DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination (RCE) under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed On September 27, 2021 in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on August 30, 2021 has been entered.

Response to Amendments
	This office action is responsive to application 16/815,881 and the RCE filed on September 27, 2021 for the corresponding amendments filed on August 30, 2021.  Claims 1, 3, 7, 12, 16, and 18-20 were amended, and claims 1, 3-8, and 10-20 remain pending in the application.

Response to Arguments
	The Examiner has fully considered the Applicant’s arguments filed with the RCE, and the Examiner responds as provided below.
	Regarding the Applicant's response at page 8 of the Remarks that concerns the entering of the amendments in conjunction with the AFCP request, the filing of the RCE makes the issue moot, as the amendments are entered upon the filing of the RCE.

	Regarding the Applicant's response at page 9 of the Remarks that concerns the objection due to claim informalities, the amendments to the claims cure the issues and the corresponding objection is withdrawn.
	Regarding the Applicant's response at pages 9-11 of the Remarks that concerns the § 103 rejection of independent claims 1, 19, and 20, the Applicant’s arguments in conjunction with the claim amendments are persuasive, and consequently the Examiner conducted a new prior art search. The Applicant’s arguments are now moot with respect to the independent claims because the arguments do not apply to some of the references currently used in the rejection of the aforementioned claims as detailed below.
Regarding the Applicant's response at page 12 of the Remarks that concerns the § 103 rejection of the dependent claims, the argument for patentability rests upon the patentability of independent claim 1.  Because claim 1 is not patentable over the prior art of record as detailed below, the related argument of patentability for the dependent claims is moot.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 13 and 14 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
More specifically, claims 13 and 14 recite the limitation "the updating," and there is insufficient antecedent basis for this limitation in the claims.  The Examiner notes that claims 13 and 14 seemingly should depend on claim 12 because claim 12 introduces the limitation of “updat[ing],” and claims 13 and 14 subsequently claim “the updating.”  Thus, the rejection can be overcome by amending claims 13 and 14 to depend upon claim 12.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

(NOTE: within the Examiner’s parenthetical explanations below, material within quotation marks is language quoted from the prior art reference, underlined material is language quoted from the claims, and material within brackets is material altered from either a prior art reference or a claim.  Regarding the reconstruction of the claims, a numbered footnote indicates a primary phrase to be first moved upwards to the first cited reference, while a lettered footnote indicates a secondary phrase to be moved after the movement of the primary phrase from which it was lifted.  Or more succinctly, move numbered material first, lettered material last.)
Claims 1, 3-4, 8, 11, 15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhou et al. (US 2016/0156591, “Zhou”) in view of Koponen et al. (US 2015/0009796, “Koponen”), and further in view of Sood et al. (US 2016/0127333, “Sood”.
