Prosecution Insights
Last updated: April 18, 2026
Application No. 18/088,003

NETWORKING OVERHEAD REDUCTION FOR ENCRYPTED VIRTUAL MACHINES

Status: Final Rejection §103
Filed: Dec 23, 2022
Examiner: KIM, EUI H
Art Unit: 2453
Tech Center: 2400 — Computer Networks
Assignee: Red Hat Inc.
OA Round: 4 (Final)

Grant Probability: 49% (Moderate)
Expected OA Rounds: 5-6
Expected Time to Grant: 3y 4m
Grant Probability With Interview: 99%

Examiner Intelligence

Career Allow Rate: 49% of resolved cases (76 granted / 156 resolved; -9.3% vs TC avg)
Interview Lift: +52.9% (strong; allowance rate with vs. without an interview, resolved cases)
Avg Prosecution: 3y 4m (typical timeline)
Currently Pending: 28
Total Applications: 184 (career history, across all art units)

Statute-Specific Performance

Statute   Rate    vs TC avg
§101      10.5%   -29.5%
§103      65.9%   +25.9%
§102      10.4%   -29.6%
§112       7.1%   -32.9%

Note: in the original chart the black line marks the Tech Center average estimate. Based on career data from 156 resolved cases.

Office Action (§103)
DETAILED ACTION This office action is in response to the amendments filed on 11/26/2025. Claims 1, 7-8 and 15 are amended. Claims 13-14 are cancelled. Claims 1-12, 15-20 are presented for examination. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Arguments Applicant’s arguments with respect to the 35 USC 103 rejections to the claims filed on 11/26/2025 in Remarks pg. 6-9 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. Applicant further argues in essence: [a] “Applicant's claim 1, as amended, further recites "determining, by the VM, whether the data packet is encrypted based on determining that the identified network connection is associated with an encryption option indicating data encryption." This amendment is supported, for example, by paragraph 0042 of the subject application. The Patent Office asserts that this limitation, prior to the amendment herein, is disclosed at paragraph 0027 of Kumar (Office Action, p. 4). Applicant respectfully disagrees. Paragraph 0023 of Kumar discloses that an SVM 111 "determines whether the outgoing data packet is for a new SSL session or for an existing SSL session." Nowhere does Kumar "determine whether" a data packet is encrypted. Kumar simply determines whether to send the packet via "a new SSL session or for an existing SSL session." There is no determination whether the packet is encrypted. The determination in Kumar relates to which of two different SSL sessions to use, not that of whether the packet is encrypted.” Pg. 7, “Claim 8 contains many of the limitations discussed herein with regard to claim 1 and should thus be allowable for at least the same reasons.” Pg. 
8 In response to [a], while examiner relies upon a different combination of references for claims 1 and 15, examiner maintains Kumar for that of Claim 8 for at least "determining, by the VM, whether the data packet is encrypted based on determining that the identified network connection is associated with an encryption option indicating data encryption.". Claim 8 is on the receiving side of the packet rather than sending, and on reception of the packet, Kumar discloses decryption of the packet: Kumar: determine, by the VM, whether the data packet is encrypted based on determining that the specified network connection is associated with an encryption option indicating that the data packet is encrypted (Kumar: para.0003 “For example, an application configured to use SSL encryption establishes a secure connection with a server encrypts data using a shared secret negotiated during the establishment of the secure connection, and sends encrypted data to the destination server.” para.0034 “At block 240, SVM 111 determines whether the incoming data packet is for establishing a new SSL session or associated with an existing SSL session.” Para.0037 “At block 255, when the incoming data packet is for an existing SSL session, SVM 111 decrypts the data packet.” It can be determined that the packet is associated with an SSL encryption option, i.e. the packet is encrypted). After determining the packet is encrypted based on determining the packet is associated with an existing SSL session, therefore indicating the packet is encrypted. Further, Kumar discloses actually decrypting the packet after this step. Therefore Kumar is relied upon for the rejection of claim 8, explained in more detail below. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 
103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, 4, 15, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1). Regarding Claim 1, Wang discloses A method comprising: receiving, by a virtual machine (VM) running on a host computer system, a request to send a data packet to a specified recipient via a network (Wang: col. 8 lines 1-18 “At 445 in FIG. 4, VM1 131 may generate packets “P1” and “P2” that are destined for VM2 132. At 450, when packets “P1” and “P2” reach NIC driver 155, VM1 131 may examine their destination address information and search buffer map 181 for an entry matching (VLAN ID=10, MAC-2, IP-2) associated with VM2 132.” The VM operating on Host 110 in Fig. 1, receives a request to send a packet to a destination address, i.e. specified recipient, via a network VLAN 10 during step 445 of Fig. 4.), identifying, by the VM, a network connection to the specified recipient (Wang: col. 8 lines 1-18 “At 445 in FIG. 4, VM1 131 may generate packets “P1” and “P2” that are destined for VM2 132. 
