DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/15/2020 has been entered.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments concerning automatically performing a DPI (i.e., the cited prior art) versus selectively performing DPI responsive to a determination (i.e., “in response to determining that a particular rule, of the one or more partially matched rules, includes the additional elements that require additional information that is not included in the firewall input data from the header of the data packet”) have been found persuasive, and as such, a new ground(s) of rejection is made in view of Kapoor (US 20120240185 A1).
However, it is noted that the Parekh reference includes parsing header data (e.g., Col. 2, Ll. 60-67 and Col. 6, Ll. 47-52 of Parekh). Further, the Rolette reference likewise comprises parsing header data in a first stage of analysis (e.g., [0017] of Rolette).

Double Patenting
In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and 
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over at least claims 1, 5, 8, 12, 15, and 19 of copending Application No. 15/868,789 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the copending application are considered to anticipate those of instant application. For instance, refer to at least the bolded portions of the below exemplary co-pending claim, which are considered to be sufficiently similar to the exemplary claim of instant application. 
Instant Application
Copending Application No. 15/868,789
1. (Currently Amended) A method for a hypervisor to implement rule processing and enforcement for interleaved Layer 4[[;]]z Layer 7 and verb-based rulesets[[j], the method comprising: receiving stream data intercepted along a data path; identifying a data packet in the stream data; parsing the data packet to extract firewall input data from a packet header of the data packet; determining whether one or more rules include elements that at least partially match the firewall input data from a header of the data packet, wherein each of the elements comprises a value to be compared with a corresponding value associated with the data packet and wherein a partial match occurs when at least a subset of the elements matches the corresponding values of the firewall input data; and in response to determining that the one or more rules include elements that at least partially match the firewall input data from the header of the data packet: determining whether any of the one or more partially matched rules include additional elements that require additional information that is not included in the firewall input data from the header of the data packet; in response to determining that a particular rule, of the one or more partially matched rules, from the header of the data packet: performing at least partial deep packet inspection (DPI) on the data packet to determine whether additional information obtained from a payload of the data packet from the partial DPI matches the additional elements; and in response to determining that the firewall input data from the header of the data packet along with the additional information from the payload of the data packet satisfies all elements included in the particular rule, performing an action associated with the particular rule on the data packet, wherein the action is one of: a drop action or a pass action, wherein the pass action causes transmitting the data packet toward a destination of the data packet.
) A method for a hypervisor to implement mechanisms for Layer 7 context accumulation for enforcing Layer 4, Layer 7, and verb-based rules, the method comprising: receiving stream data intercepted along a data path; identifying a data packet in the stream data; parsing the data packet to determine whether the data packet includes a plurality of Layer 7 headers; in response to determining that the data packet includes the plurality of Layer 7 headers: for each Layer 7 header of the plurality of Layer 7 headers: determining content of the data packet that is identified by an identifier included in a Layer 7 header; parsing the content to extract firewall input data from the content; determining whether one or more rules include elements that at least partially match the firewall input data, wherein each of the elements comprises a value to be compared with a corresponding value associated with the data packet and wherein a partial match occurs when at least a subset of the elements matches the corresponding values of the firewall input data; in response to determining that the one or more rules include elements that at least partially match the firewall input data: determining that a particular rule, of the one or more partially matched rules, includes additional  that require additional information that is not included in the firewall input data; based on determining that the particular rule includes additional elements that require additional information that is not included in the firewall input data, selecting to perform a deep packet inspection (DPI) on the content to determine whether additional information obtained from the DPI matches the additional elements.

Claim 5. The method of Claim 1, wherein performing the DPI on the content to determine whether at least the portion of the additional information is found in the content comprises: performing a partial DPI on the content to determine whether at least a first portion of the additional information is found in the content; in response to determining that no first portion of the additional information is found in the content by performing the partial DPI: performing a full DPI to determine whether at least a second portion of the additional information is found in the content; and in response to determining that at least the second portion of the additional information is found in the content: extracting additional input data, that corresponds to the second portion of the additional information, from the content.


Claim 15 is likewise rejected in view of claims 15 and 19 of the copending application.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Parekh (US 7,257,833 B1) in view of Rolette (US 2014/0153435 A1), Bansal (US 2017/0005986 A1), and Kapoor (US 2012/0240185 A1).