Regarding Claim 1
Zhou discloses
A system (Fig. 11, ¶¶ [0073]-[0074]) comprising: 
a first rule engine (Fig. 11, ¶¶ [0074]-[0075], “…includes a firewall filter for identifying relevant firewall rules and applying those firewall rules for filtering packets,” and “ a context-aware distributed firewall module 1150” as a first rule engine) provided in a hypervisor (Fig. 11, ¶¶ [0074]-[0076], “As mentioned earlier, some embodiments of the invention are implemented by virtualization software or hypervisors,” and “As illustrated, the virtualization software 1105 [as a hypervisor] includes … a context-aware distributed firewall module 1150,” i.e., the “firewall module 1150” is provided in a hypervisor); 
a second rule engine (Fig. 11, ¶ [0074], “This physical network 1190 may span one or more datacenters and include various physical switches [as a second rule engine to manage network traffic] and routers.”) provided in a network interface device (Fig. 11, ¶ [0074], “This physical network 1190 may span one or more datacenters and include various physical switches and routers,” i.e., a switch as an edge device to manage network traffic comprises a network interface device to the “physical network 1190”), between a network and an application (Fig. 11,  ), 
wherein the first and second rule engines (Fig. 11, ¶¶ [0074]-[0076]) are configured to: 
receive data flows (Fig. 11, ¶¶ [0022]-[0023], “These rules are applied to the VM, and the firewall engine would use only these rules to inspect the network traffic [as data flows] of the VM,” i.e., the data flows that are receive[d] are illustrated as vertical bi-directional arrows between the “VMs 1111-1114” and the “physical network 1190” and other illustrated system elements), said data flows being between the network (Fig. 11, ¶¶ [0075], i.e., the “physical network 1190”) and the application (Fig. 11, ¶ [0076], i.e., the application is disclosed either as the “VMs 1111-1114” or applications that are implicitly run within the VMs); and 
determine data flow information of said data flows (¶ [0023], “The firewall engine will use only the rules attached to the VM to inspect [and thereby determine data flow information of] network traffic [as data flow] for that VM.”) and, 
in dependence on said data flow information (¶ [0023]), perform actions with respect to said data flows (¶ [0075], “…also includes a firewall filter for identifying relevant firewall rules and applying those firewall rules for [perform[ing an] action[] by] filtering packets”); and 
a plurality of controllers (Fig. 11, ¶ [0077], “The controller interface 1140 receives control plane messages from a controller or a cluster [or plurality] of controllers 1160.”), each of said controllers being configured to provide, … 1, control information (¶ [0077], “The controller interface 1140 receives control plane messages [as control information] from a controller or a cluster of controllers 1160.”) to the first and second rule engines to define one or more actions performable with respect to said data flows (¶¶ [0077]-[0078], “In some embodiments, these control plane message includes configuration data for configuring the various components of the virtualization software and/or the virtual machines (such as the physical switching element 1120 and the physical routing element 1130). In some embodiments, the control plane messages also include messages for firewall configurations [that enable actions performable with respect to said data flows], e.g., messages that include updates to the firewall rules stored at the host machine 1100,” and “The context-aware distributed firewall module 1150 [as the first rule engine] receives the firewall rules update (or the firewall configuration messages) from the controller interface 1150,” noting that Zhou teaches delivering “control plane messages” for “physical switching element 120,” but is silent to delivering such messages to a switch as the second rule engine in the “physical network 1190,” which represents the well-known technology of a network edge device; thus, delivering similar control messages to manage the similar switches in the interface of the physical network 1190 is suggested by the similarly related “switching element 120” receiving control messages.  See MPEP § 2141(III), stating “Prior art is not limited just to the references being applied, but includes the understanding of one of ordinary skill in the art. The prior art reference (or references when combined) need not teach or suggest all the claim limitations, however, Office personnel must explain why the difference(s) between the prior art and the claimed invention would have been obvious to one of ordinary skill in the art.”), 
wherein the first and second rule engines (Fig. 11, ¶¶ [0074]-[0076]) are configured to: 
2…, 
3 …, 
4 …, 
wherein said first and second rule engines comprise hardware, one or more programmable hardware processors, or a combination of both (Fig. 12, ¶ [0088], “Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions.”), 
wherein said plurality of controllers each comprise hardware, one or more programmable hardware processors, or a combination of both (Fig. 12, ¶ [0088]).
