Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action

Claim(s) 1-2, 4-12 and 14-20 is/are pending in this office action.
Claim(s) 1, 11 and 20 is/are amended.
No claim(s) is/are new.
Claim(s) 3 and 13 is/are cancelled.
Claim(s) 1-2, 4-12 and 14-20 is/are rejected. Claim(s) 3 and 13 is/are cancelled. 

Response to Arguments
Applicant’s arguments, see pp. 8-11, filed 03-24-2021, with respect to the rejection(s) of claim(s) 1-2, 4-12 and 14-20 under 35 USC 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of US Patent Publication No. 2014/0325588 issued to Jalan et al. in view of US Patent Publication No. 2018/0034681 issued to Shima et al. and in view of US Patent Publication No. 2013/0263245 issued to Sun et al. and in further view of US Patent No. 6,374,359 issued to Shrader et al.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6, 8-12, 16, 18 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Publication No. 2014/0325588 issued to Jalan et al. in view of US Patent Publication No. 2018/0034681 issued to Shima et al. and in view of US Patent Publication No. 2013/0263245 issued to Sun et al. and in further view of US Patent No. 6,374,359 issued to Shrader et al.

Regarding claim 1, Jalan teaches a system for TCP fast open support in a proxy device, the system comprising: 
at least one circuit associated with the proxy device (¶24, a SYN packet is sent from a client device to a server, in an attempt to establish a network connection with that server; ¶60, symmetric network topology may place the network device in line with the flow of traffic between the server and client device, such that all communications between the server and client device pass through the network device, to confirm network establishment, see ¶67); and
the proxy device serving data traffic between the at least one client and a plurality of server (¶67, network device receiving 715 an ACK packet from the client device to confirm the establishment of a network connection between the network device and the client device).
Jalan does not explicitly indicate receive, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet 
However, Shima teaches receive, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet being associated with at least one client device and including a cookie (¶41-45, client 12 that stores the cookies received from the server 14 does not transmit a SYN packet to the server 14 even when the application program calls the connect function; [t]hereafter, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data.; see also ¶3-6), the cookie being preliminarily provided to the at least one client device by the at least one circuit during establishing a preceding connection between the at least one server and the at least one client device (¶41, FIG. 2B takes place when another TCP connection is established between the client 12 and the server 14 following the data transmission shown in FIG. 2A, for example. The data transmission shown in FIG. 2B also takes place when a TCP connection is again established between the client 12 and the server 14 after the earlier TCP connection therebetween was broken; ¶43, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data).
Therefore it would have been obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor to include preliminarily providing a cookie for client’s request to reestablish a connection with the server as taught in Shima’s transmission control method to process requests from client by supporting the TCP fast open protocol to enable permitted transmissions (Shima, see ¶35-37).
Jalan does not explicitly indicate validate the cookie, at least one data plane communicatively coupled to the at least one circuit and configured to:  if the result of the 
However, Sun teaches validate the cookie (¶24 - SYN cookie is a calculated TCP sequence number and is put in the TCP SYN+ACK packet; ¶25 - security gateway verifies the TCP sequence number in TCP ACK packet from the sender (processing block 107) and determines if the TCP sequence number matches the SYN cookie; ¶26 - first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie),
at least one data plane communicatively coupled to the at least one circuit and configured to: 
if the result of the validation is positive, initiate, based on the at least one SYN packet, a connection between the at least one client device and at least one server (¶24-27, 35 -  first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie, confirming the TCP handshaking is from a valid sender, then processing logic in the first security gateway (or a second separate security gateway) initiates another three-way TCP handshaking between a second security gateway and the destination server (processing block 109) and thereafter packets are passed between the sender and the destination server via the second security gateway) of the plurality of servers (¶28 - destination servers (one or more networks)).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor to include field programmable gate array hardware as taught in Sun’s distributed TCP SYN flood protection system that can process request to establish connections (Sun, see ¶31).
Jalan modified does not explicitly indicate the validating the cookie including:  acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device; decrypting the cookie to obtain a second IP address; and matching the 
However, Shrader teaches the validating the cookie including:
acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device (Shrader:  Col. 7 ll. 03-05 – cookie validated based on cookie IP address; Col. 7 ll. 33-35 – cookie value sent back in the HTTP header);
decrypting the cookie to obtain a second IP address (Shrader:  Col. 7 ll. 20-32 and Col. 7 ll. 50-67 - suggests decryption using the corresponding key pair to determine if IP address match between the client IP address and that accompanied with the Web transaction); and
matching the first IP address and the second IP address (Shrader:  Col. 7 ll. 16-65, more specifically Col. 7 ll. 53-65 – suggest we can validate encrypted cookies by at least matching the IP addresses, wherein the IP address included in the encrypted cookie and  it needs to be decrypted before comparing with the IP address in the request). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve Jalan’s system for network access control in the same field of endeavor to include the secure/encrypted cookies taught in Shrader to encrypt the cookies included in the SYN messages, that way the client cannot modify the given cookie and then provide modified cookies to help perform an SYN message attack (Shrader, see Col. 7 ll. 10-15).

