DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is in response to Applicant’s communication filed on 11/28/2025. Claims 1-20 have been examined.
Response to Arguments
Applicant’s arguments, see Remarks – pages 9-16 filed on 11/28/2025, with respect to the rejection(s) of claims 1, 15 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Verma.
With regard to the claim objection (Claim 1), Applicant’s amendment overcomes the claim objection. Therefore, the claim objection is withdrawn.
With regard to the claim objection (Claims 1, 13), claims 1 and 13 were not amended. Therefore, the claim objection is maintained. See the claim objection below.
With regard to the 112 2nd rejection, claim 12 was not amended. Therefore, the rejection is maintained. See the 112 2nd rejection below.
Claim Objections
Claims 1, 13 are objected to because of the following informalities:
With regard to claim 1, the claim recites “the event”. The examiner suggests amending the claim to recite “an event”.
With regard to claim 13, the claim recites “accessing command by the network classification from one of … or the decrement command”. The examiner believes this is a typo. The examiner suggests amending the claim to recite “accessing command by the network classification from one of … or the decrement command queue”.
Appropriate corrections are required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 12-13, 15-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
With regard to claim 12, the claim recites “the increment command”. It is unclear what the increment command is referring to because claim 1, which claim 12 depends on, does not recite “an increment command”. Therefore, the examiner is unable to determine the metes and bounds of the claim language.
With regard to claim 12, the claim recites “the decrement command”. It is unclear what the decrement command is referring to because claim 1, which claim 12 depends on, does not recite “a decrement command”. Therefore, the examiner is unable to determine the metes and bounds of the claim language.
With regard to claim 15, the claim recites “a network interface circuit of a network interface circuit”. It is unclear how the network interface circuit can be of a network interface circuit if both network interface circuits are the same. Therefore, the examiner is unable to determine the metes and bounds of the claim language.
With regard to claim 18, the claim recites “the network security appliance”. It is unclear what the network security appliance is referring to because claim 18 recites “a network security appliance” and claim 15, which claim 18 depends on, recites “a network security appliance”. Therefore, the examiner is unable to determine the metes and bounds of the claim language.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4, 10, 11, 14, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Li et al. Publication No. CN 112819637 A (Li hereinafter) in view of Guleria et al. Publication No. US 2016/0285753 A2 (Guleria hereinafter) further in view of Verma et al. Publication No. US 2025/0031043 A1 (Verma hereinafter).
Regarding claim 1,
Li teaches a method for classifying network events into the first occurrence of the event and the subsequent occurrence of the same event (Fig.1, Page 6) the method comprising:
receiving, by a network event classification circuit, a network event from a data communication network; generating, by the network event classification circuit, a transaction identifier identifying the network event (Pages 6 & 7 - S110 - obtaining the transaction identifier corresponding to the current transaction. wherein the current transaction can be the current transaction to be processed, for example, not finishing the transaction of clearing, or transaction of not finishing the deduction, and so on. the current transaction can be any consumption transaction, also can be any transaction account transaction, any transaction, any stored value transaction, including but not limited to card transaction, gateway jump transaction, application program skipping transaction, HS page jump transaction, scanning transaction and non-inductive payment transaction - . transaction identification is generated by the merchant number and order number corresponding to the current transaction ; S120, determining the transaction identification corresponding to the transaction number group based on the transaction identification).
generating, by the network classification circuit, a search command including a […] transaction identifier; and executing, by the network classification circuit, the search command, wherein executing the search command includes: hashing the […]the transaction identifier with a first hash seed to yield a first memory address, and hashing the […] transaction identifier with a second hash seed to yield a second memory address; and (Page 10 – determining transaction identification corresponding to the transaction based on transaction identification, calculating each hash value corresponding to the transaction identification based on transaction identification, determining whether the current transaction satisfies the secondary control weight condition according to each hash value and transaction number set, if it satisfies; determining the execution strategy of the current transaction according to the query result of the transaction identification in the database. The embodiment of the invention realizes the secondary control of the transaction by the transaction bit array and the database; the first layer of filtering transaction through transaction number group, so that only a small amount of transaction needs database query – calculating each hash value corresponding to the transaction identifier based on the transaction identifier; determining whether the current transaction satisfies the secondary control weight condition based on the hash value and the transaction number group; if the current transaction satisfies the secondary control weight condition, determining the execution strategy of the current transaction according to the query result of the transaction identification in the database – See Page 18 – Note: the examiner interprets search command as equivalent to the database query that is generated and executed using the transaction id by hashing the transaction id that yield to hashing values in bit array ( memory) for that transaction id).
generating a classification of the network event based at least in part upon a first value accessed from a memory at the first memory address and a second value accessed from the memory at the second memory address Page 18 - step 2, determining the Bloom filter corresponding to the transaction identification based on the first hash value of the transaction identification and the consistency hash ring. step 3, based on Bloom filter determining transaction identification corresponding to the transaction number group. step 4, calculating each hash value based on hash function corresponding to the Bloom filter; determining the bit position corresponding to the transaction bit group based on each hash value. step 5, judging whether the bit position corresponding to the transaction number group is 1; if not, executing step 6; if yes, executing step 7. step 6, performing transaction processing to the current transaction. step 7, according to the transaction identification judging database query whether there is transaction identification corresponding transaction record, -it can directly determine transaction identification corresponding to the transaction number group based on the transaction identification. Page 4 - if the database does not include the transaction record corresponding to the transaction identification, then determining the current transaction is the first transaction, transaction processing the current transaction, and transaction record corresponding to the transaction processing, storing the transaction record and the transaction identification associated to the database).
However, Li does not explicitly teach a network event classification circuit of a network interface circuit and using the subset of transaction identifier.
generating, by the network classification circuit, a search command including a subset of the transaction identifier; and executing, by the network classification circuit, the search command, hashing the subset of the transaction identifier with a first hash seed to yield a first memory address, and hashing the subset of the transaction identifier with a second hash seed to yield a second memory address;
transmitting the classification to a network security appliance, wherein the network security appliance performs one or more processes using the classification.
Guleria teaches
generating, by the network classification circuit, a search command including a subset of the transaction identifier; and executing, by the network classification circuit, the search command, hashing the subset of the transaction identifier with a first hash seed to yield a first memory address, and hashing the subset of the transaction identifier with a second hash seed to yield a second memory address (¶ 0045 ¶0046 Packet classification involves executing a lookup in memory to classify the packet by determining which flow entry in the forwarding tables best matches the packet based upon the match structure, or key, of the flow entries. It is possible that many flows can correspond to a packet; in this case the system is typically configured to determine one flow from the many flows according to a defined scheme ( e.g. selecting a first flow entry that is matched. when the flow identification is computed with a hash function of a key associated with the packet ( e.g., CRC-32), a portion of the hash value (flow identification) is used to access the learn table. In a non-limiting example, the flow identification (e.g., a hash value computed with CRC-32) is 32 bits hash value, and 8 bits of these 32 bits are used to access the learn table element. – See Also ¶ 0052, ¶ 0066 – Note: the examiner interprets the subset of transaction id as the first portion of the flow id. Also examiner interprets the search command as equivalent to lookup command that is generated and executed in memory using the portion of flow id).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Guleria. The motivation for doing so is to allow system to provide techniques which avoid sending multiple requests to the control plane in order to learn the same flow and to avoid delays in the processing of new flow entries ( ¶ 0004 – Guleria).
Verma teaches
a network event classification circuit of a network interface circuit, receiving by a network event classification circuit a network event from a data communication network, transmitting the classification to a network security appliance, wherein the network security appliance performs one or more processes using the classification (Fig.2 &3, Fig.8, ¶ 0261 – selective intelligent enforcement and/or selective offloading in mobile networks using a Smart NIC in accordance with some embodiments – ¶0262 -At 802, monitoring network traffic in a core mobile network using a Smart Network Interface Card (NIC) of a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications is performed. smart NIC can include a data processing unit (DPU). ¶0263 - the meta information associated with the new session can be extracted using the smart NIC of the network element in the core mobile network by performing inspection of packet forwarding control protocol (PFCP) messages, application programming interfaces (APis), and/or syslog messages. ¶0264 -applying selective intelligent enforcement and/or selective intelligent offloading is performed using the Smart NIC of the network element if the extracted meta information associated with the new session matches a selective intelligent enforcement policy and/or a selective intelligent offload policy. 
For example, the selective intelligent enforcement (SIE) policy and/or selective intelligent offloading (SITO) policy – ¶0065 - If the S-NSSAI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 214 – Note: DPU within Smart NIC classify network traffic using SITO policy and if it matches, send classified traffic to firewall to apply security).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Verma. The motivation for doing so is to allow system to effectively and efficiently apply inspection to selected users ( Verma – ¶0030).
Regarding claim 2,
Li further teaches
performing, by a processing resource, a network process using at least the classification of the network event (Page 4 - if the current transaction does not satisfy the secondary control weight condition, then performing transaction processing to the current transaction - if the database does not include the transaction record corresponding to the transaction identification, the determining the current transaction is the first transaction, transaction processing the current transaction, and generating transaction record corresponding to the transaction processing, storing the transaction record and the transaction identification associated to the database).
Regarding claim 4,
Li does not explicitly teach
wherein the memory is organized into a plurality of tables, wherein the subset of the transaction identifier is a first subset of the transaction identifier, and wherein the method further comprises: enabling, by the network classification circuit, a memory table of the plurality of tables, wherein the memory table is selected based at least in part on a second subset of the transaction identifier.
However, Guleria teaches
a memory is organized into a plurality of tables, wherein the subset of the transaction identifier is a first subset of the transaction identifier, and wherein the method further comprises: enabling, by the network classification circuit, a memory table of the plurality of tables, wherein the memory table is selected based at least in part on a second subset of the transaction identifier (¶ 0030 - Packet classification involves executing a lookup in memory to classify the packet by determining which flow entry in the forwarding tables best matches the packet based upon the match structure, or key, of the flow entries – ¶ 0039 - Upon receipt of a packet of a flow of packets at the network device, it is determined, based on an identification of the flow, whether the packet has a corresponding forwarding table entry within a set of one or more forwarding tables of the network device. If the packet is determined not to have any corresponding forwarding table entry (i.e., the packet belongs to an unknown flow, which is to be inserted in a forwarding table), a flow learning element is retrieved from a flow learning table using a first portion of the flow identification. A second portion of the flow identification for the received packet is used to determine whether the flow of the packet is currently being learnt. In response to determining that the second portion matches a sub-element of the retrieved flow learning element - ¶ 0049 – 0052 Alternatively if the second portion of the flow identification does not match any sub-element of the flow learning element 520 which has a "used" bit set, this means that the flow is not being learnt by the forwarding device and an entry needs to be inserted in the flow learning table 500 See Also – ¶ 0069).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Guleria. The motivation for doing so is to allow system to provide techniques which avoid sending multiple requests to the control plane in order to learn the same flow and to avoid delays in the processing of new flow entries ( ¶ 0004 – Guleria).
Regarding claim 10,
Li further teaches
wherein generating the classification of the network event based at least in part upon a first value accessed from a memory at the first memory address and a second value accessed from the memory at the second memory address includes: determining that both the first value and the second value are zero; and indicating that the classification of the network event indicates an initial occurrence based at least in part on the determination that both the first value and the second value are zero (Page 9 - the secondary control weight condition comprises: the bit value of the bit associated with each hash value is equal to the preset bit value. Exemplary, the preset bit value can be 1, if the bit value of the bit associated with each hash value is equal to 1, then determining the current transaction satisfies the secondary control weight condition, namely, the current transaction is the processed transaction; if the bit value associated with each hash value exists bit value of 0 bit, then determining that the current transaction does not satisfy the secondary control weight condition, namely, the current transaction is the transaction of the first processing).
Regarding claim 11,
Li further teaches
wherein generating the classification of the network event based at least in part upon a first value accessed from a memory at the first memory address and a second value accessed from the memory at the second memory address includes: determining that at least one of the first value and the second value is greater than zero; and indicating that the classification of the network event indicates a subsequent occurrence based at least in part on the determination that at least one of first value and the second value is greater than zero (Page 9 - the secondary control weight condition comprises: the bit value of the bit associated with each hash value is equal to the preset bit value. Exemplary, the preset bit value can be 1, if the bit value of the bit associated with each hash value is equal to 1, then determining the current transaction satisfies the secondary control weight condition, namely, the current transaction is the processed transaction; if the bit value associated with each hash value exists bit value of 0 bit, then determining that the current transaction does not satisfy the secondary control weight condition, namely, the current transaction is the transaction of the first processing).
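The two-layer check quoted from Li above (seeded hashes into a transaction bit array, then a database query only when every addressed bit equals 1) can be sketched as follows. This is an added illustration, not code from Li, the other cited references or the application; the class and function names, the seed values, the use of keyed BLAKE2b as the seeded hash, and the step that sets the bits after first processing are assumptions.

```python
import hashlib


class TwoLayerDedup:
    """First layer: bit array addressed by seeded hashes.
    Second layer: record store standing in for the transaction database."""

    def __init__(self, num_bits=1024, seeds=(b"seed-1", b"seed-2")):
        self.num_bits = num_bits
        self.seeds = seeds                 # one assumed seed per hash function
        self.bits = bytearray(num_bits)    # one byte per bit, for readability
        self.database = {}                 # transaction id -> record

    def positions(self, txn_id):
        """Hash the identifier once per seed to get one bit position each."""
        out = []
        for seed in self.seeds:
            digest = hashlib.blake2b(
                txn_id.encode(), digest_size=8, key=seed
            ).digest()
            out.append(int.from_bytes(digest, "big") % self.num_bits)
        return out

    def classify(self, merchant_no, order_no):
        """Return (classification, database_queried)."""
        # Identifier built from merchant number and order number.
        txn_id = f"{merchant_no}:{order_no}"
        pos = self.positions(txn_id)
        queried = False
        if all(self.bits[p] == 1 for p in pos):
            # Every addressed bit equals the preset value 1: the transaction
            # may have been processed, so the database decides.
            queried = True
            if txn_id in self.database:
                return "subsequent", queried
            # No record: the bit array gave a false positive.
        # At least one bit was 0, or no record exists: first processing.
        self.database[txn_id] = "processed"
        for p in pos:                      # assumed step: mark the identifier
            self.bits[p] = 1
        return "first", queried


def run_sample():
    """Classify constructed sample transactions (merchant number, order number)."""
    dedup = TwoLayerDedup()
    sample = [("M100", "A1"), ("M100", "A2"), ("M100", "A1")]
    return [dedup.classify(m, o) for m, o in sample]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

A repeated identifier always reaches the database and is classified as subsequent; an unseen identifier reaches the database only when its bit positions collide with earlier ones, which is why the bit array can be undersized without misclassifying, only at the cost of more queries.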
Regarding claim 14,
Li further teaches
wherein the network event is a network packet (Pages 6 & 7 - S110, obtaining the transaction identifier corresponding to the current transaction. wherein the current transaction can be the current transaction to be processed, for example, not finishing the transaction of clearing, or transaction of not finishing the deduction, and so on. the current transaction can be any consumption transaction, also can be any transaction account transaction, any transaction, any stored value transaction, including but not limited to card transaction, gateway jump transaction, application program skipping transaction, HS page jump transaction, scanning transaction and non-inductive payment transaction - transaction identification is generated by the merchant number and order number corresponding to the current transaction ; S120, determining the transaction identification corresponding to the transaction number group based on the transaction identification).
Regarding claim 15,
Li teaches a network event classification device, (Fig.1, Page 6) the device comprising:
a network interface circuit of a network interface circuit, a network event from a data communication network; a network processor configured to generate a transaction identifier identifying the network event; (Pages 6 & 7 - S110 - obtaining the transaction identifier corresponding to the current transaction. wherein the current transaction can be the current transaction to be processed, for example, not finishing the transaction of clearing, or transaction of not finishing the deduction, and so on. the current transaction can be any consumption transaction, also can be any transaction account transaction, any transaction, any stored value transaction, including but not limited to card transaction, gateway jump transaction, application program skipping transaction, HS page jump transaction, scanning transaction and non-inductive payment transaction - . transaction identification is generated by the merchant number and order number corresponding to the current transaction ; S120, determining the transaction identification corresponding to the transaction number group based on the transaction identification).
generate a search command including a [..] transaction identifier; and execute the search command, wherein executing the search command includes: hashing [..] the transaction identifier with a first hash seed to yield a first memory address, and hashing [..] the transaction identifier with a second hash seed to yield a second memory address; (Page 10 – determining transaction identification corresponding to the transaction based on transaction identification, calculating each hash value corresponding to the transaction identification based on transaction identification, determining whether the current transaction satisfies the secondary control weight condition according to each hash value and transaction number set, if it satisfies; determining the execution strategy of the current transaction according to the query result of the transaction identification in the database. The embodiment of the invention realizes the secondary control of the transaction by the transaction bit array and the database; the first layer of filtering transaction through transaction number group, so that only a small amount of transaction needs database query – calculating each hash value corresponding to the transaction identifier based on the transaction identifier; determining whether the current transaction satisfies the secondary control weight condition based on the hash value and the transaction number group; if the current transaction satisfies the secondary control weight condition, determining the execution strategy of the current transaction according to the query result of the transaction identification in the database. See Also Page 18).
generating a classification of the network event based at least in part upon a first value accessed from a memory at the first memory address and a second value accessed from the memory at the second memory address Page 18 - step 2, determining the Bloom filter corresponding to the transaction identification based on the first hash value of the transaction identification and the consistency hash ring. step 3, based on Bloom filter determining transaction identification corresponding to the transaction number group. step 4, calculating each hash value based on hash function corresponding to the Bloom filter; determining the bit position corresponding to the transaction bit group based on each hash value. step 5, judging whether the bit position corresponding to the transaction number group is 1; if not, executing step 6; if yes, executing step 7. step 6, performing transaction processing to the current transaction. step 7, according to the transaction identification judging database query whether there is transaction identification corresponding transaction record, -it can directly determine transaction identification corresponding to the transaction number group based on the transaction identification. Page 4 - if the database does not include the transaction record corresponding to the transaction identification, then determining the current transaction is the first transaction, transaction processing the current transaction, and transaction record corresponding to the transaction processing, storing the transaction record and the transaction identification associated to the database).
However, Li does not explicitly teach using the subset of transaction identifier.
generate a search command including a subset of the transaction identifier; and execute the search command includes, hashing the subset of the transaction identifier with a first hash seed to yield a first memory address, and hashing the subset of the transaction identifier with a second hash seed to yield a second memory address
transmitting the classification to a network security appliance, wherein the network security appliance performs one or more processes using the classification
Guleria teaches
generate a search command including a subset of the transaction identifier; and execute the search command includes, hashing the subset of the transaction identifier with a first hash seed to yield a first memory address, and hashing the subset of the transaction identifier with a second hash seed to yield a second memory address (¶ 0045 ¶0046 Packet classification involves executing a lookup in memory to classify the packet by determining which flow entry in the forwarding tables best matches the packet based upon the match structure, or key, of the flow entries. It is possible that many flows can correspond to a packet; in this case the system is typically configured to determine one flow from the many flows according to a defined scheme ( e.g. selecting a first flow entry that is matched. when the flow identification is computed with a hash function of a key associated with the packet ( e.g., CRC-32), a portion of the hash value (flow identification) is used to access the learn table. In a non-limiting example, the flow identification (e.g., a hash value computed with CRC-32) is 32 bits hash value, and 8 bits of these 32 bits are used to access the learn table element. – See Also ¶ 0052, ¶ 0066 - Note: the examiner interprets the subset of transaction id as the first portion of the flow id).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Guleria. The motivation for doing so is to allow system to provide techniques which avoid sending multiple requests to the control plane in order to learn the same flow and to avoid delays in the processing of new flow entries ( ¶ 0004 – Guleria).
Verma teaches
a network interface circuit of a network interface circuit, a network event from a data communication network, transmitting the classification to a network security appliance, wherein the network security appliance performs one or more processes using the classification (Fig.2 &3, Fig.8, ¶ 0261 – selective intelligent enforcement and/or selective offloading in mobile networks using a Smart NIC in accordance with some embodiments – ¶0262 -At 802, monitoring network traffic in a core mobile network using a Smart Network Interface Card (NIC) of a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications is performed. smart NIC can include a data processing unit (DPU). ¶0263 - the meta information associated with the new session can be extracted using the smart NIC of the network element in the core mobile network by performing inspection of packet forwarding control protocol (PFCP) messages, application programming interfaces (APis), and/or syslog messages. ¶0264 -applying selective intelligent enforcement and/or selective intelligent offloading is performed using the Smart NIC of the network element if the extracted meta information associated with the new session matches a selective intelligent enforcement policy and/or a selective intelligent offload policy. 
For example, the selective intelligent enforcement (SIE) policy and/or selective intelligent offloading (SITO) policy – ¶0065 - If the S-NSSAI to IP mappings match a selective intelligent enforcement (SIE) policy rule, then the security platform initiates/sets up a new session for this flow and instructs the Smart NIC (e.g., Smart NIC 204 implemented using a Smart NIC, DPU, UPF, or similar device) to send the traffic associated with this flow to the security platform (e.g., NGFW 202) to apply security (e.g., L7 security) as shown at 214 – (DPU within Smart NIC classify network traffic using SITO policy and if it matches, send classified traffic to firewall for to apply security).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Verma. The motivation for doing so is to allow system to effectively and efficiently apply inspection to selected users ( Verma – ¶0030).
Claims 3, 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Lan et al. Publication No. US 2021/0303984 A1 (Lan hereinafter).
Regarding claim 3,
Li does not explicitly teach
wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process.
However, Lan teaches
wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process (¶0044 - The network security device may reside within the particular network that it is protecting, or network security may be provided as a service with the network security device residing in the cloud. Non-limiting examples of security functions include. intrusion detection, denial of service attack (DoS) detection, logging).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Lan. The motivation for doing so is to allow system to classify encrypted network traffic data ( ¶ 0002 – Lan).
Regarding claim 16,
Li does not explicitly teach
wherein the device is implemented as a network interface card, and wherein the network interface card includes a first general purpose processor configured to interface with a second general purpose processor of a network security appliance.
However, Lan teaches
device is implemented as a network interface card, and wherein the network interface card includes a first general purpose processor configured to interface with a second general purpose processor of a network security appliance (¶ 0037 - Fig.1B – device is implemented as NIC and NIC includes processor configured to interface with second processor of network security device 102).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Lan. The motivation for doing so is to allow the system to classify encrypted network traffic data (¶ 0002 – Lan).
Regarding claim 17,
Li further teaches perform a network process using at least the classification of the network event (Page 4). However, Li does not explicitly teach
wherein the second general purpose processor is communicably coupled to a non-transitory computer readable medium having stored therein instructions which when executed by the second general purpose processor causes the second general purpose processor to wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process
Lan teaches
wherein the second general purpose processor is communicably coupled to a non-transitory computer readable medium having stored therein instructions which when executed by the second general purpose processor causes the second general purpose processor to perform a network process using at least the classification of the network event, and wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process (Fig.1B, ¶ 0037, ¶ 0027 - The network security device may reside within the particular network that it is protecting, or network security may be provided as a service with the network security device residing in the cloud. Non-limiting examples of security functions include. intrusion detection, denial of service attack (DoS) detection, logging).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Lan. The motivation for doing so is to allow the system to classify encrypted network traffic data (¶ 0002 – Lan).
Regarding claim 18,
Li does not explicitly teach
device is imbedded into a network security appliance, and where the network processor is coupled to a general purpose processor of the network security appliance
However, Lan teaches
wherein the device is imbedded into a network security appliance, and where the network processor is coupled to a general purpose processor of the network security appliance (¶ 0031 - Fig.1A – device is imbedded into network security device 102, and the network processor 112 is coupled to general purpose processor 104).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Lan. The motivation for doing so is to allow the system to classify encrypted network traffic data (¶ 0002 – Lan).
Regarding claim 19,
Li further teaches perform a network process using at least the classification of the network event (Page 4). However, Li does not explicitly teach
wherein the general purpose processor is communicably coupled to a non-transitory computer readable medium having stored therein instructions which when executed by the general purpose processor causes the general purpose processor to: wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process
Lan teaches
wherein the general purpose processor is communicably coupled to a non-transitory computer readable medium having stored therein instructions which when executed by the general purpose processor causes the general purpose processor to: perform a network process using at least the classification of the network event, and wherein the network process is selected from a group consisting of: a denial of service attack detection process, and a network transaction logging process (Fig.1B, ¶ 0037, ¶ 0027 - The network security device may reside within the particular network that it is protecting, or network security may be provided as a service with the network security device residing in the cloud. Non-limiting examples of security functions include. intrusion detection, denial of service attack (DoS) detection, logging).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Lan. The motivation for doing so is to allow the system to classify encrypted network traffic data (¶ 0002 – Lan).
Claims 5, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Chen et al. Publication No. US 2011/0069632 A2 (Chen hereinafter)
Regarding claim 5,
Li further teaches
wherein the classification of the network event indicates an initial occurrence (page 3 - if the database does not include the transaction record corresponding to the transaction identification, then determining the current transaction is the first transaction, transaction processing the current transaction, and generating transaction record corresponding to the transaction processing, storing the transaction record and the transaction identification associated to the database).
However, Li does not explicitly teach
executing, by the network classification circuit, an increment command, wherein executing the increment command includes: incrementing the first value at the first memory address and incrementing the second value at the second memory address.
Chen teaches
executing, by the network classification circuit, an increment command, wherein executing the increment command includes: incrementing the first value at the first memory address and incrementing the second value at the second memory address (¶ 0044 - For each first packet, an identifier for the flow is presented to the hash-function set of the current bloom filter. Each hash function in the set maps the flow identifier to a counter in the counter array of the current bloom filter. Whenever a flow identifier is mapped to a counter, the counter value is incremented by one- ¶ 0045 - Note that it is possible for two or more different hash functions in a single hash-function set to map a particular flow identifier to the same counter. In that case, the counter will be incremented once for each such hash function. Nevertheless, for a well-constructed bloom filter, there will be at least one counter that is mapped to by only a single hash function for a particular flow identifier and therefore incremented only once for that flow identifier in the current interval.).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Chen. The motivation for doing so is to allow the system to track and monitor long-duration network-data flows in a network (¶ 0002 – Chen).
Regarding claim 20,
Li further teaches
wherein the classification of the network event indicates an initial occurrence (page 3 - if the database does not include the transaction record corresponding to the transaction identification, then determining the current transaction is the first transaction, transaction processing the current transaction, and generating transaction record corresponding to the transaction processing, storing the transaction record and the transaction identification associated to the database).
However, Li does not explicitly teach
wherein the network processor is further configured to: execute an increment command, wherein executing the increment command includes: incrementing the first value at the first memory address and incrementing the second value at the second memory address.
Chen teaches
wherein the network processor is further configured to: execute an increment command, wherein executing the increment command includes: incrementing the first value at the first memory address and incrementing the second value at the second memory address (¶ 0044 - For each first packet, an identifier for the flow is presented to the hash-function set of the current bloom filter. Each hash function in the set maps the flow identifier to a counter in the counter array of the current bloom filter. Whenever a flow identifier is mapped to a counter, the counter value is incremented by one- ¶ 0045 - Note that it is possible for two or more different hash functions in a single hash-function set to map a particular flow identifier to the same counter. In that case, the counter will be incremented once for each such hash function. Nevertheless, for a well-constructed bloom filter, there will be at least one counter that is mapped to by only a single hash function for a particular flow identifier and therefore incremented only once for that flow identifier in the current interval.).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Chen. The motivation for doing so is to allow the system to track and monitor long-duration network-data flows in a network (¶ 0002 – Chen).
Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Chen further in view of Carter et al. Publication No. US 2013/0170067 A1 (Carter hereinafter)
Regarding claim 6,
Li does not explicitly teach
when a search command corresponding to either the first memory address or the second memory address has not been received for a defined period, executing, by the network classification circuit, a decrement command, wherein executing the decrement command includes: decrementing the first value at the first memory address and the second value at the second memory address.
However, Carter teaches
when a search command corresponding to either the first memory address or the second memory address has not been received for a defined period, executing, by the network classification circuit, a decrement command, wherein executing the decrement command includes: decrementing the first value at the first memory address and the second value at the second memory address (Claim 4 -measure an elapsed time since a last disk access command was received over the control interface; if said elapsed time exceeds a predetermined elapsed time and said value stored in the token storage element is greater than a predetermined value, decrement said value stored in the token storage element -¶ 0029 - The hard disk drive 100 may then evaluate one or more token values tied to the resources that might be impacted -The token values may be evaluated in several different ways in different embodiments. In some embodiments, there is a single token value for a given resource. See Also ¶ 0033).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Carter. The motivation for doing so is to allow the system to decrement values stored in a storage element (Carter – ¶ 0029).
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Chen further in view of Carter further in view of Panwar et al. Patent No. US 7,966,442 B1 (Panwar hereinafter)
Regarding claim 7,
Li does not explicitly teach
wherein the defined period is user programmable
However, Panwar teaches
defined period is user programmable (Col.10, lines 1-10 - an administrator may set the update period to one day or one hour).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Panwar. The motivation for doing so is to allow the user to set the period for tracking purposes.
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Chen further in view of Verplanken et al. Publication No. US 2021/0124694 A1 (Verplanken hereinafter)
Regarding claim 8,
Li does not explicitly teach
as part of the executing the increment command, queuing, by the network classification circuit, a decrement command
However, Verplanken teaches
as part of the executing the increment command, queuing, by the network classification circuit, a decrement command (¶ 0009 - in which when an increment request to increment the at least one counter is pending, the cache control circuitry is configured to prioritize the pending increment request in preference over a decrement request to decrement the at least one counter- ¶ 0015 - when an increment request to increment the at least one counter is pending, prioritizing the pending increment request in preference over a decrement request to decrement the at least one counter – ¶ 0031 - FIG. 9 is a flow diagram illustrating a method for allocating decrement requests to a decrement request buffer – ¶ 0043 - if two decrement/increment requests can be carried out per processing cycle, the cache control circuitry may delay the decrement request until a cycle in which either no increment requests are being processed, or only one increment request is being processed).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Verplanken. The motivation for doing so is to allow the system to prioritize the pending increment request in preference over a decrement request to decrement the at least one counter (¶ 0015 - Verplanken).
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Chen further in view of Verplanken further in view of Aybay et al. Publication No. US 2020/0127912 A1 (Aybay hereinafter).
Regarding claim 9,
Li does not explicitly teach
determining, by the network classification circuit, a time expiration of the decrement command; and based at least in part on the time expiration, executing, by the network classification circuit, the decrement command, wherein executing the decrement command includes: decrementing the first value at the first memory address and the second value at the second memory address.
However, Aybay teaches
determining, by the network classification circuit, a time expiration of the decrement command; and based at least in part on the time expiration, executing, by the network classification circuit, the decrement command, wherein executing the decrement command includes: decrementing the first value at the first memory address and the second value at the second memory address (¶0016 - the second logic module can be configured to decrement multiple flow state values stored within the memory based on a second algorithm ( or set of conditions) – ¶0036 - The flow state timing module 220 is configured to decrement ( e.g., decrement at a single memory location) one or more flow state values 22 when the flow state value(s) 22 are selected by the flow state timing module 220 based on sequential processing through the flow state values 22 stored at given memory locations within the memory 240. For example, a first flow state value (from the flow state values 22) at a first memory location from the memory 240 can be selected based on sequential processing through the memory locations of the memory 240 - ¶0059 - some embodiments, the sequential processing through the memory locations of the memory 240 can be based on various time periods. For example, the flow state timing module 220 can be configured to decrement a flow state value at one or more of the memory locations after a specified time period (e.g., a 2 millisecond) has expired. The specified time period can be referred to as a wait time period or as a decrement wait time period).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Aybay. The motivation for doing so is to allow the system to prioritize the pending increment request in preference over a decrement request to decrement multiple flow state values stored within the memory based on a set of conditions (¶ 0016 - Aybay).
Claims 12, 13 are rejected under 35 U.S.C. 103 as being unpatentable over Li in view of Guleria further in view of Verma further in view of Verplanken further in view of Heo et al. Publication No. US 2021/0374131 A1 (Heo hereinafter)
Regarding claim 12,
Li does not explicitly teach
wherein the search command is stored in a search command queue, the increment command is stored in an increment command queue, and the decrement command is stored to a decrement command queue.
However, Verplanken teaches
the increment command is stored in an increment command queue, and the decrement command is stored to a decrement command queue ( ¶ 0098- The cache control circuitry 102 prioritizes pending increment requests to any of the counters stored in the SRAM over the decrement requests stored in the decrement request buffer 110, for example by waiting until a processing cycle in which no increment requests are executed ( e.g. a cycle in which no allocations to the cache are made) to process the next decrement request in the decrement request buffer 110. It should be noted that increment requests to any of the stored counters are prioritized over decrement requests to any of the stored counters, even if the decrement request is to another one of the stored counters, rather than merely prioritizing increment requests to a given counter over decrement requests to that same counter).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Verplanken. The motivation for doing so is to allow the system to prioritize the pending increment request in preference over a decrement request to decrement the at least one counter (¶ 0015 - Verplanken).
However, Li in view of Verplanken does not explicitly teach wherein the search command is stored in a search command queue.
Heo teaches
search command is stored in a search command queue (¶ 0065 - The command queue 110 sequentially stores search commands).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li in view of Verplanken to include the teachings of Heo. The motivation for doing so is to allow the system to store search commands in a command queue for processing (Heo – ¶ 0065).
Regarding claim 13,
Li does not explicitly teach
wherein accessing a command by the network classification circuit from one of the search command queue, the increment command queue, or the decrement command is based upon a priority algorithm, and wherein the priority algorithm causes all commands in the increment command queue to be executed before any command in either the search command queue or the decrement command queue.
However, Verplanken teaches
wherein accessing a command by the network classification circuit from one of the search command queue, the increment command queue, or the decrement command is based upon a priority algorithm, and wherein the priority algorithm causes all commands in the increment command queue to be executed before any command in either the search command queue or the decrement command queue (¶ 0009 - in which when an increment request to increment the at least one counter is pending, the cache control circuitry is configured to prioritize the pending increment request in preference over a decrement request to decrement the at least one counter – ¶ 0037 -Prioritizing requests to increment the counters over requests to decrement the counters allows the performance of the system to be further improved - ¶ 0098- The cache control circuitry 102 prioritizes pending increment requests to any of the counters stored in the SRAM over the decrement requests stored in the decrement request buffer 110, for example by waiting until a processing cycle in which no increment requests are executed ( e.g. a cycle in which no allocations to the cache are made) to process the next decrement request in the decrement request buffer 110. It should be noted that increment requests to any of the stored counters are prioritized over decrement requests to any of the stored counters, even if the decrement request is to another one of the stored counters, rather than merely prioritizing increment requests to a given counter over decrement requests to that same counter).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Li to include the teachings of Verplanken. The motivation for doing so is to allow the system to prioritize the pending increment request in preference over a decrement request to decrement the at least one counter (¶ 0015 - Verplanken).
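The counter mechanism at issue in the rejections of claims 5, 8, 9, 12 and 13, sketched as an added illustration that is not code from the application, the cited references, or this Office action: a flow identifier hashes to two counter addresses, a search classifies the flow as initial or repeat, an increment queues a timed decrement, and queued increments run before any search or decrement. The class names, the BLAKE2 hashing, the array size, running searches ahead of decrements, and fixing the decrement expiry at increment time are assumptions made for the sketch.

```python
import hashlib
from collections import deque


class CountingFilter:
    """Counter array addressed by k hashes of a flow identifier (assumed layout)."""

    def __init__(self, size=1024, k=2):
        self.counters = [0] * size
        self.k = k

    def addresses(self, flow_id):
        # One address per hash function. Two functions may land on the same
        # counter; that counter is then touched once per function.
        out = []
        for i in range(self.k):
            digest = hashlib.blake2b(flow_id.encode(), salt=bytes([i])).digest()
            out.append(int.from_bytes(digest[:8], "big") % len(self.counters))
        return out

    def search(self, flow_id):
        # Seen before only if every addressed counter is non-zero.
        return all(self.counters[a] > 0 for a in self.addresses(flow_id))

    def increment(self, flow_id):
        for a in self.addresses(flow_id):
            self.counters[a] += 1

    def decrement(self, flow_id):
        for a in self.addresses(flow_id):
            if self.counters[a] > 0:  # never underflow a counter
                self.counters[a] -= 1


class Classifier:
    """Three command queues drained under an increment-first priority rule."""

    def __init__(self, period=5.0):
        self.filter = CountingFilter()
        self.period = period       # the "defined period", settable by the user
        self.searches = deque()
        self.increments = deque()
        self.decrements = deque()  # (expires_at, flow_id), oldest first
        self.results = []          # (flow_id, "initial" | "repeat")

    def submit_search(self, flow_id):
        self.searches.append(flow_id)

    def step(self, now):
        """Execute at most one command; return False when none is runnable."""
        if self.increments:  # highest priority: drain every increment first
            flow_id = self.increments.popleft()
            self.filter.increment(flow_id)
            # Executing the increment queues the matching timed decrement.
            self.decrements.append((now + self.period, flow_id))
            return True
        if self.searches:
            flow_id = self.searches.popleft()
            seen = self.filter.search(flow_id)
            self.results.append((flow_id, "repeat" if seen else "initial"))
            if not seen:  # initial occurrence: record it
                self.increments.append(flow_id)
            return True
        if self.decrements and self.decrements[0][0] <= now:
            _, flow_id = self.decrements.popleft()  # time expiration reached
            self.filter.decrement(flow_id)
            return True
        return False

    def run(self, now):
        while self.step(now):
            pass
        return self.results
```

Because the counters are shared, two different flows can address the same counters, so a "repeat" result can be a false positive; the timed decrement is what lets an idle flow be classified as initial again.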
Conclusion
Applicant's amendment necessitated the new grounds of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YOUNES NAJI whose telephone number is (571)272-2659. The examiner can normally be reached Monday - Friday 8:30 AM -5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar A Louie can be reached on (571) 270-1684. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/YOUNES NAJI/Primary Examiner, Art Unit 2445