DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendments
	This office action responds to the amendments filed on May 9, 2022 for application 16/815,881.  Claims 1, 4, 6, 12-14, 16, and 18-19 were amended, and claim 21 was added as a new claim.  Claims 1, 4, 6, 8, 10-19, and 21 remain pending in the application.
Response to Arguments
	The Examiner has fully considered the Applicant’s arguments filed on May 9, 2022 and the Examiner responds as provided below.
	Regarding the Applicant’s response at pages 8-9 of the Remarks that concerns the § 112(b) rejection of claims 13 and 14, the amendments to the claims adequately address the issue and the rejection is withdrawn.
Regarding the Applicant’s response at pages 8-10 of the Remarks that concerns the § 103 rejection of the pending claims, the Applicant’s arguments are persuasive in consideration of the claim amendments that incorporated the identified allowable subject matter of dependent claims 6 and 7 into the rejected independent claims 1 and 19 and the new independent claim 21.  The Applicant’s arguments are moot, however, to the extent the arguments relate to the limitation within the Examiner’s Amendment as presented below.
Regarding the double patenting rejection presented at p. 2-6 of the Office Action of January 28, 2021, the Applicant at p. 7 of the Reply of April 27, 2021 requested that “the rejections be held in abeyance until patentable subject matter is identified.”  After review of the allowable claims and US 10,601,874 in view of Koponen US 2015/0009796, the double patenting rejection is withdrawn.  
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Paul Durdik (Reg. No. 37,819) on June 10, 2022.
The claims have been amended as follows:
1. (Currently amended) A system comprising: 
a first rule engine provided in a hypervisor; 
a second rule engine provided in a network interface device, 
wherein the first and second rule engines are configured to: 
receive data flows, said data flows being between the network and an application; and 
determine data flow information of said data flows and, in dependence on said data flow information, perform actions with respect to said data flows; and 
a plurality of controllers, each of said controllers being configured to: provide, via secure communications, control information to the first and second rule engines to define one or more actions performable with respect to said data flows, 
wherein the first and second rule engines are configured to: 
provide, via secure communications, state information relating to at least some of the received data flows to one or more of the plurality of controllers, 
wherein one or more of the plurality of controllers are configured to share the state information received with others of the plurality of controllers, wherein the one or more of the plurality of controllers are configured to use different keys to communicate with different ones of the others of the plurality of controllers, 
wherein each of said controllers receives, from a trusted repository, a list of public keys for communicating with at least one of the first and second rule engines, wherein the first and second rule engines are configured to receive, from the trusted repository, public keys for communicating with one of the plurality of controllers, 
wherein said first and second rule engines comprise hardware, one or more programmable hardware processors, or a combination of both, 
wherein said plurality of controllers each comprise hardware, one or more programmable hardware processors, or a combination of both.
19. (Currently amended) A server apparatus comprising: 
a controller configured to provide, via secure communications, control information to a first rule engine in a hypervisor, and a second rule engine in a network interface device to define one or more actions performable with respect to data flows received at the first and second rule engines, the first and second rule engines being configured to receive the data flows between a network and an application and to perform the one or more actions with respect to the data flows, 
wherein said controller is configured to: 
receive, via secure communications, state information from at least of the first and second rule engines; and 
share the received state information with one or more others of a plurality of controllers, 
wherein said controller receives, from a trusted repository, a list of public keys for communicating with at least one of the first and second rule engines, wherein the first and second rule engines are configured to receive, from the trusted repository, public keys for communicating with one of the plurality of controllers, 
wherein the controller is configured to use different keys to communicate with different ones of the plurality of controllers, 
wherein the state information relates to at least some of the data flows received, 
wherein said controller comprises hardware, one or more programmable hardware processors, or a combination of both.
21. (Currently Amended) A system comprising: 
a first rule engine provided in a hypervisor; 
a second rule engine provided in a network interface device, 
wherein the first and second rule engines are configured to: 
receive data flows, said data flows being between the network and an application; and 
determine data flow information of said data flows and, in dependence on said data flow information, perform actions with respect to said data flows; and 
a plurality of controllers, each of said controllers being configured to: provide, via secure communications, control information to the first and second rule engines to define one or more actions performable with respect to said data flows, 
wherein the first and second rule engines are configured to: 
provide, via secure communications, state information relating to at least some of the received data flows to one or more of the plurality of controllers,
wherein one or more of the plurality of controllers are configured to share the state information received with others of the plurality of controllers, wherein the one or more of the plurality of controllers are configured to use different keys to communicate with different ones of the others of the plurality of controllers, 
wherein each of said controllers receives a list of public keys including a digital signature for communicating with at least one of the first and second rule engines, wherein each of said controllers is programmed securely with a key from the list of public keys required to verify the digital signature, 
wherein said first and second rule engines comprise hardware, one or more programmable hardware processors, or a combination of both, 
wherein said plurality of controllers each comprise hardware, one or more programmable hardware processors, or a combination of both.
Allowable Subject Matter
Claims 1, 4, 6, 8, 10-19, and 21 are allowed.
The following is the Examiner’s statement of reasons for allowance.  The closest prior-art references identified by the Examiner are 1) “Koponen” (US 2015/0009796), 2) “Yung” (US 7,778,194), 3) “Sood” (US 2016/0127333), 4) “He” (US 2010/0037311), 5) “Zhou” (US 2016/0156591), 6) “Tuomenoksa” (US 2002/0091859), and 7) “Raman” (US 2015/0281178).
1) Koponen discloses a software-defined network with a plurality of managed forwarding elements (MFEs) associated with virtual machines; the MFEs collect statistics concerning state information that is forwarded to controllers and then shared amongst other controllers in different domains.
2) Yung discloses a method of classifying data flows to determine data flow information and relies upon secure communication by the use of SSL.
3) Sood discloses a virtualized network that relies upon different cryptographic keys to implement secure communication between various virtual network functions (VNF) and VNF components.
4) He discloses a star-connected network where an SSL server maintains a list of public keys for client nodes.
5) Zhou discloses a software-defined system that comprises a context-aware distributed firewall scheme with firewall or rule engines tasked to provide firewall protection, wherein the virtualized component of the system is implemented via a hypervisor.
6) Tuomenoksa discloses a network with various gateways where a partner list of the gateways is stored in a network operations center.
7) Raman discloses a virtualized network with firewall service virtual machines where state information can be received and updated between various firewall engines of different hosts.
What is missing from the prior art is a system with the following characteristics.  The system comprises a first rule engine that is provided in a hypervisor, and a second rule engine, located between a network and an application, that is provided in a network interface device.  The first and second rule engines comprise hardware, one or more programmable hardware processors, or a combination of both. The first and second rule engines are configured to receive data flows between the network and the application and determine data flow information.  In dependence on the data flow information, the first and second rule engines perform actions with respect to said data flows.  A plurality of controllers comprise hardware, one or more programmable hardware processors, or a combination of both, and the first and second rule engines are each configured to communicate with at least one of the controllers.  Each of the controllers is configured to provide, via secure communications, control information to the first and second rule engines to define one or more actions performable with respect to said data flows.  The first and second rule engines are additionally configured to provide, via secure communications, state information related to at least some of the received data flows to one or more of the plurality of controllers, and one or more of the plurality of controllers are additionally configured to share the state information received with other controllers.  The one or more of the plurality of controllers use different keys to communicate with different ones of the others of the plurality of controllers, and each of the controllers receives a list of public keys for communicating with at least some of the rule engines.  
The list of public keys is received from a trusted repository or includes a digital signature, wherein each of the first and second rule engines are configured to receive public keys for communicating with one of the plurality of controllers from the trusted repository or each of the controllers is programmed securely with a key from the list of public keys that are required to verify the digital signature.
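The key-distribution arrangement summarized above (a trusted repository issuing a list of rule-engine public keys, each controller holding a securely provisioned key with which it verifies the list's digital signature, and an unverified list being rejected) is illustrated by the following added example. It is not the applicant's implementation or any code from the application or the cited references; the Ed25519 signature scheme, the JSON list format, the type and function names, and the rule-engine names "hypervisor-rule-engine" and "nic-rule-engine" are all assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyListEntry names one rule engine and carries the public key a controller
// should use for it. The field layout is a constructed, hypothetical format.
type KeyListEntry struct {
	RuleEngine string `json:"rule_engine"`
	PublicKey  []byte `json:"public_key"`
}

// SignedKeyList is the list of entries plus the trusted repository's Ed25519
// signature over the JSON encoding of those entries.
type SignedKeyList struct {
	Entries   []KeyListEntry
	Signature []byte
}

// TrustedRepository holds the list-signing key; only its public half is
// ever handed to controllers.
type TrustedRepository struct {
	signKey ed25519.PrivateKey
}

// NewTrustedRepository generates a fresh signing key for the repository.
func NewTrustedRepository() (*TrustedRepository, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedRepository{signKey: priv}, nil
}

// VerificationKey is the key a controller is provisioned with ahead of time
// so it can check the signature on any list it later receives.
func (r *TrustedRepository) VerificationKey() ed25519.PublicKey {
	return r.signKey.Public().(ed25519.PublicKey)
}

// encodeEntries yields the exact byte string that is signed and verified.
func encodeEntries(entries []KeyListEntry) ([]byte, error) {
	return json.Marshal(entries)
}

// PublishKeyList signs the entries so that any change made in transit is
// detectable by a controller holding VerificationKey().
func (r *TrustedRepository) PublishKeyList(entries []KeyListEntry) (SignedKeyList, error) {
	msg, err := encodeEntries(entries)
	if err != nil {
		return SignedKeyList{}, err
	}
	return SignedKeyList{Entries: entries, Signature: ed25519.Sign(r.signKey, msg)}, nil
}

// NewRuleEngineKey stands in for a rule engine generating its own key pair;
// only the public half goes into the repository's list.
func NewRuleEngineKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ErrBadSignature means the list was not signed by the provisioned repository
// key; the controller installs none of its entries in that case.
var ErrBadSignature = errors.New("key list signature does not verify against provisioned repository key")

// Controller keeps one verified public key per rule engine it talks to.
type Controller struct {
	Name           string
	repoVerifyKey  ed25519.PublicKey
	ruleEngineKeys map[string]ed25519.PublicKey
}

func NewController(name string, repoVerifyKey ed25519.PublicKey) *Controller {
	return &Controller{Name: name, repoVerifyKey: repoVerifyKey, ruleEngineKeys: map[string]ed25519.PublicKey{}}
}

// ImportKeyList accepts a list only when its signature verifies, so a
// modified or unsigned list cannot substitute an attacker-chosen key.
func (c *Controller) ImportKeyList(list SignedKeyList) error {
	msg, err := encodeEntries(list.Entries)
	if err != nil {
		return err
	}
	if !ed25519.Verify(c.repoVerifyKey, msg, list.Signature) {
		return ErrBadSignature
	}
	for _, e := range list.Entries {
		c.ruleEngineKeys[e.RuleEngine] = ed25519.PublicKey(e.PublicKey)
	}
	return nil
}

// KeyFor returns the verified public key for the named rule engine, if any.
func (c *Controller) KeyFor(engine string) (ed25519.PublicKey, bool) {
	k, ok := c.ruleEngineKeys[engine]
	return k, ok
}

func main() {
	repo, err := NewTrustedRepository()
	if err != nil {
		panic(err)
	}
	hvPub, _, _ := NewRuleEngineKey()
	nicPub, _, _ := NewRuleEngineKey()
	list, _ := repo.PublishKeyList([]KeyListEntry{
		{RuleEngine: "hypervisor-rule-engine", PublicKey: hvPub},
		{RuleEngine: "nic-rule-engine", PublicKey: nicPub},
	})
	ctrl := NewController("controller-A", repo.VerificationKey())
	fmt.Println("genuine list accepted:", ctrl.ImportKeyList(list) == nil)

	// Constructed tampering: replace the NIC rule engine's key without re-signing.
	rogue, _, _ := NewRuleEngineKey()
	tampered := SignedKeyList{Entries: append([]KeyListEntry(nil), list.Entries...), Signature: list.Signature}
	tampered.Entries[1].PublicKey = rogue
	fmt.Println("tampered list rejected:", errors.Is(ctrl.ImportKeyList(tampered), ErrBadSignature))
}
```

The design point the example makes is that the security of the list rests on the one verification key each controller is provisioned with out of band; a controller provisioned with some other key, or a list whose entries were altered after signing, is rejected before any rule-engine key is installed.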
Accordingly, the prior art of record, when taken individually or in combination, fails to teach or suggest the subject matter recited in independent claims 1, 19, and 21.  Therefore, claims 1, 19, and 21 are deemed allowable over the prior art of record.  The dependent claims that further limit the independent claims are allowable by virtue of their dependency.
Any comments considered necessary by Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to D'ARCY WINSTON STRAUB whose telephone number is (303)297-4405. The examiner can normally be reached Monday-Friday 9:00-5:00 Mountain Time.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR B PATEL can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/D'Arcy Winston Straub/Examiner, Art Unit 2491
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491