Regarding claim 11, Jalan teaches a method for TCP fast open support in a proxy device, the method comprising: 
at least one circuit associated with the proxy device (¶24, a SYN packet is sent from a client device to a server, in an attempt to establish a network connection with that server; ¶60, symmetric network topology may place the network device in line with the flow of traffic between the server and client device, such that all communications between the server and client device pass through the network device, to confirm network establishment, see ¶67); and
the proxy device service data traffic between the at least one client and a plurality of servers (¶67, network device receiving 715 an ACK packet from the client device to confirm the establishment of a network connection between the network device and the client device).
Jalan does not explicitly indicate receiving, by at least one circuit associated with the proxy device, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet being associated with at least one client device and including a cookie, the cookie being generated by the at least one circuit and preliminarily provided to the at least one client device by the at least one circuit during establishing a preceding connection between the at least one server and the at least one client device.
However, Shima teaches receiving, by at least one circuit associated with the proxy device, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet being associated with at least one client device and including a cookie (¶41-45, client 12 that stores the cookies received from the server 14 does not transmit a SYN packet to the server 14 even when the application program calls the connect function; [t]hereafter, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data.; see also ¶3-6), the cookie being generated by the at least one circuit and preliminarily provided to the at least one client device by the at least one circuit during establishing a preceding connection between the at least one server and the at least one client device (¶41, FIG. 2B takes place when another TCP connection is established between the client 12 and the server 14 following the data transmission shown in FIG. 2A, for example. The data transmission shown in FIG. 2B also takes place when a TCP connection is again established between the client 12 and the server 14 after the earlier TCP connection therebetween was broken; ¶43, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data). 
Jalan does not explicitly indicate validate the cookie, initiate, based on the at least one SYN packet, the connection between the at least one client device and the at least one server of the plurality of server, at least one field-programmed gate array (FPGA); at least one data plane communicatively coupled to the at least one FPGA and configured to:  if the result of the validation of the cookie is positive:  select, based on the at least one SYN packet, at least one server selected from a list of servers; and determin
Jalan does not explicitly indicate validating, by the at least one circuit, the cookie, if the result of the validation is positive, initiating, by at least one data plane communicatively coupled to the at least one circuit and based on the at least one SYN packet, a connection between the at least one client device and at least one server of the plurality of servers.
However, Sun teaches validating, by the at least one circuit, the cookie (¶24 - SYN cookie is a calculated TCP sequence number and is put in the TCP SYN+ACK packet; ¶25 - security gateway verifies the TCP sequence number in TCP ACK packet from the sender (processing block 107) and determines if the TCP sequence number matches the SYN cookie; ¶26 - first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie), 
if the result of the validation is positive, initiating, by at least one data plane communicatively coupled to the at least one circuit and based on the at least one SYN packet, a connection between the at least one client device and at least one server (¶24-27, 35 -  first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie, confirming the TCP handshaking is from a valid sender, then processing logic in the first security gateway (or a second separate security gateway) initiates another three-way TCP handshaking between a second security gateway and the destination server (processing block 109) and thereafter packets are passed between the sender and the destination server via the second security gateway) of the plurality of servers (¶28 - destination servers (one or more networks)). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor to include field programmable gate array hardware as taught in Sun’s distributed TCP SYN flood protection system that can process request to establish connections (Sun, see ¶31).
Jalan modified does not explicitly indicate the validating the cookie including:  acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device; decrypting the cookie to obtain a second IP address; and matching the first IP address and the second IP address.
However, Shrader teaches the validating the cookie including:
acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device (Shrader:  Col. 7 ll. 03-05 – cookie validated based on cookie IP address; Col. 7 ll. 33-35 – cookie value sent back in the HTTP header));
decrypting the cookie to obtain a second IP address (Shrader:  Col. 7 ll. 20-32 and Col. 7 ll. 50-67 - suggests decryption using the corresponding key pair to determine if IP address match between the client IP address and that accompanied with the Web transaction); and
matching the first IP address and the second IP address (Shrader:  Col. 7 ll. 16-65, more specifically Col. 7 ll. 53-65 – suggest we can validate encrypted cookies by at least matching the IP addresses, wherein the IP address included in the encrypted cookie and  it needs to be decrypted before comparing with the IP address in the request).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve Jalan’s system for network access control in the same field of endeavor to include the secure/encrypted cookies taught in Shrader to encrypt the cookies included in the SYN messages, that way the client cannot modify the given cookie and then provide modified cookies to help perform an SYN message attack (Shrader, see Col. 7 ll. 10-15).