Zhou doesn’t disclose
	1 … via secure communications…
	2 provide, via secure communications, state information relating to at least some of the received data flows to one or more of the plurality of controllers,
	3 wherein the one or more of the plurality of controllers are configured to share the state information received with others of the plurality of controllers,
	4 wherein the one or more of the plurality of controllers are configured to use different keys to communicate with different ones of the others of the plurality of controllers,
Koponen, however, discloses
	2 provide, via secure communications (Sood ¶ [0034]), state information (¶ [0079], “The MFE [managed forwarding element] interface 315 also allows the network controller 300 to receive state information from the MFEs. This may include collection of statistics regarding the physical ports of the MFEs and/or the logical ports that the MFEs implement;” and Fig. 2, ¶ [0044], “Each of the VMs connects to one of the MFEs 220-245. In some embodiments, the MFEs are software forwarding elements that operate on the same host as the VM that couples to them (e.g., in the virtualization software of the host).”) to one or more of the plurality of controllers (¶ [0076], “The interface 305 to other controllers enables the controller 300 to communicate with other network controllers in its domain as well as controllers in other domains in order to exchange [and thereby provide] network state information.”),
3 wherein the one or more of the plurality of controllers are configured to share the state information received with others of the plurality of controllers (Fig. 3, ¶ [0076], “The interface 305 to other controllers enables [and thereby configure[s]] the controller 300 to communicate [and share the state information] with other network controllers”),
Sood, however, discloses
	1 … via secure communications… (¶ [0034], “It should be appreciated that, in some embodiments, protecting the VNF [virtualized network function] and VNFC  [virtualized network function component] communications (e.g., via encrypted [secure] communications or an otherwise secure communication channel)…,” where the “firewall module 1150” and “controller interface 1140” comprise VNF and/VNFC elements; and “As described below, in some embodiments, the server 204 may establish encryption tunnels 230 for secure communication (e.g., for VNF-VNF, VNFC-VNFC, and/or VNF-VNFC communication),” with the “encryption tunnels 230” being employed to establish secure communications with the “physical resources 222,” with secure communications between physical devices, i.e., the switch as a second rule engine and a controller via TLS or SSL being well-known in the art.  See MPEP § 2141(III))
	4 wherein the one or more of the plurality of controllers (Zhou Fig. 11, ¶ [0077]) are configured to use different keys to communicate with different ones of the others of the plurality of controllers (¶ [0034], “It should be appreciated that, in some embodiments, each VNF 202, VNFC 214, process flow, and/or communicative entity pairing (e.g., particular VNF 202 and other VNF 202 [or plurality of controllers]) may have a separate cryptographic key (or [a different] set of cryptographic keys) for secure communication and may also have a separate security policy 408,” noting that the alternative of using the same keys between different “communicative entity pairing[s]” leads to a less secure system),
	Regarding the combination of Zhou and Koponen, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security network system of Zhou to have included the state information feature of Koponen. One of ordinary skill in the art would have been motivated to incorporate the state information feature of Koponen because Koponen teaches a software defined network (SDN) system that uses state information to instruct virtualized components on “how to forward logical network packets,” see Koponen ¶ [0046], and Koponen teaches a system that comprehensively manages local and global state information to improve SDN performance, see Koponen ¶¶ [0052]-[0054]. 
	Regarding the combination of Zhou-Koponen and Sood, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security network system of Zhou-Koponen to have included the key management feature of Sood. One of ordinary skill in the art would have been motivated to incorporate the key management feature of Sood because Sood teaches a system that is “configured to perform various key management functions, cryptographic functions, secure communication channel management, and/or other security functions to ensure … communication is protected to the extent required by the relevant security policy 408,” which ensures secure communication within the network security system.
Regarding Claim 3
Zhou in view of Koponen, and further in view of Sood (“Zhou-Koponen-Sood”) disclose a system as claimed in claim 1, and Zhou further discloses
wherein the first and second rule engines (Fig. 11, ¶¶ [0074]-[0076]) are each configured to communicate with at least one of the controllers (Fig. 11, ¶¶ [0074]-[0077], as aptly illustrated, the “controllers 1160” are configured to communicate with the switches as the second rule engine and the “controller interface 1140” of a controller is to communicate with the “firewall module 1150” as the first rule engine).  
