Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This is a reply to the application filed on 10/24/2024 with preliminary amendment filed on 03/10/2025, in which claims 21-40 are presented for examination, with claims 21, 31, and 36 being independent. Claims 1-20 are canceled.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 03/10/2025, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.
Drawings
The drawings filed on 10/24/2024 are accepted by the Examiner.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 21-40 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
Claims 1-21 of Patent 12,132,709.
Although the conflicting claims are not identical, they are not patentably distinct from each other because claims 21-40 are anticipated by claims 1-21 of Patent 12,132,709.
Patent No. 12,132,709 (17/532,128), reference claim:
Claim 1. A method comprising:
providing a first path for network traffic through a firewall on a host device;
providing a second path for the network traffic that bypasses the firewall through an offload module, the offload module configured to receive a valid state for the network traffic from the firewall, to bypass the firewall for a network flow having the valid state, and to return the network flow to the firewall when the network flow does not match the valid state;
directing the network flow including one or more packets along the first path to the firewall;
applying one or more firewall rules to the network flow with the firewall;
in response to determining with the firewall that the network flow is permitted by the one or more firewall rules, communicating to the offload module (a) the valid state for the network flow including one or more properties of headers for packets in the network flow, and (b) an instruction for the offload module to handle the packets for the network flow along the second path subject to the valid state; and
in response to determining with the offload module that the network flow handled by the offload module on the second path does not match the valid state, invalidating a state stored by the offload module as corresponding to the network flow and returning the network flow to the first path through the firewall.
Instant Application No. 18/925,829, examined claims:
Claim 21. A method comprising:
providing a first path for network traffic through a firewall on a host device;
providing a second path for the network traffic that bypasses the firewall through an offload module, the offload module configured to receive a valid state for the network traffic from the firewall, and to bypass the firewall for a network flow having the valid state;
receiving the network flow including one or more packets along the first path to the firewall;
applying one or more firewall rules to the network flow with the firewall; and
in response to determining with the firewall that the network flow is permitted by the one or more firewall rules, communicating to the offload module (a) the valid state for the network flow including one or more properties of headers for packets in the network flow, and (b) an instruction for the offload module to handle the packets for the network flow along the second path subject to the valid state.
Claim 31. A method comprising:
providing a first path for network traffic through a firewall on a host device;
providing a second path for the network traffic through an offload module, the offload module configured bypass the firewall for a network flow having a valid state for handling by the offload module; and
receiving the network flow on the second path at the offload module; and
in response to determining that the network flow does not match the valid state, transferring the network flow from the second path through the offload module to the first path through the firewall on the host device for processing according to a group of firewall rules.
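The two-path behavior recited in claim 1 of the reference patent and in claims 21 and 31 above (first packet through the firewall, valid state handed to the offload module, fast path for matching packets, state invalidated and flow returned to the firewall on a mismatch), modelled as a small Python simulation. This is an added example written for this page, not code from the patent or the applicant; the rule format, the use of TCP flags as the header property checked against the valid state, and the choice never to offload teardown packets are assumptions.

```python
"""Toy model of a firewall with a state-driven offload (fast) path.

Constructed example; names, rule format and the TCP-flag check are
assumptions, not the patent's or the applicant's code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Path(Enum):
    FIREWALL = "first path: firewall"
    OFFLOAD = "second path: offload module"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                                # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: FrozenSet[str] = frozenset()       # TCP flags; empty for UDP


# Header properties that identify a flow (the properties the firewall
# communicates to the offload module as part of the valid state).
FlowKey = Tuple[str, str, str, int, int]


def flow_key(p: Packet) -> FlowKey:
    return (p.src_ip, p.dst_ip, p.proto, p.src_port, p.dst_port)


@dataclass
class ValidState:
    """What the offload module must see for a packet to stay on the second path."""
    key: FlowKey
    allowed_flags: FrozenSet[str]


TEARDOWN_FLAGS = frozenset({"RST", "FIN"})    # assumption: never fast-path teardown


class Firewall:
    """First path: full rule evaluation on the host."""

    def __init__(self, rules: List[Tuple[str, Optional[int], str]]):
        # (proto, dst_port or None for any, "allow"/"deny"); first match wins.
        self.rules = rules

    def permitted(self, p: Packet) -> bool:
        for proto, port, action in self.rules:
            if proto == p.proto and (port is None or port == p.dst_port):
                return action == "allow"
        return False                          # default deny

    def valid_state_for(self, p: Packet) -> Optional[ValidState]:
        """State to hand to the offload module, or None to keep the flow here."""
        if p.flags & TEARDOWN_FLAGS:
            return None
        allowed = frozenset({"ACK", "PSH"}) if p.proto == "tcp" else frozenset()
        return ValidState(flow_key(p), allowed)


class OffloadModule:
    """Second path: keyed lookup table, no rule evaluation."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, ValidState] = {}

    def install(self, state: ValidState) -> None:
        self.table[state.key] = state

    def matches(self, p: Packet) -> Optional[bool]:
        """None if flow unknown, True if p matches its valid state, else False."""
        state = self.table.get(flow_key(p))
        return None if state is None else p.flags <= state.allowed_flags

    def invalidate(self, p: Packet) -> None:
        self.table.pop(flow_key(p), None)


class Host:
    def __init__(self, fw: Firewall, offload: OffloadModule) -> None:
        self.fw, self.offload, self.events = fw, offload, []

    def process(self, p: Packet) -> Tuple[Path, str]:
        m = self.offload.matches(p)
        if m is True:
            self.events.append(f"offload: fast-path {flow_key(p)}")
            return Path.OFFLOAD, "forward"
        if m is False:
            # Packet on the second path does not match the valid state:
            # drop the stored state and return the flow to the firewall.
            self.offload.invalidate(p)
            self.events.append(f"offload: invalidated {flow_key(p)}, returned to firewall")
        if not self.fw.permitted(p):
            self.events.append(f"firewall: drop {flow_key(p)}")
            return Path.FIREWALL, "drop"
        state = self.fw.valid_state_for(p)
        if state is not None:
            self.offload.install(state)       # (a) valid state, (b) offload instruction
            self.events.append(f"firewall: allow, offloaded {state.key}")
        return Path.FIREWALL, "forward"


def demo() -> List[Tuple[Path, str]]:
    """Constructed sample traffic: one TLS flow, then a denied DNS packet."""
    fw = Firewall([("tcp", 443, "allow"), ("udp", 53, "deny"), ("tcp", None, "deny")])
    host = Host(fw, OffloadModule())
    f = ("10.0.0.5", "203.0.113.10", "tcp", 40000, 443)
    pkts = [
        Packet(*f, frozenset({"SYN"})),       # first packet: firewall, then offloaded
        Packet(*f, frozenset({"ACK"})),       # matches valid state: fast path
        Packet(*f, frozenset({"ACK", "PSH"})),
        Packet(*f, frozenset({"RST"})),       # mismatch: invalidate, back to firewall
        Packet("10.0.0.5", "198.51.100.1", "udp", 50000, 53),   # denied by rule
    ]
    results = [host.process(p) for p in pkts]
    for e in host.events:
        print(e)
    return results
```

Running `demo()` shows the RST packet being handed back to the first path and, because the firewall does not re-offload a teardown packet, the flow staying under full rule evaluation from then on; the event list is the kind of record a host would log so that offload hits and returned flows remain visible.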
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 21 and 27-30 are rejected under 35 U.S.C. 103 as being unpatentable over Li Li (US 2012/0170581 A1) in view of Lee et al. (US 2020/0336458 A1).
Regarding Claim 21, Li discloses a method comprising:
providing a first path for network traffic through a firewall on a host device ([0003], “traffic associated with a particular device or group of devices may be required to pass through a firewall”, [0008], “wherein the first path includes the local policy node”);
providing a second path for the network traffic that bypasses the firewall through an offload module, the offload module configured to receive a valid state for the network traffic from the firewall, and to bypass the firewall for a network flow having the valid state ([0008], “a second path through the network system, wherein the second path includes the local policy node and the local proxy node”, [0022], “local policy node 130 may include a firewall”, [0027], “As can be seen by traffic path 195, traffic between endpoint 180, on VLAN A, and endpoint 178, on VLAN B, may bypass local policy device 130”);
receiving the network flow including one or more packets along the first path to the firewall ([0008], “a first packet destined for the local endpoint is forwarded along a first path through the network system, wherein the first path includes the local policy node”, [0022], “local policy node 130 may include a firewall”);
applying one or more firewall rules to the network flow with the firewall ([0026], “certain policies (i.e. firewall rules) are enforced depending on the type of traffic”); and
in response to determining with the firewall that the network flow is permitted by the one or more firewall rules, communicating to the offload module (b) an instruction for the offload module to handle the packets for the network flow along the second path subject to the valid state ([0008], “a second path through the network system, wherein the second path includes the local policy node and the local proxy node”, [0022], “local policy node 130 may include a firewall”, [0027], “As can be seen by traffic path 195, traffic between endpoint 180, on VLAN A, and endpoint 178, on VLAN B, may bypass local policy device 130”).
Li does not explicitly teach but Lee teaches
(a) the valid state for the network flow including one or more properties of headers for packets in the network flow ([0008], “a header which includes a flag for identifying the management data transmission datagram and a transmission direction and a tag for integrity verification as to whether the management data transmission datagram is valid”, [0049], “datagram packet”).
Li and Lee are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee with the disclosure of Li. The motivation/suggestion would have been to provide a communication channel for secure management (Lee, Abstract).
Regarding Claim 27, the combined teaching of Li and Lee teaches
wherein the offload module includes a kernel space process on the host device (Li, [0022], “local policy node 130 may include a firewall and/or a load balancer.”, [0036], “FIG. 3 illustrates an exemplary network node 300”).
Regarding Claim 28, the combined teaching of Li and Lee teaches
wherein the offload module includes a process executing on a network processing unit for the network traffic (Li, [0022], “local policy node 130 may include a firewall and/or a load balancer.”, [0036], “FIG. 3 illustrates an exemplary network node 300”).
Regarding Claim 29, the combined teaching of Li and Lee teaches
managing the one or more firewall rules from a threat management facility for an enterprise network (Li, [0003], “many enterprise networks may specify various security policies for application to traffic within the network. According to such policies, traffic associated with a particular device or group of devices may be required to pass through a firewall”).
Regarding Claim 30, the combined teaching of Li and Lee teaches
wherein the firewall is a kernel process executing on the host device (Li, [0022], “local policy node 130 may include a firewall and/or a load balancer.”, [0036], “FIG. 3 illustrates an exemplary network node 300”).
Claims 22-23 and 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Li Li (US 2012/0170581 A1) in view of Lee et al. (US 2020/0336458 A1) further in view of Emmerich et al. (US 2009/0113531 A1).
Regarding Claim 22, the combined teaching of Li and Lee does not explicitly teach but Emmerich teaches
invalidating the state of the network flow at the offload module, and returning the network flow to the first path through the firewall ([0032], “the connection between is or should be closed…disables (i.e. invalidates) the login key for that login name (block 322), thus ensuring that the password generated for that session and connection will no longer be valid”).
Li, Lee and Emmerich are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Emmerich with the combined teaching of Li and Lee. The motivation/suggestion would have been to provide an improved system and method of distributing connection requests among a pool of secure servers (Emmerich, [0005]).
Regarding Claim 23, the combined teaching of Li, Lee and Emmerich teaches
in response to determining with an intrusion prevention system executing in a user space on the host device that the network flow handled by the offload module presents a security risk, remediating the network flow (Emmerich, [0032], “If the session ends and the connection between is or should be closed…disables the login key for that login name (block 322), thus ensuring that the password generated for that session and connection will no longer be valid”).
Regarding Claim 25, the combined teaching of Li, Lee and Emmerich teaches
wherein remediating the network flow includes disconnecting the network flow (Emmerich, [0032], “If the session ends and the connection between is or should be closed…disables the login key for that login name”).
Regarding Claim 26, the combined teaching of Li, Lee and Emmerich teaches
wherein remediating the network flow includes remediating a source or a destination of the network flow (Emmerich, [0032], “If the session ends and the connection between is or should be closed…disables the login key for that login name”, i.e. remediating the source).
Claim 24 is rejected under 35 U.S.C. 103 as being unpatentable over Li Li (US 2012/0170581 A1) in view of Lee et al. (US 2020/0336458 A1) further in view of Emmerich et al. (US 2009/0113531 A1) and further in view of Harris et al. (US 2016/0173510 A1).
Regarding Claim 24, the combined teaching of Li, Lee and Emmerich does not explicitly teach but Harris teaches
wherein remediating the network flow includes scanning the network flow for malicious code ([0058], “the remedial action facility may interact with the received information and may perform various actions on a client requesting access to a denied network location. The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility”).
Li, Lee, Emmerich and Harris are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Harris with the combined teaching of Li, Lee and Emmerich. The motivation/suggestion would have been to provide improved techniques for threat detection in an enterprise network (Harris, [0002]).
Claims 31-36 and 39 are rejected under 35 U.S.C. 103 as being unpatentable over Li Li (US 2012/0170581 A1) in view of Ahmad et al. (US 2013/0227670 A1).
Regarding Claim 31, Li discloses a method comprising:
providing a first path for network traffic through a firewall on a host device ([0003], “traffic associated with a particular device or group of devices may be required to pass through a firewall”, [0008], “wherein the first path includes the local policy node”);
providing a second path for the network traffic through an offload module, the offload module configured bypass the firewall for a network flow having a valid state for handling by the offload module ([0008], “a second path through the network system, wherein the second path includes the local policy node and the local proxy node”, [0022], “local policy node 130 may include a firewall”, [0027], “As can be seen by traffic path 195, traffic between endpoint 180, on VLAN A, and endpoint 178, on VLAN B, may bypass local policy device 130”); and
receiving the network flow on the second path at the offload module ([0008], “a second path through the network system, wherein the second path includes the local policy node and the local proxy node”, [0027], “As can be seen by traffic path 195, traffic between endpoint 180, on VLAN A, and endpoint 178, on VLAN B, may bypass local policy device 130”);
Li does not explicitly teach but Ahmad teaches
in response to determining that the network flow does not match the valid state, transferring the network flow from the second path through the offload module to the first path through the firewall on the host device for processing according to a group of firewall rules ([0146], “Service aggregator 210 may send the traffic to firewall device 1440…Traffic that has been allowed by firewall device 1440 may be returned to service aggregator 210”).
Li and Ahmad are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahmad with the disclosure of Li. The motivation/suggestion would have been to offer a particular security service (Ahmad, [0090]).
Regarding Claim 32, the combined teaching of Li and Ahmad teaches
wherein the network flow includes one or more packets (Li, [0008], “a first packet destined for the local endpoint is forwarded”).
Regarding Claim 33, the combined teaching of Li and Ahmad teaches
wherein the group of firewall rules includes at least one rule causing a transition of the network flow from the first path to the second path (Ahmad, [0146], “Service aggregator 210 may determine that traffic received from DDOS device 1430 is to be switched to firewall device 1440 based on a policy”).
Regarding Claim 34, the combined teaching of Li and Ahmad teaches
a group of intrusion prevention rules executing on the offload module that cause a transition of the network flow from the second path to the first path (Ahmad, [0146], “Traffic that has been allowed by firewall device 1440 may be returned to service aggregator 210”).
Regarding Claim 35, the combined teaching of Li and Ahmad teaches
a group of packet validity rules executing on the offload module that cause a transition of the network flow from the second path to the first path (Ahmad, [0146], “Traffic that has been allowed by firewall device 1440 may be returned to service aggregator 210”).
Regarding Claim 36, Li discloses a system comprising:
a firewall executing on a processor in a kernel space of a host device ([0022], “local policy node 130 may include a firewall and/or a load balancer.”, [0036], “FIG. 3 illustrates an exemplary network node 300”);
an offload module executing on a hardware network processing unit, the offload module configured to receive a valid state for network traffic from the firewall, to bypass the firewall for a network flow having the valid state ([0008], “a second path through the network system, wherein the second path includes the local policy node and the local proxy node”, [0022], “local policy node 130 may include a firewall”, [0027], “As can be seen by traffic path 195, traffic between endpoint 180, on VLAN A, and endpoint 178, on VLAN B, may bypass local policy device 130”), and
Li does not explicitly teach but Ahmad teaches
return the network flow to the firewall when the network flow does not match the valid state ([0146], “Service aggregator 210 may determine that traffic received from DDOS device 1430 is to be switched to firewall device 1440 based on a policy… Service aggregator 210 may send the traffic to firewall device 1440 (item (5) in FIG. 14)”);
a first programming interface for the firewall to access the offload module to (a) provide the valid state for the network flow to the offload module, and (b) redirect the network flow from the firewall to the offload module ([0146], “Traffic that has been allowed by firewall device 1440 may be returned to service aggregator 210 (item (6) in FIG. 14)”); and
a second programming interface for the offload module to access the firewall to direct the network flow from the offload module to the firewall when the network flow does not match the valid state received from the firewall ([0146], “Service aggregator 210 may determine that traffic received from DDOS device 1430 is to be switched to firewall device 1440 based on a policy… Service aggregator 210 may send the traffic to firewall device 1440 (item (5) in FIG. 14)”).
Li and Ahmad are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Ahmad with the disclosure of Li. The motivation/suggestion would have been to offer a particular security service (Ahmad, [0090]).
Regarding Claim 39, the combined teaching of Li and Ahmad teaches
one or more firewall rules stored on the host device and accessible by the firewall for use in determining a firewall action for the network flow (Li, [0026], “certain policies (i.e. firewall rules) are enforced depending on the type of traffic”).
Claims 37-38 and 40 are rejected under 35 U.S.C. 103 as being unpatentable over Li Li (US 2012/0170581 A1) in view of Ahmad et al. (US 2013/0227670 A1) further in view of Emmerich et al. (US 2009/0113531 A1).
Regarding Claim 37, the combined teaching of Li and Ahmad does not explicitly teach but Emmerich teaches
an intrusion prevention system executing in user space of the host device, the intrusion prevention system configured to detect potential threats in the network flow (Emmerich, [0032], “If the session ends and the connection between is or should be closed…disables the login key for that login name (block 322), thus ensuring that the password generated for that session and connection will no longer be valid”).
Li, Ahmad and Emmerich are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Emmerich with the combined teaching of Li and Ahmad. The motivation/suggestion would have been to provide an improved system and method of distributing connection requests among a pool of secure servers (Emmerich, [0005]).
Regarding Claim 38, the combined teaching of Li, Ahmad and Emmerich teaches
a lookup table for the hardware network processing unit, wherein the lookup table identifies one or more connections for network flows directed through the offload module using at least an Internet Protocol source and destination address, a layer 4 source and destination address, a Medium Access Controller source and destination address, and a protocol identifier (Emmerich, [0017], “used for the connection, such as by selecting from one or more tables on the database 106. The database 106 may store a list of IP addresses, names, and/or other identifiers”).
Regarding Claim 40, the combined teaching of Li, Ahmad and Emmerich teaches
a lookup table for the hardware network processing unit, wherein the lookup table is used by the offload module to apply the firewall action determined by the host device to the network flow (Emmerich, [0026-0027], “the port allocations table 302 is empty and will be populated as connections are created”).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497