DETAILED ACTION
This office action is a response to the application filed on 12/8/2023, which claims priority from the provisional application 63/386,817 filed on 12/9/2022. Claims 1-20 are pending and ready for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6-8, 10-12 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Falk et al. (US 2023/0030504; provided in IDS dated 2/12/2025, hereinafter Falk) in view of Schirck (US 2021/0021622; provided in IDS dated 2/12/2025).
Regarding claim 1, Falk discloses a data diode, comprising: a first network interface circuitry, comprising: a first processing element; a first network connector, coupled to the first processing element; [Falk Figure 1 discloses a transmission device 1 in the form of a unidirectional data diode (Falk Figure 1, paragraphs 0067 and 0068). The device has a first network port P1 (a first network connector) for coupling to the first network NW1. The device includes a first detection unit 3, which is connected to the first network port (Falk Figure 1, paragraphs 0069, 0070). The device comprises a first CPU in which the first detection unit 3 is implemented (i.e. a first processing element) (Falk paragraph 0078). The first detection unit 3 and the first network port P1 together comprise a first network interface circuitry] and
a second network interface circuitry, comprising: a second processing element; and a second network connector, coupled to the second processing element [Falk discloses that the transmission device includes a second network port P2 (a second network connector) for coupling to the second network NW2. A second detection unit 4 (a second processing element) is connected to the second network connector (Falk Figure 1, paragraphs 0069, 0071). The device comprises a second CPU in which the second detection unit 4 is implemented (i.e. a second processing element) (Falk paragraph 0078). The second detection unit 4 and the second network port P2 together comprise a second network interface circuitry];
a one-way data bridge coupled between the first processing element and the second processing element that allows data flow from the first processing element to the second processing element and physically prohibits data flow from the second processing element to the first processing element [Falk discloses that the transmission device may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081)]; and
a network tap, comprising: a first network port; a second network port [Falk discloses a system comprising a network switch 2 and transmission device 1 (Falk Figure 1, paragraphs 0076-0077). This system is similar to a network tap. An input (i.e. a first network port) of the network switch is connected to the first network to receive data from the first network (Falk paragraph 0077). A mirror port SP (i.e. a second network port) in the form of an output of the network switch 2 is connected to the first network port P1 (Falk paragraph 0077)]; and
a network switch, configured to mirror network traffic received from the first network port to both the first processing element and the second network port [Falk discloses that the network switch is arranged between the first network NW1 and the first network port P1 (Falk paragraph 0076). The mirror port SP in the form of an output of the network switch 2 is connected to the first network port P1 for the purpose of transmitting data (Falk paragraph 0077). The mirror port SP (the second network port) outputs the data from network 1 to the first unit 3 (first processing element) as disclosed in Figures 1 and 2 (see Falk Figures 1, 2 and paragraphs 0028-0029)].
Although Falk discloses a transmission device 1 in the form of a unidirectional data diode (Falk Figure 1) which may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081), implying a one-way data bridge, Falk does not expressly disclose the feature of the one-way data bridge that allows data flow from the first processing element to the second processing element and physically prohibits data flow from the second processing element to the first processing element.
However, in the same or similar field of invention, Schirck Figures 1-2 disclose a network traffic monitoring device 2 (similar to a data diode) which includes traffic capture component 4 and analysis component 6 (similar to first and second processing elements) connected to each other by means of a unidirectional bus 16 (i.e. a one-way data bridge), which may prevent any information from traveling from component 6 to component 4 (Schirck Figures 1-2, paragraph 0069; also see paragraphs 0054-0068 and 0070-0074). Schirck also discloses that the network device may be used as a network tap, as one copy of each data packet is provided to the analysis component and one copy to the other network connector (Schirck paragraph 0006).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk to have the feature of the one-way data bridge that allows data flow from the first processing element to the second processing element and physically prohibits data flow from the second processing element to the first processing element, as taught by Schirck. The suggestion/motivation would have been to provide an improved network tap and reduce consumption of network resources (Schirck paragraphs 0003 and 0009).
Regarding claim 6, Falk and Schirck disclose the data diode of claim 1. Falk and Schirck further disclose wherein the first processing element is programmed to monitor the network traffic and send information about the network traffic to the second processing element via the one-way data bridge [Falk discloses that the first detection unit receives data transmitted from the first network and detects anomalies in the received data. The first detection unit 3 is also configured to transmit a first detection signal at least to the second detection unit 4 when anomalies are detected in the received data (i.e. monitor network traffic and send information about the network traffic to the second processing element) (Falk paragraph 0070)]. In addition, the same motivation applies as in the rejection of claim 1.
