DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/28/2021  has been entered.

Response to Arguments
Applicant's arguments filed 12/28/2021 have been fully considered but they are not persuasive.
103 Rejections – Claims 1 and 7
Applicant Asserts:  However, Miyawaki fails to teach or suggest that both of flow characteristic information (that may be associated with the discovery domain information) and the unauthorized access determined using the flow characteristic information are analyzed, in order to generate an analysis result for the firewall. On the contrary, Miyawaki discusses the detection of the unauthorized access, such that the TCP connection requests are denied for sources
associated with the unauthorized access.  In fact, Miyawaki nowhere teaches or suggests that the determination of the notification, from the firewall, of the detection of the unauthorized access is made based on any analysis of flow characteristic information (that may be
Examiner Response:  The Examiner thanks applicant representative for working to advance the prosecution of this application.  As an initial matter, applicant representative states that the claims have been amended to emphasize two pieces of information are needed for notification from the firewall. The Examiner disagrees with applicant representative that Miyawaki does not detect unauthorized access and discovery information in the formulation logic for notifications.  The point of emphasis on the previous office action (see Final Rejection) of 09/30/3031 was on the determining feature of the limitation since flow characteristics of that determined bad behavior had been previously mapped.  However, the Examiner will augment the previous cited location [0078] that teaches domain discovery information with Miyawaki to include:

 [0034] In all cases, connection source information must belong to a discovery domain. Hence, in the naming service of the iSNS server 21, a discovery operation cannot be performed for nodes which are not registered in a discovery domain. Accordingly, it is possible to determine whether connection source information registered in a discovery domain by the administrator is that of a valid user. In this embodiment, a case will be described in which a security policy is autocreated on the basis of connection source information for valid users registered in a discovery domain.

Here, the claimed ‘flow characteristic information’ is taught by Miyawaki as ‘connection source information’ as per instant specification at [0041].Claim 2Applicant Asserts: However, Miyawaki fails to teach or suggest that the valid user server SV-
1 is connected between each of the firewalls and the firewall management server (presumably equated to “second device” of Claim 2) for transferring network data between the firewall 

Examiner Response:  Respectfully, the Examiner disagrees.  Figure 1 illustrates four (4) servers, storage, and a plurality of firewalls. Miyawaki at [0024] states that the valid user server SV-1 is connection to the IP network.  All switches at least perform a routing function else it would not be designated as a switch.  Once a connection is depicted to the IP network, Miyawaki is teaching the interconnection between all systems because the routing tables in the perspective switches enable interconnections based on routing and design choices.  The Examiner maintains the rejection of claim 2 using the cited portion of the prior art of record for the above reasoning.
Claims 3, 8-16, and 18Applicant Asserts: As such, Claims 3, 8-16, and 18 are also allowable, at least by virtue of
their dependence on respective allowable independent Claims 1 and 7, and so further discussion of these claims is not necessary at this time. In summary, Applicant respectfully submits that the basis for rejecting Claims 3, 8-16, and 18 under 35 U.S.C. § 103 is addressed and that these claims are in condition for allowance.
Examiner Response:  Respectfully, the Examiner maintains the prior art rejection of Claims 3, 8-16, and 18 under 35 U.S.C. § 103 in view of the Examiner Response for independent claims 1 and 7.

Claims 4-6, 17, 19, and 20
Applicant Asserts: According to the Office Action, Claims 4-6, 17, 19, and 20 are rejected
under 35 U.S.C. § 103 as allegedly being unpatentable over Miyawaki, in view of Bright, and further in view of Mao (“Mao;” U.S. Patent Application Publication No. 2003/0065944). Applicant respectfully traverses, for the reasons presented below. Mao is not asserted to cure the deficiencies in the rejection of independent Claims 1 and 7. As such, Claims 4-6, 17, 19, and 20 are allowable at least by virtue of their dependence on respective allowable independent Claims 1 and 7, and so further discussion of these claims is not necessary at this time.

