DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is a reply to the request for Continued Examination (RCE) filed on 12/30/2020, in which Claim(s) 2-21 are presented for examination. Claim(s) 2, 11 and 18 are amended. Claim 1 is previously cancelled. No claim(s) are newly added.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/30/2020 has been entered.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 10/12/2020, 12/10/2020, 01/07/2021 and 01/29/2021 were filed after the mailing date of the final Office action on 07/02/2020.  The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Response to Arguments
Double Patenting Rejection:
Applicants’ remarks with respect to the non-provisional nonstatutory double patenting rejection over claims 1-20 of Patent 10,142,372 have been acknowledged.  The non-provisional nonstatutory double patenting rejection over claims 1-20 of Patent 10,142,372 is maintained.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 9-12, filed 12/30/2020, regarding the 35 U.S.C. 102 and 103 rejections of Claims 2-21 have been fully considered and are not persuasive.
Applicants argue that “None of the cited references teach, disclose, or otherwise suggest, as recited by claim 2, at least "receiving, by a server and from at least one malicious host tracker service external to a network protected by at least one packet security gateway, malicious traffic information that comprises network addresses that have been determined, by the at least one malicious host tracker service, to be associated with malicious network traffic"”. 
Applicant’s arguments have been considered but are moot in view of the new ground(s) of rejection.
Applicants further argue that “None of the cited references teach, disclose, or otherwise suggest, as recited by claim 2,… "automatically creating or altering, by the server and based on the malicious traffic information, a set of packet filtering rules."”. 
Applicant’s interpretation of the reference has been noted; however, examiner 
Besides, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the rejection is maintained.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 2-21 are non-provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over:
          Claims 1-20 of Patent 10,142,372.


Patent No. US 10,142,372 (Application No. 15/414,117)
Claim 1. A method comprising: 
receiving, by a server and from a first computing device, a first security update comprising a first set of network addresses; 
updating, by the server, one or more rules stored in a memory of the server to include the first set of network addresses; 
receiving, by the server and from a second computing device, a second security update comprising a second set of network addresses; 
determining, by the server, that the second set of network addresses includes at least a portion of network addresses included in the first set of network addresses; 
responsive to determining that the second set of network addresses includes the at least a portion of network addresses included in the first set of network addresses: 
identifying, by the server, the at least a portion of network addresses 
identifying, by the server, at least one of the one or more rules stored in the memory of the server that specifies a range of network addresses comprising the at least a portion of network addresses included in the first set of network addresses; and 
updating, by the server, the at least one of the one or more rules to include one or more other network addresses included in the second set of network addresses; 
transmitting, by the server and to at least one packet security gateway, at least one of the one or more updated rules: 
causing executing, by the packet security gateway and on a packet by packet basis, one or more rules in time-shifted phases, wherein the executing comprises: 
executing, by the at least one packet security gateway, a first rule during a first period of time based on a first subset of network addresses: 
executing, by the at least one packet security gateway, a second rule during a second period of time based on a second subset of network addresses: and 
executing, by the at least one packet security gateway, a third rule during a third period of time based on a third subset of network addresses, 
wherein the first period of time is followed by the second period of time, 
wherein the first subset of network addresses is smaller than the second subset of network addresses, and the second subset of network addresses is smaller than the third subset of network addresses.

Instant Application No. 16/158,868
receiving, by a server and from at least one malicious host tracker service external to a network protected by at least one packet security gateway, malicious traffic information that comprises network addresses that have been determined, by the at least one malicious host tracker service, to be associated with malicious network traffic; 
automatically creating or altering, by the server and based on the malicious traffic information, a set of packet filtering rules, wherein each packet filtering rule of the set of packet filtering rules comprises: 
one or more packet matching criteria comprising a corresponding set of network addresses, and 
one or more corresponding packet transformation functions; 
transmitting, to the at least one packet security gateway, the set of packet filtering rules, wherein the at least one packet security gateway is configured to use the set of packet filtering rules to filter a first packet; 
receiving, by the server and from a service other than the at least one malicious host 
identifying, by the server, a first packet filtering rule based on determining that: 
a second set of network addresses, corresponding to the first packet filtering rule of the set of packet filtering rules, includes at least one first network address of the first set of network addresses; and 
the second set of network addresses does not include at least one second network address of the first set of network addresses; and 
based on the identifying: 
updating, by the server, the set of packet filtering rules by modifying the first packet filtering rule to include the at least one second network address; and 
transmitting, by the server and to the at least one packet security gateway, the updated set of packet filtering rules, wherein the at least one packet security gateway is configured to use the updated set of packet filtering rules to filter a second packet. 



