DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Allowable Subject Matter
The indicated allowability of claims 1-20 is withdrawn in view of the newly discovered reference(s) to WO 2016/171691 A1.  Rejections based on the newly cited reference(s) follow.

Double Patenting
Responsive to the approved 3/29/2022 terminal disclaimer, the double patenting rejection has been withdrawn. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Parekh (US 7,257,833 B1) in view of Curcio (WO 2016/171691 A1) and Bansal (US 2017/0005986 A1).

Regarding claim 1, Parekh discloses: A method to implement rule processing and enforcement for interleaved Layer 4; Layer 7 and verb-based rulesets; the method comprising:
receiving stream data intercepted along a data path; 
identifying a data packet in the stream data; 
Refer to at least Col. 2, Ll. 31-35 and Ll. 60-61 of Parekh with respect to a stream of packets.
parsing the data packet to extract firewall input data from the a packet header of the data packet; 
Refer to at least Col. 2, Ll. 60-67 of Parekh with respect to extracting packet information from the packets, such as from the packet headers. 
determining whether one or more rules include elements that at least partially match the firewall input data from a header of the data packet, wherein each of the elements comprises a value to be compared with a corresponding value associated with the data packet and wherein a partial match occurs when at least a subset of the elements matches the corresponding values of the firewall input data; and 
Refer to at least Col. 3, Ll. 57-61, TABLE 1.0, Col. 9, Ll. 34-44, Col. 11, Ll. 44-51, and Col. 16, Ll. 5-34 of Parekh with respect to matching conditions to policy rules; partial matching. 
in response to determining that the one or more rules include elements that at least partially match the firewall input data from the header of the data packet: 
[automatically obtaining additional information] that is not included in the firewall input data from the header of the data packet; 
Refer to at least Col. 3, Ll. 30-35 & 47-49, Col. 5, Ll. 40-60, Col. 9, Ll. 34-44, and Col. 16, Ll. 5-34 of Parekh with respect to tiered processing of rules by associated agents, including determining partial rules matches and each tier obtaining progressively more information (typically for higher level protocols).  
performing at least [additional analysis, including at higher protocol layers] on the data packet to determine whether additional information from a payload of the data packet matches the additional elements; and 
Refer to at least Col. 5, Ll. 19-23, Col. 6, Ll. 30-37, Col. 7, Ll. 11-25, and Col. 13, Ll. 1-53 of Parekh with respect to conducting further examination of the packets of the packet stream. 
in response to determining that the firewall input data from the header of the data packet along with the additional information from the payload of the data packet satisfies all elements included in the particular rule, performing an action associated with the particular rule on the data packet, wherein the action is one of: a drop action or a pass action, wherein the pass action causes transmitting  the data packet toward a destination of the data packet.
Refer to at least the abstract, Col. 6, Ll. 43-46, Col. 7, Ll. 25-32, Col. 8, Ll. 11-12, and TABLE 1.0 of Parekh with respect to policy actions which may be taken. 
Parekh does not fully specify: for a hypervisor; determining whether any of the one or more partially matched rules also include additional elements that require additional information; in response to determining that a particular rule, of the one or more partially matched rules, also includes the additional elements that require additional information that  is not included in the firewall input data from the header of the data packet; performing at least partial deep packet inspection (DPI) on the data packet to determine whether additional information obtained from a payload of the data packet from the partial DPI matches the additional elements. However, Parekh in view of Curcio discloses: performing at least partial deep packet inspection (DPI) on the data packet to determine whether additional information obtained from the partial DPI matches the additional elements.
Refer to at least [0012], [0019], and [0024] of Curcio with respect to a deep packet inspection device which performs deep packet inspection on packets which are forwarded based on being tagged as requiring further scrutiny. 
determining whether any of the one or more partially matched rules also include additional elements that require additional information; in response to determining that a particular rule, of the one or more partially matched rules, also includes the additional elements that require additional information that  is not included in the firewall input data from the header of the data packet;
Refer to at least [0012], [0015], [0023], [0029], [0043], [0045], [0054], [0061], and [0064] of Curcio with respect to pre-filtering devices and performing rules matches of portions of a ruleset. It is determined whether rules of interest are matched, and whether additional rulesets can provide further information. Packets are marked for further scrutiny via DPI based on said matching.
Refer to at least [0019] of Curcio with respect to header and payload-based rules for pre-filtering.
Finally, Parekh-Curcio in view of Bansal discloses: for a hypervisor;
Refer to at least [0091] and [0145] of Bansal with respect to a hypervisor and firewall.
The teachings of Parekh and Curcio concern multistage packet analysis, and Parekh also includes mention of further examining said packets. Likewise, Curcio discusses tagging packets based on rules matches. Accordingly, these teachings are considered to be combinable. As well, the teachings of Bansal concern firewall rules and enforcement, and are likewise considered to be within the same field of endeavor and combinable.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Parekh to include additional pre-filtering for determining whether to perform DPI for at least the purpose of increased efficiency (e.g., [0009]-[0010] of Curcio); to further include applicability to hypervisors because the substitution of one known element (e.g., Parekh considers generic agents and modules which may be incorporated into known-in-the-art infrastructure) for another would have yielded predictable results to said one of ordinary skill in the art. 

