Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
1. Claims 1 - 20 are pending. Claim 11 has been amended. Claims 1, 11 are independent. Filing date: 5-1-2024.
This action is in response to application amendments filed 11-19-2025.
Claim Rejections - 35 USC § 103
2. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
3. Claims 1, 4, 8 - 11, 14, 18 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen et al. (US PGPUB No. 20130125230) in view of Rizwan et al. (US PGPUB No. 20200137027).
Regarding Claims 1, 11, Koponen discloses a method and an apparatus comprising:
b) obtaining a subset of rules from a collection of rules to apply to a second instance of the firewall that replaces a first instance of the firewall; c) the second instance of the firewall; (Koponen ¶ 005: provide a system that allows several different logical firewalls to be specified for several different logical networks through one or more shared firewall elements. In some embodiments, the system distributes the logical firewall for a particular logical network across several different physical machines that also host virtual machines of the particular logical network. At each of the different physical machines, a firewall element operates that may be virtualized into several different firewall instances, each implementing a different set of firewall rules for a different logical firewall.) and
d) when the second instance is available after loading the subset of rules, processing network traffic of the gateway based on the subset of rules. (Koponen ¶ 032: The firewall stores a set of rules (e.g., entered by a user), that determine whether or not the firewall drops (i.e., discards) or allows the packet through (or, in some cases, rejects the packet by dropping the packet and sending an error response back to the sender).; ¶ 125: Once a logical network has been configured, the machines (e.g., virtual machines) on that network will send and receive packets, which requires the use of the packet processing functions of both the managed switching elements and the firewall that reside on the hosts along with the virtual machines.)
Koponen does not explicitly disclose for a) receiving a command related to a configuration of a firewall, and for c) loading the subset of rules.
However, Rizwan discloses:
a) receiving a command related to a configuration of a firewall of a gateway; and for c) loading the subset of rules. (Rizwan ¶ 043: gateway 312 receives a Command 77 (master command from device manager 302 for sending commands to connected HART field instruments), the gateway processor 202 loads the firewall configuration rules 305 along with instructions for executing firewall rules engine 306 software from memory 212.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for a) receiving a command related to a configuration of a firewall, and for c) loading the subset of rules as taught by Rizwan. One of ordinary skill in the art would have been motivated to employ the teachings of Rizwan for the flexibility of a system that enables the loading of configuration rules for data processing by a firewall in a network environment. (Rizwan ¶ 043)
Furthermore, for Claim 11, Koponen discloses wherein a storage memory configured to store instructions; and a processor configured to execute the instructions and cause the processor to perform operations. (Koponen ¶ 151: Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more computational or processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions.)
Regarding Claims 4, 14, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11, further comprising:
b) wherein the collection of rules is stored on a local storage medium associated with at least one processor executing the firewall. (Koponen ¶ 109: the OVS DB daemon 867 receives configuration information from the network controller 880 and stores the configuration information in a set of databases. In some embodiments, the OVS DB daemon 867 communicates with the network controller 880 through a database communication protocol. In some cases, the OVS DB daemon 867 may receive requests for configuration information from the OVS daemon 865. The OVS DB daemon 867, in these cases, retrieves the requested configuration information (e.g., from a set of databases) and sends the configuration information to the OVS daemon 865.)
Koponen does not explicitly disclose for a) loading a rule of the collection of rules that is not identified in the subset of rules, and for c) wherein the loading of the rule is reported to a controller of the gateway.
However, Rizwan discloses:
a) loading a rule of the collection of rules that is not identified in the subset of rules, (Rizwan ¶ 043: receives a Command 77 (master command from device manager 302 for sending commands to connected HART field instruments), the gateway processor 202 loads the firewall configuration rules 305 along with instructions for executing firewall rules engine 306 software from memory 212. The processor 202 then executes the instructions of the firewall rule engine 306.; (load configuration rule, load unidentified configuration rule)) and
c) wherein the loading of the rule is reported to a controller of the gateway. (Rizwan ¶ 019: The firewall in a wireless gateway or wireless adaptor can help to filter out unintended or undesirable configuration change or to alert control and safety systems when a configuration change occurs)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for a) loading a rule of the collection of rules that is not identified in the subset of rules, and for c) wherein the loading of the rule is reported to a controller of the gateway as taught by Rizwan. One of ordinary skill in the art would have been motivated to employ the teachings of Rizwan for the flexibility of a system that enables the loading of configuration rules for data processing by a firewall. (Rizwan ¶ 043)
Regarding Claims 8, 18, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11, wherein the command related to a rule of the firewall is triggered autonomously without supervision by a third-party service. (Koponen ¶ 141: the user simply specifies the network topology and flow entries are automatically generated to send the packets on the logical wire between two logical forwarding elements to the firewall.; (automatic setup of configuration data (packet processing rules)))
Regarding Claim 9, Koponen-Rizwan discloses the method of claim 1, wherein the command related to the rule of the firewall is triggered based on supervision of a user. (Koponen ¶ 141: the user specifies routing policies that identify which packets go to the firewall,; (manual input of configuration data (packet processing rules)))
Regarding Claims 10, 20, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11.
Koponen does not explicitly disclose loading remaining rules from the collection of rules.
However, Rizwan discloses further comprising: loading remaining rules from the collection of rules after the subset of rules. (Rizwan ¶ 043: gateway 312 receives a Command 77 (master command from device manager 302 for sending commands to connected HART field instruments), the gateway processor 202 loads the firewall configuration rules 305 along with instructions for executing firewall rules engine 306 software from memory 212.; (loading configuration rules; initial or remaining))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for loading remaining rules from the collection of rules as taught by Rizwan. One of ordinary skill in the art would have been motivated to employ the teachings of Rizwan for the flexibility of a system that enables the loading of configuration rules for data processing by a firewall. (Rizwan ¶ 043)
Regarding Claim 19, Koponen-Rizwan discloses the apparatus of claim 11, wherein the command related to the pipeline rule of the firewall is triggered based on supervision of a user. (Koponen ¶ 141: the user specifies routing policies that identify which packets go to the firewall,; (manual input of configuration data (packet processing rules)))
4. Claims 2, 3, 5, 12, 13, 15 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen in view of Rizwan and further in view of Rigor et al. (US PGPUB No. 20210152520).
Regarding Claims 2, 12, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11, wherein the subset of rules are identified and trained to identify at least one prioritized rule when instantiating the second instance. (Koponen ¶ 009: these rules specify conditions which, if matched, result in either dropping or allowing the packet (similar to access control list (ACL) table entries). As an example, a user might specify that packets from a particular external IP address (or domain of IP addresses) are always dropped when destined for a particular subnet.; (special rule to be followed for a particular instance))
Koponen does not explicitly disclose rules are identified based on a machine learning (ML) model.
However, Rigor discloses wherein rules are identified based on a machine learning (ML) model. (Rigor ¶ 015: a persistent low volume attack (PLVA) firewall that detects and protects against persistent low volume attacks in addition to or in lieu of providing protections against volumetric attacks and network traffic containing malicious traffic. The PLVA firewall can be a network firewall appliance or device (i.e., specialized hardware for detecting and protecting against network attacks).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen so that rules are identified based on a machine learning (ML) model as taught by Rigor. One of ordinary skill in the art would have been motivated to employ the teachings of Rigor for the flexibility of a system that enables the utilization of multiple data processing techniques such as machine learning in the generation of rules associated with a firewall. (Rigor ¶ 015)
Regarding Claim 3, Koponen-Rizwan-Rigor discloses the method of claim 2, further comprising:
a) obtaining event information pertaining to network traffic and firewall actions associated with the event information; (Koponen ¶ 089: Each query plan is a set of rules that specifies a set of join operations that are to be performed upon the occurrence of an input table event. The event processor of the rules engine 710 detects the occurrence of each such event.) and
b) sending a message including at least event information, wherein a controller is configured to store the event information. (Koponen ¶ 089: Each query plan is a set of rules that specifies a set of join operations that are to be performed upon the occurrence of an input table event. The event processor of the rules engine 710 detects the occurrence of each such event. In some embodiments, the event processor registers for callbacks with the input tables for notification of changes to the records in the input tables 715, and detects an input table event by receiving a notification from an input table when one of its records has changed.)
Koponen does not explicitly disclose for b) train the ML model.
However, Rigor discloses wherein for b) train the ML model. (Rigor ¶ 029: The address or client list may be provided to the PLVA firewall or derived by the PLVA firewall, for example, via prior history, information sharing, training, machine learning or other automated techniques.; ¶ 015: a persistent low volume attack (PLVA) firewall that detects and protects against persistent low volume attacks in addition to or in lieu of providing protections against volumetric attacks and network traffic containing malicious traffic. The PLVA firewall can be a network firewall appliance or device (i.e., specialized hardware for detecting and protecting against network attacks).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for b) train the ML model as taught by Rigor. One of ordinary skill in the art would have been motivated to employ the teachings of Rigor for the flexibility of a system that enables the utilization of multiple data processing techniques such as machine learning in the generation of rules associated with a firewall. (Rigor ¶ 015)
Regarding Claims 5, 15, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11.
Koponen does not explicitly disclose filtering malicious traffic from network traffic using the subset of rules.
However, Rigor discloses wherein processing the network traffic comprises: filtering malicious traffic from the network traffic using the subset of rules. (Rigor ¶ 015: a persistent low volume attack (PLVA) firewall that detects and protects against persistent low volume attacks in addition to or in lieu of providing protections against volumetric attacks and network traffic containing malicious traffic. The PLVA firewall can be a network firewall appliance or device (i.e., specialized hardware for detecting and protecting against network attacks).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for filtering malicious traffic from network traffic using the subset of rules as taught by Rigor. One of ordinary skill in the art would have been motivated to employ the teachings of Rigor for the flexibility of a system that enables the utilization of multiple data processing techniques such as machine learning in the generation of rules associated with a firewall. (Rigor ¶ 015)
Regarding Claim 13, Koponen-Rizwan-Rigor discloses the apparatus of claim 12, wherein the processor is configured to:
a) obtain flow information pertaining to network traffic associated with the first instance; (Koponen ¶ 089: Each query plan is a set of rules that specifies a set of join operations that are to be performed upon the occurrence of an input table event. The event processor of the rules engine 710 detects the occurrence of each such event.) and
b) send a message including at least flow information to a controller of the gateway, wherein the controller is configured to store the flow information. (Koponen ¶ 089: Each query plan is a set of rules that specifies a set of join operations that are to be performed upon the occurrence of an input table event. The event processor of the rules engine 710 detects the occurrence of each such event. In some embodiments, the event processor registers for callbacks with the input tables for notification of changes to the records in the input tables 715, and detects an input table event by receiving a notification from an input table when one of its records has changed.)
Koponen does not explicitly disclose for b) train the ML model.
However, Rigor discloses wherein for b) train the ML model. (Rigor ¶ 029: The address or client list may be provided to the PLVA firewall or derived by the PLVA firewall, for example, via prior history, information sharing, training, machine learning or other automated techniques.; ¶ 015: a persistent low volume attack (PLVA) firewall that detects and protects against persistent low volume attacks in addition to or in lieu of providing protections against volumetric attacks and network traffic containing malicious traffic. The PLVA firewall can be a network firewall appliance or device (i.e., specialized hardware for detecting and protecting against network attacks).)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen for b) train the ML model as taught by Rigor. One of ordinary skill in the art would have been motivated to employ the teachings of Rigor for the flexibility of a system that enables the utilization of multiple data processing techniques such as machine learning in the generation of rules associated with a firewall. (Rigor ¶ 015)
5. Claims 6, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen in view of Rizwan and further in view of Fischer et al. (US PGPUB No. 20060023716).
Regarding Claims 6, 16, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11.
Koponen does not explicitly disclose that the firewall is terminated when all flows in the first instance are drained.
However, Fischer discloses wherein the first instance of the firewall is terminated when all flows in the first instance are drained, wherein the second instance becomes available before all flows in the first instance are drained. (Fischer ¶ 048: provides a mechanism and method for blocking data in a respective transmit FIFO from being output to a network and draining the data from the MAC data path connected to the transmit FIFO, (first instance data flows drained, first firewall instance terminated; second instance started before first instance terminated))
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen so that the firewall is terminated when all flows in the first instance are drained as taught by Fischer. One of ordinary skill in the art would have been motivated to employ the teachings of Fischer for the flexibility of a system that enables the termination of a firewall instance by draining all data flows. (Fischer ¶ 048)
6. Claims 7, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Koponen in view of Rizwan and further in view of Talur et al. (US Patent No. 11,652,848).
Regarding Claims 7, 17, Koponen-Rizwan discloses the method of claim 1 and the apparatus of claim 11.
Koponen does not explicitly disclose that a size of the collection of rules is greater than an amount of memory available.
However, Talur discloses wherein a size of the collection of rules is greater than an available amount of memory available to the gateway in user space. (Talur col 25: consider a scenario in which the bottleneck resource at a particular logical partition is the amount of memory needed to store the networking configuration information (security rules, mappings between IVNs and security groups/VNIs, etc.) at each SRPN of the partition, while memory does not appear to be a bottleneck at one or more other logical partitions. Recall that the configuration information may be replicated at each SRPN of the partition in at least some embodiments. If servers with larger memories are not available for the SRPNs, any new SRPN added to the partition may suffer from the same memory bottleneck, since it too would have to store the same amount of configuration information in the same amount of memory as the other SRPNs.)
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Koponen so that a size of the collection of rules is greater than an amount of memory available as taught by Talur. One of ordinary skill in the art would have been motivated to employ the teachings of Talur for the flexibility of a system that enables a determination of available memory in the processing of firewall configuration information within a network environment. (Talur col 25)
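The claimed procedure as mapped across claims 1, 4, 6 and 10 above (command received, prioritized subset loaded into a second instance that takes over traffic, remaining rules loaded afterwards with each load reported to the controller, first instance terminated only once its flows drain) is modeled below as an added Python example; it is not code from Koponen, Rizwan, Fischer or the application, and the rule names, ports and the "reload-firewall" command string are constructed.

```python
"""Constructed model of the claimed firewall-instance replacement (added
example, not code from either patent or the application): a gateway receives a
configuration command, builds a second instance from a prioritized subset of
the rule collection, serves traffic from it once that subset is loaded, then
loads the remaining rules and retires the first instance when its flows drain."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "drop"
    dst_port: Optional[int]   # None matches any port
    priority: bool = False    # True: member of the subset loaded first


@dataclass
class FirewallInstance:
    rules: List[Rule] = field(default_factory=list)
    flows: Set[str] = field(default_factory=set)   # in-flight flow ids
    terminated: bool = False

    def process(self, flow_id: str, dst_port: int) -> str:
        """First matching rule decides; default deny when nothing matches."""
        self.flows.add(flow_id)
        for r in self.rules:
            if r.dst_port is None or r.dst_port == dst_port:
                return r.action
        return "drop"

    def drain(self, flow_id: str) -> bool:
        """Mark a flow finished; True once no flows remain on this instance."""
        self.flows.discard(flow_id)
        return not self.flows


class Gateway:
    def __init__(self, collection: List[Rule]):
        self.collection = list(collection)
        self.active = FirewallInstance(list(collection))   # first instance
        self.retiring: Optional[FirewallInstance] = None
        self.controller_log: List[str] = []   # reports sent to the controller

    def handle_command(self, cmd: str) -> bool:
        """On the configuration command, obtain the subset and bring up the
        second instance with only that subset loaded (it replaces the first)."""
        if cmd != "reload-firewall":
            return False
        subset = [r for r in self.collection if r.priority]
        self.retiring, self.active = self.active, FirewallInstance(subset)
        self.controller_log.append(f"second instance up with {len(subset)} rules")
        return True

    def process(self, flow_id: str, dst_port: int) -> str:
        """Traffic is processed by whichever instance is currently active."""
        return self.active.process(flow_id, dst_port)

    def load_remaining(self) -> int:
        """Load the rules outside the subset afterwards, reporting each load."""
        loaded = 0
        for r in self.collection:
            if r not in self.active.rules:
                self.active.rules.append(r)
                self.controller_log.append(f"loaded {r.name} outside subset")
                loaded += 1
        return loaded

    def finish_flow(self, flow_id: str) -> bool:
        """Drain one flow from the retiring instance; terminate it when empty.
        Returns True once the first instance has been terminated."""
        if self.retiring is None:
            return False
        if not self.retiring.terminated and self.retiring.drain(flow_id):
            self.retiring.terminated = True
            self.controller_log.append("first instance terminated after drain")
        return self.retiring.terminated
```

Between `handle_command` and `load_remaining` the second instance answers only from the subset, so a packet that only a not-yet-loaded rule would allow falls to the default deny; that window is the behaviour the subset ordering has to account for.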
Response to Amendments
7. Applicant’s arguments have been fully considered but they were not persuasive.
A. Claim 11 has been amended and no designation of being “Currently Amended” appears at the heading for Claim 11.
B. The 101 Rejection for Claims 11 - 20 is withdrawn due to claim amendments to add a memory to the claimed invention.
C. Applicant argues on page 8 of Remarks: ... "obtaining a subset of rules from a collection of rules to apply to a second instance of the firewall that replaces a first instance of the firewall."
The Examiner respectfully disagrees. Rizwan discloses the application of a set of configuration rules and then the execution of the instructions generating a new instance of a firewall. The generated firewall instance replaces the original firewall instance. (Rizwan ¶ 043: the gateway processor 202 loads the firewall configuration rules 305 along with instructions for executing firewall rules engine 306 software from memory 212. The processor 202 then executes the instructions of the firewall rule engine 306.)
D. Applicant argues on page 8 of Remarks: ... Koponen teaches different firewall instances with different rules, each of these firewall instances is for a different logical network.
The Examiner respectfully disagrees. Rizwan discloses the application of a set of configuration rules and then the execution of the instructions generating a new instance of a firewall. The generated firewall instance replaces the original firewall instance. (Rizwan ¶ 043: the gateway processor 202 loads the firewall configuration rules 305 along with instructions for executing firewall rules engine 306 software from memory 212. The processor 202 then executes the instructions of the firewall rule engine 306.)
E. Applicant argues on page 9 of Remarks: ... Claim 11 while different in scope includes similar limitations to Claim 1 and should therefore be allowable for the same reasons asserted above.
Independent claim 11 contains similar limitations as independent claim 1. Responses against independent claim 1 also answer current arguments against independent claim 11.
F. Applicant argues on page 9 of Remarks: ... claims 2-10, 12-20 should also be allowable at least by virtue of their dependency on allowable independent claims.
Responses to arguments against independent claims also answer current arguments against dependent claims.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F: 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joon H Hwang can be reached at 571-272-4036. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KYUNG H SHIN/ 1-8-2026 Primary Examiner, Art Unit 2447