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 2-3, 5-7, 9-12, 14, 16-19 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Beauvais et al. (US 2013/0081102 A1) in view of Horman et al. (US 2012/0311693 A1) further in view of David K. Ahn (US 2011/0055916 A1) and further in view of Zhao et al. (US 2013/0212639 A1).
Regarding Claims 2, 11 and 18, Beauvais discloses
receiving, by a server and from at least one malicious host tracker service, malicious traffic information ([0020], “a computer system (server) 102, which runs a software-based security policy creation and maintenance tool 104”, “Security policy creation and maintenance tool 104 receives first, second and third specifications sets, which are a (malicious host tracker) service flow specification set 106, a service placement specification set 108, and a device address specification set 110, respectively” as malicious traffic information) and a network protected by at least one packet security gateway ([0022], “A packet filtering device 114 (i.e. the packet security gateway) in system 100 receives security policy 112 and uses the security policy 112 to filter packets being sent from one or more source computer devices”, [0036]); 
automatically creating or altering, by the server and based on the malicious traffic information, a set of packet filtering rules ([0034], “tool 104 (see FIG. 1) combines service flow specification set 106 (see FIG. 1), service placement specification set 108 (see FIG. 1), and device address specification set 110 (see FIG. 1) by mapping the aforementioned specification sets to packet filtering rule statements”, [0035], “automatically generates packet filtering rules (i.e., security policy 112 in FIG. 1) based on the combined specification sets”, [0022], “A packet filtering device 114 (e.g., a firewall)”. It is well known in the art that a firewall is used to handle malicious traffic in the network (Derek Anderson, 2013/0227674, [0011] and Ogg et al. 2013/0227672, [0024])), wherein each packet filtering rule of the set of packet filtering rules comprises: 
a corresponding set of network addresses ([0035], “Each packet filtering rule of the generated packet filtering rules specifies a source network address or a range of network address or a range of destination network addresses”), and 
transmitting, to the at least one packet security gateway, the set of packet filtering rules, wherein the at least one packet security gateway is configured to use the set of packet filtering rules to filter a first packet ([0036], “In step 214, tool 104 (see FIG. 1) outputs to a computer file the packet filtering rules generated in step 212”, “tool 104 (see FIG. 1) automatically sends the computer file that includes the packet filtering rules to packet filtering device 114 (i.e. the packet security gateway)”); and 
transmitting, by the server and to the at least one packet security gateway, the updated set of packet filtering rules, wherein the at least one packet security gateway is configured to use the updated set of packet filtering rules to filter a second packet ([0055], “tool 104 (see FIG. 1) outputs to a computer file the updates to the packet filtering rules”, “the updates to the packet filtering rules output to the computer file include packet filtering rules added to, deleted from and/or modified in an existing security policy (i.e., a delta set of packet filtering rules), without including unchanged packet filtering rules”, [0056], “tool 104 (see FIG. 1) automatically sends the computer file that includes the updated packet filtering rules to packet filtering device 114 (i.e. the packet security gateway)”).
Beauvais does not explicitly teach but Horman teaches
receiving, by the server and from a service other than the at least one malicious host tracker service, a first set of network addresses ([0014], “receive the IP address for a given host name”, i.e. a service other than the malicious host tracker service); 
identifying, by the server, a first packet filtering rule based on determining that: 
a second set of network addresses, corresponding to the first packet filtering rule of the set of packet filtering rules, includes at least one first network address of the first set of network addresses ([0013], “a set of firewall rules (i.e. packet filtering rules)”, [0014], “The firewall queries the name server for a record corresponding to the host name and receives the content of the record, which includes a rule for that host”); and 
the second set of network addresses does not include at least one second network address of the first set of network addresses ([0014], “indicating that the IP address for a given host name (e.g., the web server) has been updated”, i.e. the second network address not included in the set of address); and 
based on the identifying: 
updating, by the server, the set of packet filtering rules by modifying the first packet filtering rule to include the at least one second network address ([0013], “update a firewall rule corresponding to the (second network) address identified in the update notification to include the contents of the record (i.e. rule with the second network address)”, [0014], “The firewall can then associate the rule for the web server with the new IP address.”).
Beauvais and Horman are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in 
The combined teaching of Beauvais and Horman does not explicitly teach but Ahn teaches the set of packet filtering rules comprises: 
one or more packet matching criteria ([0030], “A firewall rule is defined as an n-tuple criteria and an associated action for matching packets”);
one or more corresponding packet transformation functions ([0048], “applying a (packet) transform function to each rule”).
Beauvais, Horman and Ahn are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to transmit the updated set of packet filtering rules with a rule updated including a new network address (as taught by the combined teaching of Beauvais and Horman) where the rule comprises packet matching criteria and transformation functions (as taught by Ahn). The motivation/suggestion would have been for adaptive packet filtering (Ahn, [0002]).
The combined teaching of Beauvais, Horman and Ahn does not explicitly teach but Zhao teaches
at least one malicious host tracker service external to the network ([0043], “a network side receives network security information reported by a terminal” as the malicious host tracker service which is outside the network);
malicious traffic information that comprises network addresses that have been determined, by the at least one malicious host tracker service, to be associated with malicious network traffic ([0044], “a black list of unsafe websites”, [0050], “the (network) addresses in the black list”, [0048], “The mobile terminal performs a matching process for a website address that the browser receives and/or a website address in a link on the browser according to the black list”, i.e. the malicious traffic information is determined by the malicious host tracker service as described in [0048], “if the website address matches an unsafe address in the black list, a prompt indicating that the website is unsafe”, i.e. malicious),
Beauvais, Horman, Ahn and Zhao are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to transmit the updated set of packet filtering rules with a rule updated including a new network address where the rule comprises packet matching criteria and transformation functions (as taught by the combined teaching of Beauvais, Horman and Ahn) and the malicious traffic information including network addresses associated with malicious network traffic (as taught by Zhao). The motivation/suggestion would have been for improving security level of a terminal during Internet surfing (Zhao, [0002]).