At 450, when packets “P1” and “P2” reach NIC driver 155, VM1 131 may examine their destination address information and search buffer map 181 for an entry matching (VLAN ID=10, MAC-2, IP-2) associated with VM2 132.” The VM identifies the network connection to the recipient, VLAN ID=10); storing the data packet in a shared memory buffer of the host computer system (Wang: col. 8 lines 1-18 “ At 455, based on the matching entry added at block 435, VM1 131 may access TX packet buffer 210 (TX-1-2) to store or write packets “P1” and “P2” in shared memory location 252 that is mapped to both TX packet buffer 210 (TX-1-2) and RX packet buffer 220 (RX-1-2).” In Fig. 4 step 455, the packet is stored in shared memory of the host 252 in Fig. 2), wherein the shared memory buffer is accessible to the specified recipient (Col. 8 line 66-col. 9 line 7 “At 470 in FIG. 4, in response to detecting second notification 469 from virtual switch 116, VM2 132 may access RX packet buffer 220 (RX-1-2) to receive packets “P1” and “P2,”” the recipient VM has access to the shared memory buffer via buffer 220 that is mapped to the shared memory location. ); and sending, to the specified recipient, an address of the shared memory buffer in lieu of the data packet (Wang: col. 8 lines 63-65 “Second notification 469 may identify sections with respective indices k=0 and k=1 of RX packet buffer 220 from which the packets are accessible by the recipient.” Fig. 4 step 469 sends to the recipient the locations within the shared memory buffer are sent instead of the packet itself.). 
However Wang does not explicitly disclose the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system; determining, by the VM, whether the data packet is encrypted based on determining that the identified network connection is associated with an encryption option indicating data encryption; responsive to determining that the data packet is encrypted, storing the data packet in a shared memory buffer of the host computer system Eckert discloses determining, by the VM, whether the data packet is encrypted based on determining that the identified network connection is associated with an encryption option indicating data encryption (Eckert: para.0063-0065 “At block 701, the initiator receives a socket connection request for a destination. … At block 704, the method 700 determines whether the destination is reachable via the ACP network.…At block 705, the method 700 determines whether the application has already performed encryption on the packet, such as TLS and/or dTLS.” para.0066 “Method 700 allows the transport shim to forgo intercepting connections and performing transparent encryption for applications that are known to already use sufficient end-to-end encryption (for example via a TLS/dTLS library like OpenSSL). This may be achieved through configuration or by recognizing that the application links against the encryption library. It should be noted that applications that are not aware of different VRFs in network devices can often accept connections from multiple VRFs. Method 700 ensures the transport shim will only perform encryption if the connection is between LS-ACP VRFs, and hence between two LS-ACP compliant nodes. This allows the system to provide the best possible security depending on the constraints of the devices involved.” It can be determined by the transport shim 440 in fig. 
4 that the application link is associated with end to end application encryption based on a connection request, therefore determining that any packet received for that link is already encrypted.); responsive to determining that the data packet is encrypted, transmitting the packet (Eckert: para.0050 “the LS-ACP VRF 420 may receive a request from a source application 412 to initiate a connection with a remote network node. In other words, the LS-ACP VRF 420 receives the packet for transmission toward the remote network node as processed by the transport shim 440 via initiator 441.” After establishing the connection, including the steps of Fig. 7 above, any packet received is determined to already have been encrypted, and the packet is transmitted to its destination.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang with Eckert in order to incorporate determining, by the VM, whether the data packet is encrypted based on determining that the identified network connection is associated with an encryption option indicating data encryption; responsive to determining that the data packet is encrypted, transmitting the packet, and apply this to the communication method of Wang wherein the shared memory is used to store the packet for later retrieval. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of balanced security and network performance (Eckert: para.0004), which is a concern also addressed in Wang (Fig. 4 464) However Wang-Eckert does not explicitly disclose the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system. 
Kaplan discloses the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system (Kaplan: para.0018 “Using the techniques described herein, the encryption module of the memory controller is employed to cryptographically protect the information of each VM from access by the hypervisor or by other executing VMs. ” Each VM comprises cryptographically protected memory that is not accessible by other VMs and hypervisors.) Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert with Kaplan in order to incorporate the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security in the virtual system (Kaplan: para.0018). Regarding Claim 4, Wang-Eckert-Kaplan discloses claim 1 as set forth above. Wang further discloses storing a header along with the data packet in the shared memory buffer (Wang: col. 8 lines 1-18 “ At 455, based on the matching entry added at block 435, VM1 131 may access TX packet buffer 210 (TX-1-2) to store or write packets “P1” and “P2” in shared memory location 252 that is mapped to both TX packet buffer 210 (TX-1-2) and RX packet buffer 220 (RX-1-2).” In Fig. 4 step 455, the packet is stored in shared memory of the host 252 in Fig. 2. The whole packet is stored in the shared memory, therefore the header is stored with the data packet. Col. 8 lines 45-64 packet header.). Regarding Claim 15 and 18, it teaches all of the same steps as claim 1 and 4 but in A non-transitory machine-readable storage medium including instructions that, when accessed by a processing device of a host computer system, cause the processing device to (Wang: col. 