Regarding claim 2, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein the at least one circuit includes a field-programmed gate array.
However, Sun teaches wherein the at least one circuit includes a field-programmed gate  (¶22 - a process for TCP SYN flood attack protection. The process is performed by processing logic that may comprise hardware (circuitry, dedicated logic, etc.); hardware circuitry is equivalent to FPGA). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor to include field programmable gate array hardware as taught in Sun’s distributed TCP SYN flood protection system that can process request to establish connections (Sun, see ¶31).
The method of claim 12 is rejected for the same reasons set forth in the system of claim 2. 

Regarding claim 6, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein the at least one circuit configured to validate the cookie is further configured to: determine that the at least one SYN packet includes a cookie request; and in response to the determination: generate, based on the at least one SYN packet, a new cookie; and send a SYN-ACK packet to the at least one client, the SYNACK packet including the new cookie.
However, Sun teaches wherein the at least one circuit configured to validate the cookie is further configured to: 
determine that the at least one SYN packet includes a cookie request (¶23 - a first security gateway receives a TCP SYN packet from the sender); and 
in response to the determination: 
generate, based on the at least one SYN packet, a new cookie (¶24 - processing logic in the first security gateway calculates a SYN cookie (processing block 103) and replies with a TCP SYN+ACK packet with the SYN cookie); and 
send a SYN-ACK packet to the at least one client, the SYNACK packet including the new cookie (¶24 - SYN cookie is a calculated TCP sequence number and is put in the TCP SYN+ACK packet). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor as Sun’s system for distributed TCP SYN flood protection to include establishing a connection using the SYN packet for the three way handshake to approve that the sender is valid and ensures a secure gateway for the devices to connect (Sun, see ¶26-31).
The method of claim 16 is rejected for the same reasons set forth in the system of claim 6. 

Regarding claim 8, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein the data plane is configured to determine if the at least one SYN packet includes an application data.
However, Sun teaches wherein the data plane is configured to determine if the at least one SYN packet includes an application data (¶24 - calculated TCP sequence number is a hash or other cryptographic function of a timestamp and IP header information; ¶29 - time state information includes application type information). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor as Sun’s system for distributed TCP SYN flood protection to include application data in the form of session information and run-time state information including application type information (Sun, see ¶29).

