately preceding data block to complete two rounds of AES….The intermediate ciphertext 70 may be forwarded to the AES-XTS pipeline 72 to accomplish encryption block by block (C.sub.0-C.sub.3) for ensuring sufficient confidentiality of final ciphertext (e.g., using 10 rounds). The final ciphertext may be written to the memory 12. [0088] The diffuser 26b is a type of encryptor that includes an AES-ECB pipeline 74 to generate intermediate ciphertext 76 using at least two rounds of AES…),
and wherein the pre-encryption data being compared with the sampled data traffic is encrypted data having one level of encryption (Durham: [0081], a verifier 66 to determine a mismatch/match between plaintext of an integrity value (e.g., a copy stored in an integrity check line) and plaintext of a data line (e.g., a portion copied of the data line), which indicates error corruption or validity of the integrity value and/or of the data line…)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of generating intermediate ciphertext using at least two rounds of AES. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 15, Schat in view of Kollmyer, Gopshtein, Durham, Conte and Edwards teaches:
The device of claim 13 (see rejection of claim 13 above),
wherein the data traffic is expected to have one level of encryption applied (Durham: [0087], The final ciphertext may be written to the memory 12. [0088] The diffuser 26b is a type of encryptor that includes an AES-ECB pipeline 74 to generate intermediate ciphertext 76 using at least two rounds of AES (=one level of encryption applied)),
and wherein the pre-encryption data being compared with the sampled data traffic is unencrypted data (Durham: [0051] The logic 52 may make a determination whether the unencrypted data includes a random distribution of the plurality of bits at any time. For example, the logic 52 may make the determination before data is encrypted (e.g., pre-encryption data) and/or after a fetch of the data from the memory 12 and after the decryptor 28 decrypts the data to generate the unencrypted data (e.g., post-decryption data))
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of generating intermediate ciphertext using at least two rounds of AES. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Regarding Claim 17, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 5 (see rejection of claim 5 above),
wherein the bus is an external bus of the first IC (Schat: [0042], all of the IC devices are physically attached to the same PCB and communicatively coupled by buses, including, for example, an Ethernet bus, a Serial Peripheral Interface (SPI) bus, and a Joint Test Action Group (JTAG) bus).
Regarding Claim 18, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 5 (see rejection of claim 5 above),
wherein the bus is an internal bus of a system-on-a-chip (SoC) that includes the first IC and the IC device (Schat: [0042] FIG. 1 depicts an example of a system in the form of a PCB 100 that includes several separate and distinct IC devices 102-1-102-6 that are connected by buses 104-1-104-3. For example, all of the IC devices are physically attached to the same PCB and communicatively coupled by buses, including, for example, an Ethernet bus, a Serial Peripheral Interface (SPI) bus, and a Joint Test Action Group (JTAG) bus).
Regarding claim 19, this claim contains identical limitations found within that of claim 5 above, albeit directed to a different statutory category (method medium). For this reason, the same grounds of rejection are applied to claim 19.
(Conte: [Col 4, lines 62-64], If the entropy value is below (or fails to exceed) the predetermined threshold, the process will output that the data file is unencrypted (block 214))
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer and Gopshtein by applying the well-known technique disclosed by Conte of determining whether data is encrypted or unencrypted. The motivation is to determine whether the file is encrypted or unencrypted, and to encrypt files that are determined to be unencrypted (Conte: [Abstract]).
Schat in view of Kollmyer, Gopshtein and Conte does not explicitly teach:
and halting the data traffic on the bus
However, in an analogous art, Edwards teaches:
and halting the data traffic on the bus (Edwards: [Col 5, lines 19-23], an unexpected difference in a system integrity check measurement may indicate an intruder, and sending controller 110 may stop sending data across communication bus 130 in response to an indication of an intruder. [Col 9, lines 48-60], 51) If the hashed authentication signature or authentication bit within a received octet are not valid, firewall logic 455 sends an abort signal to decryption logic 490. Firewall logic 455 may also cause chip 450 to send a Not-Acknowledge ("NACK") signal 497 to chip 410 (sending control module) when the hashed authentication signature is not valid. The NACK signal may be a NACK-hold signal. NACK-hold is defined as a Slave (e.g. chip 450) device signaling a NACK using the communication protocol specification, but holds that bus state for a longer period of time and or holds the communication clock line such that the Master (e.g. chip 410) interprets a Stop communication, timeout or error but ultimately ceases communication with the Slave for a predefined period of time)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein and Conte by applying the well-known technique disclosed by Edwards of holding the communication if the hashed authentication signature or authentication bit within a received octet is not valid. The motivation is to prevent encrypted data from being accessible by unauthorized oscilloscope acquisition, and to prevent data access patterns from being correlated to system behavior to leak information (Edwards: [Col 1, lines 45-46]).
