Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This is in response to the amendments filed 02/12/2026. Claims 1, 11 and 20 have been amended. Claims 1-20 are pending and have been considered below.
Priority
Application 18/823,339, filed 09/03/2024, claims priority from provisional application 63/639,236, filed 04/26/2024.
Drawings
The drawings filed on 09/03/2024 are accepted.
Specification
The amendments to the specification filed on 02/12/2026 are accepted.
Information Disclosure Statement
The information disclosure statement (IDS) submitted 02/12/2026 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Response to Arguments
Applicant’s arguments with respect to “Specification Objections” (remarks, page 7) have been fully considered and are persuasive. The objection has been withdrawn in light of the amendments to the specification.
Applicant’s arguments with respect to “Double Patenting” (remarks, page 7) have been fully considered and are persuasive. The rejection has been withdrawn in light of the amendments to the claims.
Applicant’s arguments with respect to the “§ 103 rejection” (remarks, pages 7-9), directed to the newly amended independent claims, have been fully considered but are moot in view of the new ground of rejection.
Applicant’s arguments with respect to “Priority” (remarks, page 10) have been fully considered and are persuasive. The objection has been withdrawn.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 5, 9-11, 15, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chan et al. U.S. 2017/0359447 A1 in view of Zaghloul et al. U.S. 2017/0181037 A1 in further view of Zhang et al. WO 2023/207547 A1 (U.S. 2025/0055832 A1 used for translation).
Claim 1: Chan et al. teaches a method to perform packet processing associated with one or more policies (par.14, a system for creating Internet Protocol address based network policy (IPP) by using domain name based network policies (DNNTPs) is disclosed), the method comprising:
receiving a packet at a network device that includes a traffic aware policy engine (TAPE) (network policy engine) (par. 48, network policy engine 506 is used to enforce network policy, including IPP. Network policy engine 506 is a standalone network device, is capable of enforcing network policy and routing traffic from its LAN to its WAN and vice versa, and communicates with IPPND 501 through datagram, packet, bus, OSI layer 2, OSI layer 3, Ethernet, IP, and/or any other communications protocols.);
accessing the policy that specifies at least one of how traffic flows through the network or how traffic is processed within the network (par. 56, 48, network enforcement or policy engine 506 then enforces one or more IPPs provided by IPP storage 505 against network traffic).
Chan et al. fails to teach the following; however, Zaghloul et al., in the same field of endeavor, teaches
determining, based at least in part on the policy, processing to perform on the packet at the network device using the TAPE (par.7, 16, determining at least one policy to apply to the traffic flow based on the traffic monitoring conditions, packet properties and the application identifier); and
performing the processing on the packet at the network device using the TAPE (par. 49, 52, the processor 165 is configured to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, for example steering traffic, shaping traffic, marking or blocking traffic, counting traffic, or simply passing traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zaghloul et al. in order to provide the ability to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, as suggested by Zaghloul et al., abstract.
The combination fails to teach the following; however, Zhang et al., in the same field of endeavor, teaches
a traffic aware policy engine that enforces a policy that spans different network layers that include at least a second data link layer and a seventh application layer, wherein a network includes other traffic aware policy engines deployed on other network devices; wherein the policy integrates the different network layers that include the at least the second data link layer and the seventh application layer (par. 100, 119-120, the application layer traffic filtering process is a seven-layer traffic filtering process. The seven-layer traffic filtering process refers to the seventh layer, the application layer, of the Open System Interconnection Reference Model (OSI), in which business rules at the application layer are used to identify and filter traffic data. Par. 28-29 further teaches that forwarding the traffic data to an application layer detector by a network bridge connected to the host includes: [0029] receiving the traffic data transmitted by the second network interface of the host at the fourth network interface of the network bridge connected to the host, and invoking a packet forwarding function of the network bridge so as to forward the traffic data to the application layer detector).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zhang et al. in order to provide the ability to prevent a mistake or abnormality in a network protection strategy, as suggested by Zhang et al., par. 51.
Claim 11: Chan et al. teaches a system (par. 14, a system for creating Internet Protocol address based network policy (IPP) by using domain name based network policies (DNNTPs) is disclosed), comprising:
a network that includes network devices (Fig.1, par.45);
wherein the policy specifies at least one of how traffic flows through the network, or how traffic is processed within the network (par. 56, 48, network enforcement or policy engine 506 then enforces one or more IPPs provided by IPP storage 505 against network traffic),
one or more processors (par. 48, 107); and
a non-transitory computer-readable medium storing a set of instructions, the set of instructions when executed by the one or more processors causing processing to be performed (par. 107, embodiments of the disclosure can be represented as a computer program product stored in a machine-readable medium (also referred to as a computer-readable medium, a processor-readable medium, or a computer usable medium having a computer-readable program code embodied therein)) comprising:
receiving a packet at a network device that includes the TAPE (network policy engine) (par. 48, network policy engine 506 is used to enforce network policy, including IPP. Network policy engine 506 is a standalone network device, is capable of enforcing network policy and routing traffic from its LAN to its WAN and vice versa, and communicates with IPPND 501 through datagram, packet, bus, OSI layer 2, OSI layer 3, Ethernet, IP, and/or any other communications protocols.);
Chan et al. fails to teach the following; however, Zaghloul et al., in the same field of endeavor, teaches
determining, based at least in part on the policy, processing to perform on the packet at the network device (par. 7, 16, determining at least one policy to apply to the traffic flow based on the traffic monitoring conditions, packet properties and the application identifier); and
performing the processing on the packet at the network device using the TAPE (par. 49, 52, the processor 165 is configured to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, for example steering traffic, shaping traffic, marking or blocking traffic, counting traffic, or simply passing traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zaghloul et al. in order to provide the ability to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, as suggested by Zaghloul et al., abstract.
The combination fails to teach the following; however, Zhang et al., in the same field of endeavor, teaches
wherein at least a portion of the network devices include a traffic aware policy engine (TAPE) that enforces a policy that spans different network layers that include at least a second data link layer and a seventh application layer, wherein the policy specifies at least one of how traffic flows through the network, or how traffic is processed within the network, wherein the policy integrates the different network layers that include the at least the second data link layer and the seventh application layer (par. 100, 119-120, the application layer traffic filtering process is a seven-layer traffic filtering process. The seven-layer traffic filtering process refers to the seventh layer, the application layer, of the Open System Interconnection Reference Model (OSI), in which business rules at the application layer are used to identify and filter traffic data. Par. 28-29 further teaches that forwarding the traffic data to an application layer detector by a network bridge connected to the host includes: [0029] receiving the traffic data transmitted by the second network interface of the host at the fourth network interface of the network bridge connected to the host, and invoking a packet forwarding function of the network bridge so as to forward the traffic data to the application layer detector).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zhang et al. in order to provide the ability to prevent a mistake or abnormality in a network protection strategy, as suggested by Zhang et al., par. 51.
Claim 20: Chan et al. teaches a non-transitory computer-readable medium comprising instructions that when executed cause one or more processors to perform operations including (par. 107, the instructions stored on the machine-readable medium can be executed by a processor or other suitable processing device, and can interface with circuitry to perform the described tasks):
accessing a policy that specifies at least one of how traffic flows through a network, or how traffic is processed within the network (par. 56, 48, network enforcement or policy engine 506 then enforces one or more IPPs provided by IPP storage 505 against network traffic);
receiving a packet at a network device that includes a traffic aware policy engine (TAPE) (network policy engine) (par. 48, network policy engine 506 is used to enforce network policy, including IPP. Network policy engine 506 is a standalone network device, is capable of enforcing network policy and routing traffic from its LAN to its WAN and vice versa, and communicates with IPPND 501 through datagram, packet, bus, OSI layer 2, OSI layer 3, Ethernet, IP, and/or any other communications protocols.);
Chan et al. fails to teach the following; however, Zaghloul et al., in the same field of endeavor, teaches
determining, based at least in part on the policy, processing to perform on the packet at the network device (par. 7, 16, determining at least one policy to apply to the traffic flow based on the traffic monitoring conditions, packet properties and the application identifier); and
performing the processing on the packet at the network device using a traffic aware policy engine (TAPE) associated with the network device (par. 49, 52, the processor 165 is configured to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, for example steering traffic, shaping traffic, marking or blocking traffic, counting traffic, or simply passing traffic).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zaghloul et al. in order to provide the ability to inspect all data plane traffic in real time and apply policy or enforcement to the traffic, as suggested by Zaghloul et al., abstract.
The combination fails to teach the following; however, Zhang et al., in the same field of endeavor, teaches
a traffic aware policy engine that enforces a policy that spans different network layers that include at least a second data link layer and the seventh application layer, wherein the policy integrates the different network layers that include the at least the second data link layer and the seventh application layer (par. 100, 119-120, the application layer traffic filtering process is a seven-layer traffic filtering process. The seven-layer traffic filtering process refers to the seventh layer, the application layer, of the Open System Interconnection Reference Model (OSI), in which business rules at the application layer are used to identify and filter traffic data. Par. 28-29 further teaches that forwarding the traffic data to an application layer detector by a network bridge connected to the host includes: [0029] receiving the traffic data transmitted by the second network interface of the host at the fourth network interface of the network bridge connected to the host, and invoking a packet forwarding function of the network bridge so as to forward the traffic data to the application layer detector).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Zhang et al. in order to provide the ability to prevent a mistake or abnormality in a network protection strategy, as suggested by Zhang et al., par. 51.
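The elements mapped for independent claims 1, 11 and 20 above (receive a packet at a device hosting a TAPE, access a policy, determine the processing from the policy, and perform that processing, with the policy spanning at least the second data link layer and the seventh application layer) are shown concretely in the following added example. It is illustrative code written for this record; it is not code from the present application or from Chan, Zaghloul or Zhang, and every frame, MAC address, host name and rule in it is constructed for the illustration. The policy matches on Ethernet source addresses (layer 2) and on HTTP host and path (layer 7) in a single rule set, and the actions (pass, block, mark, steer) are the kinds of processing Zaghloul is cited for above.

```python
"""Added example: a minimal traffic aware policy engine (TAPE) whose one policy
mixes OSI layer-2 (Ethernet) and layer-7 (HTTP) match criteria.
All traffic, addresses and rules are constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    http_method: Optional[str] = None
    http_path: Optional[str] = None
    http_host: Optional[str] = None


def parse_frame(raw: bytes) -> Packet:
    """Decode Ethernet II, IPv4, TCP and an HTTP/1.x request line as far as they are present."""
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    pkt = Packet(src_mac=src.hex(":"), dst_mac=dst.hex(":"), ethertype=etype)
    if etype != 0x0800 or len(raw) < 34:          # only IPv4 is decoded here
        return pkt
    ihl = (raw[14] & 0x0F) * 4
    pkt.proto = raw[23]
    pkt.src_ip = ".".join(str(b) for b in raw[26:30])
    pkt.dst_ip = ".".join(str(b) for b in raw[30:34])
    tcp = 14 + ihl
    if pkt.proto != 6 or len(raw) < tcp + 20:      # TCP only
        return pkt
    pkt.src_port, pkt.dst_port = struct.unpack("!HH", raw[tcp:tcp + 4])
    payload = raw[tcp + (raw[tcp + 12] >> 4) * 4:]
    # Layer 7: pick up method, path and Host header when the payload is an HTTP request.
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        pkt.http_method, pkt.http_path = parts[0], parts[1]
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                pkt.http_host = value.strip().lower()
    return pkt


@dataclass
class Rule:
    name: str
    action: str                                   # pass | block | mark | steer
    match: dict = field(default_factory=dict)     # Packet field -> required value
    params: dict = field(default_factory=dict)    # action parameters, e.g. {"dscp": 46}

    def matches(self, pkt: Packet) -> bool:
        """Every listed field must be present and equal (http_path is a prefix match)."""
        for key, want in self.match.items():
            have = getattr(pkt, key)
            if have is None:
                return False
            if key == "http_path":
                if not have.startswith(want):
                    return False
            elif have != want:
                return False
        return True


@dataclass
class Decision:
    action: str
    rule: Optional[str]
    params: dict = field(default_factory=dict)


class TrafficAwarePolicyEngine:
    """First-match evaluation of one policy over L2..L7 fields, with per-rule hit counters."""

    def __init__(self, policy: list, default_action: str = "pass"):
        self.policy = policy
        self.default_action = default_action
        self.counters = {r.name: 0 for r in policy}

    def process(self, raw: bytes) -> Decision:
        pkt = parse_frame(raw)                    # receive the packet
        for rule in self.policy:                  # access the policy, determine processing
            if rule.matches(pkt):
                self.counters[rule.name] += 1
                return Decision(rule.action, rule.name, dict(rule.params))
        return Decision(self.default_action, None)


# Constructed policy (hypothetical addresses and host names).
POLICY = [
    Rule("block-admin-from-guest", "block",       # L2 + L7 in one rule
         match={"src_mac": "02:00:00:00:00:aa", "http_path": "/admin"}),
    Rule("mark-api", "mark",                      # L7 only
         match={"http_host": "api.example.internal"}, params={"dscp": 46}),
    Rule("steer-iot", "steer",                    # L2 only
         match={"src_mac": "02:00:00:00:00:10"}, params={"next_hop": "10.0.9.1"}),
]


def build_http_frame(src_mac, dst_mac, src_ip, dst_ip, dst_port, payload: bytes) -> bytes:
    """Constructed test traffic: Ethernet II + IPv4 + TCP (checksums zeroed) + payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ipv4 + tcp


def demo() -> list:
    """Run four constructed frames through the engine and return the decisions."""
    engine = TrafficAwarePolicyEngine(POLICY)
    gw = "02:00:00:00:00:01"
    frames = [
        build_http_frame("02:00:00:00:00:aa", gw, "10.0.1.50", "10.0.2.10", 80,
                         b"GET /admin/users HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"),
        build_http_frame("02:00:00:00:00:bb", gw, "10.0.1.51", "10.0.2.10", 80,
                         b"POST /v1/orders HTTP/1.1\r\nHost: api.example.internal\r\n\r\n"),
        build_http_frame("02:00:00:00:00:10", gw, "10.0.3.7", "10.0.2.10", 80,
                         b"GET / HTTP/1.1\r\nHost: cdn.example.internal\r\n\r\n"),
        build_http_frame("02:00:00:00:00:cc", gw, "10.0.1.52", "10.0.2.10", 443,
                         b"\x16\x03\x01\x00\x05hello"),   # not HTTP: no L7 fields are decoded
    ]
    return [engine.process(f) for f in frames]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The first frame is blocked only because both the layer-2 source address and the layer-7 path match the same rule; the second is marked on its Host header alone; the third is steered on its source MAC alone; the fourth carries no decodable HTTP request, so its layer-7 fields stay unset and it falls through to the default action. A real engine would also decode non-IPv4 ethertypes, VLAN tags and additional transport protocols.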
Claims 5 and 15: the combination teaches
wherein performing the processing includes storing the packet within a data store (Chan et al., Fig. 4, item 503, par. 51-503).
Claims 9 and 17: the combination teaches
wherein performing processing on the packet includes analyzing the packet to determine that the packet adheres to a specified protocol (Miriyala et al., col. 6, lines 1-20, col. 18, lines 1-12).
The same motivation to modify Chan et al. in view of Miriyala et al. applied to claims 1 and 11 above applies here.
Claims 10 and 18: the combination teaches
wherein performing the processing on the packet includes one or more of causing IDS/IPS services to be performed, executing one or more plugins provided by a customer of the network, or performing one or more identity rules (Miriyala et al., col. 11, line 50 to col. 12, line 7, col. 14, lines 37-55).
The same motivation to modify Chan et al. in view of Miriyala et al. applied to claims 1 and 11 above applies here.
Claims 2-4, 8, 12-14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chan et al. U.S. 2017/0359447 A1 in view of Zaghloul et al. U.S. 2017/0181037 A1 in further view of Zhang et al. WO 2023/207547 A1 (U.S. 2025/0055832 A1 used for translation) and Potlapally et al. U.S. 2022/0200972 A1.
Claims 2 and 12: the combination fails to teach the following; however, Potlapally et al., in the same field of endeavor, teaches further comprising
deploying TAPEs to network devices within the network, wherein the network devices include network virtualization devices (NVDs) that include smartNICs, and virtual interfaces that include gateways (par. 31, 35).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Potlapally et al. in order to provide a virtualization engine which is configured to instantiate only one virtual machine at a time. This allows dedicated encryption resources per virtual machine, which can increase security, as suggested by Potlapally et al., par. 39.
Claims 3 and 13: the combination teaches
wherein the network device performs the processing across any of a first physical layer, the second data link layer, a third network layer, a fourth transport layer, a fifth session layer, a sixth presentation layer, or the seventh application layer (Zhang et al., par. 120-121).
The same motivation to modify Chan et al. in view of Zhang et al. applied to claims 1 and 11 above applies here.
Claims 4 and 14: the combination teaches
wherein the network device performs a first portion of rules associated with the policy and one or more other network devices perform a second portion of the rules (Zhang et al., par. 86, 100, 120-121).
The same motivation to modify Chan et al. in view of Zhang et al. applied to claims 1 and 11 above applies here.
Claim 8: the combination fails to teach the following; however, Potlapally et al., in the same field of endeavor, teaches
wherein performing processing on the packet includes analyzing the packet to determine that the packet adheres to a specified schema (Potlapally et al., par. 210-212).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Potlapally et al. in order to provide a virtualization engine which is configured to instantiate only one virtual machine at a time. This allows dedicated encryption resources per virtual machine, which can increase security, as suggested by Potlapally et al., par. 39.
Claim 19: the combination fails to teach the following; however, Potlapally et al., in the same field of endeavor, teaches
wherein the TAPE sits in front of a control plane and a data plane associated with one or more network services (par. 33, 44, 99-110).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Potlapally et al. in order to provide a virtualization engine which is configured to instantiate only one virtual machine at a time. This allows dedicated encryption resources per virtual machine, which can increase security, as suggested by Potlapally et al., par. 39.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chan et al. U.S. 2017/0359447 A1 in view of Zaghloul et al. U.S. 2017/0181037 A1 in further view of Zhang et al. WO 2023/207547 A1 (U.S. 2025/0055832 A1 used for translation) and Krell et al. U.S. 2011/0289551 A1.
Claims 6 and 16: the combination fails to teach the following; however, Krell et al., in the same field of endeavor, teaches
wherein the policy specifies one or more identities that are authorized to access one or more resources (par. 43, 48-53).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Krell et al. in order to provide techniques for dynamically applying a control policy to a network, as suggested by Krell et al., abstract.
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Chan et al. U.S. 2017/0359447 A1 in view of Zaghloul et al. U.S. 2017/0181037 A1 in further view of Zhang et al. WO 2023/207547 A1 (U.S. 2025/0055832 A1 used for translation) and Nakai et al. U.S. 2007/0116285 A1.
Claim 7: the combination fails to teach the following; however, Nakai et al., in the same field of endeavor, teaches
further comprising unencrypting the packet before performing the processing, and encrypting the packet prior to transmitting the packet (par. 52-55).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the disclosure of Chan et al. with the additional features of Nakai et al. in order to provide a communication method for encrypting and decrypting packets, such as Internet Protocol (IP) packets, to ensure confidentiality and efficiency of communication, as suggested by Nakai et al., par. 1.
The following prior art is cited to further show the state of the art at the time of applicant’s invention.
Castel et al. U.S. 2019/0068650 A1 teaches a security configuration management system that accesses, from two or more data sources, network data gathered from a network.
Chandrasekaran et al. U.S. 2022/0052936 A1 teaches a network appliance having a control plane and a data plane that can process substantially every input packet at wire speed in a programmable packet processing pipeline of the data plane.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE, whose telephone number is (571) 270-1685. The examiner can normally be reached from 6:30 to 3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY, can be reached at (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
Friday, March 27, 2026
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436