DETAILED ACTION
This Office Action is with regard to the most recent papers filed 1/22/2026.
Response to Arguments
On pages 10-17, Applicant argues the priority of the instant application. However, as presented in the Priority section, below, the brief disclosure relevant to the instant claims (top of page 9 to the first paragraph of page 10 of 63/516,448) does not appear to provide the level of detail of the instant claims (which present 14 unique claims spanning six pages). Examples are presented below of how the claims provide details beyond those of the provisional application, though not all are listed, as the independent claims (e.g. claim 1) are no longer supported.
On pages 17-19 of Applicant’s response, Applicant argues the rejection of claim 1 under 35 USC 102. Applicant argues that Guichard does not provide a “tamper-resistant proof of completed security processing” and “does not disclose an ‘attestation’ framework.” With regard to the “tamper-resistant proof,” this would appear to be directed towards the amended portions of claim 1, where the attestations are “cryptographically verifiable” and are verified; such arguments are moot based on the new ground of rejection necessitated by Applicant’s amendment. It also appears that Applicant is arguing that “attestation” has some specific meaning that is not appreciated in the rejection. However, attestation is taken to be some statement of something. In this case, the attestation is a statement that the processing was done. If Applicant intends for an “attestation framework” to be present with specific details, the instant claims should be amended to reflect the full scope of what Applicant intends “attestation” to be.
Accordingly, the claims stand rejected for the reasons provided below.
Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 119(e) as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA 35 U.S.C. 112, except for the best mode requirement. See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994).
The disclosure of the prior-filed application, Application No. 63/516,448, fails to provide adequate support or enablement in the manner provided by 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph for one or more claims of this application.
In response to the Office Action mailed 10/22/2025, Applicant provides a listing of claims with corresponding mappings to the provisional application. However, the provisional application would need to disclose the subject matter in as much detail as provided in the instant claims, where it does not appear that the brief disclosure of 63/516,448 relating to the instant claims provides such details.
For instance, with regard to claim 1, “signed” does not necessarily mean “cryptographic secure information,” or that the signing is necessarily verified as part of determining the security operations. Further, the metadata is in the flow, itself, where “out-of-band” would appear to be separate from the data flow. Claim 2 specifically parses the metadata from the flow, which would not be “out-of-band,” as in the provisional. Claim 3 provides item (iii), where the provisional does not appear to provide for security criteria.
For each claim, the level of detail within the instant claim would need to be supported in the provisional application, where such level of detail does not appear to be provided. Based on the amendments and the above, the effective filing date is taken to be 7/22/2024.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 6-18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 2014/0362857 (Guichard) in view of US 2019/0199533 (Boutnaru).
With regard to claim 1, Guichard discloses a method of processing data flows through policy-enforcement points of a network fabric, the method comprising:
receiving, at a first policy-enforcement point, a data flow comprising data packets and metadata, wherein the metadata comprises one or more attestations of the one or more security operations, the one or more attestations being generated by one or more upstream policy-enforcement points (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Service chains can be realized to perform a range of functions, including security functions (security functions, when applied, would be enforcing some security policy, making the nodes performing such functions policy-enforcement points in as much detail as required by the instant claim). Guichard proposes the use of metadata to provide information for forwarding the packet through the service chain, which includes information to determine a service action to perform, how to forward the packet through the network to ensure performance of the service chain, etc., where such information is updated as the packet progresses through the service chain providing information on functions of the service chain that have been performed and still need to be performed.);
determining, based on the metadata, which security operations have been performed on which of the data packets of the data flow to generate a determination result (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Actions can be determined based on progress through the service chain indicated by the metadata.); and
applying, based on the determination result, one or more security actions to the data flow (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Actions in the service chain are performed.).
Guichard fails to disclose, but Boutnaru teaches that the attestations are cryptographically verifiable, and that the determining includes verifying the one or more cryptographically verifiable attestations (Boutnaru: Paragraph [0041]. Portions of the header that are not expected to change (e.g. security operations that were already performed of Guichard) can be hashed and signed, and thus would be “cryptographically verifiable.”).
Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to have the fields of Guichard be cryptographically verifiable to prevent malicious actors from modifying the data, which, in the case of Guichard, would prevent the malicious actor from bypassing functions from being performed, thus ensuring the integrity of the system.
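To make the combination being relied on concrete, the following is an added illustration, not code from the instant application, Guichard, or Boutnaru: each upstream policy-enforcement point records which security operation it performed on which packet as in-band metadata, covers the fields that must not change with an HMAC (standing in for Boutnaru's hashed-and-signed stable header portions), and a downstream point verifies the attestations before deciding which operations remain to be performed. The key table, field names, operation names, and packet identifiers are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed keys for this illustration; a real deployment would provision
# per-enforcement-point keys (or asymmetric signing keys) out of band.
KEYS = {"pep-a": b"constructed-key-a", "pep-b": b"constructed-key-b"}

ATTESTED_FIELDS = ("pep", "packet", "op")


def _canonical(body):
    # Stable serialization so signer and verifier MAC the identical bytes.
    return json.dumps({k: body[k] for k in ATTESTED_FIELDS}, sort_keys=True).encode()


def attest(pep_id, packet_id, operation, key):
    """An upstream PEP records that it performed `operation` on `packet_id`.

    The fields that must not change downstream are covered by an HMAC, the
    "hash and sign the stable header portions" idea the rejection relies on.
    """
    body = {"pep": pep_id, "packet": packet_id, "op": operation}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify(attestation, keys):
    """True only if the MAC matches the attested fields under the claimed PEP's key."""
    key = keys.get(attestation.get("pep"))
    if key is None or any(f not in attestation for f in ATTESTED_FIELDS):
        return False
    expected = hmac.new(key, _canonical(attestation), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, attestation.get("mac", ""))


def decide(flow, required_ops, keys):
    """Downstream PEP logic: per packet, which required operations are verifiably
    done (and so are skipped as redundant) and which must still be performed here."""
    decision = {}
    for pkt in flow["packets"]:
        done = {a["op"] for a in flow["metadata"]
                if a.get("packet") == pkt and verify(a, keys)}
        decision[pkt] = {
            "verified": sorted(done),
            "perform_here": [op for op in required_ops if op not in done],
        }
    return decision


def build_sample_flow():
    """Constructed flow: three packets with in-band attestation metadata."""
    metadata = [
        attest("pep-a", "p1", "dpi", KEYS["pep-a"]),
        attest("pep-b", "p1", "ips", KEYS["pep-b"]),
        attest("pep-a", "p2", "dpi", KEYS["pep-a"]),
    ]
    # Tampered copy: the DPI attestation for p2 is rewritten to claim IPS ran.
    # The MAC no longer matches, so the downstream PEP will not honour it.
    metadata.append(dict(metadata[2], op="ips"))
    return {"packets": ["p1", "p2", "p3"], "metadata": metadata}


if __name__ == "__main__":
    for pkt, d in decide(build_sample_flow(), ["dpi", "ips"], KEYS).items():
        print(pkt, d)
```

Only attestations whose MAC verifies under the claimed enforcement point's key count as completed work; the forged entry for p2 is ignored, so IPS is scheduled to run again at the downstream point.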
With regard to claim 2, Guichard teaches parsing the metadata from the data flow; and determining which attestations in the metadata are associated (i) with which of the data packets and (ii) with which predefined security operations (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Specific operations would need to be performed on each packet, with the operations being defined in the security chain, where the metadata provides information on the operations that were performed.).
With regard to claim 3, Guichard teaches the one or more security actions include: (i) allowing the first subset of data packets through the first policy-enforcement point based on whether the one or more security operations satisfy one or more security criteria, (ii) performing one or more additional security operations on the first subset of data packets when the one or more security operations performed do not satisfy the one or more security criteria, and/or (iii) determining the one or more security criteria upon which the one or more security actions for the first subset of data packets depends, the one or more security criteria being based on a source and/or a destination of the first subset of data packets (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Additional actions from the chain can be performed based on context data, which would indicate that the actions from the service chain were not yet performed. As a note, the instant claim provides the functionalities in the alternative, where only one is needed to teach the instant claim, as a whole, where Guichard at least discloses (ii).).
With regard to claim 4, Guichard teaches that the one or more security actions include: determining that one or more additional security operations are required for the first subset of data packets to be allowed into a workload; and performing, at the first policy-enforcement point, the one or more additional security operations on some of the first subset of data packets and dropping a remainder of the first subset of data packets, depending on available processing resources at the first policy-enforcement point (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Additional actions from the chain can be performed based on context data, which would indicate that the actions from the service chain were not yet performed. Further, in Guichard, it appears that the remainder would have zero packets, as the assumption is that there are enough processing resources to process all of the packets, thus providing that there does not need to be any dropped packets. For clarity, Applicant should clearly require that based on the available processing resources at the first policy-enforcement point, one or more remaining packets of the first subset of data packets are dropped (thus requiring that the number of remainder packets is a non-zero number).).
With regard to claim 6, Guichard teaches performing, at the first policy-enforcement point, an other security operation on the data flow; determining, based on the metadata, that the other security operation is not necessary for the first subset of data packets, wherein: the one or more security actions includes omitting the first subset of data packets from the data packets on which the first policy-enforcement point performs the other security operation (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Lacking detail of what the other security operation is versus the security action, where claim 3 provides that the security operation may simply be allowing the traffic (e.g. forwarding), Guichard provides that members of the service chain can simply forward the packet when their function is not required for the specific chain (thus performing a “security action”), while they would have some other operations that could have been performed if needed.).
With regard to claim 7, Guichard teaches determining that the other security operation is not necessary for the first subset of data packets is based, at least partly, on determining that the other security operation is redundant of the one or more security operations (Guichard: Abstract and Paragraphs [0013], [0047] to [0048] and [0002]. Based on the disclosure of Guichard, if an operation in a service chain was performed, it would not be performed again, even when passing through a node that performs the same operation.).
With regard to claim 8, Guichard fails to teach, but knowledge possessed by one of ordinary skill in the art at the time of filing teaches wherein determining that the other security operation is not necessary for the first subset of data packets is based, at least partly, on determining that: the other security operation is not necessary based on an identity of a user that originated the first subset of data packets, the identity of the user being securely attested to in the metadata, the other security operation is not necessary based on an identity of an application that originated the first subset of data packets, the identity of the application being securely attested to in the metadata, the other security operation is not necessary based on a protocol, a source address, a source port, a destination address, and/or a destination port of the first subset of data packets, and/or the other security operation is not necessary based on a trust zone to which the first policy-enforcement point allows entrance of the data flow (More specifically, Official Notice is taken that the use of information on traffic, such as the protocol, source address/port, and/or destination address/port to determine if different security operations are needed was well-known to one of ordinary skill in the art. As a note, the instant claim would allow such to be determined when determining the function chain to be performed on the packet, as opposed to having the node, itself, collect the information and make the determination.). Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to utilize some of the traffic information to determine security operations required, such that the network can behave in the way that the users and/or admins intend. For instance, whitelisting would utilize source or destination information to bypass certain security operations, while rules to define which protocols a filter should apply to were known in the art.
With regard to claim 9, Guichard fails to disclose expressly, but knowledge possessed by one of ordinary skill in the art teaches determining security vulnerabilities of a workload; determining security criteria for the workload based on the security vulnerabilities, wherein: the one or more security actions include determining whether a data packet of the data flow is allowed into the workload based on the metadata indicating that the one or more security operations performed on the data packet satisfy the security criteria (More specifically, Official Notice is taken that when determining security policies, taking into account the security vulnerabilities and requirements of the destination was well-known to one of ordinary skill in the art.). Accordingly, it would have been obvious to one of ordinary skill in the art to determine the security vulnerabilities of the workload (endpoint) and use this to only allow packets that have completed any required functions of the security chain to progress to the endpoint to ensure that the security function chain is appropriate for the endpoint, and to ensure that packets only reach the destination after completing the chain, thus ensuring that the appropriate level of security is applied to all traffic.
With regard to claim 10, Guichard teaches wherein the first policy-enforcement point is a firewall, an extended Berkley packet filter (eBPF), a data processing unit (DPU), or a program called in response to an operating system hook (Guichard: Abstract. Devices perform the functions, where the broad scope of DPU would include such devices.).
With regard to claim 11, Guichard teaches that the first policy-enforcement point is: (a) a policy-enforcement point at a boundary of a trust zone, (b) a final policy-enforcement point before a workload, (c) a policy-enforcement point at a tunnel endpoint of an encapsulation protocol or a virtual network; or (d) a policy-enforcement point at a boundary of a network (Guichard: Paragraph [0031]. The term “workload” would appear to refer to the destination of the packet, where the end of the service chain would be the last one before the destination, with the destination performing some work (whether related to the remainder of the claim or not). If Applicant intends workload to have some specific meaning or relationship to other elements, the instant claim should be amended to reflect such.).
With regard to claim 12, Guichard teaches that the metadata is added to the data flow by one or more other policy-enforcement points along a path of the data flow, and the one or more other policy-enforcement points include a firewall, an extended Berkley packet filter (eBPF), or a data processing unit (DPU) (Guichard: Abstract. Devices perform the functions, where the broad scope of DPU would include such devices.).
With regard to claim 13, Guichard teaches the one or more security operations include a web application firewall (WAF) function, a layer three (L3) firewall function, a layer seven (L7) firewall function, deep packet inspection, anomaly detection, cyber-attack signature detection, packet filtering, or an intrusion prevention system function (Guichard: Paragraph [0014]. The functions can include at least a deep packet inspection.).
With regard to claim 14, Guichard teaches that the metadata is encoded in one or more transport layer security (TLS) extension fields, in one or more headers of Internet protocol (IP) packet, in one or more optional Internet protocol version 6 (IPv6) extension headers, or one or more headers of an encapsulation protocol (Guichard: Paragraph [0013] and Abstract. The information can be included in a header and encapsulated, where lacking detail of what constitutes an “encapsulation protocol,” a protocol that allows for such encapsulation would be within the scope of such a protocol.).
With regard to claims 15-18 and 20, the instant claims are similar to claims 1-4 and 6, and are rejected for similar reasons.
Claim Rejections - 35 USC § 103
Claim(s) 5 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Guichard in view of Boutnaru, and further in view of US 2021/0281514 (Guo).
With regard to claim 5, Guichard fails to teach, but Guo teaches the one or more security actions include: determining, for future data packets of the data flow, a load balancing that includes a division of the one or more additional security operations between the first policy-enforcement point and upstream nodes of the network fabric that are upstream the data flow from the first policy-enforcement point; and signaling, to the upstream nodes, the division of the one or more additional security operations (Guo: Paragraph [0082]. Data can be received from nodes later in a path, where such data is used to make load balancing decisions. When combined with Guichard, such telemetry data would serve to divide any functions performed by the point with another point (as traffic would be balanced between the two for the function).). Accordingly, it would have been obvious to one of ordinary skill in the art at the time of filing to provide upstream signals to divide the function with additional nodes to ensure the efficient execution of such functions based on current telemetry data by routing future traffic to different nodes based on the load that each of the nodes can handle (thus not overburdening a single path).
With regard to claim 19, the instant claim is similar to claim 5, and is rejected for similar reasons.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SCOTT B CHRISTENSEN whose telephone number is (571)270-1144. The examiner can normally be reached Monday through Friday, 6AM to 2PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, John Follansbee can be reached at (571) 272-3964. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
SCOTT B. CHRISTENSEN
Examiner
Art Unit 2444
/SCOTT B CHRISTENSEN/Primary Examiner, Art Unit 2444