Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
Acknowledgment is made of applicant's claim for foreign priority based on an application filed in Korea on November 20, 2018. It is noted, however, that applicant has not filed a certified copy of the KR10-2018-0143393 application as required by 37 CFR 1.55.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

This application includes one or more claim limitations that do not use the word "means," but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:

a resource monitor configured to monitor resources of a network in claim 1;
a host monitor configured to receive a firewall rule of at least one host in claim 1;
a decryption unit configured to decrypt information received from the host monitor by using a secret key in claim 1;
a merge unit configured to merge the decrypted information to provide a merged firewall rule in claim 1;
a firewall deployment unit configured to deploy the merged firewall rule to a switch in claim 1;
the host, to which the public key is transmitted, is configured to transmit a firewall rule of the host to the host monitor through a data plane in claim 2;
the host, to which the public key is transmitted, is configured to encrypt the firewall rule of the host by using the public key and transmit the encrypted firewall rule to the host monitor in claim 3;
the host monitor is configured to periodically receive the firewall rule of the host in claim 4;
the firewall deployment unit is configured to select a switch to which the merged firewall rule is transmitted in claim 6.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 14 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 14 recites "a network to which the method according to claim 9" and nothing more. Claim 14 fails to include any particular limitation or feature that could be appraised in order to define the boundary and scope of the claim, and claim 14 is therefore rendered indefinite for lack of any particular limitation.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 14 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.
Claim 14 recites "a network to which the method according to claim 9". Claim 14 fails to include any particular limitation that further limits claim 9, the claim to which it refers and from which it depends.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 14 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim does not fall within at least one of the four categories of patent-eligible subject matter because claim 14 recites "a network to which the method according to claim 9", which appears to be a hybrid claim. A network, as claimed, is not a process, a machine, a manufacture or a composition of matter and does not fall within at least one of the four statutory categories of invention; claim 14 is therefore rejected under 35 U.S.C. 101 as being directed to non-statutory subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 5, 8 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Katrekar et al. (hereinafter referred to as Katrekar, US Pub. No. 20180062923 A1) in view of Lichtenberg and further in view of Tang et al. (hereinafter referred to as Tang, US Pub. No. 20030188192 A1).

As per claim 1:
Katrekar discloses an apparatus for deploying a firewall on a software-defined network (SDN) ([0019]: a managed forwarding element (MFE) is configured to perform micro-segmentation and/or network security processing such as distributed firewall rules; [0106]: to enable first-hop processing configurable by the network control system 100, each of these VMs also operates a control agent 170 and a managed forwarding element 175 (e.g., a virtual switch such as Open vSwitch)),
the apparatus comprising:
a public key distributor configured to transmit a public key ([00030]: the MFEs in a network implement the DNE rules, the network control system needs to distribute the keys to the MFEs in a secure manner; Use a DNE module in the gateway DCN in order to communicate with the DNE aspects of the network control system and distribute keys to the MFEs operating in the workload DCNs in its VPC; [0256]: The key manager 3015 stores encryption keys for use by the MFEs managed by the network control system 3000; The key manager specifies constructs and mechanisms to define groups of keys for manageability, and provides various security controls (e.g., access control and authentication) to access keys; the authentication mechanisms include public key infrastructure (PKI) certificates, user credentials, and/or shared secrets);
a resource monitor configured to monitor resources of a network ([0165]: An administrator can set up (via the cloud provider interface) for certain data compute nodes (DCNs) 
a host monitor configured to receive a firewall rule of at least one host ([0097]: The network control system within the private datacenter includes a management plane/central control plane (MP/CCP) cluster 115 and a local controller 120 on each of numerous host machines 125; The local controller 120 exercises direct control over a set of managed forwarding elements (MFEs) 130 on the host machine. As shown, VMs (or other data compute nodes) on the host machine connect to the MFE set 130 (e.g., via a virtual network interface controller (VNIC)) in order to send and receive data traffic. Based on forwarding and configuration data received via the network control system, the MFE set 130 performs forwarding and network security (e.g., distributed firewall (DFW) rules, access control list (ACL) rules, etc.) operations on the data packets sent to and from these VMs. The MFE set may be a single managed forwarding element (e.g., a single virtual switch that performs L2, L3, and additional processing) in some embodiments, or may be a combination of various managed forwarding and security elements (e.g., a set of filters, L2 switch(es), L3 router(s), etc. that all operate within the virtualization 
a decryption unit configured to decrypt information received from the host monitor by using a secret key ([0184]: the integration bridge implements distributed firewall (DFW) rules that apply to the logical port to which the VM 1605 attaches. These rules may be specified in terms of source and/or destination MAC addresses, and may allow, drop, deny, etc. packets sent to or from these specified addresses and/or under specific conditions (e.g., connection openings), implement a combination of logging, distributed encryption rules (both encryption for outgoing packets and decryption for incoming packets); and
a firewall deployment unit configured to deploy the decrypted information of the firewall rule to a switch ([0071]: The local control agents, upon receiving the rules, convert the rules into a format specific to the MFEs operating on their DCN; use flow-based MFEs such as Open vSwitch (OVS) instances executing on the DCNs in the public datacenter VPC, in which case the local control agents convert the rules into flow entries and/or other configuration data for the OVS 

Katrekar does not explicitly disclose that the firewall rule of the at least one host is encrypted by the public key. Lichtenberg, in analogous art, however, discloses that the firewall rule of the at least one host is encrypted by the public key ([Column 1, lines 58-60]: securely loading encrypted customer security rule sets on an application firewall operating at an entry point to a computing service environment; [Column 2, lines 55-62]: decrypting encrypted customer security rules 112 in volatile computer memory 104 for use by an application firewall 108; a server 102 (e.g., a computing instance) that hosts an application firewall 108, a data storage service 110 having a shared data store 122 containing encrypted customer security rules 112, and a key management service 114 used to manage customer encryption keys 116 and to allow access to the customer encryption keys 116 via cross-account security roles created by customers using an identity and access management system; [Column 3, lines 25-33]: encrypt a customer security rule using a customer encryption key 116 managed by the key management service 114; the key management service 114 may be a managed service used to create customer encryption keys 116 using symmetric or asymmetric key cryptography and control access to the customer encryption keys 116 using cross-account security roles created via an identity and access management system. A customer encryption key 116 may be used to encrypt customer security 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the firewall rule of the at least one host disclosed by Katrekar so that the firewall rule of the at least one host is encrypted by the public key. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to securely load encrypted customer security rule sets on an application firewall operating at an entry point to a computing service environment that utilizes the customer security rule sets to monitor network traffic associated with customer applications executing in the computing service environment, as suggested by Lichtenberg (Column 1, lines 58-63).

Katrekar and Lichtenberg do not explicitly disclose a merge unit configured to merge the decrypted information to provide a merged firewall rule. Tang, in analogous art, however, discloses a merge unit configured to merge the decrypted information to provide a merged firewall rule ([0004]: ACLs are typically implemented, or enforced, by a network device known as a firewall; firewalls are often a combination of software and hardware that receives a packet and 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of decrypted information of the firewall rule disclosed by Katrekar and Lichtenberg to include a merge unit 


As per claim 4:
Katrekar discloses wherein the host monitor is configured to periodically receive the firewall rule of the host ([0017]: The PCM of some embodiments polls this data repository regularly to identify any new DCNs created in its VPC; [0079]: The MFE on the DCN gets provisioned with the correct set of configuration rules. This may occur at any time of day).

As per claim 5:
Katrekar discloses wherein the merged firewall rule is integrated with a flow rule of the switch, or is the same as the flow rule of the switch ([0071]: use flow-based MFEs such as Open vSwitch (OVS) instances executing on the DCNs in the public datacenter VPC, in which case the local control agents convert the rules into flow entries and/or other configuration data for the OVS instance).

As per claim 8:
Katrekar discloses wherein the merged firewall rule for any one host is placed on only one switch ([0071]: distributes these rules (-DFW rules) to the local control agents operating to control the MFEs; the local control agents, upon receiving the rules, convert the rules into a format specific to the MFEs operating on their DCN and use flow-based MFEs such as Open vSwitch (OVS) instances executing on the DCNs in the public datacenter VPC); [0075]: Constrain the DCNs attached to a given logical switch to a single VPC in the private datacenter, or multiple VPCs within the same datacenter that are peered in order to operate similarly to a single VPC (although this logical switch may be logically connected through a logical router to a logical switch implemented in another VPC or another datacenter)

Claims 9-12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Katrekar et al. (hereinafter referred to as Katrekar, US Pub. No. 20180062923 A1) in view of Tang et al. (hereinafter referred to as Tang, US Pub. No. 20030188192 A1).

As per claim 9:
Katrekar discloses a method for deploying a firewall on a software-defined network (SDN) ([0068]: operate network controllers and managed forwarding elements inside virtual machines (VMs) or other data compute nodes (DCNs) operating in the public datacenter, in order to enforce network security and forwarding rules for packets sent to and from those DCNs, the public datacenter(s) provide tenants with one or more isolated sets of resources (i.e., data compute nodes) over which the tenant has control, also referred to as virtual private clouds (VPCs), the 
gathering firewall rules of at least two hosts ([0071]: a managed forwarding element (MFE) is inserted into the datapath between the workload application and the network interface of the DCN; identify the MFEs in the VPC that require each rule received from the central controller, and distribute these rules to the local control agents operating to control the MFEs, the rules being network security processing rules such as distributed firewall (DFW) rules);
transmitting the firewall rule to only a selected switch ([0071]: distributes these rules (-DFW rules) to the local control agents operating to control the MFEs; the local control agents, upon receiving the rules, convert the rules into a format specific to the MFEs operating on their DCN and use flow-based MFEs such as Open vSwitch (OVS) instances executing on the DCNs in the public datacenter VPC); [0075]: Constrain the DCNs attached to a given logical switch to a single VPC in the private datacenter, or multiple VPCs within the same datacenter that are peered in order to operate similarly to a single VPC (although this logical switch may be logically connected through a logical router to a logical switch implemented in another VPC or another datacenter); and 
wherein the switch, to which the firewall rule is transmitted, is selected as switches that maximize a total data traffic reduced in the network ([0089-0090]: Because this traffic (in both directions) does not pass through the gateway, any service chaining, intrusion detection, north-south firewall rules, logging, etc. is performed at the MFE operating on the workload VM.; For load balancing, distributed internal NAT allows the use of existing load balancing features of the cloud provider across different workload VMs).

Katrekar does not explicitly disclose merging the firewall rules to provide a merged firewall rule. Tang, in analogous art, however, discloses merging the firewall rules to provide a merged firewall rule ([0004]: ACLs are typically implemented, or enforced, by a network device known as a firewall; firewalls are often a combination of software and hardware that receives a packet and then compares the source, destination, protocol and/or other identifiers in the packet header to determine which filter rule "corresponds," or applies, to the packet; the firewall then applies the corresponding rules to the packet in the order they are set forth in a firewall rule table; [0017]: The forwarding element 108 is connected, or networked, with a control element 120 that includes a Filter Rule Constructor (FRC) program run on one or more networked computers; [0018]: The FRC 110 receives an Access Control Listing (ACL) table 104 and a Security Information Transport Protocol (SITP) mapping table 106 and thereafter generates a graph of filter chains 114. The control element downloads the filter chain graph 114 to the forwarding element 108. The forwarding element 108 applies the filter rules embodied in the filter chains 114 to all packets received and routes the packets pursuant to the identifiers in the packet headers; [0020]: The FRC 110 merges the ACL table 104, which is adapted primarily for clear packet headers, and the SITP mapping table 106, which describes how packets having certain specified identifiers should be decrypted; [0025]: The FRC can query the statistics counters that correspond to the filter ID numbers referenced in the inner chain to which the outer chain 4-tuples point (which were deleted from the forwarding engine 108) (612). The results can be summarized into the aggregated firewall statistics counters (614), after which the corresponding inner chains in the control element 120 and forwarding element 108 can be deleted. The aggregate statistics 
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the gathered firewall rules disclosed by Katrekar to include merging the firewall rules to provide a merged firewall rule. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by the desire to enable data compute nodes (DCNs) operating in the public datacenter to enforce network security and forwarding rules for packets sent to and from those DCNs as integrated and aggregated rules, and to provide security assurance to companies that are hesitant to move their networks into these public datacenters, as suggested by Katrekar ([0002]; [0004]).

As per claim 10:
Tang discloses wherein a total number of the merged firewall rules does not exceed the capacity of the switch ([0025]: The FRC can then execute a procedure to harvest statistical information from the firewall (612-614). The FRC can query the statistics counters that correspond to the filter ID numbers referenced in the inner chain to which the outer chain 4-tuples point (which were deleted from the forwarding engine 108) (612). The results can be summarized into the aggregated firewall statistics counters (614), after which the corresponding inner chains in the control element 120 and forwarding element 108 can be deleted. The aggregate statistics can be stored in the firewall table, or ACL table, in a location associated with the filter rule tagged with the filter ID).

As per claim 11:
Katrekar discloses wherein the merged firewall rule for any one host is placed on only one switch ([0071]: distributes these rules (-DFW rules) to the local control agents operating to control the MFEs; the local control agents, upon receiving the rules, convert the rules into a format specific to the MFEs operating on their DCN and use flow-based MFEs such as Open vSwitch (OVS) instances executing on the DCNs in the public datacenter VPC); [0075]: Constrain the DCNs attached to a given logical switch to a single VPC in the private datacenter, or multiple VPCs within the same datacenter that are peered in order to operate similarly to a single VPC (although this logical switch may be logically connected through a logical router to a logical switch implemented in another VPC or another datacenter).
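The limitations mapped above for claims 9 to 11 (gathering the firewall rules of at least two hosts, merging them, placing each host's merged rules on only one switch, selecting that switch to maximize the total data traffic reduced, and keeping the merged table within the switch's capacity) can be illustrated with a small placement model. The following Python is an added example written for this page; it is neither the applicant's implementation nor code from Katrekar, Lichtenberg or Tang. Its rule data model, the first-match shadow elimination used as the merge criterion, the per-host per-switch traffic-reduction table and the greedy placement are all assumptions of this example, and the public-key transport of claims 1 to 3 and 12 is not modelled.

```python
"""Added illustration of claims 9-11 as characterized in this action: gather
firewall rules from at least two hosts, merge them, and transmit each host's
merged rules to exactly one switch, chosen to maximize the traffic reduced
while the switch's rule table stays within capacity.  Everything below
(data model, merge criterion, gain table, greedy placement) is an assumption
of this example, not the application's or the cited references' method."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One host firewall rule, evaluated first-match (constructed model)."""
    src: str
    dst: str
    proto: str
    dport: int    # 0 means any destination port
    action: str   # "drop" or "allow"

    def match(self) -> Tuple[str, str, str, int]:
        return (self.src, self.dst, self.proto, self.dport)


def compact_host_rules(rules: List[Rule]) -> List[Rule]:
    """Drop rules a first-match evaluator can never reach: a rule whose match
    fields repeat an earlier rule's is shadowed, whatever its action."""
    seen: Set[Tuple[str, str, str, int]] = set()
    kept: List[Rule] = []
    for r in rules:
        if r.match() not in seen:
            seen.add(r.match())
            kept.append(r)
    return kept


def merge_into_table(table: Set[Rule], rules: List[Rule]) -> Set[Rule]:
    """Union a host's compacted rules into a switch table.  Identical rules from
    different hosts collapse into one entry; the same match with a different
    action cannot be expressed in one flow table and is rejected."""
    actions = {r.match(): r.action for r in table}
    for r in rules:
        if actions.get(r.match(), r.action) != r.action:
            raise ValueError(f"conflicting actions for match {r.match()}")
    return table | set(rules)


def place_rules(host_rules: Dict[str, List[Rule]],
                reduction: Dict[str, Dict[str, int]],
                capacity: Dict[str, int]):
    """Assign every host to one switch.  reduction[h][s] is the traffic
    (constructed units) removed from the network when h's drop rules sit on
    switch s.  Greedy: hosts with the most at stake pick first, each taking
    the highest-gain switch whose merged table still fits its capacity."""
    compacted = {h: compact_host_rules(rs) for h, rs in host_rules.items()}
    tables: Dict[str, Set[Rule]] = {s: set() for s in capacity}
    placement: Dict[str, str] = {}
    for h in sorted(compacted, key=lambda h: -max(reduction[h].values())):
        for s, _gain in sorted(reduction[h].items(), key=lambda kv: -kv[1]):
            try:
                merged = merge_into_table(tables[s], compacted[h])
            except ValueError:
                continue                      # conflicting host: try next switch
            if len(merged) <= capacity[s]:
                placement[h], tables[s] = s, merged
                break
        else:
            raise RuntimeError(f"no switch can hold the rules of {h}")
    return placement, tables


# Constructed sample input: three hosts, two switches.
BAD_PREFIX = Rule("192.0.2.0/24", "10.0.1.0/24", "tcp", 0, "drop")   # shared by h1 and h2
HOST_RULES = {
    "h1": [BAD_PREFIX,
           Rule("0.0.0.0/0", "10.0.1.5", "tcp", 23, "drop"),
           Rule("0.0.0.0/0", "10.0.1.5", "tcp", 23, "drop"),    # exact duplicate
           Rule("0.0.0.0/0", "10.0.1.5", "tcp", 443, "allow")],
    "h2": [BAD_PREFIX,
           Rule("0.0.0.0/0", "10.0.1.6", "tcp", 23, "drop"),
           Rule("0.0.0.0/0", "10.0.1.6", "tcp", 23, "allow")],  # shadowed by the drop above
    "h3": [Rule("0.0.0.0/0", "10.0.2.7", "tcp", 22, "drop")],
}
# sw1 is the edge switch of h1/h2 and sw2 that of h3: dropping at the edge
# keeps the most unwanted traffic off the fabric (constructed gain values).
REDUCTION = {"h1": {"sw1": 10, "sw2": 4},
             "h2": {"sw1": 8, "sw2": 3},
             "h3": {"sw1": 2, "sw2": 9}}

if __name__ == "__main__":
    placement, tables = place_rules(HOST_RULES, REDUCTION, {"sw1": 4, "sw2": 10})
    print(placement, {s: len(t) for s, t in tables.items()})
```

With sw1 capacity 4, h1 and h2 both land on sw1 and the shared prefix rule is stored once, so the merged table holds four entries, not five; lowering sw1's capacity to 3 forces h2 onto the lower-gain sw2 rather than overflowing the table. A pair of hosts whose rules give the same match different actions can never share a switch table in this model, which is the conflict a practitioner should check for before any merged rule set is pushed to a switch.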

As per claim 12:
Katrekar discloses wherein the gathering of the firewall rules of the at least two hosts is performed by an encryption process ([00030]: the MFEs in a network implement the DNE rules, the network control system needs to distribute the keys to the MFEs in a secure manner; Use a DNE module in the gateway DCN in order to communicate with the DNE aspects of the network control system and distribute keys to the MFEs operating in the workload DCNs in its VPC; [0256]: The key manager 3015 stores encryption keys for use by the MFEs managed by the network control system 3000; The key manager specifies constructs and mechanisms to define groups of keys for manageability, and provides various security controls (e.g., access control and 

As per claim 14:
Claim 14 is directed to a network to which the method according to claim 9 is applied, and claim 14 is therefore rejected under the rationale given above for claim 9.

Allowable Subject Matter
Claims 2-3, 6-7 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is a statement of reasons for the indication of allowable subject matter: after consideration and search, the pertinent prior art of record cited in the PTO-892, taken alone or in combination, neither anticipates nor renders obvious the following features, including the limitations of any intervening claims, provided all other rejections are overcome:
As per claim 2:  wherein the public key is transmitted to the switch through a control plane, and the switch is directly connected to the host, and the host, to which the public key is transmitted, is configured to transmit a firewall rule of the host to the host monitor through a data plane.
As per claim 6:  wherein the firewall deployment unit is configured to select a switch to which the merged firewall rule is transmitted, and the switch, to which the merged firewall rule is transmitted, is selected as switches that maximize a total data traffic reduced in the network.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the notice of references cited (form PTO-892) for additional prior art.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JUNG W KIM, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available 





/TECHANE GERGISO/             Primary Examiner, Art Unit 2494