DETAILED ACTION
Amendments submitted on July 18, 2022 for Application No. 16/806794 are presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on July 18, 2022 has been entered.
 
Response to Arguments
Applicant’s arguments filed March 28, 2022 have been considered but they are not persuasive. In the remarks applicant argues:
I)	On page 7, Applicant argues that the previous Claim Objections and 35 USC 112 Rejections should be withdrawn.
Applicant’s amendment has overcome some of these previous issues and they have been withdrawn.

II)	On page 7, Applicant argues that the cited prior art does not teach the current claim amendments.
Applicant’s arguments are considered moot based on the new grounds of rejection set forth below.

Claim Objections
Claim 3 is objected to because of the following informalities:
Claim 3 recites “the at least one ingress parameter or one egress parameter”, which should be “the at least one ingress parameter or egress parameter” as defined in independent claims 1, 8, and 15. Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-4, 7-11, 14-17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over NPL “Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments” hereinafter referred to as Sandeep in view of Chen (US 2008/0310440).

As per claims 1, 8, and 15, Sandeep discloses A non-transitory computer readable medium comprising computer-readable instructions stored thereon, which when executed by one or more processors, cause the one or more processors to perform operations comprising: 
establish a plurality of targets for a network, each of the plurality of targets including: 
at least one of an ingress parameter or an egress parameter, and a policy for network packets (Sandeep, Table 1 and Section 3.3, teaches a set of flow rules/policies including source, destination, and an action. Sandeep, Section 3.2 and 3.4, also teaches using ingress and egress parameters.); 
receive at least one network packet on the network (Sandeep, Table 1 and Section 3.4, teaches receiving an ingress packet, matching the packet parameters to a flow rule in the table, and performing the associated instruction such as forward, drop, etc…); 
identify at least two matching targets from the plurality of targets, the at least two matching targets comprising parameters that match the at least one network packet, each of the matching targets containing at least one policy (Sandeep, Table 1 and Section 3.4, teaches receiving an ingress packet, matching the packet parameters to a flow rule in the table, and performing the associated instruction such as forward, drop, etc… Sandeep, Section 3.5, also discusses the idea of having multiple matches and teaches that normally when there are multiple matches that the rule with the highest priority is executed.); 
apply at least one of the policies from … at least [one] matching target to the at least one network packet … (Sandeep, Table 1 and Section 3.4, teaches receiving an ingress packet, matching the packet parameters to a flow rule in the table, and performing the associated instruction such as forward, drop, etc… Sandeep, Section 3.5, also discusses the idea of having multiple matches and teaches that normally when there are multiple matches that the rule with the highest priority is executed. Sandeep, Section 3.3, also teaches that a rule can modify the source or destination address to send the packet to a specific device.); and 
forward the at least one network packet in accordance with the applied [policy] (Sandeep, Table 1 and Section 3.4, teaches receiving an ingress packet, matching the packet parameters to a flow rule in the table, and performing the associated instruction such as forward, drop, etc… Sandeep, Section 3.3, also teaches that a rule can modify the source or destination address to send the packet to a specific device.)  
Sandeep, Section 3.5, teaches that normally when there are multiple matches that the rule with the highest priority is executed. Sandeep also teaches that when there are policy conflicts that policies can be combined, modified or deleted to resolve those conflicts. However, Sandeep does not specifically teach applying a policy from each of the at least two matching targets.
Chen discloses identify at least two matching targets from the plurality of targets, the at least two matching targets comprising parameters that match the at least one network packet, each of the matching targets containing at least one policy; apply at least one of the policies from each of the at least two matching targets to the at least one network packet …; and forward the at least one network packet in accordance with the applied policies (Chen, paragraphs 21-23, teaches having multiple match engines. One match engine compares the content of the packet to security rules as in paragraph 22. Another match engine compares the header of the packet to security rules as in paragraph 23. Chen, paragraph 21, specifically recites “a plurality of match engines that can apply the security rules to the data packet simultaneously. Each of the match engines practices one rule matching the data packet”. Therefore, Chen teaches applying a separate rule based on the header of the packet and a separate rule based on the content of the packet.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Chen with the teachings of Sandeep. Sandeep teaches applying a single policy when there are conflicts or creating a new set of flow rules by combining, modifying, or deleting rules to resolve conflicts. Chen teaches detecting multiple matching rules and executing both of the rules/policies. Therefore, it would have been obvious to have improved the invention of Sandeep by adding the teachings of Chen to allow more granular control over what rules are applied to the incoming packets.
Sandeep in view of Chen discloses applying the rules “simultaneously” and does not specifically teach applying the policies “in a defined sequence”. However, performing the policies “in a defined sequence” would have been “obvious to try”. Chen teaches applying multiple rules, such as a content based rule and a header based rule, simultaneously. As both rules are being applied, it would have been obvious to either 1) apply the rules at the same time as shown by Chen, or 2) apply the rules one after the other in sequence. Therefore, it would have been obvious to apply the policies “in a defined sequence” because “a person of ordinary skill has good reason to pursue the known options within his or her technical grasp. If this leads to the anticipated success, it is likely the product not of innovation but of ordinary skill and common sense”.