Regarding Claim 4
Zhou-Koponen-Sood disclose a system as claimed in claim 3, and Zhou further discloses 
wherein different rules engines…1 (Fig. 11, ¶¶ [0074]-[0076]) 
Sood further discloses
1 …use different keys to communicate with the same one of the controllers (¶ [0034], “It should be appreciated that, in some embodiments, each VNF 202, VNFC 214, process flow, and/or communicative entity pairing (e.g., particular VNF 202 and other VNF 202) may have a separate cryptographic key (or set of cryptographic keys) for secure communication,” i.e., the “separate cryptographic keys” can be used for the different communication channels between the rules engines and controllers in a virtualized environment as disclosed in Zhou and Koponen). 
Regarding the combination of Zhou-Koponen and Sood, the rationale to combine is the same as provided from claim 1 due to the overlapping subject matter between claims 1 and 4. 
Regarding Claim 8
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein … 1 each of the plurality of controllers…2 (Fig. 11, ¶ [0077]).
Koponen further discloses
	1 …communication between [controllers] … (Fig. 3, ¶ [0076], “The interface 305 to other controllers enables the controller 300 to communicate with other network controllers in its domain as well as controllers in other domains”)
Sood further discloses
2 …is secure (“As described below, in some embodiments, the server 204 may establish encryption tunnels 230 for secure communication (e.g., for VNF-VNF, VNFC-VNFC, and/or VNF-VNFC communication),” with the “encryption tunnels 230” being employed to establish secure communications with the “physical resources 222,” with secure communications between physical devices, i.e., controllers via TLS or SSL being well-known in the art.  See MPEP § 2141(III))).
Regarding the combination between Zhou and Koponen and Zhou-Koponen and Sood, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 8.
Regarding Claim 11
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Koponen further discloses 
wherein the state information (¶ [0079]) relating to at least some of the received data flows (Zhou Fig. 11, ¶¶ [0022]-[0023]) comprises delivery information for at least one of the received data flows (¶ [0046], “That is, in some embodiments, the network controllers provide the network state information to the MFEs that instructs the MFEs [via delivery information] as to how to forward logical network packets,”).  
Regarding the combination between Zhou and Koponen, the rationale to combine is the same as provided for claim 1 due to the overlapping subject matter between claims 1 and 11.
Regarding Claim 15
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
1… from one of the controllers to another of the controllers (Fig. 11, ¶ [0077]).  
Koponen further discloses
	1 wherein sharing of state information enables failover… (¶ [0077], “If only the interface 305 were to fail, then in some embodiments one of the other controllers in the cluster could take over [and thereby shar[e] state information that enable failover] for the controller 300 and maintain communication with the controllers at other domains.”)
Regarding Independent Claims 19 and 20
With respect to independent claims 19 and 20, a corresponding reasoning as given earlier for independent claim 1 applies, mutatis mutandis, to the subject matter of claims 19 and 20. Therefore, claims 19 and 20 are rejected, for similar reasons, under the grounds set forth for claim 1. 
B.	Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Zhou in view of Koponen and Sood, and further in view of Tuomenoksa et al. (US 2002/0091859, “Tuomenoksa”).
Regarding Claim 5
Zhou-Koponen-Sood disclose a system as claimed in claim 3, and Zhou further discloses 
wherein each of the controllers…1 
Zhou-Koponen-Sood doesn’t disclose
1 …receives a list of public keys for communicating with at least some of the rule engines.
Tuomenoksa, however, discloses
1 …receives a list of public keys for communicating with at least some of the rule engines (¶ [0197], “The network operations center 610 may determine a partner list for each of the gateways [analogous to the rule engines] enabled by the network operations center 610 and may store [and thereby receive[] into memory of the controller] the partner list for each enabled gateway,” and “…the network operations center 610 may enable a tunnel between the first gateway 650 and the second gateway 651 by determining that each gateway consents to enabling the tunnel and providing sufficient information, such as a partner list that includes each partner's virtual IP address, public portion of the public key [as the public key], firewall information, etc. to each gateway such that the gateways are capable of establishing the tunnel.”).