Examiner Response:  Respectfully, the Examiner maintains the prior art rejection of Claims 4-6, 17, 19, and 20 under 35 U.S.C. § 103 in view of the Examiner Response for independent claims 1 and 7.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 10 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-The method of claim 9, wherein in the case of multiple firewalls comprised in said firewall, receiving the flow characteristic information reported by said multiple firewalls, and wherein said flow characteristic information is that of the network data packet that has passed the inspection by each of said multiple firewalls.  The closest the Examiner can find in the instant specification is at location [0033].  However, at the Examiner does not interpret the location as disclosing multiple firewalls in a single firewall but instead, discloses instant Figure 3.  A firewall manager in parallel communication with multiple firewalls is not the same as multiple firewalls within a single firewall as claimed.  Inserting the feature whereby multiple firewalls are in a single firewall in claim 1 and 7 constitutes new matter.  The dependent claims are also rejected by virtue of their dependency on independent claims 1 and 7.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3, 7 – 16, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Miyawaki, Toui et al, US 20050210291 A1, September 22, 2005 hereafter referred to as Miyawaki in view of Bright; David Andrew et al., US 20130152191 A1, June 13, 2013, hereafter referred to as Bright.

           As to claim 1, Miyawaki teaches a network data control system – Miyawaki [0015] FIG. 1 is a diagram showing the logical configuration of an IP-SAN comprising:
a firewall located between a first device and a second device – Miyawaki [0022] FIG. 2 shows …a plurality of servers SV-1 to SV-n, a plurality of storage devices STR-1 to STR-n, an iSNS (Internet Storage Name Server, to be referred to as iSNS server hereinafter) 21, and a firewall management server 20 are connected to an IP network. The firewall management server 20 obtains discovery domain information 29 from the iSNS server 21.  Here, the claimed ‘firewall’ is taught by Miyawaki as ‘firewall 23’ co-located with ‘iSNS Server 21.  The claimed ‘first device’ is taught by Miyawaki as ‘iSNS Server 21.  The claimed ‘second device’ is taught by Miyawaki as ‘Firewall Management Server 20’) to extract flow characteristic information of network data communicated between said first device and said second device - Miyawaki [0041 and 0042] since at ‘41 The various management information that is exchanged between the distributed firewall manager 27 and the firewalls 23 will be referred to simply as management information since at ‘42 the administrator is informed of a management information classification indicating unauthorized access, information regarding the source of the unauthorized connection Here, the claimed ‘extract’ is taught by Miyawaki as ‘exchange’ whereas the claimed ‘flow characteristic information’ is taught by Miyawaki as ‘unauthorized access’ as part of the management information.  Firewall manager 27 is hosted by the second device which is firewall management server 20); and a firewall analysis device that communicates with said firewall for receiving said flow characteristic information reported by said firewall – Miyawaki [0022 and 0039] since at ‘22 Further, a security policy based on discovery domain information 29 is autocreated by a distributed firewall manager 27 of the firewall management server 20, and this security policy is reflected in each of the firewalls 23 disposed in the IP-SAN since at ’39 A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23 (step S4), whereupon one or more, or all of the firewalls 23 under the management of the distributed firewall manager 27 are informed of the connection source information of the attacker. Here, the claimed ‘firewall analysis device’ is taught by Miyawaki as ‘distributed firewall manager 27’ whereas the claimed ‘characteristic information’ is taught by Miyawaki as ‘ unauthorized access’); analyzing the flow characteristic information and network behavior information determined by said flow characteristic information to generate an analysis result for said firewall – Miyawaki [0034 and 0073] since at ’34 In all cases, connection source information must belong to a discovery domain. Hence, in the naming service of the iSNS server 21, a discovery operation cannot be performed for nodes which are not registered in a discovery domain. Accordingly, it is possible to determine whether connection source information registered in a discovery domain by the administrator is that of a valid user.  Here, the claimed ‘flow characteristic information’ is taught by Miyawaki as ‘connection source information’ because connection sources depict IP addresses of sender/receiver as taught by the instant specification at [0045] since at ‘73 a determination is made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received by one or a plurality of the firewalls 23.  Here, the claimed ‘network behavior’ is taught by Miyawaki as ‘unauthorized access’ whereas the claimed ‘analysis result’ is taught by Miyawaki as ‘determination is made’); and
on the basis of said analysis result determining control instruction to be sent to said firewall – Miyawaki [0072] Referring back to FIG. 10, security policy allocation to the firewalls 23 is performed, whereupon an access control start request is issued),
wherein said control instruction is used to control said network data passing through said firewall – Miyawaki [0076] …hence, even upon access by an attacker in which all of the iSCSI name, portal information, MAC address, and so on have been spoofed, the access can be denied as unauthorized access. WHILE MIYAWAKI SUGGESTS analyzing traffic flow information BRIGHT TEACHES analyzing traffic flow information – Bright [0015] Some firewalls also examine packets to determine what application has established the connection, or act as a proxy device by processing and forwarding selected network requests between a protected user and external networked computers. Firewalls often use "signatures" or other characteristics of undesired traffic to detect and block traffic that is deemed harmful or that is otherwise undesired.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Miyawaki Firewall Management Server 20 to include the signature and pattern recognition logic of Bright.  Miyawaki control information is suggestive of flow characteristics by using terms such as port ID and port connection.   However, Miyawaki is silent on the forensics of the traffic itself.  Bright solves this problem and provides for traffic analysis on characteristics such as the signature of the traffic.  Miyawaki would be motivated to include the explicit logic for signature and pattern recognition to prevent the inadvertent business and personal traffic inflow as taught by Miyawaki at location [0003]).


