DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant’s arguments with respect to claim(s) are rejected under 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Applicant argued in the remark that the cited portion of Pavadai appear to discloses that flow is offloaded based on a determination by the firewall that NO POLICY applies to that flow and thus packets of those flows would not benefit from firewall inspection. Other flows continue to be forwarded to the firewall.
Examiner respectfully disagrees. Van der Merwe US 2022/0374294 disclose 0079 the offload module 512 may be configured as described herein to receive firewall rules from the firewall 504, and to deploy these firewall rules on the network flow 510 , it can be seen as the network flow has the rules as a policy , in a manner that cooperates with or bypasses the firewall and 0138 The firewall 702 may be hosted on a first processor 704 such as an x86 architecture processer, which may include a kernel space 706 hosting a client 708 that uses a first memory 710 to exchange messages with another processor), the offload message specifying the flow and the enforcement action(0079 the offload module 512 may also or instead be distributed between the host device 502
a method for distributing policy enforcement in a network (fig.5 offloads monitoring of network flows by a firewall to other networking hardware. ), comprising:
at a firewall in a network (fig.5, firewall 504):
determining that a flow matches a policy installed at the firewall, wherein the flow is associated with an enforcement action based on the matching policy installed at the firewall ( 0078 network flows 510 are described as passing “through” the firewall 504, determining a firewall action for the network flows 510 and 0081 Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection);
determining that the flow should be offloaded (0078 the offload module 512 will be responsible for each network flow associated with each connection passing through the network processor 508);
creating an offload message at the firewall ( 0079 the offload module 512 may be configured as described herein to receive firewall rules from the firewall 504, and to deploy these firewall rules on the network flow 510 in a manner that cooperates with or bypasses the firewall and 0138 The firewall 702 may be hosted on a first processor 704 such as an x86 architecture processer, which may include a kernel space 706 hosting a client 708 that uses a first memory 710 to exchange messages with another processor), the offload message specifying the flow and the enforcement action(0079 the offload module 512 may also or instead be distributed between the host device 502 );
sending the offload message specifying the determined flow and the enforcement action associated with the flow at the firewall to a network element (0079 the offload module 512 may also or instead be distributed between the host device 502 ), wherein, in response to receiving the offload message the network element:
determines that the flow specified in the offload message should be installed at the network element (0080 The host device 502 may also include an intrusion prevention system 506 executing in the user space and generally configured to detect potential threats in the network flow 510, e.g., using any of the malware or intrusion prevention);
installs the flow at the network element in association with the enforcement action specified in the offload message from the firewall;(0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more of the network flows 510 independently from the firewall 504)and
based on the installation of the flow at the network element, controls received traffic associated with the flow at the network element, where the traffic is controlled according to the enforcement action determined at the firewall without forwarding the traffic to the firewall (0081if the network flow 510 is identified as potentially malicious by the intrusion prevention system 506, the offload module 512 may redirect the corresponding connection back to the firewall 504 for further processing).
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-8, and 11-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Van der Merwe US 2022/0374294(hereafter Van).
As per claim 1, Van der Merwe disclose a method for distributing policy enforcement in a network (fig.5 offloads monitoring of network flows by a firewall to other networking hardware), comprising:
at a firewall in a network (fig.5, firewall 504):
determining that a flow matches a policy installed at the firewall, wherein the flow is associated with an enforcement action based on the matching policy installed at the firewall ( 0078 network flows 510 are described as passing “through” the firewall 504, determining a firewall action for the network flows 510 and 0081 Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection);
determining that the flow should be offloaded (0078 the offload module 512 will be responsible for each network flow associated with each connection passing through the network processor 508);
creating an offload message at the firewall ( 0079 the offload module 512 may be configured as described herein to receive firewall rules from the firewall 504, and to deploy these firewall rules on the network flow 510 in a manner that cooperates with or bypasses the firewall and 0138 The firewall 702 may be hosted on a first processor 704 such as an x86 architecture processer, which may include a kernel space 706 hosting a client 708 that uses a first memory 710 to exchange messages with another processor), the offload message specifying the flow and the enforcement action(0079 the offload module 512 may also or instead be distributed between the host device 502 );
sending the offload message specifying the determined flow and the enforcement action associated with the flow at the firewall to a network element (0079 the offload module 512 may also or instead be distributed between the host device 502 ), wherein, in response to receiving the offload message the network element:
determines that the flow specified in the offload message should be installed at the network element (0080 The host device 502 may also include an intrusion prevention system 506 executing in the user space and generally configured to detect potential threats in the network flow 510, e.g., using any of the malware or intrusion prevention);
installs the flow at the network element in association with the enforcement action specified in the offload message from the firewall;(0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more of the network flows 510 independently from the firewall 504)and
based on the installation of the flow at the network element, controls received traffic associated with the flow at the network element, where the traffic is controlled according to the enforcement action determined at the firewall without forwarding the traffic to the firewall (0081if the network flow 510 is identified as potentially malicious by the intrusion prevention system 506, the offload module 512 may redirect the corresponding connection back to the firewall 504 for further processing).