11 lines 10-23), therefore the supporting rationale for the rejection to claim 1 and 4 applies equally as well to that of claim 15 and 18. Claim(s) 2, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Makishima et al. (hereinafter Makishima, US 2011/0317199 A1). Regarding Claim 2, Wang-Eckert-Kaplan discloses claim 1 as set forth above. Wang further discloses wherein the encryption option is represented by an indication in a socket data structure associated with the identified network connection (Wang: para.0063 “At block 701, the initiator receives a socket connection request for a destination. Specifically, the initiator in the transport shim receives the connection request from an application, which may operate in a network management plane. The connection request may indicate the destination node in terms of a physical network address (e.g., an IP and/or Media Access Control (MAC) address) or an VRF address in the LS-ACP network. At block 703, the initiator determines whether the request is directed to an ASP VRF or is employing a physical address” para.0066 “Method 700 allows the transport shim to forgo intercepting connections and performing transparent encryption for applications that are known to already use sufficient end-to-end encryption (for example via a TLS/dTLS library like OpenSSL). This may be achieved through configuration or by recognizing that the application links against the encryption library. It should be noted that applications that are not aware of different VRFs in network devices can often accept connections from multiple VRFs. 
Method 700 ensures the transport shim will only perform encryption if the connection is between LS-ACP VRFs, and hence between two LS-ACP compliant nodes.” The socket data structure associated with the request is checked to determine the encryption option associated with the network connection.). However Wang-Eckert-Kaplan does not explicitly disclose wherein the encryption option is represented by a flag in a socket data structure associated with the identified network connection. Makishima discloses wherein the encryption option is represented by a flag in a socket data structure associated with the identified network connection (Makishima: para.0029 “The SSL registration flag shows whether the SSL encryption communication is set to be enabled or disabled on the print setting screen shown in FIG. 3. If the SSL registration flag is set to be TRUE, this shows that the SSL encryption communication is set to be enabled. In the first embodiment, the registered print job for which the SSL registration flag is set to be TRUE is called a registered SSL print job. If the SSL registration flag is set to be FALSE, this shows that the SSL encryption communication is set to be disabled.” A flag is set in the SSL registration flag for encrypted communication.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Wang-Eckert-Kaplan with Makishima in order to incorporate wherein the encryption option is represented by a flag in a socket data structure associated with the identified network connection. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security (Makishima: para.0029). Regarding Claim 16 it does not teach nor further define over the limitations of claim 2, therefore the support rationale for the rejection of claim 2 applies equally as well to that of claim 16. Claim(s) 3, 17 is/are rejected under 35 U.S.C. 
103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Caldarale et al. (hereinafter Cal, US 2022/0027179 A1). Regarding Claim 3, Wang-Eckert-Kaplan discloses claim 1 as set forth above. However Wang-Eckert-Kaplan does not explicitly disclose automatically activating the encryption option for a network connection created by an operating system having an encryption function. Cal discloses automatically activating the encryption option for a network connection created by an operating system having an encryption function (Cal: para.0032 “A secure sandbox 508 provide an execution environment for a service. A Host OS 530 creates the secure sandbox 508 as an isolated execution environment for the service, isolated from other secure sandboxes and from execution threads in the Host OS 530. These secure sandboxes 508 are also referred to as containers. In the NativeX system, a user utility or application executing on the Guest OS 540 wants to see any utility or application executing on the Host OS 530 as if it were executing natively in the Guest OS 530 itself. Thus, the boxes on the left above the Guest OS 540 (running on the Guest OS 540) correspond to the boxes on the right in the secure sandbox 508 (running on the Host OS 530).” Para.0034 “The NativeX Loader 604 includes configuration information to access a secure tunnel 624 (“Stunnel”) to create an encrypted communication path between the Guest OS 640 and the Host OS 630.” The Host OS and Guest OS both contain a native infrastructure in Fig. 5-6. A tunnel is between the two nativex elements in the guest os and the host os via an encrypted communication path created by one of the OS.). 
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert-Kaplan with Cal in order to incorporate automatically activating the encryption option for a network connection created by an operating system having an encryption function. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of secure communication (Cal: para.0034). Regarding Claim 17, it does not teach nor further define over the limitations of claim 3, therefore the supporting rationale for the rejection to claim 3 applies equally as well to that of claim 17. Claim(s) 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Yonemoto et al. (hereinafter Yonemoto, US 2007/0195767 A1). Regarding Claim 5, Wang-Eckert-Kaplan discloses claim 4 as set forth above. However Wang-Eckert-Kaplan does not explicitly disclose wherein the header includes information regarding the address of the shared memory buffer. Yonemoto discloses wherein the header includes information regarding the address of the shared memory buffer (Yonemoto: para.0083 “The internal packet generator 15 generates an internal packet by attaching a fixed-length internal header, which includes the address and length of the data part stored in the shared buffer 14, to the Ethernet frame header.” A location within the shared buffer that the data part is stored is attached to the header.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert-Kaplan with Yonemoto in order to incorporate wherein the header includes information regarding the address of the shared memory buffer. 