Regarding Claim 20, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The method of claim 19 (see rejection of claim 19 above),
wherein analyzing the data traffic includes identifying a statistical data pattern in the data traffic, and comparing the statistical data pattern to a threshold (Gopshtein: [0022] FIG. 4 is a flow chart of a method of discovering network traffic in accordance with an embodiment of the disclosure. In general, communication packets are read, such as through the use of a network sniffer, and compared to a defined plurality of data patterns. [0024], If the matched data pattern is not an exact data pattern at box 438, i.e., it is a statistical data pattern, the process proceeds to box 442 to determine whether a threshold number of statistical data pattern matches has occurred at box 442. If a threshold number of statistical data pattern matches has not occurred at box 442, the process proceeds to box 436 to obtain communication packets from a next communication transaction. If a threshold number of statistical data pattern matches has occurred at box 442, the source computing device is deemed to be running the application or service corresponding to the matched statistical data pattern, and the source computing device is associated with that corresponding application or service at box 440).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer by applying the well-known technique disclosed by Gopshtein of identifying a statistical data pattern and determining whether a threshold number of statistical data pattern matches has occurred. The motivation is to configure a traffic monitoring application to monitor the desired traffic (Gopshtein: [Abstract]).
Regarding Claim 21, Schat in view of Kollmyer, Gopshtein, Durham and Edwards teaches:
The method of claim 19 (see rejection of claim 19 above),
wherein analyzing the data traffic includes comparing the data traffic with a predefined data pattern (Durham: [0081], a verifier 66 to determine a mismatch/match between plaintext of an integrity value (e.g., a copy stored in an integrity check line) and plaintext of a data line (e.g., a portion copied of the data line), which indicates error corruption or validity of the integrity value and/or of the data line…)
or comparing the data traffic with pre-encryption data corresponding to data that was supposed to be encrypted for output on the bus as the data traffic (Durham: [0021], The plaintext data may include pre-encryption data such as, for example, cleartext data which is to be encrypted prior to transmission and/or storage. In addition, the plaintext data may include post-decryption data such as, for example, data which is the result of decryption on received and/or retrieved data. [0139] Example 1 may include an apparatus to provide memory integrity comprising memory and logic, at least partially implemented in hardware, to identify unencrypted data including a plurality of bits, wherein the unencrypted data is to be encrypted and stored in the memory, determine whether the unencrypted data includes a random distribution of the plurality of bits, and implement error correction by a modification to ciphertext of the unencrypted data when the unencrypted data includes a random distribution of the plurality of bits and is corrupt.),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Durham of identifying a bit difference between zero (0) bits and one (1) bits. The motivation is to protect the memory from being vulnerable, since the data may be corrupted by an adversary via an initial and/or a repeated memory corruption attack (Durham: [0002]).
Claim(s) 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Schat (U.S. PGPub. No. 20200387601) (hereinafter "Schat") in view of Kollmyer et al (U. S. PGPub. No. 7,165,175 B1), Gopshtein et al (U. S. PGPub. No. 2010/0299302 A1) (hereinafter "Gopshtein") and Conte et al. (U. S. Pat. No. 8,799,671 B2) (hereinafter "Conte"); and further in view of Edwards et al. (U. S. Pat. No. 8,874,926 B1) (hereinafter "Edwards").
Regarding Claim 3, Schat in view of Kollmyer, Gopshtein and Conte teaches:
The device of claim 1 (see rejection of claim 1 above),
Schat in view of Kollmyer, Gopshtein and Conte does not explicitly teach:
wherein a function of the second IC is disabled based on the notification that the data is not encrypted
However, in an analogous art, Edwards teaches:
wherein a function of the second IC is disabled based on the notification that the data is not encrypted (Edwards: [Col 5, lines 19-23], an unexpected difference in a system integrity check measurement may indicate an intruder, and sending controller 110 may stop sending data across communication bus 130 in response to an indication of an intruder. [Col 3, lines 48-52], When sending controller 110 turns switch 133 ON (enabled), intrusion prevention circuit 140 becomes coupled to communication bus 130. When sending controller 110 turns switch 133 OFF (disabled), intrusion prevention circuit 140 becomes de-coupled to communication bus 130, [Col 5, lines 55-65], (29) In process block 305, an intrusion prevention circuit (e.g. intrusion prevention circuit 140) is decoupled from a communication bus (e.g. communication bus 130). Sending controller 110 may de-couple intrusion prevention circuit 140 from communication bus by disabling a switch (e.g. switch 133). While the intrusion prevention circuit is de-coupled, a bus integrity check is performed (process block 310). The bus integrity check includes measuring at least one analog characteristic of the communication bus. The intrusion prevention circuit need only be disabled (decoupled) for a short time to perform the bus integrity check).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein and Conte by applying the well-known technique disclosed by Edwards of stopping the transmission of data across the communication bus by disabling the switch in order to decouple the intrusion prevention circuit from the communication bus. The motivation is to prevent encrypted data from being accessible to unauthorized oscilloscope acquisition, and to prevent data access patterns that might be correlated to system behavior from leaking information (Edwards: [Col 1, lines 45-46]).