Regarding claim 1, Parekh discloses: A method to implement rule processing and enforcement for interleaved Layer 4; Layer 7 and verb-based rulesets; the method comprising:
receiving stream data intercepted along a data path; 
identifying a data packet in the stream data; 
Refer to at least Col. 2, Ll. 31-35 and Ll. 60-61 of Parekh with respect to a stream of packets.
parsing the data packet to extract firewall input data from the a packet header of the data packet; 
Refer to at least Col. 2, Ll. 60-67 of Parekh with respect to extracting packet information from the packets, such as from the packet headers. 
determining whether one or more rules include elements that at least partially match the firewall input data from a header of the data packet, wherein each of the elements comprises a value to be compared with a corresponding value associated with the data packet and wherein a partial match occurs when at least a subset of the elements matches the corresponding values of the firewall input data; and 
Refer to at least Col. 3, Ll. 57-61, TABLE 1.0, Col. 9, Ll. 34-44, Col. 11, Ll. 44-51, and Col. 16, Ll. 5-34 of Parekh with respect to matching conditions to policy rules; partial matching. 
in response to determining that the one or more rules include elements that at least partially match the firewall input data from the header of the data packet: 
[automatically obtaining additional information] that is not included in the firewall input data from the header of the data packet; 
Refer to at least Col. 3, Ll. 30-35 & 47-49, Col. 5, Ll. 40-60, Col. 9, Ll. 34-44, and Col. 16, Ll. 5-34 of Parekh with respect to tiered processing of rules by associated agents, including determining partial rules matches and each tier obtaining progressively more information (typically for higher level protocols).  
performing at least [additional analysis, including at higher protocol layers] on the data packet to determine whether additional information from a payload of the data packet matches the additional elements; and 
Refer to at least Col. 5, Ll. 19-23, Col. 6, Ll. 30-37, Col. 7, Ll. 11-25, and Col. 13, Ll. 1-53 of Parekh with respect to conducting further examination of the packets of the packet stream. 
in response to determining that the firewall input data from the header of the data packet along with the additional information from the payload of the data packet satisfies all elements included in the particular rule, performing an action associated with the particular rule on the data packet, wherein the action is one of: a drop action or a pass action, wherein the pass action causes transmitting  the data packet toward a destination of the data packet.
Refer to at least the abstract, Col. 6, Ll. 43-46, Col. 7, Ll. 25-32, Col. 8, Ll. 11-12, and TABLE 1.0 of Parekh with respect to policy actions which may be taken. 
Parekh does not fully specify: for a hypervisor; determining whether any of the one or more partially matched rules also include additional elements that require additional information; in response to determining that a particular rule, of the one or more partially matched rules, also includes the additional elements that require additional information that  is not included in the firewall input data from the header of the data packet; performing at least partial deep packet inspection (DPI) on the data packet to determine whether additional information obtained from a payload of the data packet from the partial DPI matches the additional elements. However, Parekh in view of Rolette discloses: performing at least partial deep packet inspection (DPI) on the data packet to determine whether additional information obtained from the partial DPI matches the additional elements.
Refer to at least [0009], [0014]-[0019], [0021 ]-[0022], [0030], and [0036]-[0038] of Rolette with respect to multiple tiers of DPI following a 1st stage packet filtering. The multiple tiers of DPI may be divided into a plurality of portions and include one or more functions such as those in [00181 of Rolette.
Further, Parekh-Rolette in view of Kapoor discloses: determining whether any of the one or more partially matched rules also include additional elements that require additional information; in response to determining that a particular rule, of the one or more partially matched rules, also includes the additional elements that require additional information that  is not included in the firewall input data from the header of the data packet;
Refer to at least [0215] and [0408] of Kapoor with respect to performing additional analysis on packets responsive to a partial rule match and determining that additional information is needed. 
Finally, Parekh-Rolette-Kapoor in view of Bansal discloses: for a hypervisor;
Refer to at least [0091] and [0145] of Bansal with respect to a hypervisor and firewall.
The teachings of Parekh, Rolette, and Kapoor concern multistage packet analysis, and Parekh also includes mention of further examining said packets. Accordingly, these teachings are considered to be combinable. As well, the teachings of Bansal concern firewall rules and enforcement, and are likewise considered to be within the same field of endeavor and combinable.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Parekh to include multiple tiers of DPI and applicability to hypervisors because the substitution of one known element (e.g., tiered agents as per [0019] of Rolette; Parekh considers generic agents and modules which may be incorporated into known-in-the-art infrastructure) for another would have yielded predictable results to said one of ordinary skill in the art. It also would have been obvious to modify Parekh to include a specific determination of whether to perform additional analysis on partial matches for at least the purpose of increasing an efficiency of the system (i.e., see at least [0011] of Rolette with respect to the advantages of tiered packet inspection). 