One of ordinary skill in the art would have been motivated to combine because of the expected benefit of easier locating of the data from a packet queue (Yonemoto: para.0083-0083). Claim(s) 6-7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Haghighat et al. (hereinafter Hagh, US 2021/0263779 A1). Regarding Claim 6, Wang-Eckert-Kaplan discloses claim 1 as set forth above. However, Wang-Eckert-Kaplan does not explicitly disclose wherein storing the data packet in the shared memory buffer further comprises: copying the data packet from a private memory of the virtual machine to the shared memory buffer. Hagh further discloses wherein storing the data packet in the shared memory buffer further comprises: copying the data packet from a private memory of the virtual machine to the shared memory buffer (Hagh: para.0217-218 “That is, since the instructions may be designed to operate with hardware privileges (which are even greater than kernel privileges), and thus the execution of the function has the right to copy data from the container of one function to the container of another function. ..In some embodiments, shared memory 843 may provide a way of communication by letting the two functions 841, 842 share a memory segment for copying the content of data exchanged between the two functions 841, 842. Just before the callee function is invoked, for example, parameters passed by the caller function may be copied from the caller into the shared memory. After the callee is returned, a response/JSON object content may be copied from the shared memory to the caller. The synchronization may happen naturally via the call and return instructions.” The packets are copied and stored in shared memory between the containers of a caller and callee. See also para.1150-1151. ). 
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert-Kaplan with Hagh in order to incorporate wherein storing the data packet in the shared memory buffer further comprises: copying the data packet from a private memory of the virtual machine to the shared memory buffer, and apply this concept to the storing of the packets in Wang-Eckert-Kaplan One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security by having the applications have encrypted memory locations (Hagh: Para.1145-1147) Regarding Claim 7, Wang-Eckert-Kaplan -Hagh discloses claim 6 as set forth above. However Wang-Eckert-Kaplan does not explicitly disclose wherein the private memory is an encrypted memory Hagh further discloses wherein the private memory is an encrypted memory (Hagh: para.1141 “Total Memory Encryption (TME) may encrypt a platform's entire memory (e.g., various cache levels) with a single key. TME may be enabled through a BIOS configuration and/or other software, and may help ensure that all data (e.g., customer credentials, encryption keys, and other IP or personal information) in the memory is encrypted on the external memory bus. Thus, if an application and/or CPU requests data from the memory, the data may be encrypted and then later decrypted after transmission.” Para.1145-1147 “MK-TME allows virtual machines (VMs) and containers to be cryptographically isolated from each other in memory with separate encryption keys. 
In a multi-tenant cloud environment, such an isolation is advantageous when sensitive data is being processed by a customer….Thus, MK-TME may be used to isolate/compartmentalize functions from one another by encrypting the memory region assigned to each function with a different encryption key.” Any and all memory is encrypted via TME, and MK-TME allows each container to be individually encrypted, further Fig. 49C, and para.1150-1151 discloses individually encrypted memory regains for shared memory regions. Any of the above encryption methods show the private memory of a virtual machine being encrypted.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert-Kaplan with Hagh in order to incorporate wherein the private memory is an encrypted memory. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security by having the applications have encrypted memory locations (Hagh: Para.1145-1147). Claim(s) 8, 11-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (hereinafter Kumar, US 2018/0332078 A1) Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1). Regarding Claim 8, Kumar discloses A system comprising: a memory; and a processing device operatively coupled to the memory, the processing device to (Kumar: para.0016): receive, by a virtual machine (VM) running on a host computer system, a data packet via a specified network connection (Kumar: Fig.1-2 para.0023 “At block 205, SVM 111 receives a data packet.”. 
para.0026 “At block 210, SVM 111 determines if the data packet is an outgoing data packet (e.g., a data packet with a server computer as its destination) or an incoming packet, (e.g., a data packet, with an application in VM 110 as its destination).” the SVM, secure virtual machine, para.0010 “a secure virtual machine (SVM)”, receives an incoming packet), determine, by the VM, whether the data packet is encrypted based on determining that the specified network connection is associated with an encryption option indicating that the data packet is encrypted (Kumar: para.0003 “For example, an application configured to use SSL encryption establishes a secure connection with a server encrypts data using a shared secret negotiated during the establishment of the secure connection, and sends encrypted data to the destination server.” para.0034 “At block 240, SVM 111 determines whether the incoming data packet is for establishing a new SSL session or associated with an existing SSL session.” Para.0037 “At block 255, when the incoming data packet is for an existing SSL session, SVM 111 decrypts the data packet.” It can be determined that the packet is associated with an SSL encryption option, i.e. the packet is encrypted); responsive to determining that the data packet is encrypted: send the packet to the recipient application in a VM (Kumar: Fig. 2 255-260 Para.0037 “At block 255, when the incoming data packet is for an existing SSL session, SVM 111 decrypts the data packet.” Para.0038 “At block 260, SVM 111 transmits the decrypted data packet to VM 110 across communication channel 101” the packet is forwarded to the destination application on a VM 110 after being decrypted.). 