As per claim 2. Van discloses The method of claim 1, wherein the determination that the flow matches the traffic control policy is based on L4 or higher packet inspection ([0117] When the system receives a packet from a network port on the NPU, the FP offload module processes it first. The FP offload module may perform various validity checks on the L2, L3 and L4 headers in the packet. If any of these checks fail or if the packet corresponds to a type of traffic that does not qualify for offload such as broadcast or multicast traffic, the FP offload module sends the packet to the host system for processing by the firewall. And 0129 packet inspection that was performed by the IPS module).
As per claim 3. Van discloses The method of claim 1, wherein determining that the flow should be offloaded comprises selecting the flow from a set of flows at the firewall based on an offload metric (0078 An offload module 512 may execute on the network processor, and may communicate with the firewall 504 through one or more application programming interfaces (indicated generally by an arrow 514) so that the firewall 504 can redirect network flows 510 to the network processor 508 ).
As per claim 4. Van discloses the method of claim 3, wherein the offload metric is based on an amount of traffic associated with the flow ( 0089 a set of abstract cached, i.e. amount of traffic, mappings of traffic to operations (“flow cache”), a mirror copy of networking stack state which the offload module synchronizes with the network stack, mechanisms in the networking stack to select traffic that can reliably be mapped to operations, an interface (API) for programming and querying flow cache and the mirrored networking state in the offload module and to invalidate and/or update that cached state with that of the networking stack, an interface (API) for the offload module to deliver traffic that misses the flow cache to the networking stack ).
As per claim 5. Van discloses The method of claim 1, wherein the offload message is sent only to the network element ( 0088 the system may generally support firewall offload from a host Linux system to a Network Processor Unit (NPU)).
As per claim 6. Van discloses The method of claim 5, wherein sending the offload message comprises: determining an IP address of the network element associated with the flow at the firewall ( 0134] If the connection entry indicates that NAT should be performed for a packet, the offload module will modify the contents of the packet to possibly overwrite IP source/destination address, L4 source/destination port depending on whether DNAT and/or SNAT is to be performed. In case the microflow action is to send the packet to IPS, offload applies DNAT to the packet, recomputing L3 and L4 checksums in the headers before it sends the packet to IPS. SNAT on the other hand is applied to the packet before it is sent out on the network (and after it is received from IPS if it had been sent to IPS earlier). If the microflow action is “IPS”); and publishing the offload message to subscribers associated with the IP address in a publisher/subscriber message framework (0138 the firewall 702 may be any of the firewalls described herein, and may have an architecture for offloading certain traffic management functions and/or network flows to a network processing unit or the like associated with the firewall 702).