Regarding claim 7, Falk discloses a network tap, comprising: a one-way data bridge having a first end and a second end that allows data flow from the first end to the second end and physically prohibits data flow from the second end to the first end [Falk discloses a system comprising a network switch 2 and transmission device 1 (Falk Figure 1, paragraphs 0076-0077). This system is similar to a network tap. Falk discloses that the transmission device may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081)];
a first network port; a second network port [Falk discloses that an input (i.e. a first network port) of the network switch is connected to the first network to receive data from the first network (Falk paragraph 0077). A mirror port SP (i.e. a second network port) in the form of an output of the network switch 2 is connected to the first network port P1 (Falk paragraph 0077)]; and
a network switch, configured to mirror network traffic received from the first network port to both the second network port and the first end of the one-way data bridge [Falk discloses that the network switch is arranged between the first network NW1 and the first network port P1 (Falk paragraph 0076). The mirror port SP in the form of an output of the network switch 2 is connected to the first network port P1 for the purpose of transmitting data (Falk paragraph 0077). The mirror port SP (the second network port) outputs the data from network 1 to the first unit 3 (first processing element) as disclosed in Figures 1 and 2 (see Falk Figures 1, 2 and paragraphs 0028-0029). The first unit is at the first end of the gateway].
Although Falk discloses a transmission device 1 in the form of a unidirectional data diode (Falk Figure 1) which may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081), implying a one-way data bridge, Falk does not expressly disclose the feature of a one-way data bridge having a first end and a second end that allows data flow from the first end to the second end and physically prohibits data flow from the second end to the first end.
However, in the same or similar field of invention, Schirck Figures 1-2 disclose a network traffic monitoring device 2 which includes traffic capture component 4 and analysis component 6 connected to each other by means of a unidirectional bus 16 (i.e. a one-way data bridge), which may prevent any information from traveling from component 6 to component 4 (Schirck Figures 1-2, paragraph 0069; also see paragraphs 0054-0068 and 0070-0074). As disclosed in Figures 1-2, component 4 is at one end of the bus and component 6 is at the other end. Schirck also discloses that the network device may be used as a network tap, as one copy of each data packet is provided to the analysis component and one copy to the other network connector (Schirck paragraph 0006).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk to have the feature of a one-way data bridge having a first end and a second end that allows data flow from the first end to the second end and physically prohibits data flow from the second end to the first end, as taught by Schirck. The suggestion/motivation would have been to provide an improved network tap and reduce consumption of network resources (Schirck paragraphs 0003 and 0009).
Regarding claim 8, Falk and Schirck disclose the network tap of claim 7. Falk and Schirck further disclose wherein the first end of the one-way data bridge comprises a first processing element [Schirck discloses that component 4 is at the first end of the unidirectional bus 16 (Schirck Figures 1-2)]. In addition, the same motivation applies as in the rejection of claim 7.
Regarding claim 10, Falk and Schirck disclose the network tap of claim 8. Falk and Schirck further disclose a first network connector, coupled to the first processing element [Falk discloses that the device has a first network port P1 (a first network connector) for coupling to the first network NW1. The device includes a first detection unit 3, which is connected to the first network port (Falk Figure 1, paragraphs 0069, 0070). The device comprises a first CPU in which the first detection unit 3 is implemented (i.e. a first processing element) (Falk paragraph 0078)]. In addition, the same motivation applies as in the rejection of claim 8.
Regarding claim 11, Falk and Schirck disclose the network tap of claim 7. Falk and Schirck further disclose wherein the second end of the one-way data bridge comprises a second processing element [Schirck discloses that component 6 (a second processing element) is at the second end of the unidirectional bus 16 (Schirck Figures 1-2)]. In addition, the same motivation applies as in the rejection of claim 7.
Regarding claim 12, Falk and Schirck disclose the network tap of claim 11. Falk and Schirck further disclose a second network connector, coupled to the second processing element [Falk discloses that the transmission device includes a second network port P2 (a second network connector) for coupling to the second network NW2. A second detection unit 4 (a second processing element) is connected to the second network connector (Falk Figure 1, paragraphs 0069, 0071). The device comprises a second CPU in which the second detection unit 4 is implemented (i.e. a second processing element) (Falk paragraph 0078)]. In addition, the same motivation applies as in the rejection of claim 11.