Regarding claim 9, Jalan teaches the system of claim 8.
Jalan modified does not explicitly indicate wherein the data plane is further configured to select, based on the at least one SYN packet, the at least one server selected form a list of servers.
 (¶33 - I/O device verifies a connection is from a legitimate sender, either the I/O device or the process device performs a TCP three-way handshaking with the destination server to establish another TCP connection to the destination server. The decision of where to perform the TCP handshaking could depend on the workload or the computing resources of the I/O and process devices). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor as Sun’s system for distributed TCP SYN flood protection to include distributing security functions for increasing the performance and stability of the gateway (Sun, see ¶35).
The method of claim 18 is rejected for the same reasons set forth in the system of claim 9. 

Regarding claim 10, Jalan teaches the system of claim 8.
Jalan modified does not explicitly indicate wherein the data plane is further configured to deliver the application data to the at least one server.
However, Sun teaches wherein the data plane is further configured to deliver the application data to the at least one server (¶29 -  session information includes a source IP address, destination IP address, port number, source port indication, and destination port indication. In one embodiment, the session information also includes information indicating the incoming interface/port (upon which packet a session is recorded), information indicating the outgoing interface/port (upon which a packet is sent after performing security processing has been applied to it), TCP sequence number, and routing domain. In one embodiment, the run-time state information includes application type information; ¶33 - I/O device verifies a connection is from a legitimate sender, either the I/O device or the process device performs a TCP three-way handshaking with the destination server to establish another TCP connection to the destination server). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor as Sun’s system for distributed TCP SYN flood protection to include field programmable gate array hardware as taught in Sun’s distributed TCP SYN flood protection system that can process request to establish connections (Sun, see ¶31).

Regarding claim 19, Jalan teaches the method of claim 11.
Jalan modified does not explicitly indicate determining, by the data plane, that the at least one SYN packet includes an application data.
However, Sun teaches determining, by the data plane, that the at least one SYN packet includes an application data (¶24 - calculated TCP sequence number is a hash or other cryptographic function of a timestamp and IP header information; ¶29 - time state information includes application type information); and delivering the application data to the at least one server (¶29 - session information includes a source IP address, destination IP address, port number, source port indication, and destination port indication. In one embodiment, the session information also includes information indicating the incoming interface/port (upon which packet a session is recorded), information indicating the outgoing interface/port (upon which a packet is sent after performing security processing has been applied to it), TCP sequence number, and routing domain. In one embodiment, the run-time state information includes application type information; ¶33 - I/O device verifies a connection is from a legitimate sender, either the I/O device or the process device performs a TCP three-way handshaking with the destination server to establish another TCP connection to the destination server). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention (Sun, see ¶33).

Claims 4, 5, 7, 14, 15, 17, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Publication No. 2014/0325588 issued to Jalan et al. in view of in view of US Patent Publication No. 2018/0034681 issued to Shima et al. and in view of US Patent Publication No. 2013/0263245 issued to Sun et al. and in view of US Patent No. 6,374,359 issued to Shrader et al. and in further view of US Patent Publication No. 2005/0240989 issued to Kim et al.