Regarding Claim 16, Schat in view of Kollmyer, Gopshtein and Conte teaches:
The device of claim 5 (see rejection of claim 5 above),
Schat in view of Kollmyer, Gopshtein and Durham does not explicitly teach:
wherein a function of the second IC is disabled based on the notification that the data is not encrypted
However, in an analogous art, Edwards teaches:
wherein a function of the second IC is disabled based on the notification that the data is not encrypted (Edwards: [Col 5, lines 19-23], an unexpected difference in a system integrity check measurement may indicate an intruder, and sending controller 110 may stop sending data across communication bus 130 in response to an indication of an intruder. [Col 3, lines 48-52], When sending controller 110 turns switch 133 ON (enabled), intrusion prevention circuit 140 becomes coupled to communication bus 130. When sending controller 110 turns switch 133 OFF (disabled), intrusion prevention circuit 140 becomes de-coupled to communication bus 130, [Col 5, lines 55-65], (29) In process block 305, an intrusion prevention circuit (e.g. intrusion prevention circuit 140) is decoupled from a communication bus (e.g. communication bus 130). Sending controller 110 may de-couple intrusion prevention circuit 140 from communication bus by disabling a switch (e.g. switch 133). While the intrusion prevention circuit is de-coupled, a bus integrity check is performed (process block 310). The bus integrity check includes measuring at least one analog characteristic of the communication bus. The intrusion prevention circuit need only be disabled (decoupled) for a short time to perform the bus integrity check).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein and Conte by applying the well-known technique disclosed by Edwards of stopping the transmission of data across the communication bus by disabling the switch in order to decouple the intrusion prevention circuit from the communication bus. The motivation is to prevent encrypted data from being accessible to unauthorized oscilloscope acquisition, and to prevent data access patterns that might be correlated to system behavior from leaking information (Edwards: [Col 1, lines 45-46]).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Schat (U.S. PGPub. No. 20200387601) (hereinafter "Schat") in view of Kollmyer et al (U. S. PGPub. No. 7,165,175 B1), Gopshetin et al (U. S. PGPub. No. 2010/0299302 A1) (hereinafter “Gopshetin”) and Conte et al. (U. S. Pat. No. 8,799,671 B2) (hereinafter “Conte”); and further in view of Edwards et al. (U. S. Pat. No. 8,874,926 B1) (hereinafter “Edwards”); and further in view of KENINGTON (U. S. PGPub. No. 2021/0092702 A1) (hereinafter “Kenington”)
Regarding Claim 7, Schat in view of Kollmyer, Gopshtein, Conte and Edwards teaches:
The device of claim 6 (see rejection of claim 6 above),
wherein the configuration information indicates a size of the payload data (Kollmyer: [col 4, lines 43-55], The payload is the portion of the data packet that is just the data of interest, in the exemplary case multimedia content. For example, in a network packet, the header contains data for use by network routers in delivering the packet to its final destination, as well as other data about the packet such as size (=size of the payload data) and formatting information. In an exemplary RTP packet, the header contains channel information as well as other information (=configuration information) needed by the player to direct the RTP (media content) payload. Some complex packets may contain multiple headers and diverse non-payload information and will be referred to herein as the non-payload part)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Schat’s method of transmitting collected data, monitoring data traffic and sending a notification to the end user by applying Kollmyer’s method of recognizing the size of the payload data. The motivation is to selectively encrypt and decrypt different portions of data sent over a network (Kollmyer: [Col 1, lines 11-12]).
The above combination of Schat in view of Kollmyer, Gopshtein, Conte and Edwards does not explicitly disclose:
and a sample size to use for sampling the data traffic
However, in an analogous art, Kenington teaches:
and a sample size to use for sampling the data traffic (Kenington: [0223], provides for feeding (=sampling) data packets to processor/control system 1902 which, in turn, feeds (=sampling) payload data to network interface circuits 1901. Finally, network interface circuits 1901 appropriately encode, packetize and send the payload data on to a data network via interface 1914).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Schat in view of Kollmyer, Gopshtein, Conte and Edwards by applying the well-known technique disclosed by Kenington of sampling the payload data packets. The motivation is to appropriately encode, packetize and send the payload data on to a data network via an interface (Kenington: [0223]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
U. S. Pat. No. 8,578,486 B2 (Lifliand et al.): A method of operating a computing device that allows inspecting data that the device attempts to transmit over a network in an encrypted form for presence of malware, viruses or confidential information. The method includes intercepting a request from an application to an encryption component of an operating system to encrypt the data and acquiring encrypted data generated by the encryption component in response to the request. SSL or TLS protocol may be used for encryption. The request may be intercepted using API hooking. The data in an unencrypted form and an identifier of the encrypted data may be provided to a data inspection facility for establishing a correspondence between the unencrypted and encrypted data, using the identifier. The data inspection facility performs inspection of the unencrypted data to determine whether to allow transmission of the encrypted data over the network.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached at 571-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.D./Examiner, Art Unit 2437
/ALI S ABYANEH/Primary Examiner, Art Unit 2437