Regarding claim 16, Falk discloses a method of tapping a network, comprising: receiving network traffic by a first network port [Falk discloses a system comprising a network switch 2 and transmission device 1 (Falk Figure 1, paragraphs 0076-0077). This system is similar to a network tap. An input (i.e. a first network port) of the network switch is connected to the first network to receive data from the first network (Falk paragraph 0077)];
sending the network traffic from the first network port to a network switch; mirroring the network traffic by the network switch to both a first processing element of a data diode and a second network port [Falk discloses that the transmission device 1 may be in the form of a unidirectional data diode (Falk Figure 1, paragraphs 0067 and 0068). The device includes a first detection unit 3, which is connected to the first network port (Falk Figure 1, paragraphs 0069, 0070). The device comprises a first CPU in which the first detection unit 3 is implemented (i.e. a first processing element) (Falk paragraph 0078). Falk discloses that the network switch is arranged between the first network NW1 and the first network port P1 (Falk paragraph 0076), and the input (i.e. a first network port) of the network switch is connected to the first network to receive data from the first network (sending network traffic to a network switch) (Falk paragraph 0077). A mirror port SP (i.e. a second network port) in the form of an output of the network switch 2 is connected to the first network port P1 (Falk paragraph 0077). The mirror port SP (the second network port) outputs the data from network 1 to the first unit 3 (first processing element of the data diode) as disclosed in Figures 1 and 2 (see Falk Figures 1, 2 and paragraphs 0028-0029)]; and
sending the network traffic or information about the network traffic from the first processing element of the data diode to a second processing element of the data diode via a one-way data bridge that physically prohibits data flow from the second processing element to the first processing element [Falk discloses that the transmission device may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081)].
Although Falk discloses a transmission device 1 in the form of a unidirectional data diode (Falk Figure 1) which may include a gateway 6, which is placed between the first and second detection units (Falk Figure 2, paragraphs 0080 and 0081), implying a one-way data bridge, Falk does not expressly disclose the feature of a one-way data bridge that physically prohibits data flow from the second processing element to the first processing element.
However, in the same or similar field of invention, Schirck Figures 1-2 disclose a network traffic monitoring device 2 (similar to a data diode) which includes traffic capture component 4 and analysis component 6 (similar to first and second processing elements) connected to each other by means of a unidirectional bus 16 (i.e. a one-way data bridge), which may prevent any information from traveling from component 6 to component 4 (Schirck Figures 1-2, paragraph 0069; also see paragraphs 0054-0068 and 0070-0074). Schirck also discloses that the network device may be used as a network tap, as one copy of each data packet is provided to the analysis component and one copy to the other network connector (Schirck paragraph 0006).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk to have the feature of a one-way data bridge that physically prohibits data flow from the second processing element to the first processing element, as taught by Schirck. The suggestion/motivation would have been to provide an improved network tap and reduce consumption of network resources (Schirck paragraphs 0003 and 0009).
Claims 2, 13, 17 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Falk in view of Schirck, and further in view of Sufleta (US 2017/0214566).
Regarding claim 2, Falk and Schirck disclose the data diode of claim 1. Falk and Schirck further disclose wherein the network tap further comprises: a relay switch, connected between the first network port and the network switch, configured to pass network traffic from the first network port to the second network port upon a power loss by the data diode [Schirck discloses that the device may include a fail-safe circuit comprising a relay switch configured to guide the signals from connector 12 to 14 (Schirck Figure 4, paragraph 0090)].
Falk and Schirck do not expressly disclose the feature of the relay switch configured to pass network traffic from the first network port to the second network port upon a power loss by the data diode.
However, in the same or similar field of invention, Sufleta discloses an example of a network switch appliance in a power loss state where bypass switches 126a-b are configured such that the switching component 124 is bypassed (i.e. passing network traffic from one network port to the other network port during power loss) (Sufleta Figure 3C, paragraph 0046).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk and Schirck to have the feature of the relay switch configured to pass network traffic from the first network port to the second network port upon a power loss by the data diode, as taught by Sufleta. The suggestion/motivation would have been to improve monitoring reliability and avoid network interruptions (Sufleta paragraph 0002).
Regarding claim 13, Falk and Schirck disclose the network tap of claim 7. Falk and Schirck further disclose a relay switch, connected between the first network port and the network switch, configured to pass network traffic from the first network port to the second network port upon a power loss by the network tap [Schirck discloses that the device may include a fail-safe circuit comprising a relay switch configured to guide the signals from connector 12 to 14 (Schirck Figure 4, paragraph 0090)].
Falk and Schirck do not expressly disclose the feature of the relay switch configured to pass network traffic from the first network port to the second network port upon a power loss by the network tap.
However, in the same or similar field of invention, Sufleta discloses an example of a network switch appliance in a power loss state where bypass switches 126a-b are configured such that the switching component 124 is bypassed (i.e. passing network traffic from one network port to the other network port during power loss) (Sufleta Figure 3C, paragraph 0046).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk and Schirck to have the feature of the relay switch configured to pass network traffic from the first network port to the second network port upon a power loss by the network tap, as taught by Sufleta. The suggestion/motivation would have been to improve monitoring reliability and avoid network interruptions (Sufleta paragraph 0002).