As per claim 7. Van discloses the method of claim 1, further comprising: maintaining a flow session associated with the flow at the firewall (0134 the IPS module updates the universal session table entry corresponding connection entry in the host system Linux Contrack. This then results in an SP2FP API call to the FP that will in turn update the IPS verdict stored in the FP connection entry ); and renewing the flow session when a heartbeat message is received from the network element([0063] The threat detection tools 314 may be any of the threat detection tools, algorithms, techniques or the like described herein, or any other tools or the like useful for detecting threats or potential threats within an enterprise network. This may, for example, include signature based tools, behavioral tools, machine learning models, and so forth. In general, the threat detection tools 314 may use event data provided by endpoints within the enterprise network, as well as any other available context such as network activity, heartbeats, and so forth to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network. In one aspect, the threat detection tools 314 may usefully integrate event data from a number of endpoints (including, e.g., network components such as gateways, routers and firewalls) for improved threat detection in the context of complex or distributed threats. The threat detection tools 314 may also or instead include tools for reporting to a separate modeling and analysis platform 318, e.g., to support further investigation of security issues, creation or refinement of threat detection models or algorithms, review and analysis of security breaches).
As per claim 8. Van discloses The method of claim 7, wherein the network element: maintains a hit counter associated with the installed flow, updates the hit counter based on the traffic associated with the flow and a heartbeat interval, and sends heartbeat messages to the firewall based on the hit counter (0108] Packet retransmit counter (for maximum packet retransmit tracking) [0109] FIN tracking information in case connection termination on the FP is enabled for bulk connection handover optimization [0110] Source and Destination NAT configuration [0111] IPS verdict (cut-thru or drop) [0112] PCIe VF identifier that connects to the IPS instance [0113] Connection traffic stats ).
As per claim 11. Van discloses the method of claim 1, wherein the firewall comprises multiple firewall instances (0043 on a given compute instance 12, 14, 18, a version of a client firewall may be required to be running and installed. If the required version is installed but in a disabled state, the policy violation may prevent access to data or network resources).
As per clam 12. Van discloses a network element, comprising: a processor; a non-transitory computer readable medium, comprising instructions for:
receiving an offload message specifying a flow and an enforcement action, wherein the offload message specifying the flow and the enforcement action was created at a firewall based on an association of the flow with the enforcement action according to a matching policy installed at the firewall wherein the enforcement action was determined at a firewall ( ( 0079 the offload module 512 may be configured as described herein to receive firewall rules from the firewall 504, and to deploy these firewall rules on the network flow 510 in a manner that cooperates with or bypasses the firewall and 0138 The firewall 702 may be hosted on a first processor 704 such as an x86 architecture processer, which may include a kernel space 706 hosting a client 708 that uses a first memory 710 to exchange messages with another processor), the offload message specifying the flow and the enforcement action(0079 the offload module 512 may also or instead be distributed between the host device 50);
determining that the flow should be installed at the network element based on the offload message (0079 the offload module 512 may also or instead be distributed between the host device 502 0080 The host device 502 may also include an intrusion prevention system 506 executing in the user space and generally configured to detect potential threats in the network flow 510, e.g., using any of the malware or intrusion prevention );
storing the flow in association with the enforcement action specified in the offload message (0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more of the network flows 510 independently from the firewall 504 );
determining received traffic is associated with the flow (0080 The host device 502 may also include an intrusion prevention system 506 executing in the user space and generally configured to detect potential threats in the network flow 510, e.g., using any of the malware or intrusion prevention ); and
applying the enforcement action to the received traffic to control the received traffic at the network element without forwarding traffic to the firewall (0081if the network flow 510 is identified as potentially malicious by the intrusion prevention system 506, the offload module 512 may redirect the corresponding connection back to the firewall 504 for further processing ).
As per claim 13. Van discloses The network element of claim 12, wherein the instructions further comprise instructions for updating a hit counter based on the received traffic (0108] Packet retransmit counter (for maximum packet retransmit tracking) [0109] FIN tracking information in case connection termination on the FP is enabled for bulk connection handover optimization [0110] Source and Destination NAT configuration [0111] IPS verdict (cut-thru or drop) ).
As per claim 14. Van discloses The network element of claim 12, wherein the instructions further comprise instructions for sending a heartbeat message to the firewall based on the hit counter, wherein the heartbeat message identifies the flow and is sent in a datapath (0063] The threat detection tools 314 may be any of the threat detection tools, algorithms, techniques or the like described herein, or any other tools or the like useful for detecting threats or potential threats within an enterprise network. This may, for example, include signature based tools, behavioral tools, machine learning models, and so forth. In general, the threat detection tools 314 may use event data provided by endpoints within the enterprise network, as well as any other available context such as network activity, heartbeats, and so forth to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network ).