Regarding the combination of Zhou-Koponen-Sood and Tuomenoksa, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security network system of Zhou-Koponen-Sood to have included the partner-list feature of Tuomenoksa. One of ordinary skill in the art would have been motivated to incorporate the partner-list feature of Tuomenoksa because Tuomenoksa teaches that the “partner list may reflect the mutual consent of the two gateways to enable one or more tunnels between the two gateways,” see Tuomenoksa ¶ [0195], which thereby increases the flexibility and degree of security of the network system. 
C.	Claims 10, 13-14, and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Zhou in view of Koponen and Sood, and further in view of Yung (US 7,778,194, “Yung”).
Regarding Claim 10
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein the state information (Koponen ¶ [0079]) relating to at least some of the received data flows (Fig. 11, ¶¶ [0022]-[0023]) comprises…1 
Zhou-Koponen-Sood doesn’t disclose
1 …a flow counter for each of at least one of the received data flows.  
Yung, however, discloses
	1 …a flow counter for each of at least one of the received data flows (Col 11:35-12:5 “traffic classification engine 86 also maintains an SSL packet flow count, incrementing the SSL packet flow count for a given SSL connection (308) upon detection of a SSL packet”).
	Regarding the combination of Zhou-Koponen-Sood and Yung, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network security system of Zhou-Koponen-Sood to have included the data-flow counter feature of Yung. One of ordinary skill in the art would have been motivated to incorporate the data-flow feature of Yung because Koponen discusses the production of “physical network statistics received from the MFEs,” see Koponen ¶ [0053], and the data-flow feature of Yung enables the gathering of data to compile the statistics as taught by Koponen.  Additionally, one of ordinary skill in the art would have been motivated to incorporate the secure communication feature of Yung because Koponen discusses a network involving the Internet, see Koponen ¶ [0045], and “[t]he Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of message transmission on the Internet,” see Yung Col. 4:9-37. 
Regarding Claim 13
Zhou-Koponen-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the updating the state information (¶ [0059]) comprises…1 
Yung further discloses
1 …incrementing a flow counter for the at least one of the received data flows (Col. 7:60-8:23, “If the packet is part of an existing flow, the packet processor 82 associates the packet with the corresponding flow object and updates flow object attributes as required (110). For example, the packet processor 82, in one embodiment, increments the packet count associated with the flow (116).”).
Regarding the combination of Zhou-Koponen-Sood and Yung, the rationale to combine is the same as provided in claim 10 due to the overlapping subject matter between claims 10 and 13. 
Regarding Claim 14
Zhou-Koponen-Sood discloses the system as claimed in claim 1, and Koponen further discloses
wherein the updating the state information (¶ [0079]) comprises…1 
Yung further discloses
1 …inserting information about a new flow (Fig. 4, Col. 7:11-59, ”A flow object, in one implementation, is a data structure including fields whose values characterize various attributes of the flow, including source and destination IP addresses, port numbers, traffic class identifiers and the like (see Section B.1., below).” and “If a flow object is not found, packet processor 82 constructs a new flow object (106)” that is incorporated or insert[ed] into the state information).  
Regarding the combination of Zhou-Koponen-Sood and Yung, the rationale to combine is the same as provided in claims 1 and 10, respectively due to the overlapping subject matter between claims 10 and 14. 
