DETAILED ACTION
This Office Action is in response to the communication filed on 07/16/2020. 
Claims 1-20 are pending. 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claims 8 and 19 are objected to because of the following informalities: 
"A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:" as recited in claim 8 should read, for example, "A non-transitory computer readable medium having stored thereon instructions which when executed by a processing circuitry cause the processing circuitry to execute a process, the process comprising:" and "A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:" as recited in claim 19 should read "A non-transitory computer readable medium having stored thereon instructions which when executed by a processing circuitry cause the processing circuitry to execute a process, the process comprising:" because, as recited, the programming lacks a functional relationship with a computer component.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 16-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant, regards as the invention.
Claims 16 and 18-20 recite the limitation "the entity identifier of the sender entity"; however, there is insufficient antecedent basis for this limitation in the claims.
Dependent claims are also rejected for inheriting the deficiencies of the independent claims on which they depend.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-9, and 12-15 are rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317).
Claim 1, Miller teaches: 
A method for identity-based firewall policy evaluation, comprising:
intercepting a packet directed to a recipient entity, wherein the packet is sent by a sender entity; (e.g. figs. 2-7, [0032], "receives a request from the first device 102 for communicating with the second device 104…the second firewall connection table 122 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104" [0039], "receives a request from a first device 102 for communicating with a second device 104. The first firewall 112 includes the first firewall connection table 126 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104…The second firewall 116 includes the second firewall connection table 122 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104")
determining whether the sender entity is permitted to communicate with the recipient entity according to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers and rules for communications among a plurality of entities including the recipient entity, each entity identifier corresponding to a respective entity of the plurality of entities, wherein each entity identifier is unique among the plurality of entity identifiers, wherein the rules for communications among the plurality of entities include a list of a pair of entities which are permitted to communicate with each other; forwarding the packet to the recipient entity when it is determined that the sender entity is permitted to communicate with the recipient entity; and (e.g. figs. 2-7, [0028], "when a communication between the first device 102 and the second device 104, such as a packet, is received by the second firewall 116, the packet is first evaluated by the second firewall connection table 122 to determine if the identity of the first device —the sender—in association with the identity of the second device —the receiver—is mapped in the second firewall connection table 122 to indicate that the first device is enabled for communicating with the second device. When this is true or a match, in some embodiments, the packet is passed to the receiver" [0034], "determines that the identity of the first device 102 is in the second firewall connection table 122 for communicating with the second device 104 and forwards the second packet to the second device 104" [0036], "determines that the identity of the first device 102 is in the second firewall connection table 122 for communicating with the second device 104. Once this is confirmed, the second packet is forwarded directly to the second device 104…the identities of the first device 102 and the second device 104 have been mapped in the second firewall connection table 122")
performing at least one mitigation action when it is determined that the recipient entity is not permitted to communicate with the sender entity. (e.g. figs. 2-7, [0037], "if the second firewall 116 determines that the identity of the first device 102 and the identity of the second device 104 are not mapped in the second firewall connection table 122—no match, the second firewall 116 forwards the second packet to the second firewall filter table 124 and the second firewall filter table 124 evaluates the second packet…When there is a closed port in the second firewall 116, the second packet is denied transmission and the second packet may be dropped")
Miller does not appear to explicitly teach but Jain teaches: 
a list of pairs of entities which are permitted to communicate with each other. (e.g. [0033]-[0037], "A service may have multiple communication groups, and each communication group may be defined as a communication group of virtual machines, servers, or other services (e.g., specified as a virtual IP address (VIP)) within that service that are allowed to communicate with each other…A communication group may contain as few as one pair of trusted virtual machines/services that are allowed to communicate with each other, providing a concept of trusted pairs. The pairing may be a set of virtual machines paired with a set of trusted services…Although communication groups apply to virtual machines and/or virtual machine applications, communication groups may apply to other sources and destinations. For example, communication groups may comprise storage/compute nodes of an application/service, nodes across different applications/services that are allowed to communicate with one another, and so forth")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Jain into the invention of Miller, and the motivation for such an implementation would be for the purpose of protecting networks from inadvertent or malicious attacks, and reducing bandwidth costs (Jain [0017]).
Claim 4, Miller-Jain combination teaches:
wherein the firewall policy further indicates permissible communication circumstances for each pair of entities that are permitted to communicate with each other, further comprising: determining whether the packet violates the firewall policy based on the permissible communication circumstances; and performing at least one mitigation action when it is determined that the packet violates the firewall policy based on the permissible communication circumstances. (e.g. Miller figs. 2-7, [0028], [0034], [0036]-[0037]; Jain [0033]-[0037])
Claim 5, Miller-Jain combination teaches:
wherein the rules for communicating among the plurality of entities includes at least one port via which the recipient entity and the sender entity are permitted to communicate. (e.g. Miller figs. 2-7, [0028]-[0029], [0032], [0037])
Claim 6, Miller-Jain combination teaches:
wherein the at least one mitigation action includes at least one of: rejecting the packet, terminating communications with a sender of the packet, and reconfiguring a load balancer to cease forwarding packets from a sender of the packet to the recipient entity. (e.g. Miller figs. 2-7, [0037]; Jain [0055], [0062], [0068])
Claim 7, Miller-Jain combination teaches:
resolving the packet against a cache to determine an Internet Protocol (IP) address of the sender entity, the cache including results of a plurality of Domain Name Service entries of historical entities that communicated with the recipient entity, wherein the firewall policy defines a whitelist of IP addresses, wherein it is determined that the sender entity is not permitted to communicate with the recipient entity when the IP address of the sender entity is not among the whitelist of IP addresses. (e.g. Miller figs. 2-7, [0024], [0032], [0042]-[0043], [0046]; Jain [0018], [0029], [0031], [0033])
Claim 8, this claim is directed to a medium containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 9, this claim is directed to a system containing similar limitations as recited in claim 1 and is rejected using the same rationale to combine the references.
Claim 12, this claim is directed to a system containing similar limitations as recited in claim 4 and is rejected using the same rationale to combine the references.
Claim 13, this claim is directed to a system containing similar limitations as recited in claim 5 and is rejected using the same rationale to combine the references.
Claim 14, this claim is directed to a system containing similar limitations as recited in claim 6 and is rejected using the same rationale to combine the references.
Claim 15, this claim is directed to a system containing similar limitations as recited in claim 7 and is rejected using the same rationale to combine the references.
Claims 2 and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317) further in view of Carney et al. (US 2012/0069845).
Claim 2, the Miller-Jain combination teaches determining that the sender entity is not permitted to communicate with the recipient entity, and determining whether the sender entity is permitted to communicate with the recipient entity (see above), and does not appear to explicitly teach, but Carney teaches: 
determining whether a packet includes extension fields, wherein it is determined that a sender entity is not permitted to communicate with a recipient entity when the packet does not include extension fields, wherein whether the sender entity is permitted to communicate with the recipient entity is determined based on the extension fields when the packet includes extension fields. (e.g. figs. 7-9, [0052], [0055], [0058])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Carney into the invention of Miller-Jain combination, and the motivation for such an implementation would be for the purpose of sanitizing the bad packet to prevent the packet from accessing a secure network, destroying and/or damaging files, stealing information, creating security holes, spreading computer viruses and/or malware (Carney [0064]).
Claim 10, this claim is directed to a system containing similar limitations as recited in claim 2 and is rejected using the same rationale to combine the references.
Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317) further in view of Golubchik et al. (US 2002/0032865).
Claim 3, Miller-Jain combination teaches the intercepted packet, determining whether the sender entity is permitted to communicate with the recipient entity, wherein it is determined that the sender entity is permitted to communicate with the recipient entity, and wherein it is determined that the sender entity is not permitted to communicate with the recipient entity (see above) and does not appear to explicitly teach but Golubchik teaches: 
a message authenticator and an entity identifier of a sender entity, wherein the message authenticator is computed based on the entity identifier of the sender entity and a current time relative to an epoch of the sender entity, computing a value based on the entity identifier and a current time relative to an epoch of the recipient entity; and comparing the computed value to the message authenticator, wherein it is determined that the sender entity is permitted to communicate with the recipient entity when the computed value matches the message authenticator, wherein it is determined that the sender entity is not permitted to communicate with the recipient entity when the computed value does not match the message authenticator. (e.g. [0043], [0068])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Golubchik into the invention of Miller-Jain combination, and the motivation for such an implementation would be for the purpose of allowing many clients to send data intended for a common destination server at about the same time without overloading the common destination server and its link to the Internet or similar network (Golubchik [0002]).
Claim 11, this claim is directed to a system containing similar limitations as recited in claim 3 and is rejected using the same rationale to combine the references.
Claims 16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317) further in view of Hayes (US 2010/0031024).
Claim 16, Miller teaches:
A method for encoding entity identifiers for use in identity-based firewall policy evaluation, comprising:
intercepting a packet sent by a sender entity to a recipient entity, wherein the sender entity and the recipient entity are subject to a firewall policy, wherein the firewall policy indicates a plurality of entity identifiers and rules for communications among a plurality of entities including the sender entity and the recipient entity, each entity identifier corresponding to a respective entity of the plurality of entities, wherein each entity identifier is unique among the plurality of entity identifiers, wherein the rules for communications among the plurality of entities include a list of a pair of entities which are permitted to communicate with each other; (e.g. figs. 2-7, [0028], "when a communication between the first device 102 and the second device 104, such as a packet, is received by the second firewall 116, the packet is first evaluated by the second firewall connection table 122 to determine if the identity of the first device —the sender—in association with the identity of the second device —the receiver—is mapped in the second firewall connection table 122 to indicate that the first device is enabled for communicating with the second device. When this is true or a match, in some embodiments, the packet is passed to the receiver" [0032], "receives a request from the first device 102 for communicating with the second device 104…the second firewall connection table 122 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104" [0034], "determines that the identity of the first device 102 is in the second firewall connection table 122 for communicating with the second device 104 and forwards the second packet to the second device 104" [0036], "determines that the identity of the first device 102 is in the second firewall connection table 122 for communicating with the second device 104. Once this is confirmed, the second packet is forwarded directly to the second device 104…the identities of the first device 102 and the second device 104 have been mapped in the second firewall connection table 122" [0039], "receives a request from a first device 102 for communicating with a second device 104. The first firewall 112 includes the first firewall connection table 126 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104…The second firewall 116 includes the second firewall connection table 122 configured to map an identity of the first device 102 and an identity of the second device 104 for transmitting a plurality of packets between the first device 102 and the second device 104")
Miller does not appear to explicitly teach but Jain teaches: 
a list of pairs of entities which are permitted to communicate with each other. (e.g. [0033]-[0037], "A service may have multiple communication groups, and each communication group may be defined as a communication group of virtual machines, servers, or other services (e.g., specified as a virtual IP address (VIP)) within that service that are allowed to communicate with each other…A communication group may contain as few as one pair of trusted virtual machines/services that are allowed to communicate with each other, providing a concept of trusted pairs. The pairing may be a set of virtual machines paired with a set of trusted services…Although communication groups apply to virtual machines and/or virtual machine applications, communication groups may apply to other sources and destinations. For example, communication groups may comprise storage/compute nodes of an application/service, nodes across different applications/services that are allowed to communicate with one another, and so forth")
a packet including a header, and adding a signature to the header of the packet. (e.g. [0057], "adds the identifier and checksum to the packet header")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Jain into the invention of Miller, and the motivation for such an implementation would be for the purpose of protecting networks from inadvertent or malicious attacks, and reducing bandwidth costs (Jain [0017]).
Miller-Jain combination teaches a signature and the entity identifier of the sender entity (see above) and does not appear to explicitly teach but Hayes teaches:
computing a signature based on an entity identifier of a sender entity. (e.g. figs. 2-3, [0033], "The cryptographic check sum is an encrypted hash or digital signature. This digital signature ensures that the data or information to which it is affixed has not been modified since it was transmitted. In this case, the integrity of the first three items of the first certificate; namely, the identification of the sender, the identification of the certificate authority and the sender's first public key, is what is to be ensured by the digital signature" Claim 27, "generate the first digital signature by applying a second hashing function to data representing the identification of the sender…")
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Hayes into the invention of Miller-Jain combination, and the motivation for such an implementation would be for the purpose of performing real-time authentication of data by applying a digital signature, without requiring a tremendous amount of time or computing power, while at the same time providing a high degree of security and ease of implementation (Hayes [0016]).
Claim 19, this claim is directed to a medium containing similar limitations as recited in claim 16 and is rejected using the same rationale to combine the references.
Claim 20, this claim is directed to a system containing similar limitations as recited in claim 16 and is rejected using the same rationale to combine the references.
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317) in view of Hayes (US 2010/0031024) further in view of Golubchik et al. (US 2002/0032865).
Claim 17, Miller-Jain-Hayes combination teaches the signature, the sender entity, the recipient entity (see above) and does not appear to explicitly teach but Golubchik teaches: 
determined based further on a current time relative to an epoch of a sender entity, wherein the sender entity and a recipient entity are synchronized such that the epoch of the sender entity is the same as an epoch of the recipient entity. (e.g. [0043], [0068])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Golubchik into the invention of Miller-Jain-Hayes combination, and the motivation for such an implementation would be for the purpose of allowing many clients to send data intended for a common destination server at about the same time without overloading the common destination server and its link to the Internet or similar network (Golubchik [0002]).
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Miller et al. (US 2020/0389437) in view of Jain (US 2015/0007317) in view of Hayes (US 2010/0031024) in view of Golubchik et al. (US 2002/0032865) further in view of Huh et al. (US 2008/0022105).
Claim 18, Miller-Jain-Hayes-Golubchik combination teaches wherein determining the signature further comprises: computing a message authenticator based on the entity identifier of the sender entity and the current time relative to the epoch of the sender entity, the computed message authenticator, the determined signature (e.g. Golubchik [0043], [0068]) and does not appear to explicitly teach but Huh teaches:
removing all but a predetermined number of bits of a computed message authenticator to create a reduced message authenticator, wherein a determined signature includes the reduced message authenticator. (e.g. [0011])
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings described by Huh into the invention of Miller-Jain-Hayes-Golubchik combination, and the motivation for such an implementation would be for the purpose of reducing the time taken and the number of computations required to generate a digital signature and reducing the load of a digital signature generator (Huh [0003], [0017]-[0018]).
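For the reader who wants to see the mechanism the rejected claims describe in working form, the following is an added illustration written for this page; it is not code from the application, the Office Action, or any of the cited references (Miller, Jain, Hayes, Golubchik, Huh). It covers the policy check of claim 1 (unique entity identifiers and a list of permitted pairs) and the authenticator of claims 3, 17, and 18 (a value computed from the sender's entity identifier and the current time relative to a shared epoch, compared on the recipient side, and truncated to a predetermined number of bits). The claims do not specify the keyed function, the time step, the truncation length, or the clock-skew window; HMAC-SHA256 over per-entity shared secrets, a 30-second step, a 64-bit tag, a one-step skew window, and the entity names are all assumptions of this example.

```python
"""Identity-based firewall policy check with an epoch-relative message
authenticator.  Added example; all keys, names and parameters are assumed."""
import hashlib
import hmac
import struct

# Assumption: every entity shares a secret with the firewall (constructed keys).
ENTITY_KEYS = {
    "svc-web":  b"\x11" * 32,
    "svc-auth": b"\x22" * 32,
    "svc-db":   b"\x33" * 32,
}
# Policy: list of (sender, recipient) pairs permitted to communicate.
PERMITTED_PAIRS = {("svc-web", "svc-auth"), ("svc-auth", "svc-db")}

EPOCH = 1_700_000_000   # assumed epoch shared by sender and recipient (seconds)
STEP = 30               # assumed time step; both sides must agree on it
TAG_BITS = 64           # assumed truncation: keep only this many bits of the MAC


def message_authenticator(sender_id: str, t_now: int, key: bytes,
                          tag_bits: int = TAG_BITS) -> bytes:
    """MAC over (entity identifier, time step since epoch), truncated."""
    counter = (t_now - EPOCH) // STEP
    msg = sender_id.encode() + struct.pack(">Q", counter)
    full = hmac.new(key, msg, hashlib.sha256).digest()
    return full[: tag_bits // 8]          # reduced authenticator (claim 18)


def build_packet(sender_id: str, recipient_id: str, payload: bytes,
                 t_now: int) -> dict:
    """Sender side: attach its identifier and the authenticator to the header."""
    tag = message_authenticator(sender_id, t_now, ENTITY_KEYS[sender_id])
    return {"src": sender_id, "dst": recipient_id, "tag": tag, "payload": payload}


def evaluate(packet: dict, t_now: int, skew_steps: int = 1) -> tuple:
    """Firewall side.  Returns ("forward", reason) or ("drop", reason).

    Order matters: the cheap policy lookup runs before any MAC work, so an
    unknown or unpaired sender never costs a hash computation."""
    src, dst = packet["src"], packet["dst"]
    if src not in ENTITY_KEYS or dst not in ENTITY_KEYS:
        return "drop", "unknown entity identifier"
    if (src, dst) not in PERMITTED_PAIRS:
        return "drop", "pair not permitted by policy"
    key = ENTITY_KEYS[src]
    # Recompute the value for the recipient's current time, tolerating a small
    # clock skew by also trying the neighbouring time steps.
    for step in range(-skew_steps, skew_steps + 1):
        expected = message_authenticator(src, t_now + step * STEP, key)
        if hmac.compare_digest(expected, packet["tag"]):
            return "forward", "authenticator matched"
    return "drop", "authenticator mismatch"


if __name__ == "__main__":
    now = EPOCH + 1000
    pkt = build_packet("svc-web", "svc-auth", b"GET /token", now)
    print(evaluate(pkt, now))                       # forwarded
    print(evaluate(pkt, now + 10 * STEP))           # stale: dropped
    print(evaluate(build_packet("svc-web", "svc-db", b"x", now), now))  # no pair
```

The mismatch branch is where the identity claim in the header is actually enforced: a packet that names a permitted sender but was built without that sender's key, or one replayed after the skew window has passed, fails the comparison and is dropped, which is the mitigation action of claim 1 for the not-permitted case.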
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: US 2013/0097600 discloses an approach in which a local module receives a data frame initiated by a first virtual machine and having a target destination at a second virtual machine, which executes on a destination host system. The local module identifies a local port ID and a destination global queue pair number corresponding to the second virtual machine. The local module includes the destination global queue pair number and the destination local port ID in an overlay header and encapsulates the data frame with the overlay header, which results in an encapsulated frame. In turn, the local module sends the encapsulated frame through a computer network to the second virtual machine.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMIE C LIN whose telephone number is (571)272-7752. The examiner can normally be reached M-F 9:00AM -5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AMIE C. LIN/Primary Examiner, Art Unit 2436