However Kumar does not explicitly disclose the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system ; responsive to determining that the data packet is encrypted: store the data packet in a shared memory buffer, wherein the shared memory buffer is accessible to a specified recipient; and store an address of the data packet in the encrypted memory. Wang discloses when sending a packet to a VM on the same host: store the data packet in a shared memory buffer, wherein the shared memory buffer is accessible to a specified recipient (Wang: col. 8 lines 1-18 “At 445 in FIG. 4, VM1 131 may generate packets “P1” and “P2” that are destined for VM2 132. At 450, when packets “P1” and “P2” reach NIC driver 155, VM1 131 may examine their destination address information and search buffer map 181 for an entry matching (VLAN ID=10, MAC-2, IP-2) associated with VM2 132.” The VM operating on Host 110 in Fig. 1, receives a request to send a packet to a destination address, i.e. specified recipient, via a network VLAN 10 during step 445 of Fig. 4. col. 8 lines 1-18 “ At 455, based on the matching entry added at block 435, VM1 131 may access TX packet buffer 210 (TX-1-2) to store or write packets “P1” and “P2” in shared memory location 252 that is mapped to both TX packet buffer 210 (TX-1-2) and RX packet buffer 220 (RX-1-2).” In Fig. 4 step 455, the packet is stored in shared memory of the host 252 in Fig. 2); store an address of the data packet in the memory (Wang: col. 7 lines 19-31 “At 425 in FIG. 4, virtual switch 116 may handle prior packet “P0” using conventional approach, but instruct VM1 131 and VM2 132 to use a zero-copy approach for subsequent packets. This involves allocating TX packet buffer 210 (TX-1-2) that is writable by VM1 131 and RX packet buffer 220 (RX-1-2) that is readable by VM2 132. In the example in FIG. 
5, TX packet buffer 210 and RX packet buffer 220 may each have N sections that are indexed using k=0, . . . , N−1. TX packet buffer 210 and RX packet buffer 220 may be considered to be a shared packet buffer mapped to the same physical memory location. Any data that is written into TX packet buffer 210 will be readable from RX packet buffer 220 without any copying involved.” Col. 7 line 55-67 “At 435 and 440 in FIG. 4, based on instructions from virtual switch 116, VM1 131 and VM2 132 may update respective buffer maps 181-182. In the example in FIG. 5, VM1 131 may update buffer map 181 to add an entry that maps TX buffer 210 (TX-1-2) to (VLAN ID=10, MAC-2, IP-2) associated with destination VM2 132.” The VM 131 is allocated a TX packet buffer that is mapped to a physical memory location to be used in all subsequent communications, and stores in the update buffer map the address of the packets, i.e. the location of TX 1-2. Alternatively, VM 131 still receives an instruction to store packets in a particular location by the virtual switch, and is able to write data to that location for all subsequent packets, therefore if not the buffer map, the VM still records some indication of the memory location to store future packets.). Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar with Wang in order to incorporate when sending a packet to a VM on the same host: store the data packet in a shared memory buffer, wherein the shared memory buffer is accessible to a specified recipient, store an address of the data packet in the memory, such that when Kumar would forward the received packet at the SVM, it would instead use the shared memory functionality of Wang. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving packet transmission performance and throughput for VMs sharing hosts (Wang: Col. 1 line 15-30). 
However Kumar-Wang does not explicitly disclose the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system; store an address of the data packet in the encrypted memory. Kaplan discloses the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system (Kaplan: para.0018 “Using the techniques described herein, the encryption module of the memory controller is employed to cryptographically protect the information of each VM from access by the hypervisor or by other executing VMs. ” Each VM comprises cryptographically protected memory that is not accessible by other VMs and hypervisors.) Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar-Wang with Kaplan in order to incorporate the VM comprising an encrypted memory inaccessible to a hypervisor and to any other VMs executing on the host computer system, such that all of the memory for the VM are private, therefore also storing the location for the data packets in Wang in an encrypted memory. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security in the virtual system (Kaplan: para.0018). Regarding Claim 11, Kumar-Wang-Kaplan discloses claim 8 as set forth above. Kumar further discloses wherein the data packet comprises a header and user data, and wherein the header includes information regarding transmission of the user data (Kumar: para.0023 “For example, thin agent 116 of VM 110 intercepts the data packer and sends the intercepted data packet to SVM 111. In one embodiment, application 155A addresses the data packet for transmission to server computer 140A. 
Thin agent 116 intercepts the data packet prior to the data packet's transmission to server computer 140A.” the packet contains information regarding source and destination of the user data in the packet, which is stored in the header. The destination information regarding the transmission of the user data. Para.0046, para.0011 user).