Regarding Claim 16
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein at least one rule engine (Fig. 11, ¶¶ [0074]-[0075]) is configured to: …1
Yung further discloses
1 parse frames of the received data flows (Col. 5:53-6:23, “the packet processor 82 is operative to process data packets, such as storing packets in a buffer structure, detecting new data flows, and parsing the data packets for various attributes (such as source and destination addresses, and the like)”); 
determine a match of one or more frames of one of the received data flows to data flow information stored in a data store (Fig. 1, Col. 6:24-40, i.e., the “persistent memory 76” acts as a data store, the memory 76 is part of a “traffic monitoring device” that performs in similar fashion to the engine device that is disclosed by Koponen as a MFE) of the at least one rule engine (Col. 5:53-6:23, “the packet processor 82 is operative to process data packets, such as storing packets in a buffer structure, detecting new data flows, and parsing the data packets for various attributes (such as source and destination addresses, and the like);” and Col. 7:60-8:23, “As FIG. 4 shows, if the data flow does not match an existing traffic class (115), packet processor 82 or traffic classification engine 86 flags the packet for traffic discovery (116).”), where the comparison to determine a “match” requires the storage of an already existing traffic classification in memory (i.e., the data store); and 
in response to the determined match, perform one of said actions with respect to said one of the received data flows (Col. 7:60-8:23, “As discussed above, traffic monitoring device 30 may perform other operations, such as firewall or gateway operations, packet capture operations, and/or bandwidth management functions,” and Col. 18:23-55, “A discard policy causes flow control module 132 to discard or drop data packets [as an action] or flows associated with a particular traffic class.”). 
	Regarding the combination of Zhou-Koponen-Sood and Yung, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the network security system of Zhou-Koponen-Sood to have included the frame analysis feature of Yung. One of ordinary skill in the art would have been motivated to incorporate the frame analysis feature of Yung because Yung teaches a system that “facilitate[s] the classification of encrypted network traffic,” see Yung col. 5:1-4, that can be achieved by parsing and matching frames of data flows.

Regarding Claim 17
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein said data flow information (¶ [0023]) comprises…1 
Yung further discloses
1 …header information (Col. 4:11-59, “flows are identified based on the following flow attributes: 1) source IP address, 2) destination IP address, 3) source port number, 4) destination port number, and 5) protocol (derived from the “protocol” field in IPv4 headers, and the “NextHeader” field in IPv6 headers).”).
Regarding the combination of Zhou-Koponen-Sood and Yung, the rationale to combine is the same as provided for claim 16 due to the overlapping subject matter of claims 16 and 17. 
Regarding Claim 18
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein the one or more of the plurality of controllers (Fig. 11, ¶ [0077]) are configured to…1 
Yung further discloses
1 …periodically query at least one of the first and second rule engines for updates to the state information (Col. 7:60-43, i.e., “For example, traffic discovery module 84 can monitor data flows in real time to discover traffic classes in the data flows, or store flagged packets and process the stored packets periodically to discover new traffic classes,” i.e., the “monitoring” for discovering new traffic classes as a form of state information necessitates update[ing] state information, which suggests the action of periodically query[ing] of the rule engine to discover the new traffic classes).
Regarding the combination of Zhou-Koponen-Sood and Yung, the rationale to combine is the same as provided for claim 16 due to the overlapping subject matter of claims 16 and 18.
D.	Claims 12 is rejected under 35 U.S.C. 103 as being unpatentable over Zhou in view of Koponen and Sood, and further in view of Raman et al. (US 2015/0281178 “Raman”).
Regarding Claim 12
Zhou-Koponen-Sood disclose a system as claimed in claim 1, and Zhou further discloses 
wherein at least one rule engine (Fig. 11, ¶¶ [0074]-[0075]) is configured to: …1; and {00817052.DOCX }Page 3Application No.: 16/815,881Attorney Docket: LVL5 2041-4 
2 ….  
Zhou-Koponen-Sood doesn’t disclose
	1 … store in at least one data store of the at least one rule engine, the state information,
	2 update the state information held in the at least one data store for at least some of the received data flows.
Raman, however, discloses
	1 … store in at least one data store of the at least one rule engine (Zhou Fig. 11, ¶¶ [0074]-[0075]), the state information (Fig. 4, ¶ [0051], “FIG. 4 illustrates an example of connection state data 400 [or state information as disclosed by Koponen ¶ [0079]] stored in a connection state data storage 125 [as a data store] of some embodiments.”),
	2 update the state information held in the at least one data store for at least some of the received data flows (¶ [0059], “…the SVM [service virtual machine] on the first host can receive, update, and supply connection state information. The firewall engine of the first host can then send directly or indirectly (through a VM migrator executing on the host) the supplied connection state information to the firewall engine of the second host [that receive[s] data flows]”).