Regarding claim 20, Jalan teaches a system for TCP fast open support in a proxy device, the system comprising: 
associated with the proxy device (¶24, a SYN packet is sent from a client device to a server, in an attempt to establish a network connection with that server; ¶60, symmetric network topology may place the network device in line with the flow of traffic between the server and client device, such that all communications between the server and client device pass through the network device, to confirm network establishment, see ¶67); and 
 the proxy device serving data traffic between the at least one client and plurality of servers (¶67, network device receiving 715 an ACK packet from the client device to confirm the establishment of a network connection between the network device and the client device).
Jalan does not explicitly indicate receive, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet being associated with at least one client device and including a cookie, the cookie being preliminarily provided to the at least one client device by the at least one circuit during establishing a preceding connection between the at least one server and the at least one client device.
However, Shima teaches receive, from at least one client device, at least one SYN packet to establish a connection with at least one server, the at least one SYN packet being associated with at least one client device and including a cookie (¶41-45, client 12 that stores the cookies received from the server 14 does not transmit a SYN packet to the server 14 even when the application program calls the connect function; [t]hereafter, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data.; see also ¶3-6), the cookie being preliminarily provided to the at least one client device by the at least one circuit during establishing a preceding connection between the at least one server and the at least one client device (¶41, FIG. 2B takes place when another TCP connection is established between the client 12 and the server 14 following the data transmission shown in FIG. 2A, for example. The data transmission shown in FIG. 2B also takes place when a TCP connection is again established between the client 12 and the server 14 after the earlier TCP connection therebetween was broken; ¶43, when the application program calls the transmit function, the client 12 transmits to the server 14 a SYN packet that includes the stored cookies and a packet constituting at least part of the transmission target data).
Jalan does not explicitly indicate validate the cookie, initiate, based on the at least one SYN packet, the connection between the at least one client device and the at least one server of the plurality of server, at least one field-programmed gate array (FPGA); at least one data plane communicatively coupled to the at least one FPGA and configured to:  if the result of the validation of the cookie is positive:  select, based on the at least one SYN packet, at least one server selected from a list of servers; and determine that the at least one SYN packet includes an application data.
However, Sun teaches validate the cookie (¶24 - SYN cookie is a calculated TCP sequence number and is put in the TCP SYN+ACK packet; ¶25 - security gateway verifies the TCP sequence number in TCP ACK packet from the sender (processing block 107) and determines if the TCP sequence number matches the SYN cookie; ¶26 - first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie),
initiate, based on the at least one SYN packet, the connection between the at least one client device and the at least one server (¶24-27, 35 -  first security gateway confirms the TCP sequence number in the TCP ACK packet matches the SYN cookie, confirming the TCP handshaking is from a valid sender, then processing logic in the first security gateway (or a second separate security gateway) initiates another three-way TCP handshaking between a second security gateway and the destination server (processing block 109) and thereafter packets are passed between the sender and the destination server via the second security gateway) of the plurality of server (¶28 - destination servers (one or more networks)),
at least one field-programmed gate array (FPGA) (¶22 - a process for TCP SYN flood attack protection. The process is performed by processing logic that may comprise hardware (circuitry, dedicated logic, etc.); hardware circuitry is equivalent to FPGA); 
at least one data plane communicatively coupled to the at least one FPGA (¶22 - a process for TCP SYN flood attack protection. The process is performed by processing logic that may comprise hardware (circuitry, dedicated logic, etc.); hardware circuitry is equivalent to FPGA) and configured to:
if the result of the validation of the cookie is positive: 
select, based on the at least one SYN packet, at least one server selected from a list of servers (¶33 - I/O device verifies a connection is from a legitimate sender, either the I/O device or the process device performs a TCP three-way handshaking with the destination server to establish another TCP connection to the destination server. The decision of where to perform the TCP handshaking could depend on the workload or the computing resources of the I/O and process devices); and
determine that the at least one SYN packet includes an application data (¶24 - calculated TCP sequence number is a hash or other cryptographic function of a timestamp and IP header information; ¶29 - time state information includes application type information).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor as Sun’s system for distributed TCP SYN flood protection to include field programmable gate array hardware as taught in Sun’s distributed TCP SYN flood protection system that can process request to establish connections (Sun, see ¶31).
Jalan modified does not explicitly indicate the validating the cookie including:  acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device; decrypting the cookie to obtain a second IP address; and matching the first IP address and the second IP address.
However, Shrader teaches the validating the cookie including:
acquiring, based on the at least on SYN packet, a first Internet Protocol (IP) address associated with the at least one client device (Shrader:  Col. 7 ll. 03-05 – cookie validated based on cookie IP address; Col. 7 ll. 33-35 – cookie value sent back in the HTTP header);
decrypting the cookie to obtain a second IP address (Shrader:  Col. 7 ll. 20-32 and Col. 7 ll. 50-67 - suggests decryption using the corresponding key pair to determine if IP address match between the client IP address and that accompanied with the Web transaction); and
matching the first IP address and the second IP address (Shrader:  Col. 7 ll. 16-65, more specifically Col. 7 ll. 53-65 – suggest we can validate encrypted cookies by at least matching the IP addresses, wherein the IP address included in the encrypted cookie and  it needs to be decrypted before comparing with the IP address in the request).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor to include the secure/encrypted cookies taught in Shrader to encrypt the cookies included in the SYN messages, that way the client cannot modify the given cookie and then provide modified cookies to help perform an SYN message attack (Shrader, see Col. 7 ll. 10-15).
Jalan modified does not explicitly indicate if the result of validation is negative:  generate a new cookie; and sending an ACK packet to the at least one client device, the ACK packet including the new cookie; and deliver at least the application data to the at least one server
However, Kim teaches if the result of validation is negative: 
generate a new cookie (Kim:  ¶ 34 - control module 320 includes a packet verifying module 321 verifying whether a received packet is valid or invalid according to a firewall rule set by an administrator, an m.SYN cookie creating module 322 creating an m.SYN cookie); and 
send an ACK packet to the at least one client device, the ACK packet including the new cookie (Kim: ¶ 34 - control module 320 includes a packet verifying module 321 verifying whether a received packet is valid or invalid according to a firewall rule set by an administrator, an m.SYN cookie creating module 322 creating an m.SYN cookie; ¶ 55 - the SYN/ACK packet sent from the server 20 to the client 10 reaches the firewall 230b prior to reaching the client 10. When the communications module 310 of the firewall 230b receives the SYN/ACK packet, the m.SYN cookie verifying module 326 of the firewall 230b is activated. The m.SYN cookie verifying module 326 acquires the ID.sub.fw from the m.SYN cookie 40, which is extracted from the acknowledgement number 56 of the SYN/ACK packet);
deliver at least the application data to the at least one server (Kim:  ¶ 54 - packet modifying module 323 of the firewall 130a replaces the ISN.sub.c of the SYN packet with the m.SYN cookie 40 and the state table updating module 324 updates the connection information of the state table t of the firewall 130a at step S30, the modified SYN packet is sent to the server 20 through the communications module).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor with Kim’s method of sharing state between stateful inspection firewalls on MEP network to improve the system of Jalan in the same field of endeavor in order for the firewalls to receive a SYN packet sent from the client to the server and creating a modified SYN cookie to ensure the packet is valid based on the synchronized cookies (Kim, see ¶ 15-16).