Regarding Claim 12, Kumar-Wang-Kaplan discloses claim 11 as set forth above. Kumar further discloses wherein, to determine whether the specified network connection is associated with the encryption option, the processing device is further to: determine, based on the header, whether the specified network connection is associated with the encryption option (Kumar: para.0027 “At block 215, SVM 111 determines whether the outgoing data packet is for a new SSL session or for an existing SSL session. For example, SVM 111 determines a source identifier and a destination identifier associated with the outgoing data packet. SVM 111 accesses a data structure storing information regarding active SSL sessions and determines if there is an active SSL session having a source identifier and a destination identifier that matches the source identifier and the destination identifier associated with the outgoing data packet. When there is a match to an existing SSL session that is active, SVM 111 can use the existing SSL session to handle the outgoing data packet and the flow proceeds to block 230. When the outgoing data packet is for a new SSL session, the flow proceeds to block 220.” It can be determined that there is an existing SSL session using the source and destination information, i.e. associated with an existing encryption option for the packet).

Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (hereinafter Kumar, US 2018/0332078 A1) Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Makishima et al.
(hereinafter Makishima, US 2011/0317199 A1).

Regarding Claim 9, Kumar-Wang-Kaplan discloses claim 8 as set forth above. However Kumar does not explicitly disclose the encryption option is represented by a flag in a socket data structure associated with the specified network connection. Wang further discloses wherein the encryption option is represented by an indication in a socket data structure associated with the identified network connection (Wang: para.0063 “At block 701, the initiator receives a socket connection request for a destination. Specifically, the initiator in the transport shim receives the connection request from an application, which may operate in a network management plane. The connection request may indicate the destination node in terms of a physical network address (e.g., an IP and/or Media Access Control (MAC) address) or an VRF address in the LS-ACP network. At block 703, the initiator determines whether the request is directed to an ASP VRF or is employing a physical address” para.0066 “Method 700 allows the transport shim to forgo intercepting connections and performing transparent encryption for applications that are known to already use sufficient end-to-end encryption (for example via a TLS/dTLS library like OpenSSL). This may be achieved through configuration or by recognizing that the application links against the encryption library. It should be noted that applications that are not aware of different VRFs in network devices can often accept connections from multiple VRFs. Method 700 ensures the transport shim will only perform encryption if the connection is between LS-ACP VRFs, and hence between two LS-ACP compliant nodes.” The socket data structure associated with the request is checked to determine the encryption option associated with the network connection.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar with Wang in order to incorporate wherein the encryption option is represented by an indication in a socket data structure associated with the identified network connection. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improving packet transmission performance and throughput for VMs sharing hosts (Wang: Col. 1 line 15-30).