As per claims 2 and 9, Sandeep in view of Chen discloses wherein the at least one ingress parameter or egress parameter is one of a virtual private network, a user policy group, a device policy group, or a wild card, wherein a wild card matches any network packet (Sandeep, Table 1 and Section 3.4, teaches wild card parameters. Sandeep, Section 3.1, also teaches the use of a VPN and how the flow rules need to take that into consideration.) 

As per claims 3 and 10, Sandeep in view of Chen discloses wherein the at least one ingress parameter or one egress parameter is a range of parameters (Sandeep, Table 1, shows a range of source and destination IP addresses such as 10.5.50.0/24 which is a range of 10.5.50.0 - 10.5.50.24.)
 
As per claims 4, 11, and 17, Sandeep in view of Chen discloses receive specification of the at least one target from a user (Sandeep, Sections 3.7.1 and 3.7.2, teaches that the rules are designed by administrators which are users.) 

As per claims 7, 14, and 20, Sandeep in view of Chen discloses search sequentially for the at least two matching targets from the plurality of targets (Sandeep, Section 3.5, teaches that normally when there are multiple matches that the rule with the highest priority is executed. Sandeep, Section 3.4, also teaches searching the flow table for matching entries and the associated instruction is executed. This instruction may direct the packet to another flow table to check for additional matches. Chen, paragraphs 21-23, teaches storing the rules sequentially and searching through the rules to find matches with the packets. Chen, paragraph 22, recites “the content match engine applies the security rules to the data packet in the sequential order according to the priorities of the security rules”.)

As per claim 16, Sandeep in view of Chen discloses wherein the at least one ingress parameter or egress parameter is one of a virtual private network, a user policy group, a device policy group, or a wild card, wherein a wild card matches any network packet (Sandeep, Table 1 and Section 3.4, teaches wild card parameters. Sandeep, Section 3.1, also teaches the use of a VPN and how the flow rules need to take that into consideration.), or
wherein the at least one ingress parameter or egress parameter is a range of parameters (Sandeep, Table 1, shows a range of source and destination IP addresses such as 10.5.50.0/24 which is a range of 10.5.50.0 - 10.5.50.24.)

Allowable Subject Matter
Claims 6, 13, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “wherein the defined sequence moves from a highest-level ingress parameter matching target policy to a lowest-level ingress parameter matching target policy to a lowest-level egress parameter matching target policy to a highest-level egress parameter matching target policy”. The closest prior art of record includes:
Sandeep (NPL “Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments”) – teaches executing rules based on the priority. Sandeep, Sections 3.5 and 4.1.3, also teaches that the rules can be subsets or supersets of other rules.
Chen (US 2008/0310440) – teaches executing multiple matched policies on the same packet.
Caldwell (US 2017/0201537) – teaches executing the policies in a specific sequence, but also states “the rules and policies may be applied in other sequences”.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.

Related Prior Art
The prior art made of record and not relied upon, but considered pertinent to applicant's disclosure, includes:
Huang (US 2018/0115470) – appears to be a patent application similar to the Sandeep reference.
Kunz (US 2020/0351211) – teaches executing a sequence of flow tables in order.
Sata (US 2013/0188489) – teaches comparing an incoming packet to a flow table to determine how to process the packet.
Nguyen (US 2014/0052836) – teaches matching multiple rules to a flow and executing the rules in order based on priority.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/John B King/
Primary Examiner, Art Unit 2498