Regarding claim 4, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein the at least one circuit configured to validate the cookie is further configured to:  acquire a time of generation of the cookie; and determine whether the time has expired.
However, Kim teaches wherein the at least one circuit configured to validate the cookie is further configured to: 
acquire a time of generation of the cookie (Kim:  ¶35 - a firewall identifier (hereinafter referred to as a "ID.sub.fw") i, a state table t storing connection information, a time counter c, and a secret key k. The ID.sub.fw i is a bit value identifying each of the firewalls included in the network, the state table t is the table in which the connection information of the firewall 30 is stored, and the time counter c is a bit counter that is included in the firewall 30 and increased at certain intervals; ¶ 46 - method of sharing the state between the stateful inspection firewalls 30 in accordance with the present invention, the firewalls 30, which are the subjects of the creation and verification of the m.SYN cookie 40, may be different from each other, so that T.sub.0 44 is included in the m.SYN cookie 40. The T.sub.0 44 is the least significant two bits of time.sub.org time indicated by the time counter c when the firewall 130a creates the m.SYN cookie 40, and is defined by the following Equation 1); and 
determine whether the time has expired (Kim:  ¶ 46 - With the Equation 1, the firewall 230b accurately extracts the time when the m.SYN cookie 40 is created, and can use the extracted value as an input to a hash function inspecting whether the m.SYN cookie 40 is valid). 
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor with Kim’s method of sharing state between stateful inspection firewalls on MEP network to improve the system of Jalan in the same field of endeavor in order for the firewalls to receive a SYN packet sent from the client to the server and creating a modified SYN cookie to ensure the packet is valid based on the synchronized cookies (Kim, see ¶ 15-16).
The method of claim 14 is rejected for the same reasons set forth in the system of claim 4. 