Regarding claim 2, Parekh-Rolette-Kapoor-Bansal discloses: The method of Claim 1, wherein the firewall input data includes at least Layer 1 and Layer 2 data; wherein the additional information includes at least Layer 7 header data; or at least Layer 7 payload data.
Refer to at least Col. 6, Ll. 47-49, Col. 7, Ll. 11-25, and Col. 13, Ll. 1-53 of Parekh with respect to obtaining packet information, including that of various protocol layers up to that of the Application layer. 
Refer to at least [0013], [0015], [0018], and [0035] of Rolette with respect to filtering at various combinations of protocol layers.
Refer to at least [0081] of Bansal with respect to packets associated with layers L1-L7.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, Parekh-Rolette-Kapoor-Bansal discloses: The method of Claim 1, wherein the partial DPI and the a full DPI are performed by a DPI engine; and wherein performing the partial DPI or performing the full DPI comprises generating a decrypted data packet by decrypting the data packet, analyzing Layer 7 data included in the decrypted data packet, and extracting Layer 7 data from the decrypted data packet; 
Refer to at least Col. 5, Ll. 19-21, Col. 7, Ll. 10-25, and FIG. 6 of Parekh with respect to the application decode engine for decoding application layer information in the packets. 
Refer to at least [0009], [0014]-[0019], [0021 ]-[0022], [0030], and [0036]-[0038] of Rolette with respect to DPI. 
and wherein performing the full DPI comprises analyzing all fields of the decrypted data packet; wherein the firewall input data includes one or more of: Layer 4 data, or Layer 7 data; wherein the one or more of: Layer 4 data or Layer 7 data is used to generate context data for determining whether the one or more rules apply to the firewall input data; 
wherein the Layer 4 data includes one or more of: a source address, a source port, a destination address, a destination port, or a protocol identifier; wherein the Layer 7 data includes one or more of: a Layer 7 protocol name, or one or more Layer 7 verbs; and wherein the one or more Layer 7 verbs include one or more of: HTTP action verbs, FTP commands, or SQL commands.
Refer to at least TABLE1.0 and TABLE 2.0 or Parekh with respect to exemplary rules and associated analysis; e.g., extracting frame, header, and data information. 
Refer to at least [0009], [0014]-[0019], [0021 ]-[0022], [0030], and [0036]-[0038] of Rolette with respect to DPI. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 4, Parekh-Rolette-Kapoor-Bansal discloses: The method of Claim 1, wherein the particular rule, of the one or more rules that at least partially match the firewall input data, includes one or more of: Layer 4-specific data, Layer 7-specific data, or Layer 4-7-specific data.
Refer to at least TABLE 1.0 of Parekh with respect to exemplary rules. 

Regarding claim 5, Parekh-Rolette-Kapoor-Bansal discloses: The method of Claim 1, further comprising: applying the one or more rules to the firewall input data to determine whether the data packet is to be transmitted toward the destination of the data packet.
Refer to at least the abstract, Col. 6, Ll. 43-46, Col. 7, Ll. 25-32, Col. 8, Ll. 11-12, and TABLE 1.0 of Parekh with respect to policy actions which may be taken. 

Regarding claims 6-7, they are rejected for substantially the same reasons as claims 1 and 5 above (i.e., the citations).

Regarding independent claim 8, it is substantially similar to independent claim 1 above, and is therefore likewise rejected.

Regarding claims 9-14, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.



Regarding claims 16-20, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751.  The examiner can normally be reached on 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/V.S/Examiner, Art Unit 2432