As per claim 15. Van discloses The network element of claim 14, wherein the instructions further comprise instructions for resetting the hit counter based on a heartbeat interval ( 0108] Packet retransmit counter (for maximum packet retransmit tracking) [0109] FIN tracking information in case connection termination on the FP is enabled for bulk connection handover optimization [0110] Source and Destination NAT configuration [0111] IPS verdict (cut-thru or drop) [0112] PCIe VF identifier that connects to the IPS instance [0113] Connection traffic stats).
As per claim 16. Van discloses The network element of claim 15, wherein a period of the heartbeat interval is based on an age out time for a flow session on the firewall (([0063] The threat detection tools 314 may be any of the threat detection tools, algorithms, techniques or the like described herein, or any other tools or the like useful for detecting threats or potential threats within an enterprise network. This may, for example, include signature based tools, behavioral tools, machine learning models, and so forth. In general, the threat detection tools 314 may use event data provided by endpoints within the enterprise network, as well as any other available context such as network activity, heartbeats, and so forth to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network. In one aspect, the threat detection tools 314 may usefully integrate event data from a number of endpoints (including, e.g., network components such as gateways, routers and firewalls).
As per claim 17. Van discloses A non-transitory computer readable medium, comprising instruction for:
determining that traffic matches a policy installed at a firewall, wherein the flow is associated with an enforcement action based on the matching policy installed at the firewall ( 0078 network flows 510 are described as passing “through” the firewall 504, determining a firewall action for the network flows 510 and 0081 Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection and 0078 the offload module 512 will be responsible for each network flow associated with each connection passing through the network processor 508 ); establishing a flow associated with the traffic at the firewall ( 0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more);
determining that the flow should be offloaded; creating an offload message at the firewall, the offload message specifying the flow and the enforcement action (0079 the offload module 512 may be configured as described herein to receive firewall rules from the firewall 504, and to deploy these firewall rules on the network flow 510 in a manner that cooperates with or bypasses the firewall and 0138 The firewall 702 may be hosted on a first processor 704 such as an x86 architecture processer, which may include a kernel space 706 hosting a client 708 that uses a first memory 710 to exchange messages with another processor), the offload message specifying the flow and the enforcement action(0079 the offload module 512 may also or instead be distributed between the host device 502 );
sending the offload message specifying the determined flow and the enforcement action associated with the flow at the firewall to a network element (0079 the offload module 512 may also or instead be distributed between the host device 502 ), wherein, in response to receiving the offload message the network element:
determines that the flow specified in the offload message should be installed at the network element ( 0080 The host device 502 may also include an intrusion prevention system 506 executing in the user space and generally configured to detect potential threats in the network flow 510, e.g., using any of the malware or intrusion prevention);
installs the flow at the network element in association with the enforcement action specified in the offload message from the firewall ( 0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more of the network flows 510 independently from the firewall 504); and
based on the installation of the flow at the network element, controls received traffic associated with the flow at the network element, where the traffic is controlled according to the enforcement action determined at the firewall without forwarding the traffic to the firewall ( 0081 A firewall rule may be associated with one or more firewall actions. Once a particular firewall action has been identified (e.g., based on a threat environment, network connection, source and destination, and the like) for a connection, the firewall action may be communicated to the offload module 512 for use in managing one or more of the network flows 510 independently from the firewall 504 and 0081 if the network flow 510 is identified as potentially malicious by the intrusion prevention system 506, the offload module 512 may redirect the corresponding connection back to the firewall 504 for further processing).
As per claim 18. Van discloses The non-transitory computer readable medium of claim 17, wherein the enforcement action is determined based on stateful packet inspection at the firewall (0089 a set of abstract cached, i.e. amount of traffic, mappings of traffic to operations (“flow cache”), a mirror copy of networking stack state which the offload module synchronizes with the network stack, mechanisms in the networking stack to select traffic that can reliably be mapped to operations, an interface (API) for programming and querying flow cache and the mirrored networking state in the offload module and to invalidate and/or update that cached state with that of the networking stack, an interface (API) for the offload module to deliver traffic that misses the flow cache to the networking stack ).
