DETAILED ACTION
The following claims are pending in this office action: 1-20
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Drawings
The drawings filed on 02/05/2020 are accepted.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claims 4 and 7-33 are rejected under 35 U.S.C. 112(b), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claims 4 and 7-33 recite the limitation “a flow state associated with the flow” (claim 4, ln. 31, pg. 50; and claim 8, ln. 12, pg. 51). It is unclear if “a flow state associated with the flow” is referring to the prior instance of “a flow state associated with the flow” (claim 1, ln. 16, pg. 50) or if it is a new instance of a flow state. If “a flow state” is referring to the earlier instance, examiner suggests changing the limitation to “the flow state”.
Claims 7-33 recite the limitation “an entry associated with the flow” (claim 7, ln. 5, pg. 51).
Claim 10 recites the limitation “the least recently used entry” (claim 10, ln. 19, pg. 51).  This limitation lacks antecedent basis.  Examiner suggests changing the limitation to “a least recently used entry”.
Claims 19-23 and 24-25 recite the limitation “a respective identifier” (claim 19, ln. 14-15, pg. 52; claim 24, ln. 35, pg. 52). It is unclear if “a respective identifier” is referring to the prior instance of “an identifier” (claim 1, ln. 6, pg. 50) or if it is a new instance of an identifier. If “a respective identifier” is referring to the earlier instance, examiner suggests changing the limitation to “the identifier”.
Claim 23 recites the limitation “the entry” (claim 23, ln. 14-15, pg. 52). It is unclear if “the entry” is referring to the prior instance of “a lookup entry” (claim 1, ln. 7, pg. 50), “an entry associated with the flow” (claim 1, ln. 10, pg. 50) or a different instance. If “an entry” is referring to the earlier instance of “a lookup entry”, examiner suggests changing the limitation to “the lookup entry” or “the lookup entry in the plurality of lookup entries”.
Claims 24-25 recite the limitation “a lookup entry” (claim 23, ln. 14-15, pg. 52). It is unclear if “a lookup entry” is referring to the prior instance of “a lookup entry” (claim 1, ln. 7, pg. 50). If “a lookup entry” is referring to the earlier instance of “a lookup entry”, examiner suggests changing the limitation to “the lookup entry”.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 36 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
Claim 36 does not fall within at least one of the four categories of patent eligible subject matter because, using the broadest reasonable interpretation, the claim is directed to signals or software per
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-37 are rejected under 35 USC § 102 as being anticipated by Duan et al., "LightBox: Full-Stack Protected Stateful Middlebox at Lightning Speed"; ArXiv.org: Cryptography and Security, August 2018 [retrieved 2022-01-19]; retrieved from the Internet <URL: https://arxiv.org/abs/1706.06261v2> (hereinafter “Duan”). 

As per claim 1, Duan teaches a computer-implemented method for facilitating stateful processing of a middlebox module implemented in a trusted execution environment, the computer-implemented method comprising: ([Duan, para. 2 of sec. 1, pg. 1; Fig. 2, pg. 3; para. 1 of subsec. 2.1, pg. 3] LightBox is disclosed, a system that implements a process for stateful processing of a middlebox module in a trusted execution environment by means of a SGX-enabled computing infrastructure) (a) determining, based on an identifier, from a lookup module ([para. 3 of subsec. 4.2, pg. 8] an FID [an identifier] is searched in a lkup_table [a lookup module]) in the trusted execution environment ([para. 1 of subsec. 4.1, pg. 8; para. 2 of sec. 1, pg. 1] the lookup table is located in the enclave, and the enclave is a trusted execution environment), whether a lookup entry of a flow and corresponding to the identifier exists; ([Fig. 5, pg. 7; para. 3 of subsec. 4.2, pg. 8] first, the lkup_table is searched to find if a hit of a lookup entry corresponding to the FID exists)
(b) if it is determined that the lookup entry corresponding to the identifier exists, determining, based on the lookup entry, whether an entry associated with the flow is arranged inside the trusted execution environment or outside the trusted execution environment; and ([Duan, para. 3 of subsec. 4.2, pg. 8; Fig. 5, pg. 7] if a hit is generated [lookup entry corresponding to the identifier exists], decide whether the entry is in the flow cache or a store entry by checking the memory location of the state pointer.   [Para. 1 of subsec. 4.1, pg. 8] the flow cache is in the enclave [arranged inside the execution environment] the store entry is in untrusted memory [arranged outside the trusted execution environment])
(c) if it is determined that the entry associated with the flow is outside the trusted execution environment, caching, in a cache in the trusted execution environment, the entry associated with the flow and corresponding to the identifier ([Duan, para. 3 of subsec. 4.2, pg. 8] if the entry is in a store entry [arranged outside the trusted execution environment] the entry is swapped with the least recently used cache entry [caching in a cache] that is located in the enclave [in the trusted execution environment]) to facilitate provision of a flow state associated with the flow to the middlebox module. ([para. 1 of subsec. 4.1, pg. 8; para. 3 of subsec. 4.2, pg. 8] lkup_table allows [facilitates] fast lookup [provision] of flow states by returning a flow state cached.  [Fig. 2, pg. 3] flow states are returned to the stateful processing component of the middlebox module)

As per claim 2, Duan teaches claim 1.  
Duan also teaches (d) if it is determined that the entry associated with the flow is inside the trusted execution environment, arranging the corresponding entry associated with the flow to the front of the cache.  ([Duan, Algorithm 2, pg. 8; para. 3 of subsec. 4.2, pg. 8] if the entry is in the flow cache [inside the trusted execution environment], then the entry is raised to the front [arrange to the front] of the flow cache)

As per claim 3, Duan teaches claim 2.  
Duan also teaches wherein arranging the corresponding entry to the front of the cache includes updating a pointer to the entry associated with the flow.  ([Duan, para. 4 of subsec. 4.1, pg. 8; para. 3 of Subsec. 4.2, pg. 8] the corresponding entry in the flow cache is allocated within the cache by manipulating [updating] the head pointer [a pointer to the entry] to make the corresponding entry the head of the list)

As per claim 4, Duan teaches claim 2.  
Duan also teaches (e) if it is determined that the lookup entry corresponding to the identifier does not exist, caching, in the cache in the trusted execution environment, the entry associated with the flow and corresponding to the identifier ([Duan, para. 3 of subsec. 4.2, pg. 8] if the lookup table generates a miss, the corresponding entry associated with the flow and corresponding to the identifier is treated as a new one: the entry is created in the store entry, and then swapped with the least recently used cache entry) to facilitate provision of a flow state associated with the flow to the middlebox module.  ([para. 1 of subsec. 4.1, pg. 8; para. 3 of subsec. 4.2, pg. 8] lkup_table allows [facilitates] fast lookup [provision] of flow states by returning a flow state cached.  [Fig. 2, pg. 3] flow states are returned to the stateful processing component of the middlebox module)

As per claim 5, Duan teaches claim 1.  
Duan also teaches prior to step (a), extracting the identifier from an input packet. ([Duan, Algorithm 2, pg. 8; para. 3 of subsec. 4.2, pg. 8] the input, and a requirement of returning the state of the flow is providing an fid extracted from an input packet, and so is a step prior to step c)

As per claim 6, Duan teaches claim 1.  
Duan also teaches after step (c), providing the flow state associated with the flow to the middlebox module for processing.  ([Duan, Algorithm 2, pg. 8] at the end of flow tracking algorithm [after step c] the flow state associated with the flow to the middlebox module is returned.  [Fig. 2, pg. 3] flow states are returned to the stateful processing component of the middlebox module)

As per claim 7, Duan teaches claim 4.  
Duan also teaches wherein step (b) comprises: determining, based on the lookup entry, whether an entry associated with the flow is arranged in a flow cache module inside the trusted execution environment or in a flow store module outside the trusted execution environment.  ([Duan, para. 3 of subsec. 4.2, pg. 8; Fig. 5, pg. 7] whether the entry is in the flow cache or a store entry is decided by checking the memory location of the state pointer by the lookup entry.   [Para. 1 of subsec. 4.1, pg. 8] the flow cache is a flow cache module in the enclave [arranged inside the trusted execution environment] the store entry is a flow store module in untrusted memory [arranged outside the trusted execution environment])


Duan also teaches wherein step (c) comprises: caching, in the flow cache module in the trusted execution environment, the entry associated with the flow and corresponding to the identifier ([Duan, para. 3 of subsec. 4.2, pg. 8] if the entry is in a store entry the entry is swapped with the least recently used cache entry [caching in a cache] in the flow cache [a flow cache module] that is located in the enclave [in the trusted execution environment]) to facilitate provision of a flow state associated with the flow to the middlebox module.  ([Para. 1 of subsec. 4.1, pg. 8; para. 3 of subsec. 4.2, pg. 8] lkup_table allows [facilitates] fast lookup [provision] of flow states by returning a flow state cached.  [Fig. 2, pg. 3] flow states are returned to the stateful processing component of the middlebox module)

As per claim 9, Duan teaches claim 8.  
Duan also teaches wherein step (c) comprises: removing an entry from the flow cache module before or upon caching the entry associated with the flow and corresponding to the identifier in the flow cache module.  ([Duan, para. 3-4 of subsec. 4.2, pg. 8] swapping with the LRU cache entry involves moving the LRU cache_entry from the flow_cache to a temporary buffer, which occurs before the new entry is put into the freed flow_cache cell)

As per claim 10, Duan teaches claim 9.  
Duan also teaches wherein removing the entry comprise removing the least recently used entry from the flow cache module.  ([Duan, para. 4 of subsec. 4.2, pg. 8] the least recently used entry from the flow_cache is moved to a temporary buffer and then to the flow store [removed from the flow cache module])

As per claim 11, Duan teaches claim 7.  
([Duan, Algorithm 2, pg. 8; para. 3 of subsec. 4.2, pg. 8] the corresponding entry is raised to the front of the flow cache [flow cache module])

As per claim 12, Duan teaches claim 7.  
Duan also teaches wherein step (e) comprises: prior to the caching, creating a new entry associated with the identifier in the flow store module. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, a new entry associated with the identifier is created in the flow store module)

As per claim 13, Duan teaches claim 12.  
Duan also teaches moving the new entry from the flow store module to the flow cache module. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the new entry is swapped [moved] from its newly created position in the flow store module to the least recently used entry in the flow cache module)

As per claim 14, Duan teaches claim 13.  
Duan also teaches checking memory safety of the new entry prior to moving the new entry. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the memory safety of the new entry is checked prior to the swap)

As per claim 15, Duan teaches claim 13.  
Duan also teaches removing an entry from the flow cache module before or upon moving the new entry. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the least recently used entry from the flow cache is moved to a temporary buffer [removed from the flow cache] before the newly created entry is moved to the flow cache)

As per claim 16, Duan teaches claim 15.  
Duan also teaches encrypting the entry to be removed prior to the removal; and the moving comprises moving the encrypted entry to the flow store module. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the victim least recently used entry from the flow cache is encrypted before it is moved to a temporary buffer.  The moving includes moving the encrypted victim LRU entry from flow cache to the flow store)

As per claim 17, Duan teaches claim 13.  
Duan also teaches decrypting the new entry before moving the new entry. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the new entry is decrypted before being moved to the freed flow cache cell)

As per claim 18, Duan teaches claim 13.  
Duan also teaches updating the lookup module upon or after moving the new entry from the flow store module to the flow cache module. ([Duan, para. 3-4 of subsec. 4.2, pg. 8] if the lookup entry does not exist, as part of the procedure to generate a new lookup entry, the corresponding lookup entry in the lookup module is updated [update the lookup module] to restore the lookup consistency after moving the new entry to the flow cache)

As per claim 19, Duan teaches claim 7.  
([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the lookup module includes a plurality of lkup_entry [lookup entries] that includes fid [a respective identifier], and a pointer [associated link] to either a cache_entry [flow cache entry in the flow cache module] or a store_entry [flow store entry in the flow store module])

As per claim 20, Duan teaches claim 19.  
Duan also teaches wherein the plurality of lookup entries includes a plurality of flow cache lookup entries and a plurality of flow store lookup entries. ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the lookup module includes a plurality of lkup_entry [lookup entries] that includes fid [a respective identifier], and a pointer [associated link] to either a cache_entry [flow cache entry in the flow cache module] or a store_entry [flow store entry in the flow store module])

As per claim 21, Duan teaches claim 20.  
Duan also teaches wherein the number of flow cache lookup entries is smaller than the number of flow store lookup entries. ([Duan, para. 2 of subsec. 4.3.2, pg. 9] the number of lookup module entries for flow_cache is smaller than the number of entries for flow_store)

As per claim 22, Duan teaches claim 21.  
Duan also teaches (b) comprises: searching the plurality of flow cache lookup entries prior to searching the plurality of flow store lookup entries. ([Duan, Algorithm 2, pg. 8, para. 2 of subsec. 4.3.2, pg. 9] the entries in the lookup table for the flow cache are searched before the entries for the flow store)


Duan also teaches wherein each of the lookup entries further include a respective swap counter and a respective timestamp indicative of a time of last access of the entry. ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8; para. 6 of subsec. 4.2, pg. 8] entries in the lookup table contain both a swap_count – a counter to ensure freshness of state [a respective swap counter] and a time_t last_access – the last access time in seconds updated at the end of each flow tracking with etap clock [a respective timestamp indicative of a time of last access of the entry])

As per claim 24, Duan teaches claim 7.  
Duan also teaches wherein the flow cache module includes a plurality of flow cache entries, each of the flow cache entries includes a respective identifier of a lookup entry in the lookup module and respective flow state information. ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the flow cache module includes a plurality of flow cache entries that includes *lkup: a pointer to a lookup table entry [respective identifier of a lookup entry], and the plain state of the entry/raw state data of the entry [respective flow state information])

As per claim 25, Duan teaches claim 24.  
Duan also teaches wherein each of the flow cache entries further includes a first pointer identifying a previous cache entry and a second pointer identifying a next cache entry. ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the flow cache entries include *prev [a first pointer identifying a previous cache entry] and *next [a second pointer identifying the next cache entry], which are two pointers to implement the LRU eviction policy)

As per claim 26, Duan teaches claim 7.  
([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the flow store module includes a plurality of flow store entries which includes enc_state: which is encrypted state data of the flow store entry)

As per claim 27, Duan teaches claim 26.  
Duan also teaches wherein each of the flow store entries further include a respective authentication media access control address (MAC). ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the flow store module includes a plurality of flow store entries which includes mac[16]: an authentication MAC of the flow store entry)

As per claim 28, Duan teaches claim 26.  
Duan also teaches wherein the flow store entries are encrypted. ([Duan, Fig. 5, pg. 7; para. 2 of subsec. 4.1, pg. 8] the flow store module includes a plurality of flow store entries which includes enc_state: which is encrypted state data of the flow store entry)
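
The flow tracking mapped in the rejections of claims 1-18 and the entry fields mapped in the rejections of claims 19-28, sketched as an added Python example (not code from Duan or from the application). It shows why the lookup entry's swap counter matters: a store entry replayed by the untrusted host fails authentication. The SHAKE-256 keystream and truncated HMAC are stand-ins for an authenticated cipher, and all class, function and key names are assumptions.

```python
import hashlib
import hmac
import os
from collections import OrderedDict

ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)  # enclave-held keys (assumed)

def _ad(fid: bytes, swap_count: int) -> bytes:
    return len(fid).to_bytes(2, "big") + fid + swap_count.to_bytes(8, "big")

def seal(fid, swap_count, state):
    """Encrypt-then-MAC a state, bound to fid and swap_count (stand-in cipher)."""
    ad = _ad(fid, swap_count)
    stream = hashlib.shake_256(ENC_KEY + ad).digest(len(state))
    enc = bytes(a ^ b for a, b in zip(state, stream))
    return enc, hmac.new(MAC_KEY, ad + enc, hashlib.sha256).digest()[:16]

def unseal(fid, swap_count, enc, mac):
    """Authenticate a store entry against the enclave's own counter, then decrypt."""
    ad = _ad(fid, swap_count)
    expect = hmac.new(MAC_KEY, ad + enc, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mac, expect):
        raise ValueError("store entry rejected: tampered or stale")
    stream = hashlib.shake_256(ENC_KEY + ad).digest(len(enc))
    return bytes(a ^ b for a, b in zip(enc, stream))

class FlowTracker:
    def __init__(self, cache_capacity):
        self.capacity = cache_capacity   # fixed-size cache inside the enclave
        self.lkup = {}                   # enclave: fid -> {in_cache, swap_count}
        self.cache = OrderedDict()       # enclave: fid -> plaintext state, MRU first
        self.store = {}                  # UNTRUSTED: fid -> (enc_state, mac)

    def _evict_lru(self):
        victim, state = self.cache.popitem(last=True)
        entry = self.lkup[victim]
        entry["swap_count"] += 1         # fresh counter for every trip outside
        self.store[victim] = seal(victim, entry["swap_count"], state)
        entry["in_cache"] = False

    def track(self, fid, initial_state=b"\x00" * 16):
        entry = self.lkup.get(fid)
        if entry is None:                # miss: create in the store, then swap in
            entry = self.lkup[fid] = {"in_cache": False, "swap_count": 0}
            self.store[fid] = seal(fid, 0, initial_state)
        if entry["in_cache"]:            # hit in cache: raise to the front
            self.cache.move_to_end(fid, last=False)
        else:                            # hit in store: verify, evict LRU, swap in
            state = unseal(fid, entry["swap_count"], *self.store[fid])
            if len(self.cache) >= self.capacity:
                self._evict_lru()
            del self.store[fid]
            self.cache[fid] = state
            self.cache.move_to_end(fid, last=False)
            entry["in_cache"] = True
        return self.cache[fid]

    def update(self, fid, state):
        self.cache[fid] = state          # caller must have just tracked fid

def replay_is_rejected():                # constructed scenario, flow ids are made up
    t = FlowTracker(cache_capacity=2)
    a, b, c = b"flow-A", b"flow-B", b"flow-C"
    t.track(a); t.update(a, b"balance=1")
    t.track(b); t.track(c)               # A evicted with swap_count 1
    stale = t.store[a]
    t.track(a); t.update(a, b"balance=2")
    t.track(b); t.track(c)               # A evicted again with swap_count 2
    t.store[a] = stale                   # rollback by the untrusted host
    try:
        t.track(a)
    except ValueError:
        return True
    return False
```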

As per claim 29, Duan teaches claim 7.  
Duan also teaches wherein the flow store module is arranged in an untrusted execution environment. ([Duan, para. 3 of subsec. 4.1, pg. 8] a large pool of empty store entry [the flow store module] is allocated in untrusted memory [an untrusted execution environment])

As per claim 30, Duan teaches claim 7.  
Duan also teaches wherein the flow cache module has a fixed capacity. ([Duan, para. 1 of subsec. 4.1, pg. 8] flow_cache [the flow cache module] has a fixed capacity)

As per claim 31, Duan teaches claim 30.  
Duan also teaches wherein the flow store module has a variable capacity. ([Duan, para. 1 of subsec. 4.1, pg. 8] flow_store [the flow cache module] grows as more flows are tracked)

As per claim 32, Duan teaches claim 31.  
Duan also teaches wherein the lookup module has a variable capacity. ([Duan, para. 1 of subsec. 4.1, pg. 8] lkup_table [the flow cache module] grows as more flows are tracked)

As per claim 33, Duan teaches claim 32.  
Duan also teaches wherein a capacity of the flow cache module is smaller than a capacity of the flow store module; ([Duan, para. 6 of subsec. 2.2, pg. 4] the flow cache in the enclave is small compared to the encrypted flow store in untrusted memory) and the capacity of the flow cache module is smaller than a capacity of the lookup module. ([para. 3 of subsec. 4.1, pg. 8; para. 2 of subsec. 4.3.2, pg. 9] a cache_entry uses 24 bytes per cached flow and lkup_entry uses 32 bytes per tracked flow, and the lookup table tracks all the flows of both the flow cache and the flow store, making the capacity of the lookup module greater than the capacity of the flow cache)

As per claim 34, Duan teaches claim 1.  
Duan also teaches wherein the trusted execution environment comprises a Software Guard Extension (SGX) enclave.  ([Duan, para. 2 of sec. 1, pg. 1] the enclave/trusted execution environment is an intel SGX enclave)

As per claim 35, Duan teaches claim 1.  
([Duan, para. 1 of Appendix A] the enclave [trusted execution environment] is processor reserved memory [memory initialized or provided using one or more processors])

As per claim 36, Duan teaches a system for facilitating processing of a middlebox module implemented in a trusted execution environment, the system comprise: one or more processors ([Duan, para. 2 of sec. 1, pg. 1; Fig. 2, pg. 3; para. 1 of subsec. 2.1, pg. 3; Fig. 3, pg. 4] LightBox is disclosed, a system that implements a process for stateful processing of a middlebox module in a trusted execution environment by means of a SGX-enabled computing infrastructure;  [para. 1 of sec. 7.1, pg. 10] the system comprises an enclave that runs on a workstation with Intel E3-1505 CPU [one or more processors]) which is arranged to perform the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.

As per claim 37, Duan teaches a non-transitory computer readable medium storing computer instructions ([Duan, para. 9 of sec. 1, pg. 3; para. 1 of sec. 7.1, pg. 10] a cache-efficient dual lookup algorithm with space-efficient cuckoo hashing that runs in the memory of a workstation is disclosed) that, when executed by one or more processors, ([para. 1 of sec. 7.1, pg. 10] the algorithm runs on a workstation with Intel E3-1505 CPU [one or more processors]) are arranged to cause the one or more processors to perform a computer-implemented method for facilitating stateful processing of a middlebox module implemented in a trusted execution environment, ([para. 2 of sec. 1, pg. 1; Fig. 2, pg. 3; para. 1 of subsec. 2.1, pg. 3; Fig. 3, pg. 4] the algorithm facilitates a process for stateful processing of a middlebox module in a trusted execution environment by means of a SGX-enabled computing infrastructure) the computer-implemented method comprising the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Wang et al. (US Patent No. 11,080,189) discloses a CPU-efficient cache replacement method with two-phase eviction that includes a hot queue that evicts and adds data to the cache based on a LRU system, storing mapping data to a reference hash table.    
Wang et al. (US Pub. 2021/0064581) discloses a small in-memory cache to speed up operations that uses cuckoo hashing in a manner similar to the flow cache, flow storage, and look-up table described.
Gember-Jacobson et al. (US Pub. 2016/0182360) discloses transferring flows of states associated with flows for a middlebox where states are extracted from flows of packets and transferred to buffers in accordance with data structures organized by a hash table.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.

/Z.L./Examiner, Art Unit 2493                                                                                            
/Jeremy S Duffield/Primary Examiner, Art Unit 2498