However Kumar-Wang-Kaplan does not explicitly disclose wherein the encryption option is represented by a flag in a socket data structure associated with the identified network connection. Makishima discloses the encryption option is represented by a flag in a socket data structure associated with the specified network connection (Makishima: para.0029 “The SSL registration flag shows whether the SSL encryption communication is set to be enabled or disabled on the print setting screen shown in FIG. 3. If the SSL registration flag is set to be TRUE, this shows that the SSL encryption communication is set to be enabled. In the first embodiment, the registered print job for which the SSL registration flag is set to be TRUE is called a registered SSL print job. If the SSL registration flag is set to be FALSE, this shows that the SSL encryption communication is set to be disabled.” A flag is set in the SSL registration flag for encrypted communication.).

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Kumar-Wang-Kaplan with Makishima in order to incorporate the encryption option is represented by a flag in a socket data structure associated with the specified network connection. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of improved security (Makishima: para.0029).

Claim(s) 10 is/are rejected under 35 U.S.C.
103 as being unpatentable over Kumar et al. (hereinafter Kumar, US 2018/0332078 A1) Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Caldarale et al. (hereinafter Cal, US 2022/0027179 A1).

Regarding Claim 10, Kumar-Wang-Kaplan discloses claim 8 as set forth above. However Kumar-Wang-Kaplan does not explicitly disclose wherein the processing device is further to: automatically activate the encryption option for a network connection created by an operating system having an encryption function. Cal discloses wherein the processing device is further to: automatically activate the encryption option for a network connection created by an operating system having an encryption function. (Cal: para.0032 “A secure sandbox 508 provide an execution environment for a service. A Host OS 530 creates the secure sandbox 508 as an isolated execution environment for the service, isolated from other secure sandboxes and from execution threads in the Host OS 530. These secure sandboxes 508 are also referred to as containers. In the NativeX system, a user utility or application executing on the Guest OS 540 wants to see any utility or application executing on the Host OS 530 as if it were executing natively in the Guest OS 530 itself. Thus, the boxes on the left above the Guest OS 540 (running on the Guest OS 540) correspond to the boxes on the right in the secure sandbox 508 (running on the Host OS 530).” Para.0034 “The NativeX Loader 604 includes configuration information to access a secure tunnel 624 (“Stunnel”) to create an encrypted communication path between the Guest OS 640 and the Host OS 630.” The Host OS and Guest OS both contain a native infrastructure in Fig. 5-6. A tunnel is between the two nativex elements in the guest os and the host os via an encrypted communication path created by one of the OS.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar-Wang-Kaplan with Cal in order to incorporate wherein the processing device is further to: automatically activate the encryption option for a network connection created by an operating system having an encryption function. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of secure communication (Cal: para.0034).

Claim(s) 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Kumar et al. (hereinafter Kumar, US 2018/0332078 A1).

Regarding Claim 19, Wang-Eckert-Kaplan discloses claim 15 as set forth above. However Wang-Eckert-Kaplan does not explicitly disclose wherein, to determine whether the specified network connection is associated with the encryption option, the processing device is further to: determine, based on a header included in the data packet, whether the specified network connection is associated with the encryption option. Kumar further discloses wherein, to determine whether the specified network connection is associated with the encryption option, the processing device is further to: determine, based on a header included in the data packet, whether the specified network connection is associated with the encryption option (Kumar: para.0034 “At block 240, SVM 111 determines whether the incoming data packet is for establishing a new SSL session or associated with an existing SSL session.” Para.0037 “At block 255, when the incoming data packet is for an existing SSL session, SVM 111 decrypts the data packet.
In one embodiment, SSL engine 118 decrypts the data packets with the key(s) established during the SSL handshake process.” Para.0027 “SVM 111 accesses a data structure storing information regarding active SSL sessions and determines if there is an active SSL session having a source identifier and a destination identifier that matches the source identifier and the destination identifier associated with the outgoing data packet. When there is a match to an existing SSL session that is active, SVM 111 can use the existing SSL session to handle the outgoing data packet and the flow proceeds to block 230.” It can be determined that the packet is associated with an SSL encryption option. When determining if a packet is associated with an existing SSL, a match of the destination and source identifiers of the packet is performed, this information is stored in a header of a packet.).