Regarding claim 2, Parekh-Curcio-Bansal discloses: The method of Claim 1, wherein the firewall input data includes at least Layer 1 and Layer 2 data; wherein the additional information includes at least Layer 7 header data; or at least Layer 7 payload data.
Refer to at least Col. 6, Ll. 47-49, Col. 7, Ll. 11-25, and Col. 13, Ll. 1-53 of Parekh with respect to obtaining packet information, including that of various protocol layers up to that of the Application layer. 
Refer to at least [0013] of Curcio with respect to patterns indicative of, e.g., an application.
Refer to at least [0081] of Bansal with respect to packets associated with layers L1-L7.
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 3, Parekh-Curcio-Bansal discloses: The method of Claim 1, wherein the partial DPI and the a full DPI are performed by a DPI engine; and wherein performing the partial DPI or performing the full DPI comprises generating a decrypted data packet by decrypting the data packet, analyzing Layer 7 data included in the decrypted data packet, and extracting Layer 7 data from the decrypted data packet; 
Refer to at least Col. 5, Ll. 19-21, Col. 7, Ll. 10-25, and FIG. 6 of Parekh with respect to the application decode engine for decoding application layer information in the packets. 
Refer to at least [0012], [0019], and [0024] of Curcio with respect to DPI. 
and wherein performing the full DPI comprises analyzing all fields of the decrypted data packet; wherein the firewall input data includes one or more of: Layer 4 data, or Layer 7 data; wherein the one or more of: Layer 4 data or Layer 7 data is used to generate context data for determining whether the one or more rules apply to the firewall input data; 
wherein the Layer 4 data includes one or more of: a source address, a source port, a destination address, a destination port, or a protocol identifier; wherein the Layer 7 data includes one or more of: a Layer 7 protocol name, or one or more Layer 7 verbs; and wherein the one or more Layer 7 verbs include one or more of: HTTP action verbs, FTP commands, or SQL commands.
Refer to at least TABLE 1.0 and TABLE 2.0 of Parekh with respect to exemplary rules and associated analysis; e.g., extracting frame, header, and data information.
Refer to at least [0012], [0019], and [0024] of Curcio with respect to DPI. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 4, Parekh-Curcio-Bansal discloses: The method of Claim 1, wherein the particular rule, of the one or more rules that at least partially match the firewall input data, includes one or more of: Layer 4-specific data, Layer 7-specific data, or Layer 4-7-specific data.
Refer to at least TABLE 1.0 of Parekh with respect to exemplary rules. 

Regarding claim 5, Parekh-Curcio-Bansal discloses: The method of Claim 1, further comprising: applying the one or more rules to the firewall input data to determine whether the data packet is to be transmitted toward the destination of the data packet.
Refer to at least the abstract, Col. 6, Ll. 43-46, Col. 7, Ll. 25-32, Col. 8, Ll. 11-12, and TABLE 1.0 of Parekh with respect to policy actions which may be taken. 

Regarding claims 6-7, they are rejected for substantially the same reasons as claims 1 and 5 above (i.e., the citations).

Regarding independent claim 8, it is substantially similar to independent claim 1 above, and is therefore likewise rejected.

Regarding claims 9-14, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.

Regarding independent claim 15, it is substantially similar to independent claim 1 above, and is therefore likewise rejected.

Regarding claims 16-20, they are substantially similar to claims 2 and 4-7 above, and are therefore likewise rejected.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/V.S/Examiner, Art Unit 2432