Regarding claim 5, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein if the result of validation of the cookie is negative, the at least one circuit is further configured to:  generate, based on the SYN packet, a new cookie; send a SYN-ACK packet to the at least one client, the SYN-ACK packet including the new cookie; receive an ACK packet from the at least one client, the ACK packet including the new cookie; and validate the new cookie.
However, Kim teaches wherein if the result of validation of the cookie is negative, the at least one circuit is further configured to: 
generate, based on the at least one SYN packet, a new cookie (Kim: ¶ 34 - control module 320 includes a packet verifying module 321 verifying whether a received packet is valid or invalid according to a firewall rule set by an administrator, an m.SYN cookie creating module 322 creating an m.SYN cookie, a packet modifying module 323 modifying the packet according to a set process, a state table updating module 324 updating a state table t according to the set process, a search module 325 searching the state table t for connection information and searching information stored in the database 330, and an m.SYN cookie verifying module 326 verifying whether m.SYN cookie is valid; m.SYN is a modified cookie and is equivalent to the generated new cookie; ¶ 38 - SYN packet is valid (`Y` at step S20), the m.SYN cookie creating module 322 creates the m.SYN cookie); 
send a SYN-ACK packet to the at least one client, the SYN-ACK packet including the new cookie (Kim: ¶ 55 - SYN/ACK packet sent from the server 20 to the client 10 reaches the firewall 230b prior to reaching the client 10. When the communications module 310 of the firewall 230b receives the SYN/ACK packet, the m.SYN cookie verifying module 326 of the firewall 230b is activated. The m.SYN cookie verifying module 326 acquires the ID.sub.fw from the m.SYN cookie 40, which is extracted from the acknowledgement number 56 of the SYN/ACK packet);
receive an ACK packet from the at least one client, the ACK packet including the new cookie (Kim:  ¶ 38 - client 10 sends a SYN packet to the firewall 130a at step S10. The firewall 130a receives the SYN packet through the communications module 310, and the packet verifying module 321 verifies whether the SYN packet is valid according to a firewall rule set by an administrator); and 
validate the new cookie (Kim:  ¶ 38 - a result of the verification, the SYN packet is not valid (`N` at step S20), and the SYN packet is discarded in the firewall 130a at step S25. If the SYN packet is valid (`Y` at step S20), the m.SYN cookie creating module 322 creates the m.SYN cookie).
(Kim, see ¶ 15-16).
The method of claim 15 is rejected for the same reasons set forth in the system of claim 5. 

Regarding claim 7, Jalan teaches the system of claim 1.
Jalan modified does not explicitly indicate wherein the data plane is further configured to manage a queue including the at least one SYN packet
However, Kim teaches wherein the data plane is further configured to manage a queue including the at least one SYN packet (Kim:  ¶ 28 - MEP network, as shown in FIG. 4, includes a client 10, a server 20, and a firewall 130a and a firewall 230b that are physically remote from each other. In this case, the firewall 130a and the firewall 230b are installed to protect the network of the client 10 from the outside thereof. The firewall 130a and the firewall 230b are stateful inspection firewalls 30, which intercept exchanged packets, extract connection information from the intercepted packets; ¶ 34 - control module 320 includes a packet verifying module 321 verifying whether a received packet is valid or invalid according to a firewall rule set by an administrator, the steps of intercepting packets to ensure they are valid and verifying a received packet is similar to a queue).
Therefore it would be obvious to one of ordinary skill in the art at the time the invention was made to improve the Jalan’s system for network access control in the same field of endeavor with Kim’s method of sharing state between stateful inspection firewalls on MEP network to improve the system of Jalan in the same field of endeavor in order for the firewalls to (Kim, see ¶ 15-16).
The method of claim 17 is rejected for the same reasons set forth in the system of claim 7. 


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CLARENCE D. MCCRAY whose telephone number is (571)270-7280 and the fax number is (571)270-8280.  The examiner can normally be reached on M - Th:  9-5pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kevin Bates can be reached on (571)-272-3980.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-8280.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CLARENCE D MCCRAY/
Examiner, Art Unit 2458


/KEVIN T BATES/Supervisory Patent Examiner, Art Unit 2458