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Wang-Eckert-Kaplan with that of Kumar in order to incorporate wherein, to determine whether the specified network connection is associated with the encryption option, the processing device is further to: determine, based on a header included in the data packet, whether the specified network connection is associated with the encryption option. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of secure communication between virtual machines (Kumar: para.0002).

Claim(s) 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang et al. (hereinafter Wang, US 10,877,822 B1) in view of Eckert et al. (hereinafter Eckert, US 2019/0273727 A1) in view of Kaplan et al. (hereinafter Kaplan, US 2015/0248357 A1) in view of Giacomini et al. (hereinafter Gia, US 2008/0276056 A1).

Regarding Claim 20, Wang-Eckert-Kaplan discloses claim 15 as set forth above.
However Wang-Eckert-Kaplan does not explicitly disclose wherein the processing device is further to: save the address of the shared memory buffer. Gia further discloses wherein the processing device is further to: save the address of the shared memory buffer (Gia: para.0065 “The input stage 215 may then tell the NIC 205 through the driver 210 the address locations where the data may be stored in shared memory 220. The NIC may then write the frame data into shared memory 220. The input 225 may then place the address for the data received from the network and stored in shared memory 220 in the up queue 225.” Para.0066 “The application stage 230 may then pull the frame data from the shared memory 220 using the pointers stored in the up queue 225. Any data application may occur in the application stage 230 without limitation. Once the application stage 230 has completed its processing, the addresses associated with data that has been processed is then returned to the allocation queue 235.” While the address is allocated for the transmission of packets, the NIC, driver, and input know the address for this process, therefore has saved this location until the address has been released.).

Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date to combine Wang-Eckert-Kaplan with that of Gia in order to incorporate wherein the processing device is further to: save the address of the shared memory buffer. One of ordinary skill in the art would have been motivated to combine because of the expected benefit of the NIC being able to obtain the information to be transmitted, and to forward the information it has received. (Gia: para.0065- para.0067).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kim et al. US 2009/0083756 A1 see para.0047-0048 and Fig. 5 showing socket rules for tcp connection or shared memory selection based on socket options. Xiao et al.
US 2020/0387405 A1, see Fig. 2-3, para.0071-0072 step 305 wherein the application of the VM writes outgoing packets to the shared memory. Brandwine et al. US 9,398,121 B1, see Fig. 4 and 5 col. 10 lines 65-col.11 lines 18 for showing incoming and outgoing packets using shared memory.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EUI H KIM whose telephone number is (571)272-8133. The examiner can normally be reached 7:30-5 M-R, M-F alternating. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 5712725863. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EUI H KIM/ Examiner, Art Unit 2453

/KAMAL B DIVECHA/ Supervisory Patent Examiner, Art Unit 2453

Prosecution Timeline

Dec 23, 2022
Application Filed
Sep 18, 2024
Non-Final Rejection — §103
Dec 23, 2024
Response Filed
Apr 03, 2025
Final Rejection — §103
Jun 05, 2025
Examiner Interview Summary
Jun 05, 2025
Applicant Interview (Telephonic)
Jun 09, 2025
Response after Non-Final Action
Jul 09, 2025
Request for Continued Examination
Jul 13, 2025
Response after Non-Final Action
Aug 22, 2025
Non-Final Rejection — §103
Nov 26, 2025
Response Filed
Apr 04, 2026
Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12549457
CREATING DECENTRALIZED MULTI-PARTY TRACEABILITY OF SLA USING A BLOCKCHAIN
2y 5m to grant Granted Feb 10, 2026
Patent 12519859
DETERMINING DATA MIGRATION STRATEGY IN HETEROGENEOUS EDGE NETWORKS
2y 5m to grant Granted Jan 06, 2026
Patent 12506818
METHOD AND SYSTEM FOR TIME SENSITIVE PROCESSING OF TCP SEGMENTS INTO APPLICATION LAYER MESSAGES
2y 5m to grant Granted Dec 23, 2025
Patent 12483462
Cloud Network Failure Auto-Correlator
2y 5m to grant Granted Nov 25, 2025
Patent 12470606
SYSTEMS AND METHODS FOR SCHEDULING FEATURE ACTIVATION AND DEACTIVATION FOR COMMUNICATION DEVICES IN A MULTIPLE-DEVICE ACCESS ENVIRONMENT
2y 5m to grant Granted Nov 11, 2025

Prosecution Projections

5-6
Expected OA Rounds
49%
Grant Probability
99%
With Interview (+52.9%)
3y 4m
Median Time to Grant
High
PTA Risk
Based on 156 resolved cases by this examiner. Grant probability derived from career allow rate.