    PNG
    media_image1.png
    600
    513
    media_image1.png
    Greyscale

        As to claim 2, the combination of Miyawaki and Bright teaches the system of claim 1, wherein said firewall comprises:
               multiple firewalls deployed in a distributed manner and communicating respectively with the firewall analysis device – Miyawaki [0011] FIG. 1 is a diagram showing the logical configuration of an IP-SAN,  Here, the claimed ‘multiple firewalls’ are taught by Miyawaki as ‘firewalls 23);
               a router connected between each of said multiple firewall and said second device for transferring said network data between said second device and each of said multiple firewalls – Miyawaki [0022] FIG. 2 shows an example of an IP-SAN which is the subject of the present invention. A plurality of servers SV-1 to SV-n, a plurality of storage devices STR-1 to STR-n, an iSNS (Internet Storage Name Server, to be referred to as iSNS server.  Here, the claimed ‘router’ is taught by Miyawaki as ‘Sv-1 to SV-n because they are switches that perform a routing function);and
               an exchanger connected between each of said multiple firewalls and said first device for transferring said network data between each of said multiple firewalls and said first device – Miyawaki [0025] FIG. 3 shows an example of the physical configuration of the first embodiment shown in FIG. 1. The HBAs 22, 24 and the CHA 25 comprise memory which is managed by a CPU, a TCP/IP offload engine (to be referred to as TOE hereinafter), and a bus I/F, and they are connected to the IP network via their respective ports 40, 41, 44. Here, the claimed ‘exchanger’ is taught by Miyawaki as ‘IP network’ whereas the claimed ‘multiple firewalls’ is taught by Miyawaki as ‘HBAs 22, 24, and CHA 25 reflective of figure 1).