Regarding claim 17, Falk and Schirck disclose the method of claim 16. Falk and Schirck do not expressly disclose disconnecting the network switch from the second network port upon power loss.
However, in the same or similar field of invention, Sufleta discloses an example of a network switch appliance in a power loss state where bypass switches 126a-b are configured such that the switching component 124 is bypassed (similar to disconnecting the network switch from the second network port) (Sufleta Figure 3C, paragraph 0046).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk and Schirck to have the feature of disconnecting the network switch from the second network port upon power loss, as taught by Sufleta. The suggestion/motivation would have been to improve monitoring reliability and avoid network interruptions (Sufleta paragraph 0002).
Regarding claim 19, Falk and Schirck disclose the method of claim 16. Falk and Schirck further disclose wherein sending the network traffic from the first network port to the network switch comprises: sending the network traffic from the first network port to a relay switch coupled to both the network switch and the second network port; sending the network traffic from the relay switch to the network switch while power is on to the relay switch; and sending the network traffic from the relay switch to the second network port upon loss of power by the relay switch [Schirck discloses that the device may include a fail-safe circuit comprising a relay switch configured to guide the signals from connector 12 to 14 (Schirck Figure 4, paragraph 0090)].
Falk and Schirck do not expressly disclose the features of sending the network traffic from the relay switch to the second network port upon loss of power by the relay switch.
However, in the same or similar field of invention, Sufleta Figure 3B discloses an example of a network switch appliance in a normal operating state (i.e. a power on state) (Sufleta Figure 3B, paragraph 0045). Figure 3C discloses an example of the network switch appliance in a power loss state where bypass switches 126a-b are configured such that the switching component 124 is bypassed (similar to sending traffic from the relay to the second port upon loss of power) (Sufleta Figure 3C, paragraph 0046).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk and Schirck to have the feature of sending the network traffic from the relay switch to the second network port upon loss of power by the relay switch, as taught by Sufleta. The suggestion/motivation would have been to improve monitoring reliability and avoid network interruptions (Sufleta paragraph 0002).
Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Falk in view of Schirck, and further in view of Lee et al. (US 2021/0367973, hereinafter Lee).
Regarding claim 15, Falk and Schirck disclose the network tap of claim 7. Falk and Schirck do not expressly disclose wherein the one-way data bridge comprises a photocoupler.
However, in the same or similar field of invention, Lee Figure 2 discloses an example layout of the components of a main channel of a data diode (Lee Figure 2, paragraph 0035). The main channel is comprised of two portions that communicate with each other in a one-way manner across one or more one-way data bridges that enforce one-way communication. In some embodiments, photocouplers (also known as optocouplers or optical isolators) may be used for this purpose (Lee paragraph 0037).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Falk and Schirck to have the feature wherein the one-way data bridge comprises a photocoupler, as taught by Lee. The suggestion/motivation would have been to provide hardware-enforced one-way data transfer with a secure reverse channel (Lee paragraph 0002).
Allowable Subject Matter
Claims 3, 5, 9, 14, 18 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 3 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of wherein the network tap further comprises: an analog switch, connected to the network switch and the second network port, configured to disconnect the second network port from the network switch upon the power loss by the data diode; in combination with all other limitations in the base claim and any intervening claims.
Claim 5 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of wherein the first processing element is programmed to: detect an anomaly in the network traffic; and control the network switch to stop mirroring data flow toward the second network port; in combination with all other limitations in the base claim and any intervening claims.
Claim 9 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of wherein the first processing element is programmed to: detect an anomaly in the network traffic; and control the network switch to stop mirroring the network traffic toward the second network port responsive to detecting the anomaly; in combination with all other limitations in the base claim and any intervening claims.
Claim 14 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of an analog switch, connected to the network switch and the second network port, configured to disconnect the second network port from the network switch upon a power loss by the network tap; in combination with all other limitations in the base claim and any intervening claims.
Claim 18 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of wherein disconnecting the network switch from the second network port upon power loss comprises: switching an analog switch from a first state to a second state upon loss of power; sending the network traffic from the network switch through the analog switch to the second network port in the first state; and disconnecting the network switch from the second network port in the second state; in combination with all other limitations in the base claim and any intervening claims.
Claim 20 would be allowable because the closest prior art, either alone or in combination, fails to anticipate or render obvious the features of detecting by the first processing element an anomaly in the network traffic received from the network switch; and interrupting data flow from the first network port to the second network port responsive to detecting the anomaly; in combination with all other limitations in the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAUMIT SHAH whose telephone number is (571)272-6959. The examiner can normally be reached Monday - Friday 9 am - 6 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, EDAN ORGAD can be reached at (571) 272-7884. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAUMIT SHAH/Primary Examiner, Art Unit 2414