Regarding Claims 3, 12 and 19, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches identifying at least two rules, of the set of packet filtering  rules, that each specify a range of network addresses comprising the at least one first network address (Ahn, [0021], “rule subset identifier/rule sorter 106 identifies two and combining the at least two rules into a rule that specifies a range of network addresses that includes network addresses specified by each of the at least two rules (Ahn, [0021], “in FIG. 2, packets that pass the filtering of rule subset A 208 are processed by processor 206, which applies rule subset B 210”, refer to Fig. 2, “Allowed packets for rule subsets A+B” indicates two rules are combined into one rule).

Regarding Claim 5, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches wherein at least one packet matching criteria of the one or more packet matching criteria (Ahn, [0030], “A firewall rule is defined as an n-tuple criteria and an associated action for matching packets”) comprises network addresses associated with malicious network traffic (Zhao, [0044], “a black list of unsafe websites”, [0050], “the (network) addresses in the black list”).

Regarding Claim 6, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches at least one first rule specifying a third set of network addresses for which associated packets should be forwarded to their intended destination and at least one second rule specifying that all packets associated with network addresses outside the third set of network addresses should be dropped (Ahn, Fig. 2, e.g. see output of firewalls 200, “Allowed packets for rule subset A” and “Denied packets” with addresses outside the set of address of allowed packets).

Regarding Claims 7, 14 and 21, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches combining at least two of the set of packet filtering rules into a rule that specifies: a range of network addresses that includes the at least one first network address (Ahn, [0021], “rule subset identifier/rule sorter 106 identifies two rule subsets, subset A 208 and subset B 210”, “in FIG. 2, packets that pass the filtering of rule subset A 208 are processed by processor 206, which applies rule subset B 210”, refer to Fig. 2, “Allowed packets for rule subsets A+B” indicates two rules are combined into one rule), and an additional parameter (Ahn, [0021], “A rule R usually consists of an N-tuple, most basically a 3-tuple such as "from 1.2.3.4 to 3.4.5.6 deny", [0113], “tuple a=source IP address, e.g. "1.2.3.4"” as an additional parameter).

Regarding Claims 9 and 16, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches wherein the additional parameter comprises at least one of transport-layer protocol information, a source address within a specified range of source addresses, a source port within a specified range of source ports, a destination address within a specified range of destination addresses, or a destination port within a specified range of destination ports (Ahn, [0021], “A rule R usually consists of an N-tuple, most basically a 3-tuple such as "from 1.2.3.4 to 3.4.5.6 deny", [0113] tuple a=source IP address, e.g. "1.2.3.4"”).

Regarding Claims 10 and 17, the combined teaching of Beauvais, Horman, Ahn and Zhao teaches wherein at least one of the one or more packet transformation functions comprises a network protective action (Ahn, [0048], “A partitioned rule set a transform function to each rule within each disjoint group to derive a sortable key for each rule (as the network protective action). Then, the rules may be reordered within their disjoint groups using their sortable keys”).

Claims 4, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Beauvais et al. (US 2013/0081102 A1) in view of Horman et al. (US 2012/0311693 A1) further in view of David K. Ahn (US 2011/0055916 A1) and further in view of Zhao et al. (US 2013/0212639 A1) and further in view of Grimes et al. (US 2011/0154470 A1).
Regarding Claims 4, 13 and 20, the combined teaching of Beauvais, Horman, Ahn and Zhao does not explicitly teach but Grimes teaches removing duplicate network addresses from the set of packet filtering rules (Grimes, [0060], “duplicate, or remove (duplicate) IP addresses as they exist in firewall rules”).
The combined teaching of Beauvais, Horman, Ahn, Zhao and Grimes are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Grimes with the combined teaching of Beauvais, Horman, Ahn and Zhao. The motivation/suggestion would have been to manage firewall change requests for a communication network (Grimes, Abstract).

Claims 8 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Beauvais et al. (US 2013/0081102 A1) in view of Horman et al. (US 2012/0311693 A1) .
Regarding Claims 8 and 15, the combined teaching of Beauvais, Horman, Ahn and Zhao does not explicitly teach but Lee teaches wherein the additional parameter comprises at least one Session Initiation Protocol (SIP) Uniform Resource Identifier (URI) (Lee, [0053], “may use uniform resource identifiers (URLs) to identify”).
The combined teaching of Beauvais, Horman, Ahn, Zhao and Lee are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Lee with the combined teaching of Beauvais, Horman, Ahn and Zhao. The motivation/suggestion would have been to provide a new peripheral firewall system, provisioned and controlled by enterprise customers (Lee, [0007]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Examiner, Art Unit 2497