          As to claim 3, the combination of Miyawaki and Bright teaches the system of claim 2, wherein said firewall analysis device comprises:
          a flow information receiving module for receiving the flow characteristic information reported by at least one of the multiple firewalls – Miyawaki [0019] The distributed firewall manager 27 autocreates a security policy which permits access by connection sources having discovery domain information 29 that is registered in the iSNS server 21.  Here, the claimed ‘receiving module’ is taught by Miyawaki as ‘firewall manager 27’ because the module receives flow characteristic information whereas the claimed ‘flow characteristic information’ is taught by Miyawaki as ‘connection sources’);
          a first flow characteristic computation and decision module connected with said flow information receiving module, for analyzing the flow characteristic information reported by said at least one of the multiple firewalls to obtain said analysis result – Miyawaki [0026] The distributed firewall manager 27 exists on the disk or in the memory of the firewall management server 20. A discovery domain management program 28 and discovery domain information 29 exist on the disk or in the memory of the iSNS server 21.  Here, the claimed ‘computation/decision module’ is taught by Miyawaki as ‘discovery domain management program 28’); and, on the basis of said analysis result, determining the control instruction to be sent to each firewall – Miyawaki [0037 and 0038] since at ’37… in order to manage each of the firewalls 23 that are disposed in the IP-SAN integrally, the distributed firewall manager 27 diagnoses the communication condition of the firewalls 23 to determine whether the firewalls 23 can be contacted normally since at ’38  When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued.  Here, the claimed ‘basis’ is taught by Miyawaki as ‘diagnoses’); and
           a flow-information-decision-sending module connected with said first flow characteristic computation and decision module for sending said control instruction to the corresponding firewall – Miyawaki [0026] A discovery domain management program 28 and discovery domain information 29 exist on the disk or in the memory of the iSNS server 21.  Here, the claimed ‘sending module’ is taught by Miyawaki as ‘iSNS server 21’ because the 

          As to claim 7, claim 7 is a method that is directed to the system of claim 1. Therefore, claim 7 is rejected for reasons as set forth in claim 1.   

           As to claim 8, the combination of Miyawaki and Bright teaches the method of claim 7, wherein before receiving the flow characteristic information reported by the firewall -Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued (step S3).  Here, the claimed ‘before’ is taught by Miyawaki as ‘when’ because it is only at S4 where the decision is made that illegal network behavior is detected), said method comprising:
          acquiring the network data packet that passes through said firewall, wherein said network data packet comprises at least one of the following: an inward data packet that flows into intranet and an outward data packet that flows outside the intranet - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23.  Here, the claimed ‘inward data packet’ is taught by Miyawaki as ‘has been received’ since each firewall 23 must report to security server 20); 
          inspecting contents of said network data packet according to a filtering rule of said firewall - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23);
         filtering inspection result, to obtain the network data packet that has passed the inspection - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23. Here, the A determination …whether or not’ since each firewall 23 must report to security server 20); and 
        extracting said flow characteristic information of the network data packet that has passed the inspection  - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23).
         As to claim 9, the combination of Miyawaki and Bright teaches the method of claim 8, wherein said flow characteristic information includes at least
        one of the following: a source network address and a source port information which send the network data packet; a target network address and a target port information which receive the network data packet; information on the size of the network data packet; information on the header of the network data packet; information for a protocol label of the network data packet; sending-time of the network data packet and receiving-time of the network data packet – Miyawaki [0053] a third layer access control function, such as an IP address or port number, is provided between the manager of the distributed firewall managers and the respective distributed firewall managers 27).

           As to claim 10, the combination of Miyawaki and Bright teaches the method of claim 9, wherein in the case of multiple firewalls comprised in said firewall, receiving the flow characteristic information reported by said multiple firewalls, and wherein said flow characteristic information is that of the network data packet that has passed inspection by each of said multiple firewalls – Miyawaki [0054] A response packet from the firewalls 23 to the distributed firewall manager 27 may also be transmitted as a spoofed packet in a broadcast format, similar to the request packet. Upon reception of a packet addressed to the virtual originator information, the distributed firewall manager 27 must determine whether the packet is addressed to itself. Here, the claimed ‘reported’ is taught by Miyawaki as ‘response 
                 As to claim 11, the combination of Miyawaki and Bright teaches the method of claim 10, wherein said flow characteristic information and the network behavior information determined by said flow characteristic information are analyzed to obtain the analysis result and, according to said analysis result, control instructions to be sent to said firewall are determined – Miyawaki [0073] a determination is made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received by one or a plurality of the firewalls 23.  Here, the claimed ‘network behavior’ is taught by Miyawaki as ‘unauthorized access’ whereas the claimed ‘analysis result’ is taught by Miyawaki as ‘notification’), including:
            performing aggregated analysis on the flow characteristic information reported by said multiple firewalls and the network behavior information determined by the flow characteristic information reported by said multiple firewalls to obtain an aggregated analysis result - Miyawaki [0037] … in order to manage each of the firewalls 23 that are disposed in the IP-SAN integrally, the distributed firewall manager 27 diagnoses the communication condition of the firewalls 23 to determine whether the firewalls 23 can be contacted normally.  Here, the claimed ‘performing aggregated analysis’ is taught by Miyawaki as ‘diagnoses...condition’ whereas the claimed ‘analysis result’ is taught by Miyawaki as ‘contacted normally’); and
            according to said aggregated analysis result, determining control instructions to be sent to said multiple firewalls - Miyawaki [0038]… When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued).