	Regarding the combination of Zhou-Koponen-Sood and Raman, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the security network system of Zhou-Koponen-Sood to have included the data storage feature of Raman. One of ordinary skill in the art would have been motivated to incorporate the data storage feature of Raman because Raman teaches the use of a “state data store” enables the migration of a guest virtual machine (“GVM”) by allowing for the updating of connection state information between the firewall engines of the first and second hosts without synchronizing firewall states.  See Raman ¶ [0008]. 

Allowable Subject Matter
Claims 6 and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is the Examiner’s statement of reasons for allowance.  The closest prior-art references identified by the Examiner are 1) “Koponen” (US 2015/0009796), 2) “Yung” (US 7,778,194), 3) “Sood” (US 2016/0127333), 4) “He” (US 2010/0037311), 5) “Zhou” (US 2016/0156591), 6) “Tuomenoksa” (US 2002/0091859), and 7) “Raman” (US 2015/0281178).  1) Koponen discloses a software-defined network with a plurality of managed forwarding elements (MFEs) associated with virtual machines, the MFEs collect statistics concerning state information that is forwarded to controllers and then shared amongst other controllers in different domains.  2) Yung discloses a method of classifying data flows to determine data flow information and relies upon secure communication by the use of SSL.  3) Sood discloses a virtualized network that relies upon different cryptographic keys to implement secure communication between various virtual network functions (VNF) and VNF components.  4)  He discloses a star-connected network where an SSL server maintains a list of public keys for client nodes.  5) Zhou discloses a software defined system that comprises a context-aware distributed firewall scheme with firewall or rule engines tasked to provide firewall protection, wherein the virtualized component of the system is implement via a hypervisor.  
6) Tuomenoksa discloses a network with various gateways where a partner list of the gateways is stored in a network operations center.  7) Raman discloses a virtualized network with firewall service virtual machines where state information can be received and updated between various firewall engines of different hosts.
What is missing from the prior art is a system with the following characteristics.  The system comprises a first rule engine that is provided in a hypervisor, and a second rule engine, located between a network and an application, that is provided in a network interface device.  The first and second rule engines comprise hardware, one or more programmable hardware processors, or a combination of both. The first and second rule engines are configured to receive data flows between the network and the application and determine data flow information.  In dependence on the data flow information, the first and second rule engines perform actions with respect to said data flows.  A plurality of controllers comprise hardware, one or more programmable hardware processors, or a combination of both, and the first and second rule engines are each configured to communicate with at least one of the controllers.  Each of the controllers is configured to provide, via secure communications, control information to the first and second rule engines to define one or more actions performable with respect to said data flows.  The first and second rule engines are additionally configured to provide, via secure communications, state information related to at least some of the received data flows to one or more of the plurality of controllers, and one or more of the plurality of controllers are additionally configured to share the state information received with other controllers.  The one or more of the plurality of controllers use different keys to communicate with different ones of the others of the plurality of controllers, and each of the controllers receives a list of public keys for communicating with at least some of the rule engines.  The list of public keys includes a digital signature, wherein each of the controllers is programmed securely with a key of the list of public keys required to verify this digital signature.  The list of public keys is received from a trusted repository, wherein each of the rule engines is configured to receive public keys for communicating with one of the plurality of controllers from the trusted repository.
Accordingly, the prior art of record, when taken individually or in combination, fails to teach or suggest the subject matter recited in claims 6 and 7.  Therefore, claims 6 and 7 are deemed allowable over the prior art of record (and in consideration of the base independent claim 1 and intervening clams 3 and 5).
Any comments considered necessary by Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/D'Arcy Winston Straub/Examiner, Art Unit 2491