Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04-08-2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


The term "may" in the limitation "at least one machine-readable storage medium of claim 1, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance" of claims 2, 9 and 16 is a relative term which renders the claims indefinite.  The term "may" is not defined by the claims, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper time-wise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 26, 31 – 49 of U.S. Patent No. 10587576 in view of Moisand et al (US Pub. #: 8339959), hereafter Moisand.
Claims of instant continuation App. 16797360 (claims 1 – 20) compared with the claims of Patent No. 10587576 (claims 26, 31 – 49):
1. At least one machine-readable, non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor of an SDN controller, cause the at least one processor to perform operations comprising: configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow between the first node and the second node; receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; and providing the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node.
2. The at least one machine-readable storage medium of claim 1, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance.
3. The at least one machine-readable storage medium of claim 1, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance.
4. The at least one machine-readable storage medium of claim 1, wherein the security appliance is integrated with the SDN controller.
5. The at least one machine-readable storage medium of claim 1, wherein the SDN controller is remote from the security appliance.
6. The at least one machine-readable storage medium of claim 1, wherein the operations further comprise: transmitting, to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, wherein the TCP information comprises one or more of the following:(a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow.
7. The at least one machine-readable storage medium of claim 6, wherein the operations further comprise: calculating an offset based on the TCP information; and transmitting the offset to the one of the one or more SDN switches.
8. An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising: at least one memory element; and one or more SDN controllers coupled to the at least one memory element, wherein the one or more SDN controllers are configured to configure a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow between the first node and the second node; receive one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determine one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; and provide the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node.
9. The apparatus of claim 8, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance.
10. The apparatus of claim 8, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance.
11. The apparatus of claim 8, further including: the security appliance.
12. The apparatus of claim 8, wherein the apparatus is remote from the security appliance.
13. The apparatus of claim 8, wherein the one or more SDN controllers are further configured to transmit to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, and the TCP information comprises one or more of the following:(a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow.
14. The apparatus of claim 13, wherein the one or more SDN controllers are further configured to calculate an offset based on the TCP information; and transmit the offset to the one of the one or more SDN switches.
15. A method for providing network security in a software defined network (SDN) environment, implemented by an SDN controller, the method comprising: configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow between the first node and the second node; receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; and providing the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node.
16. The method of claim 15, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance.
17. The method of claim 15, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance.
18. The method of claim 15, wherein the security appliance is integrated with the SDN controller.
19. The method of claim 15, further comprising: transmitting, to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, wherein the TCP information comprises one or more of the following:(a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow.
20. The method of claim 19, further comprising: calculating an offset based on the TCP information; and transmitting the offset to the one of the one or more SDN switches.
Patent No. 10587576 (claims 26, 31 – 49):
26. (Currently Amended) At least one machine readable non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor, cause the at least one processor to perform operations comprising: providing control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the providing the control logic comprises configuring a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance; receiving one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance; in response to receiving the one or more security policies, reconfiguring the control logic using the one or more SDN controllers according to the one or more security policies to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance; providing an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers: (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and adding an offset based on Transport Control Protocol (TCP) information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.
27-30. (Canceled)  
31. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: the control logic comprises logic for determining one or more flow table entries for configuring flow table(s) of the one or more SDN switches.  
32. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: the security appliance is integrated with the one or more SDN controllers; and the one or more SDN controllers are integrated with or communicably connected to the one or more SDN switches.  
33. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: the security appliance is communicably connected to the one or more SDN controllers remote from the security appliance; and the one or more SDN controllers are integrated with or communicably connected to the one or more SDN switches.  
34. (Currently Amended) The at least one machine readable storage medium of Claim 26, wherein at least one of the one or more SDN switches is configured to rewrite one or more fields of packets of the network traffic to indicate to the security appliance a switch port or security zone a packet was originally received at and/or to direct the packets to bypass the security appliance.  
35. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: the first node is a client, the second node is a server, and the security appliance comprises a proxy that terminates the data flow; the one or more security policies comprise information indicating that the data flow is allowed and/or the data flow no longer needs to traverse through the proxy; and the second route is through a particular one of the one or more SDN switches, and the second route bypasses the proxy.  
36. (Currently Amended) The at least one machine readable storage medium of Claim [[26]] 3 wherein the operations further comprise: transmitting, by the one or more SDN controllers to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow in response to receiving the information indicating that the data flow is allowed, wherein the TCP information comprises one or more of the following:(a) TCP Sequence of client flow; (b) TCP Ack of client flow; (c) TCP Sequence of server flow; and (d) TCP Ack of server flow.  
37. (Currently Amended) The at least one machine readable storage medium of Claim [[26]] 3 wherein: the particular one of the one or more SDN switches is configured to calculate [[an]] the offset based on the TCP information and to add the offset to TCP Sequence and TCP Ack numbers as packets are passed through the one of the one or more SDN switches.  
38. (Currently Amended) The at least one machine readable storage medium of Claim 26, wherein: the one or more security policies indicate the particular amount of network traffic; and the particular amount of network traffic is measurable by a particular number of units of data, a particular number of bytes, or a particular number of protocol data units as measured at any one of the Open Systems Interconnection layers.  
39. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: providing the control logic comprises configuring security zones in the SDN environment for carrying network traffic, wherein the security zones provide different levels of security for network and data access; the one or more security policies comprise information which adds, removes, and/or modifies the security zones; and reconfiguring the control logic comprises reconfiguring, using the one or more SDN controllers, the security zones according to the one or more security policies.  
40. (Previously Presented) The at least one machine readable storage medium of Claim 26, wherein: the one or more security policies comprise information indicating that a host belongs to a particular security zone; and reconfiguring the control logic comprises (1) adding, using the one or more SDN controllers, the particular security zone to the SDN environment, and/or (2) adding, using the one or more SDN controllers, the host to the particular security zone, in response to receiving the one or more security policies.  
41. (Currently Amended) At least one machine-readable, non- transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions when executed by at least one processor cause the at least one processor to perform operations comprising: receiving one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers; in response to receiving the one or more flow table entries, reconfiguring the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of [[a]] the security appliance; routing or switching the network traffic, based on the one or more flow tables; receiving, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and adding an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.  
42. (Currently Amended) The at least one machine-readable, non- transitory storage medium of Claim 41, wherein the operations further comprise: rewriting one or more fields of packets of the network traffic to indicate to the security appliance a switch port or security zone [[the]] a packet was originally received at and/or to direct the packets to bypass the security appliance according to the one or more flow tables.  
43. (Currently Amended) The at least one machine-readable, non- transitory storage medium of Claim 41, wherein the receiving the TCP information is performed in response to receiving information indicating that the data flow is allowed, and the TCP information comprises one or more of the following: (e) TCP Sequence of client flow; (f) TCP Ack of client flow; (g) TCP Sequence of server flow; and (h) TCP Ack of server flow.  
44. (Currently Amended) The at least one machine-readable, storage medium of Claim 43, wherein the operations further comprise: calculating, at the SDN switch, the offset based on the TCP information.  
45. (Currently Amended) The at least one machine-readable, storage medium of Claim 41, wherein: the one or more security policies from the security appliance indicate network traffic for a particular number of bytes of network traffic can bypass the security appliance or the particular number of bytes of network traffic is to traverse the security appliance; and the operations further comprise: receiving from the one or more SDN controllers one or more flow entries conditioned on the particular number of bytes of network traffic or a number of units of data as measured at any one of the Open Systems Interconnection layers; and routing network traffic, after the particular number of bytes of network traffic has bypassed the security appliance, back to the security appliance.  
46. (Currently Amended) An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising: at least one memory element; at least one processor coupled to the at least one memory element; and one or more SDN controllers that, when executed by the at least one processor, [[is]] are configured to provide control logic by one or more SDN controllers, wherein routing of network traffic using one or more SDN switches in the SDN environment is controlled by the control logic, the control logic configures a first route between a first node and a second node in the SDN environment for carrying network traffic of a data flow, and the first route traverses through a security appliance; receive one or more security policies for the SDN environment at the one or more SDN controllers, wherein the one or more security policies indicate a particular amount of network traffic can bypass the security appliance or the particular amount of network traffic is to traverse the security appliance; in response to receiving the one or more security policies, reconfigure the control logic using the one or more SDN controllers according to the one or more security policies, to provide a second route between the first node and the second node, wherein the second route bypasses the security appliance; provide an entry for a flow table to, (1) after the particular amount of network traffic has bypassed the security appliance, route subsequent network traffic through the security appliance or, (2) after routing the particular amount of network traffic through the security appliance, route the subsequent network traffic such that the security appliance is bypassed, wherein the security appliance scans packet(s) in the data flow at one or more of the following layers: (1) physical layer, (2) data link layer, (3) network layer, (4) transport layer, (5) session layer, (6) presentation layer, or (7) application layer; and add an offset based on Transport Control Protocol information for a data flow to TCP Sequence and TCP Ack numbers as packets are passed through at least one of the one or more SDN switches.
ATTORNEY DOCKET NUMBER 04796-1165US (P60963US) / PATENT APPLICATION 14/911,576 / Confirmation No. 7996 / 10
48. (Currently Amended) An apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising: at least one memory element; at least one processor coupled to the at least one memory element; and a SDN switching module that, when executed by the at least one processor, is configured to receive one or more flow table entries for one or more flow tables for routing or switching network traffic at a SDN switch from one or more SDN controllers; in response to receiving the one or more flow table entries, reconfigure the one or more flow tables according to the flow table entries in accordance with one or more security policies, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of a security appliance, or removal of [[a]] the security appliance; route or switch the network traffic, based on the one or more flow tables; receive, from the one or more SDN controllers at the SDN switch, Transport Control Protocol (TCP) information for a data flow; and add an offset based on the TCP information to TCP Sequence and TCP Ack numbers as packets are passed through the SDN switch.  
49. (Currently Amended) The apparatus of Claim 48, wherein the SDN switching module is further configured to rewrite one or more fields of packets of the network traffic to indicate to the security appliance [[the]] a switch port or security zone a packet was originally received at and/or to direct the packets to bypass the security appliance according to the one or more flow tables.
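The claims above recite two cooperating pieces of behaviour: an SDN controller turns policy received from a security appliance into flow-table entries that send a flow through or around the appliance (claims 1, 26, 41), and once a flow that was terminated by a proxying appliance is allowed to bypass it, the switch adds an offset, computed from the client-flow and server-flow TCP Sequence/Ack numbers, to the Sequence and Ack fields of every packet so the two half-connections splice into one (claims 6, 7, 36, 37, 44). The following Python toy is an added illustration of that mechanism; it is not code from the patent, the applicant or the cited references. The meaning assigned to the four TCP numbers, the policy dictionary format, the "scan then bypass" byte budget, and every name used (TcpInfo, Packet, FlowEntry, Switch, entry_from_policy, compute_offsets, run_demo) are this example's own assumptions, and all sequence numbers and packets are constructed values.

```python
"""Toy model of controller-side flow-entry creation and switch-side TCP SEQ/ACK
offsetting when a flow is offloaded from a terminating security appliance.
Hypothetical example code; names and field semantics are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass(frozen=True)
class TcpInfo:
    """Snapshot of both proxy halves at hand-over time (assumed semantics)."""
    client_seq: int   # next SEQ the client will send on the client-side half
    client_ack: int   # next SEQ the client expects from the proxy
    server_seq: int   # next SEQ the server will send on the server-side half
    server_ack: int   # next SEQ the server expects from the proxy


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int
    ack: int
    payload_len: int = 0


@dataclass
class FlowEntry:
    client: str
    server: str
    action: str            # "scan" = traverse the appliance, "bypass" = go direct
    scan_budget: int = 0   # "scan": bytes to inspect before bypass may be granted (0 = always scan)
    scanned: int = 0       # bytes routed through the appliance so far
    delta_client: int = 0  # "bypass": shift applied to the client's byte stream
    delta_server: int = 0  # "bypass": shift applied to the server's byte stream


def compute_offsets(info: TcpInfo) -> tuple[int, int]:
    """Per-direction offsets mapping each half's sequence space onto the other's."""
    delta_client = (info.server_ack - info.client_seq) % SEQ_MOD
    delta_server = (info.client_ack - info.server_seq) % SEQ_MOD
    return delta_client, delta_server


def entry_from_policy(policy: dict, client: str, server: str,
                      tcp_info: TcpInfo | None = None) -> FlowEntry:
    """Controller side: turn one appliance policy into one flow-table entry."""
    if policy["action"] == "bypass":
        if tcp_info is None:
            raise ValueError("bypass needs TCP info to splice the two halves")
        dc, ds = compute_offsets(tcp_info)
        return FlowEntry(client, server, "bypass", delta_client=dc, delta_server=ds)
    if policy["action"] == "scan":
        return FlowEntry(client, server, "scan", scan_budget=policy.get("scan_bytes", 0))
    raise ValueError(f"unknown policy action {policy['action']!r}")


class Switch:
    """Switch side: flow-table lookup, byte counting and SEQ/ACK rewriting."""

    def __init__(self) -> None:
        self.table: dict[tuple[str, str], FlowEntry] = {}

    def install(self, entry: FlowEntry) -> None:
        self.table[(entry.client, entry.server)] = entry

    def forward(self, pkt: Packet) -> tuple[str, Packet]:
        """Return (next_hop, packet) with next_hop 'appliance', 'direct' or 'drop'."""
        entry = self.table.get((pkt.src, pkt.dst)) or self.table.get((pkt.dst, pkt.src))
        if entry is None:
            return "drop", pkt  # default deny: flows without an entry are not forwarded
        if entry.action == "scan":
            entry.scanned += pkt.payload_len
            return "appliance", pkt
        if pkt.src == entry.client:   # client -> server: shift SEQ into the server half
            seq = (pkt.seq + entry.delta_client) % SEQ_MOD
            ack = (pkt.ack - entry.delta_server) % SEQ_MOD
        else:                         # server -> client: shift SEQ into the client half
            seq = (pkt.seq + entry.delta_server) % SEQ_MOD
            ack = (pkt.ack - entry.delta_client) % SEQ_MOD
        return "direct", Packet(pkt.src, pkt.dst, seq, ack, pkt.payload_len)

    def budget_exhausted(self, client: str, server: str) -> bool:
        e = self.table.get((client, server))
        return e is not None and e.action == "scan" and 0 < e.scan_budget <= e.scanned


def run_demo() -> dict:
    """Constructed walk-through: inspect the first 1000 bytes, then offload the flow."""
    sw = Switch()
    sw.install(entry_from_policy({"action": "scan", "scan_bytes": 1000}, "client", "server"))
    hops = [sw.forward(Packet("client", "server", 1000, 5000, 600))[0],
            sw.forward(Packet("client", "server", 1600, 5000, 600))[0]]
    exhausted = sw.budget_exhausted("client", "server")
    # Controller now receives the bypass policy plus the proxy's TCP state (constructed).
    info = TcpInfo(client_seq=2200, client_ack=5000, server_seq=900000, server_ack=70000)
    sw.install(entry_from_policy({"action": "bypass"}, "client", "server", info))
    hop_c, c2s = sw.forward(Packet("client", "server", 2200, 5000, 100))
    hop_s, s2c = sw.forward(Packet("server", "client", 900000, 70100, 0))
    return {"hops": hops, "exhausted": exhausted,
            "c2s": (hop_c, c2s.seq, c2s.ack), "s2c": (hop_s, s2c.seq, s2c.ack)}


if __name__ == "__main__":
    print(run_demo())
```

The detail worth noticing is that each direction's ACK field is shifted by the opposite delta: a client packet carries the client's SEQ (moved into the server half's space) and an ACK of the server's bytes (moved out of the client half's space). All arithmetic is modulo 2^32 so that a flow whose sequence numbers wrap during hand-over is still spliced correctly, and flows with no installed entry are dropped rather than forwarded, so an error in policy delivery fails closed instead of silently bypassing the appliance.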

Patent No. 10587576 reads on the claimed concept of continuation App. 16797360 but is not explicit about receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; and determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies.
However, the analogous art Moisand teaches receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; (Cols. 2, 3 lines 64-67, 1-5, 21-26: security plane creates dynamic filters and directs the forwarding plane to install the dynamic filters providing services: Quality of Service (QoS) actions, marking, queuing, rate limiting, packet mirroring, routing as well as security-oriented actions like flow blocking, Network Address Translation (NAT), sequence number adjustment, (col. 6 lines 46-49) insertion and removal of filters into flow tables and the like; col. 6 lines 6-19: flow control unit of forwarding plane (comprises switch fabric) reads packet header and looks-up the one or more flow tables of dynamic or static filters according to the security policies in the security plane to configure packet flow path and (col. 6 lines 46-54) dynamically configures filters into the flow tables of the forwarding plane switch fabric).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Patent No. 10587576 to include the idea of providing security policies and determining a route based on them, as taught by Moisand, so that a network device using such streamlined packet forwarding exhibits lower latency and higher capacity than conventional network devices (col. 3 lines 47-50).

Claim Rejections - 35 USC § 101 (Abstract Idea)
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


8.	Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more, analyzed according to the 2019 Revised Patent Subject Matter Eligibility Guidance (“2019 PEG”). The claims recite configuring a first path between two nodes, receiving security policies, configuring one or more flow tables of switches and providing a second path between the two nodes.
Step 1: Claims 1, 8 and 15 do fall into one of the four statutory categories (method and system claims). Nevertheless, the claims are still considered to be directed to an abstract idea for the following prongs and reasons.
Step 2A, Prong 1: The limitation of claims 1, 8 and 15 reciting configuring a first path between two nodes, receiving security policies, configuring one or more flow tables of switches and providing a second path between the two nodes, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in a human-organized way and/or with pen and paper without a generic computer. Except for the words ‘machine-readable, non-transitory storage medium having instructions…’, nothing in the claim elements precludes the step from practically being performed in a human-organized way and/or with pen and paper.
For example, the claimed concept is akin to providing trusted air travelers to bypass security checks while normal travelers to traverse the security check point, where the security check point is configured with security protocols according to threat perceptions. 
Dependent claims 2 – 6, 9 – 13 and 16 – 19, which in turn recite which path traverses through the security appliance and which path bypasses it, and whether the SDN controller is remote from or integrated into the security appliance, are mere structural addenda and other steps that could be performed manually by a human with or without a computer.  If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in a human-organized way but for the recitation of generic computer components, then it falls within the “certain methods of organizing human activities” grouping of abstract ideas and can be done manually. Accordingly, the claims recite an abstract idea.
Prong 2: This judicial exception is not integrated into a practical application. In particular, the claims do not recite any additional element beyond the routine steps of configuring a first path between two nodes, receiving security policies, configuring one or more flow tables of switches and providing a second path between the two nodes. The steps are recited at a high level of generality (i.e., as generic terms performing generic computer functions (spec. [0126])), such that they amount to no more than mere instructions to apply the exception using generic computer components. Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. Therefore the claims are directed to an abstract idea.
Step 2B: The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, configuring a first path between two nodes, receiving security policies, configuring one or more flow tables of switches and providing a second path between the two nodes amounts to no more than mere instructions to apply the exception using generic computer terms. Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. The claims are not patent eligible. Therefore all the corresponding dependent claims 2 – 6, 9 – 13 and 16 – 19 are also rejected for the same rationale. However, dependent claims 7, 14 and 20 are not considered abstract and are considered patent eligible.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 6, 8 – 13 and 15 – 19 are rejected under 35 U.S.C. 103 as being unpatentable over Moisand et al (US Pub. #: 8339959), hereinafter Moisand, in view of Narayanan et al (US Pub. #: 20130223442), hereinafter Narayanan.
Claim 1: Moisand teaches at least one machine-readable, non-transitory storage medium having instructions stored thereon for providing network security in a software defined network (SDN) environment, wherein the instructions, when executed by at least one processor of an [SDN] controller, cause the at least one processor to perform operations comprising (Figs. 1 and 4): configuring a first route between a first node and a second node in the [SDN] environment for carrying network traffic of a data flow between the first node and the second node; (col. 5 lines 65-67 to col. 6 lines 1-10, Fig. 5: the source IP and destination IP addresses are used by the flow tables in the routing engines within the routers to configure a first route path between the source and destination devices (col. 7 lines 18-40));
receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; (col. 2 lines 64-67 to col. 3 lines 1-5 and 21-26: the security plane creates dynamic filters and directs the forwarding plane to install them, providing services such as Quality of Service (QoS) actions, marking, queuing, rate limiting, packet mirroring and routing, as well as security-oriented actions like flow blocking, Network Address Translation (NAT), sequence number adjustment, and (col. 6 lines 46-49) insertion and removal of filters into flow tables and the like);
determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; (col. 6 lines 46-57: the security plane dynamically configures filters into the flow tables of the forwarding plane switch fabric, and the forwarding plane reads the packet header and looks up the one or more flow tables of dynamic or static filters according to the security policies in the security plane to configure the packet flow path; see also col. 6 lines 6-19);
and providing the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node. (col. 11 lines 65-67 to col. 12 lines 1-19: the service cards update the flow filter table to add new filters. The flow control unit directs the packets to one of the service cards, which processes them and determines that the packets can subsequently be processed on a second path of the forwarding engine to the destination address).
Moisand teaches the claimed concept but is silent on an SDN controller in an SDN environment.
However, the analogous art of Narayanan teaches an SDN controller in an SDN environment ([0028], Fig. 1: the SDN controller provides visibility into the switching paths of the network traffic through the macroflow sub-plane and microflow sub-plane via a flow-based SDN switching device, and permits the switching paths to be modified and controlled).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 2: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 1, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance. (Moisand: col. 1 lines 47-51: the firewall's service cards provide two forwarding paths, a first path for processing the first packet of a newly established flow and a second path for inspecting and forwarding subsequent packets associated with a pre-existing flow; col. 2 lines 41-43: subsequent packets utilize a "fast path" that bypasses the (firewall) service cards and instead directly utilizes the forwarding plane of the high-end routing components).
Claim 3: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 1, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance. (Moisand: col. 12 lines 3-12: the service card processes the packet and determines that the packet flow is a trusted packet flow that can subsequently be processed on the fast path within the forwarding engine, bypassing the service plane; col. 6 lines 41-45 and col. 19 lines 54-58: the service card's security policies determine that the packet requires further processing and direct the packet onto the slow path within the security plane).
Claim 4: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 1, wherein the security appliance is integrated with the SDN controller. (Narayanan: [0043] flow-based routing module includes a security device and links between an SDN agent operating on the flow-based routing module and an SDN controller).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 5: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 1, wherein the SDN controller is remote from the security appliance. (Narayanan: [0028] SDN controller provides visibility into the switching paths through macroflow and microflow sub-planes and permits the switching paths to be modified and controlled remotely).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 6: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 1, wherein the operations further comprise: transmitting, to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, wherein the TCP information comprises one or more of the following: (a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow. (Moisand: col. 10 lines 26-29: the forwarding component performs TCP packet sequence number adjustments; col. 16 lines 27-29: the firewall adjusts TCP packet sequence numbers within the TCP headers of TCP packets and processes packets according to the security policies in the service cards).
Claim 8: Moisand teaches an apparatus for providing network security in a software defined network (SDN) environment, the apparatus comprising: at least one memory element; and one or more SDN controllers coupled to the at least one memory element (Figs. 1 and 4), wherein the one or more [SDN] controllers are configured to configure a first route between a first node and a second node in the [SDN] environment for carrying network traffic of a data flow between the first node and the second node; receive one or more security policies for the [SDN] environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determine one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; and provide the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node. (col. 5 lines 65-67 to col. 6 lines 1-10, Fig. 5: the source IP and destination IP addresses are used by the flow tables in the routing engines within the routers to configure a first route path between the source and destination devices (col. 7 lines 18-40); col. 2 lines 64-67 to col. 3 lines 1-5 and 21-26: the security plane creates dynamic filters and directs the forwarding plane to install them, providing services such as Quality of Service (QoS) actions, marking, queuing, rate limiting, packet mirroring and routing, as well as security-oriented actions like flow blocking, Network Address Translation (NAT), sequence number adjustment, and (col. 6 lines 46-49) insertion and removal of filters into flow tables and the like; col. 6 lines 46-57: the security plane dynamically configures filters into the flow tables of the forwarding plane switch fabric, and the forwarding plane (comprising the switch fabric) reads the packet header and looks up the one or more flow tables of dynamic or static filters according to the security policies in the security plane to configure the packet flow path (see also col. 6 lines 6-19); col. 11 lines 65-67 to col. 12 lines 1-19: the service cards update the flow filter table to add new filters. The flow control unit directs the packets to one of the service cards, which processes them and determines that the packets can subsequently be processed on a second path of the forwarding engine to the destination address).
Moisand teaches the claimed concept but is silent on an SDN controller in an SDN environment.
However, the analogous art of Narayanan teaches an SDN controller in an SDN environment ([0028], Fig. 1: the SDN controller provides visibility into the switching paths of the network traffic through the macroflow sub-plane and microflow sub-plane via a flow-based switching device, and permits the switching paths to be modified and controlled).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 9: the combination of Moisand and Narayanan teaches the apparatus of claim 8, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance. (Moisand: col. 1 lines 47-51: the firewall's service cards provide two forwarding paths, a first path for processing the first packet of a newly established flow and a second path for inspecting and forwarding subsequent packets associated with a pre-existing flow; col. 2 lines 41-43: subsequent packets utilize a "fast path" that bypasses the (firewall) service cards and instead directly utilizes the forwarding plane of the high-end routing components).
Claim 10: the combination of Moisand and Narayanan teaches the apparatus of claim 8, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance. (Moisand: col. 12 lines 3-12: the service card processes the packet and determines that the packet flow is a trusted packet flow that can subsequently be processed on the fast path within the forwarding engine, bypassing the service plane; col. 6 lines 41-45 and col. 19 lines 54-58: the service card's security policies determine that the packet requires further processing and direct the packet onto the slow path within the security plane).
Claim 11: the combination of Moisand and Narayanan teaches the apparatus of claim 8, further including: the security appliance. (Narayanan: [0043] flow-based routing module includes a security device and links between an SDN agent operating on the flow-based routing module and an SDN controller).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 12: the combination of Moisand and Narayanan teaches the apparatus of claim 8, wherein the apparatus is remote from the security appliance. (Narayanan: [0028] SDN controller provides visibility into the switching paths through macroflow and microflow sub-planes and permits the switching paths to be modified and controlled remotely).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 13: the combination of Moisand and Narayanan teaches the apparatus of claim 8, wherein the one or more SDN controllers are further configured to transmit, to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, and the TCP information comprises one or more of the following: (a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow. (Moisand: col. 10 lines 26-29: the forwarding component performs TCP packet sequence number adjustments; col. 16 lines 27-29: the firewall adjusts TCP packet sequence numbers within the TCP headers of TCP packets and processes packets according to the security policies in the service cards).
Claim 15: Moisand teaches a method for providing network security in a software defined network (SDN) environment, implemented by an [SDN] controller, the method comprising (Summary): configuring a first route between a first node and a second node in the [SDN] environment for carrying network traffic of a data flow between the first node and the second node; receiving one or more security policies for the SDN environment from a security appliance, wherein the one or more security policies specify one or more of the following: security zone(s), network access right(s), data access right(s), insertion of the security appliance, and removal of the security appliance; determining one or more flow table entries for configuring one or more flow table(s) of one or more SDN switches, according to the one or more security policies; and providing the one or more flow table entries to update the one or more flow table(s) of the one or more SDN switches to provide a second route between the first node and the second node. (col. 5 lines 65-67 to col. 6 lines 1-10, Fig. 5: the source IP and destination IP addresses are used by the flow tables in the routing engines within the routers to configure a first route path between the source and destination devices (col. 7 lines 18-40); col. 2 lines 64-67 to col. 3 lines 1-5 and 21-26: the security plane creates dynamic filters and directs the forwarding plane to install them, providing services such as Quality of Service (QoS) actions, marking, queuing, rate limiting, packet mirroring and routing, as well as security-oriented actions like flow blocking, Network Address Translation (NAT), sequence number adjustment, and (col. 6 lines 46-49) insertion and removal of filters into flow tables and the like; col. 6 lines 46-57: the security plane dynamically configures filters into the flow tables of the forwarding plane switch fabric, and the forwarding plane (comprising the switch fabric) reads the packet header and looks up the one or more flow tables of dynamic or static filters according to the security policies in the security plane to configure the packet flow path (see also col. 6 lines 6-19); col. 11 lines 65-67 to col. 12 lines 1-19: the service cards update the flow filter table to add new filters. The flow control unit directs the packets to one of the service cards, which processes them and determines that the packets can subsequently be processed on a second path of the forwarding engine to the destination address).
Moisand teaches the claimed concept but is silent on an SDN controller in an SDN environment.
However, the analogous art of Narayanan teaches an SDN controller in an SDN environment ([0028], Fig. 1: the SDN controller provides visibility into the switching paths of the network traffic through the macroflow sub-plane and microflow sub-plane via a flow-based switching device, and permits the switching paths to be modified and controlled).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 16: the combination of Moisand and Narayanan teaches the method of claim 15, wherein the first route traverses through the security appliance; the one or more security policies indicate the data flow may bypass the security appliance; and the second route bypasses the security appliance. (Moisand: col. 1 lines 47-51: the firewall's service cards provide two forwarding paths, a first path for processing the first packet of a newly established flow and a second path for inspecting and forwarding subsequent packets associated with a pre-existing flow; col. 2 lines 41-43: subsequent packets utilize a "fast path" that bypasses the (firewall) service cards and instead directly utilizes the forwarding plane of the high-end routing components).
Claim 17: the combination of Moisand and Narayanan teaches the method of claim 15, wherein the first route bypasses the security appliance; the one or more security policies indicate the data flow is to be scanned by the security appliance; and the second route traverses through the security appliance. (Moisand: col. 12 lines 3-12: the service card processes the packet and determines that the packet flow is a trusted packet flow that can subsequently be processed on the fast path within the forwarding engine, bypassing the service plane; col. 6 lines 41-45 and col. 19 lines 54-58: the service card's security policies determine that the packet requires further processing and direct the packet onto the slow path within the security plane).
Claim 18: the combination of Moisand and Narayanan teaches the method of claim 15, wherein the security appliance is integrated with the SDN controller. (Narayanan: [0043] flow-based routing module includes a security device and links between an SDN agent operating on the flow-based routing module and an SDN controller).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Moisand to include an SDN controller in an SDN environment as taught by Narayanan, thus providing an adaptable, scalable solution to increased flow-based traffic on the network (Narayanan [0027]).
Claim 19: the combination of Moisand and Narayanan teaches the method of claim 15, further comprising: transmitting, to one of the one or more SDN switches, Transport Control Protocol (TCP) information for the data flow, wherein the TCP information comprises one or more of the following: (a) TCP Sequence number of a client flow; (b) TCP Acknowledgment number of the client flow; (c) TCP Sequence number of a server flow; and (d) TCP Acknowledgment number of the server flow. (Moisand: col. 10 lines 26-29: the forwarding component performs TCP packet sequence number adjustments; col. 16 lines 27-29: the firewall adjusts TCP packet sequence numbers within the TCP headers of TCP packets and processes packets according to the security policies in the service cards).
Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Moisand and Narayanan as applied to the claims above, and further in view of Alfieri et al (US Pub. #: 20040114589), hereinafter Alfieri.
Claim 7: the combination of Moisand and Narayanan teaches the at least one machine-readable storage medium of claim 6, but is silent on the operations further comprising: calculating an offset based on the TCP information; and transmitting the offset to the one of the one or more SDN switches.
However, the analogous art of Alfieri teaches calculating an offset based on the TCP information and transmitting the offset to the one of the one or more SDN switches ([0331], [0361], [0367]: if the protocol is TCP, use the TCP offsets and add the TCP length and protocol type to the checksum; the TCP checksum field in the TCP header is updated and transmitted to the switches).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Moisand and Narayanan to include computing an offset based on TCP information and transmitting it, as taught by Alfieri, so that processing units can communicate with each other or with any external computer directly using standard Internet protocols (Alfieri [0054]).
Claim 14: the combination of Moisand and Narayanan teaches the apparatus of claim 13, but is silent on the one or more SDN controllers being further configured to calculate an offset based on the TCP information and transmit the offset to the one of the one or more SDN switches.
However, the analogous art of Alfieri teaches one or more SDN controllers further configured to calculate an offset based on the TCP information and transmit the offset to the one of the one or more SDN switches ([0331], [0361], [0367]: if the protocol is TCP, use the TCP offsets and add the TCP length and protocol type to the checksum; the TCP checksum field in the TCP header is updated and transmitted to the switches).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Moisand and Narayanan to include computing an offset based on TCP information and transmitting it, as taught by Alfieri, so that processing units can communicate with each other or with any external computer directly using standard Internet protocols (Alfieri [0054]).
Claim 20: the combination of Moisand and Narayanan teaches the method of claim 19, but is silent on the method further comprising: calculating an offset based on the TCP information; and transmitting the offset to the one of the one or more SDN switches.
However, the analogous art of Alfieri teaches calculating an offset based on the TCP information and transmitting the offset to the one of the one or more SDN switches ([0331], [0361], [0367]: if the protocol is TCP, use the TCP offsets and add the TCP length and protocol type to the checksum; the TCP checksum field in the TCP header is updated and transmitted to the switches).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combined inventions of Moisand and Narayanan to include computing an offset based on TCP information and transmitting it, as taught by Alfieri, so that processing units can communicate with each other or with any external computer directly using standard Internet protocols (Alfieri [0054]).
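The mechanism mapped above for claims 1, 2, 6 and 7 (and their apparatus and method counterparts in claims 8 – 14 and 15 – 20) is a controller that first routes a flow through the security appliance, then, when a policy says the flow may bypass the appliance, installs a direct second route on the switch and hands the switch the TCP sequence/acknowledgment information it needs to keep the bypassed connection consistent. The Python below is an added illustration written for this page; it is not code from the application, the office action, Moisand, Narayanan or Alfieri. The class names, switch port numbers, addresses and sequence numbers are invented, and the switch is reduced to a flow table plus a seq/ack rewrite (no checksum recomputation, which a real switch would also have to do).

```python
"""Added example: SDN controller logic for appliance insertion/bypass with
TCP seq/ack offsets. All names, ports and numbers below are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

MOD32 = 1 << 32  # TCP sequence and acknowledgment numbers wrap at 2^32


@dataclass(frozen=True)
class FlowKey:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "FlowKey":
        return FlowKey(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class FlowEntry:
    out_port: int          # hypothetical switch port the packet leaves on
    seq_offset: int = 0    # added to the TCP sequence number (mod 2^32)
    ack_offset: int = 0    # added to the TCP acknowledgment number (mod 2^32)
    priority: int = 100


@dataclass(frozen=True)
class TcpInfo:
    """Items (a)-(d) of claim 6: the seq/ack numbers of one connection as
    seen on the client side and on the server side of the appliance."""
    client_seq: int
    client_ack: int
    server_seq: int
    server_ack: int


@dataclass(frozen=True)
class Packet:
    flow: FlowKey
    seq: int
    ack: int


class Switch:
    """Flow-table-only model of an SDN switch; port numbers are made up."""

    def __init__(self, appliance_port: int, client_port: int, server_port: int):
        self.appliance_port = appliance_port
        self.client_port = client_port
        self.server_port = server_port
        self.table: Dict[FlowKey, FlowEntry] = {}

    def forward(self, pkt: Packet) -> Tuple[int, Packet]:
        # A table miss would be punted to the controller in a real switch.
        entry = self.table[pkt.flow]
        return entry.out_port, Packet(pkt.flow,
                                      (pkt.seq + entry.seq_offset) % MOD32,
                                      (pkt.ack + entry.ack_offset) % MOD32)


def compute_offsets(info: TcpInfo) -> Tuple[int, int]:
    """Offsets that move a client->server packet from client-side numbering to
    server-side numbering once the (proxying) appliance is out of the path.
    The server->client direction uses the negated offsets, swapped."""
    seq_off = (info.server_seq - info.client_seq) % MOD32
    ack_off = (info.server_ack - info.client_ack) % MOD32
    return seq_off, ack_off


def route_via_appliance(sw: Switch, flow: FlowKey) -> None:
    """First route: both directions of the flow traverse the security appliance."""
    sw.table[flow] = FlowEntry(out_port=sw.appliance_port)
    sw.table[flow.reverse()] = FlowEntry(out_port=sw.appliance_port)


def route_bypassing_appliance(sw: Switch, flow: FlowKey, info: TcpInfo) -> None:
    """Second route: the policy says the flow may bypass the appliance, so the
    switch forwards directly and rewrites seq/ack so both endpoints, which set
    up the connection through the appliance, keep seeing consistent numbers."""
    seq_off, ack_off = compute_offsets(info)
    sw.table[flow] = FlowEntry(sw.server_port, seq_off, ack_off, priority=200)
    sw.table[flow.reverse()] = FlowEntry(sw.client_port, (-ack_off) % MOD32,
                                         (-seq_off) % MOD32, priority=200)


def demo() -> Dict[str, Tuple[int, ...]]:
    flow = FlowKey("10.0.0.1", "10.0.1.1", 40000, 443)   # constructed flow
    sw = Switch(appliance_port=1, client_port=2, server_port=3)
    route_via_appliance(sw, flow)
    port_first, _ = sw.forward(Packet(flow, seq=1000, ack=5000))
    # Constructed numbers: the appliance terminated both TCP legs with its own
    # initial sequence numbers; the server-side seq sits just below the wrap.
    info = TcpInfo(client_seq=1000, client_ack=5000,
                   server_seq=MOD32 - 500, server_ack=9000)
    route_bypassing_appliance(sw, flow, info)
    port_c2s, c2s = sw.forward(Packet(flow, seq=1010, ack=5020))
    port_s2c, s2c = sw.forward(Packet(flow.reverse(), seq=9020, ack=MOD32 - 490))
    return {"first_route": (port_first,),
            "bypass_c2s": (port_c2s, c2s.seq, c2s.ack),
            "bypass_s2c": (port_s2c, s2c.seq, s2c.ack)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two points a practitioner would check here. First, once the entry for the second route is installed, every later packet of that connection leaves the switch without touching the appliance, so the "may bypass" decision is in effect a per-connection allow decision for the rest of that flow's life; the appliance must be able to re-insert itself (claim 3's direction) if it later changes its mind. Second, the offset rewrite is only needed when the appliance has altered the sequence space, as a TCP-terminating proxy does; a transparent inline appliance yields zero offsets, and the switch must still recompute the TCP checksum after any rewrite.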

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
1. Cain, Michael (US Pub. #: 5778174): Method and system for providing secured access to a server connected to a private computer network.
2. Varadhan et al (US Pub. #: 8316435): Routing device having integrated MPLS-aware firewall with virtual security system support.
3. Keohane et al (US Pub. #: 9584479): Virtual firewall load balancer.
4. Taylor et al (US Pub. #: 8438631): Method and system for providing secured access to a server connected to a private computer network.
5. Hughes et al (US Pub. #: 20130212644): NETWORK STIMULATION ENGINE.
6. Hamdi et al (US Pub. #: 20140010083): FLOW-BASED NETWORK SWITCHING SYSTEM.
7. Mao et al (US Pub. #: 5778174): Routing a packet by a device.
8. Ko et al (US Pub. #: 20100154057): SIP INTRUSION DETECTION AND RESPONSE ARCHITECTURE FOR PROTECTING SIP-BASED SERVICES.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani, can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BADRINARAYANAN /Examiner, Art Unit 2438.