           As to claim 12, the combination of Miyawaki and Bright teaches the method of claim 11, wherein according to said aggregated analysis result, said control instructions to be sent to said multiple firewalls are determined - Miyawaki [0038]… When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued), including:
           determining whether the flow characteristic information of the network data packet that has passed the inspection by each of said multiple firewalls matches predefined flow characteristics - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23; and
         in the situation that the flow characteristic information of the network data packet that has passed the inspection of each said firewall matches the predefined flow characteristics, said control instruction will be sent to the corresponding firewall, wherein said control instruction is used to control said firewall to implement predefined operations that correspond to said predefined flow characteristics on the network data packet that has passed said firewall - Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued).  

          As to claim 13, the combination of Miyawaki and Bright teaches the method of claim 12, wherein according to said aggregated analysis result, the control instructions to be sent to said multiple firewalls are determined - Miyawaki [0038]… When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued), including:
           according to the flow characteristic information of the network data packet that has passed the inspection by each of said multiple firewalls, determining the network behavior information of the network data packet that has passed the inspection by each of said multiple firewalls – Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23.  Here, the claimed ‘network behavior’ is taught by Miyawaki as ‘unauthorized access’ because illegal attempts to access the network constitutes network behavior);
             determining whether the network behavior information of the network data packet that has passed the inspection by each of said multiple firewalls matches a predefined network behavior rule – Miyawaki [0039 and 0048] since at ‘39 whereupon one or more, or all of the firewalls 23 under the management of the distributed firewall manager 27 are informed of the connection source information of the attacker since at ’48 access permission is granted in advance to a node which is confirmed as being registered as a valid user but is not yet registered in a discovery domain, and so on. Here, the claimed ‘predefined’ is taught by Miyawaki as ‘registered’); and
          in the situation that the network behavior information of the network data packet that has passed the inspection by each of said multiple firewalls matches the predefined network behavior rule, sending said control instruction to the corresponding firewall, wherein said control instruction is used to control said firewall to implement the predefined operation that corresponds to said predefined network behavior on the network data packet that passes through said firewall – Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued).

          As to claim 14, the combination of Miyawaki and Bright teaches the method of claim 10, wherein before receiving the flow characteristic information reported by said multiple firewalls - Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued (step S3).  Here, the claimed ‘before’ is taught by Miyawaki as ‘when’ because normal operational setup happens then after start operations users attempt network access which flow information determines that illegal network behavior is detected), said method comprising:
             determining whether the flow characteristic information of the network data packet that has passed the inspection by each said firewall matches predefined flow characteristics - Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23; and
            in the situation that the flow characteristic information of the network data packet that has passed the inspection of each of said multiple firewalls matches the predefined flow characteristics, controlling said firewall to implement predefined operations that
corresponds to said predefined flow characteristics on the network data packet that has passed said firewall – Miyawaki [0039 and 0048] since at ‘39 whereupon one or more, or all of the firewalls 23 under the management of the distributed firewall manager 27 are informed of the connection source information of the attacker since at ’48 access permission is granted in advance to a node which is confirmed as being registered as a valid user but is not yet registered in a discovery domain, and so on. Here, the claimed ‘predefined’ is taught by Miyawaki as ‘registered’).