As per claim 19. Van discloses The non-transitory computer readable medium of claim 17, wherein sending the offload message comprises publishing the offload message in association with an identifier of the network element ( 0134] If the connection entry indicates that NAT should be performed for a packet, the offload module will modify the contents of the packet to possibly overwrite IP source/destination address, L4 source/destination port depending on whether DNAT and/or SNAT is to be performed. In case the microflow action is to send the packet to IPS, offload applies DNAT to the packet, recomputing L3 and L4 checksums in the headers before it sends the packet to IPS. SNAT on the other hand is applied to the packet before it is sent out on the network (and after it is received from IPS if it had been sent to IPS earlier). If the microflow action is “IPS”); and publishing the offload message to subscribers associated with the IP address in a publisher/subscriber message framework (0138 the firewall 702 may be any of the firewalls described herein, and may have an architecture for offloading certain traffic management functions and/or network flows to a network processing unit or the like associated with the firewall 702).
As per claim 20. Van discloses The non-transitory computer readable medium of claim 17, further comprising instructions for: maintaining a flow session associated with the flow (0134 the IPS module updates the universal session table entry corresponding connection entry in the host system Linux contrack. This then results in an SP2FP API call to the FP that will in turn update the IPS verdict stored in the FP connection entry ); and renewing the flow session when traffic associated with the flow is received at the firewall or when a heartbeat message associated with the flow is received from the network element( ([0063] The threat detection tools 314 may be any of the threat detection tools, algorithms, techniques or the like described herein, or any other tools or the like useful for detecting threats or potential threats within an enterprise network. This may, for example, include signature based tools, behavioral tools, machine learning models, and so forth. In general, the threat detection tools 314 may use event data provided by endpoints within the enterprise network, as well as any other available context such as network activity, heartbeats, and so forth to detect malicious software or potentially unsafe conditions for a network or endpoints connected to the network. In one aspect, the threat detection tools 314 may usefully integrate event data from a number of endpoints (including, e.g., network components such as gateways, routers and firewalls) for improved threat detection in the context of complex or distributed threats. The threat detection tools 314 may also or instead include tools for reporting to a separate modeling and analysis platform 318, e.g., to support further investigation of security issues, creation or refinement of threat detection models or algorithms, review and analysis of security breaches).
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 9 is rejected under 35 U.S.C. 103 as being unpatentable over Van der Merwe US 2022/0374294(hear after Van) in view of Saavedra et al US 2019/0182213.
As per claim 9. Van discloses the method of claim 1, wherein the network element(0079 the offload module 512 may also or instead be distributed between the host device 502 ) is a network edge element. But fails to disclose a network edge element.
However, Saavedra discloses a network edge element (0092 provider edge (PE) routers or their equivalent network elements sit on the edge of an MPLS network).
Van and Saavedra are both considered to be analogous to the claimed invention because they are in the same field of network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Van to incorporate the teachings of Saavedra and adding edge server to reduced latency for the data that travel in the network.
Doing so would provide faster data transfer, thereby prevent the Latency in the network.
Claim(s) 10 is rejected under 35 U.S.C. 103 as being unpatentable over Van der Merwe US 2022/0374294(hear after Van) in view Brillhart et al US 2010/0138530.
As per claim 10. Merwe discloses the method of claim 3, Merwe does not disclose wherein the network edge element is a top of rack (TOR) switch.
Brillhart discloses wherein the network edge element is a top of rack (TOR) switch(0028 server 254f located between operating servers 254e and 254g may be less preferred than a top-of-edge-rack server 254a, or another end rack server 2541).
Van and Brillhart are both considered to be analogous to the claimed invention because they are in the same field of network. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Van to incorporate the teachings of Brillhart and adding edge server to reduced latency for the data that travel in the network.
Doing so would provide faster data transfer, thereby prevent the Latency in the network.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496