        As to claim 15, the combination of Miyawaki and Bright teaches the method of claim 10, wherein before receiving the flow characteristic information reported by said multiple firewalls - Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued (step S3).  Here, the claimed ‘before’ is taught by Miyawaki as ‘when’ because normal operational setup happens then after start operations users attempt network access which flow information determines that illegal network behavior is detected), said method comprising:
           according to the flow characteristic information of the network data packet that has passed the inspection by each of said multiple firewalls, determining the network behavior information of the network data packet that has passed inspection by each of said multiple firewalls – Miyawaki [0039] A determination is then made as to whether or not notification of the detection of unauthorized access in the respective locations of the firewalls 23 has been received from the firewalls 23.  Here, the claimed ‘network behavior’ is taught by Miyawaki as ‘unauthorized access’ because illegal attempts to access the network constitutes network behavior);
          determining whether the network behavior information of the network data packet that has passed the inspection by each said firewall matches a predefined network behavior rule – Miyawaki [0039 and 0048] since at ‘39 whereupon one or more, or all of the firewalls 23 under the management of the distributed firewall manager 27 are informed of the connection source information of the attacker since at ’48 access permission is granted in advance to a node which is confirmed as being registered as a valid user but is not yet registered in a discovery domain, and so on. Here, the claimed ‘predefined’ is taught by Miyawaki as ‘registered’); and
            in the situation that said network behavior information matches said predefined network behavior rule – Miyawaki [0037] the distributed firewall manager 27 diagnoses the communication condition of the firewalls 23 to determine whether the firewalls 23 can be contacted normally, controlling each of said multiple firewalls to implement a predefined operation that corresponds to said predefined network behavior on the network data packet that passes through said firewall  -  Miyawaki [0038] When normal communication has been confirmed, the security policy of FIG. 5 is transmitted to each of the firewalls 23 (security policy allocation), and an access control start request is issued (step S3). If contact cannot be made with the firewalls 23 due to a communication defect, the administrator is notified of the defect (step S8), and the processing is interrupted.  Here, the claimed ‘controlling’ is taught by Miyawaki as ‘start request’ whereas the claimed ‘predefined network behavior’ is taught by Miyawaki as ‘normal communication’ whereas the claimed ‘predefined operation’ is taught by Miyawaki as ‘notified’ because an alert by the administrator is a pre-defined operation).

            As to claim 16, the combination of Miyawaki and Bright teaches the method of claim 12, wherein said predefined flow characteristics include at least one of the following: frequency for receiving/sending the network data packet, size of the network data packet, header information load limit for the network data packet, and degree of matching of content of the network data packet – Miyawaki [0054] When the distributed firewall manager 27 communicates with another node, originator information (IP address, port number, and so on) attached to the header information of a request packet (management packet) may be spoofed as virtual originator information set in advance for the distributed firewall manager 27 and transmitted in a unicast or multicast format).

             As to claim 18, the combination of Miyawaki and Bright teaches the method of claim 12, wherein said predefined operations include at least one of the following: forwarding  network data packets, discarding network data packets, and blocking network data packets – Miyawaki [0010] a security policy can be autocreated on the basis of discovery domain information.  Here, the claimed ‘predefined operations’ is taught by Miyawaki .
 
Claims 4 – 6, 17, and 19 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Miyawaki and Bright in view of Mao, Yu Ming et al, US 20030065944, April 3, 2003, hereafter referred to as Mao.

           As to claim 4, the combination of Miyawaki and Bright teaches the system of claim 3.  The COMBINATION OF MIYAWAKI AND BRIGHT DO NOT TEACH wherein said firewall further comprises:
           a flow-filtering-engine module used in the case of acquiring a network data packet passing through said each of said multiples firewall and, on the basis of a filtering rule of  each of said multiple firewalls, to inspect contents of said network data packet and to filter the inspection result to obtain a network data packet that has passed the inspection; and
         a flow-characteristic-extracting module, connected with said flow-filtering-engine module for extracting said flow characteristic information of the network data packet that has passed the inspection, HOWEVER, IN AN ANALAGOUS ART MAO TEACHES
        a flow-filtering-engine module used in the case of acquiring a network data packet passing through said each multiple firewall and, on the basis of a filtering rule of said each multiple firewall, to inspect the contents of said network data packet and to filter the inspection result to obtain a network data packet that has passed the inspection; - Mao [0037] Security controller 204 includes a screening engine 240. Screening engine 240 examines each packet received from a respective port 202 and determines whether security screening is to be performed. Here, the claimed ‘flow-filtering-engine module’ is taught by Mao as ‘screening engine 240’) and
         a flow-characteristic-extracting module, connected with said flow-filtering-engine module for extracting said flow characteristic information of the network data packet that has passed the inspection – Mao [0040] Firewall controller 278 extracts packets from second portion 217 of storage element 208. Firewall controller 278 oversees the distribution of packets within the firewall device as well as the coordination among the respective engines. Each packet is evaluated and processed in accordance with policies based on one or more considerations.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Miyawaki and Bright with the features of Mao.  Miyawaki teaches a firewall manager 27 residing in firewall server 20 and Bright teaches his nodes 4 and 5 execute an intrusion protection system.  While the combination of Miyawaki and Bright is suggestive of the modularizing filtering and extraction functions Mao is explicit in teaching the functions and means by which the firewall executes filter and extraction features.  Miyawaki motivation stems from the desire ensure business and personal information is not converged in a multi-firewall application as taught by Miyawaki at location [0003]).

           As to claim 5, the combination of Miyawaki, Bright, and Mao teaches the system of claim 4, wherein said multiple firewall also comprise:
           a second flow characteristic computation and decision module, connected with said flow-characteristic-extracting module for determining, on the basis of said flow characteristic information of the network data packet obtained through filtering by said flow-filtering-engine module, a pre-defined operation to be implemented by each of said multiple firewalls on the network data packet that passes through said firewall; and
         a flow-information-receiving/sending module, connected respectively with said second flow characteristic computation and decision module and the flow information receiving module of said firewall analysis device for sending the flow characteristic information of the network data packet that has passed said firewall based on the decision of said second flow characteristic computation and decision module, to the flow information receiving module in said firewall analysis device – Mao [0034] One or more of switches 106 are configured to enforce security domain constraints. For example, one or more of switches 106 is configured as an L2 firewall enabled security switch (hereinafter "security switch").  Here, a second switch provides the same features as cited above for claim 5 whereby Mao teaches at locations [0037 and 0040] repeats these features as a second device. The same rational for combing Mao with the combination of Miyawaki and Bright in claim 5 applies here).
           As to claim 6, the combination of Miyawaki, Bright, and Mao teaches the system of claim 5, wherein each said multiple firewall also comprises:
          a forwarding-back-to-source module connected with said first flow characteristic computation and decision module, for forwarding the network data packet that is decided, by said first flow characteristic computation and decision module, to pass each of said multiple firewalls – Mao [0041] packets that are to be forwarded (e.g., pass the inspection) are prepared as appropriate… the packets may be returned to the second portion 217 of storage element 208 and marked as having been screened); and
        a flow-information-forwarding-management module, connected to said forwarding-back-to-source module, for providing to said forwarding-back-to-source module – Mao [0041] screened packets are forwarded to a queue for processing by L2 controller 230, a target network address) and a target port information of the network data packet that passes through the firewall  – Mao [0041]  Screened packets are then processed by L2 controller 230 and switched to an appropriate output port in accordance with conventional L2 processing protocols). The rationale to combine Mao with the combination of Miyawaki and Bright in Claim 4 applies here.

           As to claim 17, the combination of Miyawaki, Bright, and Mao teaches the method of claim 13, wherein said predefined network behavior rule is used to define at least one of the following information: frequency for receiving/sending the network data packet, size of the network data packet, similarity of header information for the network data packet, and degree of matching of content of the network data packet – Mao [0037] Screening engine 240 compares the security zone identifier associated with the packet being processed (determined from the identification of the egress port from the MAC table using the destination MAC address in the header of the packet being processed) with the security zone identifier associated with the port on which the packet was received in the device. Based on the comparison, screening engine 240 can determine whether the packet is destined for another zone (i.e., constitutes intra-zone or inter-zone communication). The same rational for combing Bright with Miyawaki with Mao in claim 4 applies here).
          
           As to claim 19, the combination of Miyawaki, Bright, and Mao teaches the method of claim 18, wherein said predefined operation is to forward the network data packet – Mao [0021] A packet switched communication system is provided that includes L2 switch and firewall functionality. The packet switched communication system acts as an IEEE 802.1Q VLAN L2 conventional switch forwarding/filtering based on MAC-address for all intra-zone communications.  Here, the claimed ‘predefined operation’ is taught by Mao as ‘switch forwarding/filtering’ because the switch is configured to forward packets, hence a configuration is a predefinition), said method also including: 
          if said network data packet is the inward data packet, then controlling the corresponding firewall to forward said inward data packet to said intranet according to a pre-configured target network address and target port information – Mao [0040 and 0048] since at ‘40 …After the inspection, packets can be forwarded in the network or dropped as appropriate. In one implementation, packets that are to be forwarded (e.g., pass the inspection) are prepared as appropriate.  Here, the claimed ‘intranet’ is taught by Mao as the “intra-zone” depicted in Figure 1 since at ‘48 …When L2 controller 230 is available, packets are fetched and processed to determine a port to which the packet should be forwarded. L2 controller 230 evaluates the MAC address associated with the packet, and using MAC table 235, determines a port for routing. After processing by the L2 controller 230, the packet is forwarded to an appropriate link into switch fabric 220 for routing to a determined output port 202); and
          if said network data packet is the outward data packet, then controlling the corresponding firewall to forward said outward data packet out according to the source network address and the source port information included in the network data packet that has been received by said intranet – Mao [0044 and 0048] since at ‘44 For inter-zone traffic, standard firewall inspections (including policy inspection, TCP stateful inspection, etc. as described above) are performed for each incoming packet. In all cases, the egress interface is determined by the learned destination MAC address on the interface since at ’48 …When L2 controller 230 is available, packets are fetched and processed to determine a port to which the packet should be forwarded. L2 controller 230 evaluates the MAC address associated with the packet, and using MAC table 235, determines a port for routing. After processing by the L2 controller 230, the packet is forwarded to an appropriate link into switch fabric 220 for routing to a determined output port 202).   It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Miyawaki and Bright with Mao to incorporate Mao L2 switching engine that is operable to immediately route to a port all intra-zone packets passing through the L2 device using a table of MAC addresses and corresponding ports, and only route to a port inter-zone packets that are retained after the inspection by the firewall engine.  The combination of Miyawaki and Bright do not explicitly teach private servers connected to implement an intranet.  Mao solves this problem and provides the switch fabric to provide secure communications to virtual private networks and 

           As to claim 20, the combination of Miyawaki, Bright, and Mao teaches the method of claim 19, wherein when said predefined operation is to block the network data packet, said method including:
           in the case of controlling said firewall to block the network data packet being sent to the target network address or to the target port information, controlling said firewall to block the network data packet coming from said target network address or said target port information – Miyawaki [0033] a set consisting of a single piece or a plurality of pieces of unique information relating to a node (an initiator or a target), typified by an iSCSI name, portal information, and so on, will be referred to as connection source information (access source information). In this embodiment, the term connection source information indicates a pair consisting of an iSCSI name and portal information; and

in the case of controlling said firewall to block the network data packet sent from the source network address or to the source port information, controlling said firewall to block the network data packet to be sent to the source network address or the source port information - Miyawaki [0076] Determinations as to whether an access source is valid or not can be performed using a combination of unique information, such as an iSCSI name, portal information, and MAC address allocated directly to the access source device, and a firewall ID, which is an identifier allocated by the distributed firewall manager to identify each firewall individually; and, hence, even upon access by an attacker in which all of the iSCSI name, portal information, MAC address, and so on have been spoofed, the access can be denied as unauthorized access). The same rational for combing Bright with Miyawaki with Mao in claim 19 applies here).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 24911/19/2022


/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491