Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 21-40 have been examined.
Claims 1-20 are Cancelled. 

Drawings
2.	The drawings filed on 09/20/2021 are acceptable for examination proceedings.
Specification
3.	The specification filed on 09/20/2021 is acceptable for examination proceedings.

Information Disclosure Statement
4.	The information disclosure statement (IDS) submitted on 11/30/2021 has been received and is being considered by the examiner.

Priority
5.	Application 17479336, filed 09/20/2021, is a continuation of 16183125, filed 11/07/2018, now U.S. Patent #11128602, and having 1 RCE-type filing therein. Therefore, the effective filing date for the subject matter defined in the pending claims of this application is 11/07/2018.

Internet Communications
6. 	Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439,
http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form, since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Claim comparison: US Patent 11,128,125 and Instant Application No. 17/479,336. Each claim of the patent is listed first and is immediately followed by the corresponding claim of the instant application.
1. A method for filtering data packets at a firewall system comprising: receiving a data packet that is transmitted over a public network, the data packet having a plurality of fields at a data packet system; determining whether a precondition evaluates to true for one or more of the plurality of fields, where an action is associated the precondition; performing the action associated with the precondition on the data packet if it is determined that the precondition exists for one or more of the plurality of fields; processing the data packet using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields; identifying a user associated with the data packet; determining whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user by comparing one or more data fields from the data packet with the one or more data fields of the cache, wherein the cache is separate from the data packet system; processing the one or more rules stored in the cache to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups; and processing the data packet using the one or more rules stored in the cache if present.
21. A method for filtering data packets at a firewall system comprising: receiving a data packet that is transmitted over a public network, the data packet having a plurality of fields at a data packet system; processing the data packet using a plurality of rules if it is determined that a precondition does not exist for the one or more of the plurality of fields; determining whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with one or more data fields of the cache, wherein the cache is separate from the data packet system; processing the one or more rules stored in the cache if present to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups.  
2. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises evaluating further conditions associated with the one or more rules stored in the cache for a security policy.
22. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises evaluating further conditions associated with the one or more rules stored in the cache for a security policy.  
3. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises identifying one or more of the plurality of fields that are associated with a precondition associated with the one or more rules for a security policy and an associated group of the security policy stored in the cache.
23. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises identifying one or more of the plurality of fields that are associated with a precondition associated with the one or more rules for a security policy and an associated group of the security policy stored in the cache.   
4. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises generating the precondition by processing a Boolean expression associated with the one or more rules stored in the cache.
24. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises generating the precondition by processing a Boolean expression associated with the one or more rules stored in the cache.  
5. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises applying a simplification algorithm to a feature-rich Boolean expression to generate the precondition associated with the one or more rules stored in the cache.
25. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises applying a simplification algorithm to a feature- rich Boolean expression to generate the precondition associated with the one or more rules stored in the cache
6. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation.
26. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation.    
7. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false.
27. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false.  
8. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises: simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation; evaluating whether one of the two Boolean subexpressions is always true or always for all possible values for one or more fields; and storing the Boolean subexpression as a precondition.
28. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises: simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation; evaluating whether one of the two Boolean subexpressions is always true or always for all possible values for one or more fields; and storing the Boolean subexpression as a precondition.  
9. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving filter parameters from a graphic user interface; and converting the filter parameters into a complex Boolean expression for subsequent processing to identify a precondition.
29. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving filter parameters from a graphic user interface; and converting the filter parameters into a complex Boolean expression for subsequent processing to identify a precondition.  
10. The method of claim 1 wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving a feature rich Boolean expression; extracting the precondition from the feature rich Boolean expression; and storing a remaining condition associated with the precondition.
30. (New) The method of claim 21 wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving a feature rich Boolean expression; extracting the precondition from the feature rich Boolean expression; and storing a remaining condition associated with the precondition.  
12. The method of claim 10 further comprising processing the remaining condition to provide optimized identification of matching conditions by: identifying a path comprising a plurality of comparison nodes; and identifying a path from a first node to a third node as a shortcut to a matching condition.
31. (New) The method of claim 30 further comprising processing the one or more rules stored in the cache to provide optimized identification of matching conditions.
11. The method of claim 10 wherein the optimized identification of matching conditions comprises a shortcut to a matching condition based on a predetermined field value and a number of times a comparison node is visited.
32. (New) The method of claim 31 wherein the optimized identification of matching conditions comprises a shortcut to a matching condition based on a predetermined field value and a number of times a comparison node is visited.  
12. The method of claim 10 further comprising processing the remaining condition to provide optimized identification of matching conditions by: identifying a path comprising a plurality of comparison nodes; and identifying a path from a first node to a third node as a shortcut to a matching condition.
33. (New) The method of claim 30 further comprising processing the remaining condition to provide optimized identification of matching conditions by: identifying a path comprising a plurality of comparison nodes; and identifying a path from a first node to a third node as a shortcut to a matching condition.  
13. A firewall system for filtering data packets comprising: a first processor configured to receive a data packet that is transmitted over a public network, the data packet having a plurality of fields from a network interface at a data packet system; a second processor configured to retrieve a precondition from a data memory device and to use the precondition to determine whether a precondition evaluates to true for one or more of the plurality of fields by comparing the precondition to the one or more of the plurality of fields, where an action is associated the precondition; a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists for one or more of the plurality of fields; a fourth processor configured to process the data packet using a plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields; and a fifth processor configured to determine whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with the one or more data fields of the cache and to process the data packet using the one or more rules stored in the cache if present, wherein the cache is separate from the data packet system, and to process the one or more rules stored in the cache to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups.
34. (New) A firewall system for filtering data packets comprising: a first processor configured to receive a data packet that is transmitted over a public network, the data packet having a plurality of fields from a network interface at a data packet system; a second processor configured to process the data packet using a plurality of rules if it is determined that a precondition does not exist for the one or more of the plurality of fields; and a third processor configured to determine whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with the one or more data fields of the cache and to process the data packet using the one or more rules stored in the cache if present, wherein the cache is separate from the data packet system, and to process the one or more rules stored in the cache to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups.  
14. The system of claim 13 wherein the third processor is configured to evaluate further conditions.
35. (New) The system of claim 34 wherein a fourth processor is configured to evaluate further conditions.  
15. The system of claim 13 wherein the second processor is configured to identify one or more of the plurality of fields that are associated with a precondition.
36. (New) The system of claim 34 wherein the second processor is configured to identify one or more of the plurality of fields that are associated with a precondition.  
16. The system of claim 13 further comprises a sixth processor configured to generate the precondition by processing a Boolean expression.
37. (New) The system of claim 34 further comprises a fourth processor configured to generate the precondition by processing a Boolean expression.  
17. The system of claim 13 wherein the second processor is configured to apply a simplification algorithm to a feature-rich Boolean expression to generate the precondition.
38. (New) The system of claim 34 wherein the second processor is configured to apply a simplification algorithm to a feature-rich Boolean expression to generate the precondition.  
18. The system of claim 13 wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation.
39. (New) The system of claim 34 wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation.  
19. The system of claim 13 wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false for all possible values for one or more fields.
40. (New) The system of claim 34 wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false for all possible values for one or more fields.  
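Claims 24-30 (and system claims 37-40) recite simplifying a feature-rich Boolean expression into subexpressions that contain no OR operation, evaluating whether a subexpression is always true or always false for all possible values of one or more fields, storing the result as a precondition, and keeping a remaining condition. The following Python is an added illustration of one way such a procedure can work; it is not code from the application, the patent, or any cited reference. The tuple grammar, the field domains, the sample rule, and the choice of "atoms shared by every surviving subexpression" as the precondition are assumptions made here, since the claims do not fix how the precondition is selected.

```python
"""Precondition extraction from a feature-rich Boolean packet filter.

Expressions are nested tuples (grammar assumed for this illustration):
    ("eq", field, value)       atom: packet[field] == value
    ("and", e1, e2, ...)       conjunction
    ("or", e1, e2, ...)        disjunction
"""
import itertools

# Constructed, deliberately small field domains; the always-true/always-false
# check below enumerates them exhaustively.
DOMAINS = {
    "proto": ("tcp", "udp", "icmp"),
    "dport": (22, 53, 80, 443),
    "zone": ("public", "dmz"),
}


def to_dnf(expr):
    """Rewrite expr as a list of OR-free subexpressions (tuples of atoms).

    (A and B) or (C and D) becomes [(A, B), (C, D)]; an AND over an OR is
    distributed, so the output never contains an OR."""
    op = expr[0]
    if op == "eq":
        return [(expr,)]
    if op == "or":
        return [conj for sub in expr[1:] for conj in to_dnf(sub)]
    if op == "and":
        result = [()]
        for sub in expr[1:]:
            result = [a + b for a in result for b in to_dnf(sub)]
        return result
    raise ValueError(f"unknown operator {op!r}")


def eval_conj(conj, packet):
    """True when every atom of the OR-free subexpression holds for packet."""
    return all(packet.get(field) == value for _, field, value in conj)


def constant_value(conj, domains=DOMAINS):
    """True if conj holds for every assignment of its fields from domains,
    False if it holds for none, None if the outcome depends on the packet."""
    fields = sorted({field for _, field, _ in conj})
    outcomes = {
        eval_conj(conj, dict(zip(fields, values)))
        for values in itertools.product(*(domains[f] for f in fields))
    }
    return outcomes.pop() if len(outcomes) == 1 else None


def extract_precondition(expr, domains=DOMAINS):
    """Split expr into (precondition, remaining).

    Assumption made here (the claims do not fix the rule): the precondition is
    the set of atoms shared by every surviving OR-free subexpression.  It is a
    necessary condition, so a packet that fails it is rejected without
    evaluating the remaining condition.  Always-false subexpressions are
    dropped; an always-true one makes the whole expression match everything.
    Return values: remaining == [] means the rule can never match,
    remaining == [()] means it always matches once the precondition holds."""
    live = []
    for conj in to_dnf(expr):
        verdict = constant_value(conj, domains)
        if verdict is True:
            return (), [()]
        if verdict is None:
            live.append(conj)
    if not live:
        return (), []
    pre = tuple(a for a in live[0] if all(a in other for other in live[1:]))
    remaining = [tuple(a for a in conj if a not in pre) for conj in live]
    return pre, remaining


def match(packet, pre, remaining):
    """Fast path first: the precondition, then only the remaining condition."""
    if not eval_conj(pre, packet):
        return False
    return any(eval_conj(conj, packet) for conj in remaining)


# Constructed sample rule: two web-facing TCP branches plus a contradictory
# branch (proto cannot be both udp and tcp) that the simplifier should discard.
RULE = (
    "or",
    ("and", ("eq", "proto", "tcp"), ("eq", "dport", 80), ("eq", "zone", "public")),
    ("and", ("eq", "proto", "tcp"), ("eq", "dport", 443), ("eq", "zone", "public")),
    ("and", ("eq", "proto", "udp"), ("eq", "proto", "tcp")),
)


if __name__ == "__main__":
    pre, remaining = extract_precondition(RULE)
    print("precondition:", pre)
    print("remaining:", remaining)
    for pkt in ({"proto": "tcp", "dport": 443, "zone": "public"},
                {"proto": "udp", "dport": 80, "zone": "public"}):
        print(pkt, "->", match(pkt, pre, remaining))
```

For the sample rule the contradictory branch is eliminated by the exhaustive domain check, and the two surviving branches share proto=tcp and zone=public, which become the precondition; only dport remains to be tested per branch. The domain enumeration is exponential in the number of distinct fields in a subexpression, so on a real policy it is only practical for small enumerated fields (protocol, zone, a port list), not for full 32-bit address spaces.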



Claim Rejections – 35 USC §103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 21-23 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Nurmela et al. (US patent. No. US 7,386,525 B2, hereinafter Nurmela) in view of Krishnan et al. (US Pub. No. US 2003/0051165 A1, hereinafter Krishnan). 

Nurmela provides data packet filtering and finding a rule matching a data packet in a rule base. A data packet comprises parameter fields for identifying the data packet, the rule base comprises a plurality of rules, each rule comprises one or more parameter fields, and the matching rule is a rule, whose parameter field values correspond to the parameter field values of said data packet. The matching rule is found by determining rule sets for the data packet, one rule set comprising the rules to which one parameter field value of the data packet can match, and by finding the rule with the smallest label that is present in all said rule sets of the data packet, said rule with the smallest label indicating the rule matching the data packet.

Krishnan provides that one approach for a data packet filter firewall is to use a memory cache. In such a system, when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache. In addition, after the packet filter rules have been applied to the received data packet, the disposition (e.g. allow or deny) is also stored in the cache, associated with the relevant parameters of the received data packet. Thereafter, if a data packet is received with parameters which are the same as parameters previously stored in the cache, the firewall can apply the associated disposition without applying all the rules to the data packet. This enhances performance in view of the fact that for certain applications, ongoing communications will occur between two computers, and there is no need to check every data packet exchanged between the computers during the communication session (i.e., connection). Thus, while this technique improves performance for data packets exchanged during connections, the technique does not improve performance for new connections.
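The two mechanisms characterized in the preceding paragraphs, per-field rule sets intersected to find the smallest matching label (as described for Nurmela) and a memory cache of packet parameters with their disposition (as described for Krishnan), in an added Python illustration. This is not code from either reference or from the application; the bitmask representation of the rule sets, the rule base, the LRU cache, the (src, dst, dport) cache key and the sample packets are all constructed here.

```python
"""Per-field rule-set intersection fronted by a per-connection disposition cache.

Added illustration; rule base, packets and the cache key are constructed here.
"""
from collections import OrderedDict

ANY = "*"
FIELDS = ("src", "dst", "dport")

# Constructed rule base.  A rule's label is its position: the smallest label
# present in every per-field rule set is the matching rule (first match wins).
RULES = [
    {"src": "10.0.0.5", "dst": ANY,          "dport": ANY, "action": "deny"},
    {"src": ANY,        "dst": "192.0.2.10", "dport": 443, "action": "allow"},
    {"src": ANY,        "dst": "192.0.2.10", "dport": 80,  "action": "allow"},
    {"src": ANY,        "dst": ANY,          "dport": ANY, "action": "deny"},  # default
]


def build_rule_sets(rules, fields=FIELDS):
    """Per field: value -> bitmask of rule labels that accept that value.

    Bit i of a mask stands for rule label i.  Wildcard rules go into a
    separate per-field mask that is OR-ed into every lookup for that field."""
    index = {f: {} for f in fields}
    anymask = {f: 0 for f in fields}
    for label, rule in enumerate(rules):
        bit = 1 << label
        for f in fields:
            if rule[f] == ANY:
                anymask[f] |= bit
            else:
                index[f][rule[f]] = index[f].get(rule[f], 0) | bit
    return index, anymask


def first_match(packet, index, anymask, fields=FIELDS):
    """Intersect the rule sets of every field and return the smallest label
    present in all of them, or None if no rule accepts the packet."""
    candidates = ~0  # all ones; AND-ing with finite masks narrows it down
    for f in fields:
        candidates &= index[f].get(packet[f], 0) | anymask[f]
    if candidates == 0:
        return None
    return (candidates & -candidates).bit_length() - 1  # lowest set bit


class DispositionCache:
    """(src, dst, dport) -> disposition, bounded by LRU eviction."""

    def __init__(self, capacity=1024):
        self.capacity = capacity
        self.entries = OrderedDict()
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(packet):
        return tuple(packet[f] for f in FIELDS)

    def lookup(self, packet):
        k = self.key(packet)
        if k in self.entries:
            self.entries.move_to_end(k)
            self.hits += 1
            return self.entries[k]
        self.misses += 1
        return None

    def store(self, packet, disposition):
        self.entries[self.key(packet)] = disposition
        if len(self.entries) > self.capacity:
            self.entries.popitem(last=False)


class Firewall:
    def __init__(self, rules=RULES, capacity=1024):
        self.rules = rules
        self.index, self.anymask = build_rule_sets(rules)
        self.cache = DispositionCache(capacity)

    def filter_packet(self, packet):
        """Return (disposition, "cache" | "rules").  Only a repeat of an already
        seen (src, dst, dport) hits the cache; the first packet of every new
        connection still goes through the full rule-set intersection."""
        cached = self.cache.lookup(packet)
        if cached is not None:
            return cached, "cache"
        label = first_match(packet, self.index, self.anymask)
        disposition = self.rules[label]["action"] if label is not None else "deny"
        self.cache.store(packet, disposition)
        return disposition, "rules"

    def reload(self, rules):
        """Policy change: rebuild the rule sets AND flush the cache; otherwise
        dispositions computed under the old policy keep being served."""
        self.rules = rules
        self.index, self.anymask = build_rule_sets(rules)
        self.cache = DispositionCache(self.cache.capacity)
```

Two points the code makes concrete. First, the cache only helps on a repeat of the exact key, so the first packet of every new connection pays the full intersection cost, which is the limitation noted for Krishnan above. Second, because the cache stores a disposition and not the rule that produced it, any change to the rule base has to flush it (the `reload` method); a cache that survives a policy change silently keeps enforcing the old policy.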

Regarding claims 21 and 34, Nurmela discloses a method for filtering data packets at a firewall system comprising (Abstract: packet filtering and finding a rule matching a data packet in a rule base, for example): receiving a data packet that is transmitted over a public network (fig. 3, step 300 shows that a data packet to be filtered is received, for example), the data packet having a plurality of fields at a data packet system; processing the data packet using a plurality of rules if it is determined that a precondition does not exist for the one or more of the plurality of fields (fig. 3 shows step 302, in which rule sets for the data packet are determined. Each rule set relates to at least one parameter field value of the data packet and comprises the rules to which said parameter field value can match, that is, the rules which contain said parameter field value, for example).


Nurmela fails to expressly disclose determining whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with one or more data fields of the cache, wherein the cache is separate from the data packet system; processing the one or more rules stored in the cache if present to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups.

However, Krishnan discloses determining whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with one or more data fields of the cache (para. 0005 discloses that when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache, for example), wherein the cache is separate from the data packet system; processing the one or more rules stored in the cache if present to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups (para. 0005 discloses that one approach for a data packet filter firewall is to use a memory cache. In such a system, when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache. In addition, after the packet filter rules have been applied to the received data packet, the disposition (e.g. allow or deny) is also stored in the cache, associated with the relevant parameters of the received data packet. Thereafter, if a data packet is received with parameters which are the same as parameters previously stored in the cache, the firewall can apply the associated disposition without applying all the rules to the data packet. This enhances performance in view of the fact that for certain applications, ongoing communications will occur between two computers, and there is no need to check every data packet exchanged between the computers during the communication session (i.e., connection), for example).

Nurmela and Krishnan are analogous art because they both are directed to adaptive re-ordering of data packet filter rules to improve the performance of the filter while maintaining a security policy and one of ordinary skill in the art would have had a reasonable expectation of success to modify the teachings of Krishnan with the specified features of Nurmela because they are from the same field of endeavor.

In view of the above, having the method of Nurmela and then given the well-established teaching of Krishnan, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Krishnan with the teachings of Nurmela in order to adaptively re-order data packet filter rules to improve the performance of the filter while maintaining a security policy (Krishnan: para. 0001).

Regarding claim 22, the combination of Nurmela as modified by Krishnan discloses wherein processing the data packet using the one or more rules stored in the cache if present comprises evaluating further conditions associated with the one or more rules stored in the cache for a security policy (para. 0005 of Krishnan discloses if a data packet is received with parameters which are the same as parameters previously stored in the cache, the firewall can apply the associated disposition without applying all the rules to the data packet, for example).  
The same motivational statement applies as set forth above in claim 21.

Regarding claim 23, the combination of Nurmela as modified by Krishnan discloses wherein processing the data packet using the one or more rules stored in the cache (para. 0005 of Krishnan discloses that when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache, for example) if present comprises identifying one or more of the plurality of fields that are associated with a precondition associated with the one or more rules for a security policy and an associated group of the security policy stored in the cache (fig. 4 of Krishnan shows that each rule has a sequence number, which indicates the order in which the rules will be applied against an incoming data packet. Furthermore, para. 0003 of Krishnan discloses that a rule may indicate that any data packet from source X will be blocked, while another rule may indicate that any data packet from source Y to destination Z will be allowed to pass. The rules are stored in sequential order in the data packet filter and every data packet received by the firewall is tested against the rules in sequential order, for example).
The same motivational statement applies as set forth above in claim 21.

8.	Claims 24-33 and 35-40 are rejected under 35 U.S.C. 103 as being unpatentable over Nurmela et al. (US patent No. US 7,386,525 B2, hereinafter Nurmela) in view of Krishnan et al. (US Pub. No. US 2003/0051165 A1, hereinafter Krishnan), further in view of Kay (US Pub. No. US 2010/0008359 A1).

Kay discloses an apparatus that performs prioritized matching through processing of network traffic in accordance with provisioned rules and policies. The apparatus includes a plurality of microcode-controlled state machines, and a distribution circuit that routes input data to the plurality of microcode-controlled state machines, such that the plurality of microcode-controlled state machines apply rules to the input data to determine matches and produce priority indicators, wherein each match has an associated priority indicator.


Regarding claim 24, the combination of Nurmela as modified by Krishnan discloses all of the claimed invention except for wherein processing the data packet using the one or more rules stored in the cache if present comprises generating the precondition by processing a Boolean expression associated with the one or more rules stored in the cache.

However, Kay discloses wherein processing the data packet using the one or more rules stored in the cache if present comprises generating the precondition by processing a Boolean expression associated with the one or more rules stored in the cache (para. 0043 discloses that the aggregation circuit includes output logic that enforces policies. A policy may be a simple collection of rules related using Boolean logic. In one embodiment, the aggregation circuit aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet, for example).

Nurmela as modified by Krishnan and Kay are analogous art because they both are directed to processing of computer network traffic to facilitate network security and network monitoring applications and one of ordinary skill in the art would have had a reasonable expectation of success to modify Kay with the specified features of Nurmela as modified by Krishnan because they are from the same field of endeavor.

In view of the above, having the method of Nurmela as modified by Krishnan and then given the well-established teaching of Kay, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kay with the teachings of Nurmela as modified by Krishnan in order to facilitate optimized, cost-effective and flexible network security and network traffic monitoring features (Kay: para. 0003).

Regarding claims 25-30, the combination of Nurmela as modified by Krishnan discloses all of the claimed invention except for wherein processing the data packet using the one or more rules stored in the cache if present comprises applying a simplification algorithm to a feature-rich Boolean expression to generate the precondition associated with the one or more rules stored in the cache.

However, Kay discloses wherein processing the data packet using the one or more rules stored in the cache if present comprises applying a simplification algorithm to a feature-rich Boolean expression to generate the precondition associated with the one or more rules stored in the cache (see para. 0035, which discloses each traffic segment is routed in parallel for processing by each rule engine of a set of rule engines; para. 0037, which discloses after a rule engine has completed evaluation of a rule, it notifies the aggregation circuit of the result; para. 0038, which discloses the aggregation circuit includes output logic that enforces policies, which are sets of rules and the logical, causal and/or temporal relationship between them . . .; para. 0043, which discloses the aggregation circuit includes output logic that enforces policies. A policy may be a simple collection of rules related using Boolean logic. In one embodiment, the aggregation circuit aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet. The aggregation policy can be implemented as a tree, where each tree node can be configured to function as a logical OR or AND. A policy can be configured to be a complicated composite relationship between rules, such as a sum of products, and/or a causal or temporal relationship. The aggregation logic can implement any combinatorial or sequential logic; para. 0047-0053, which disclose rules used by rule engines can be specified in several ways, including but not limited to bit configuration of the hardware, use of low-level assembler, translation from existing languages used by common intrusion detection systems (IDS) and firewalls, or use of a high-level language. In one embodiment, low level assembler is used, based on a unique and proprietary instruction set architecture (ISA) corresponding to an underlying hardware architecture optimized for network security applications. In another embodiment, a high level, tailored rule definition language is used, based on a proprietary high-level language for the Stream and Packet Inspection Front End (SPIFE). Some examples of rules in a high-level rule definition language include: para. 0048 discloses drop inbound eth:ip :tcp ip.src=1.2.3.4, tcp.dport=80; para. 0049 discloses meaning: drop TCP packets that are coming inbound (from the external network toward the protected segment), which have an IP source address of 1.2.3.4 and a destination port 80 (http); para. 0050 discloses drop inbound eth:ip :udp payload: "malicious"; para. 0051 discloses meaning: drop User Datagram Protocol (UDP) packets that are coming inbound (from the external network toward the protected segment) if their payload contains the keyword "malicious"; para. 0052 discloses drop inbound eth:ip :udp payload: "malic*ious" [ignorecase]; para. 0053 discloses meaning: drop User Datagram Protocol (UDP) packets that are coming inbound (from the external network toward the protected segment) if their payload includes the keyword "malicious" where any number of characters separates the "c" from the "i". The payload is case-insensitive, such that, for example, "Malicious", "mAliCicious", and "MALICIOUS" are dropped; and Figures 2, 9 and 10),
wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation (see para. 0043; para. 0047-0053 and Figures 2, 9 and 10),
wherein processing the data packet using the one or more rules stored in the cache if present comprises simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false (see para. 0075-0076 and Figures 5 and 7),
wherein processing the data packet using the one or more rules stored in the cache if present comprises: simplifying a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation; evaluating whether one of the two Boolean subexpressions is always true or always false for all possible values for one or more fields; and storing the Boolean subexpression as a precondition (see fig. 2 and furthermore para. 0038; para. 0043; para. 0047-0053, which disclose the aggregation circuit 206 aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet. The aggregation policy can be implemented as a tree, where each tree node can be configured to function as a logical OR or AND. A policy can be configured to be a complicated composite relationship between rules, such as a sum of products, and/or a causal or temporal relationship. The aggregation logic can implement any combinatorial or sequential logic, for example),
wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving filter parameters from a graphic user interface; and converting the filter parameters into a complex Boolean expression for subsequent processing to identify a precondition (see para. 0038; para. 0043; para. 0047-0053; para. 0078-0080 and Figures 2, 8, 9 and 10),
wherein processing the data packet using the one or more rules stored in the cache if present comprises: receiving a feature-rich Boolean expression; extracting the precondition from the feature-rich Boolean expression; and storing a remaining condition associated with the precondition (see para. 0063-0072 and Figures 2, 4 and 5).
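The simplification recited in the limitations above, as an added illustration that is not code from Kay, Nurmela, Krishnan or the applicant: it distributes AND over OR to obtain OR-free terms, checks each term exhaustively over small field domains for being always true or always false, stores the constant terms as preconditions, and lets matching short-circuit on an always-true precondition. It generalizes to any number of OR branches and any nesting; the node shapes, field names, domains and the sample filter are assumptions constructed for the example.

```python
# Added illustration, not code from Kay, Nurmela, Krishnan or the applicant.
# Node shapes, field names, domains and the sample filter are constructed.
from itertools import product

# Nodes: ("eq", field, value) ("in", field, values) ("and", [nodes]) ("or", [nodes])

def eval_expr(expr, fields):
    op = expr[0]
    if op == "eq":
        return fields[expr[1]] == expr[2]
    if op == "in":
        return fields[expr[1]] in expr[2]
    if op == "and":
        return all(eval_expr(e, fields) for e in expr[1])
    if op == "or":
        return any(eval_expr(e, fields) for e in expr[1])
    raise ValueError(f"unknown node {op!r}")

def split_or(expr):
    """Distribute AND over OR: returns OR-free ("and", [comparisons]) terms."""
    op = expr[0]
    if op in ("eq", "in"):
        return [("and", [expr])]
    if op == "or":
        return [t for child in expr[1] for t in split_or(child)]
    terms = [("and", [])]  # op == "and": cartesian product of child terms
    for child in expr[1]:
        terms = [("and", a[1] + b[1]) for a in terms for b in split_or(child)]
    return terms

def referenced_fields(expr):
    if expr[0] in ("eq", "in"):
        return {expr[1]}
    return set().union(*(referenced_fields(e) for e in expr[1]))

def classify(term, domains):
    """Evaluate an OR-free term over every combination of its fields' values."""
    names = sorted(referenced_fields(term))
    seen = {eval_expr(term, dict(zip(names, combo)))
            for combo in product(*(list(domains[n]) for n in names))}
    if seen == {True}:
        return "always_true"
    return "always_false" if seen == {False} else "variable"

def compile_filter(expr, domains):
    """Constant terms are stored as preconditions; the rest remain as rules."""
    preconditions, remaining = [], []
    for term in split_or(expr):
        kind = classify(term, domains)
        if kind == "variable":
            remaining.append(term)
        else:
            preconditions.append((term, kind))
    return preconditions, remaining

def match(compiled, packet):
    """An always-true precondition fires before any remaining rule is evaluated."""
    preconditions, remaining = compiled
    if any(kind == "always_true" for _, kind in preconditions):
        return True
    return any(eval_expr(t, packet) for t in remaining)

# Constructed filter as a GUI might emit it: the second AND branch requires
# proto to be both tcp and udp, so it is always false for every packet.
DOMAINS = {"dir": {"inbound", "outbound"}, "proto": {"tcp", "udp"}, "dport": {53, 80, 443}}
FILTER = ("or", [
    ("and", [("eq", "dir", "inbound"), ("eq", "proto", "tcp"), ("eq", "dport", 80)]),
    ("and", [("eq", "proto", "tcp"), ("eq", "proto", "udp")]),
])
```

Exhaustive evaluation is exponential in the number of referenced fields, so it is only practical over small value sets such as the ones constructed here.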
	
Nurmela as modified by Krishnan and Kay are analogous art because they both are directed to processing of computer network traffic to facilitate network security and network monitoring applications and one of ordinary skill in the art would have had a reasonable expectation of success to modify Kay with the specified features of Nurmela as modified by Krishnan because they are from the same field of endeavor.
In view of the above, having the method of Nurmela as modified by Krishnan and then given the well-established teaching of Kay, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kay with the teachings of Nurmela as modified by Krishnan in order to facilitate optimized, cost-effective and flexible network security and network traffic monitoring features (Kay: para. 0003).
Regarding claim 31, the combination of Nurmela as modified by Krishnan further in view of Kay discloses processing the one or more rules stored in the cache to provide optimized identification of matching conditions (col. 2 lines 62-67 of Nurmela discloses a rule matching a data packet, a data packet comprising parameter fields for identifying the data packet, the rule base comprising a plurality of sequentially labelled rules, each rule comprising one or more parameter fields, and a rule matching a data packet being a rule, furthermore, para. 0005 of Krishnan discloses when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache).
The same motivational statement applies as set forth above in claim 24.

Regarding claim 32, the combination of Nurmela as modified by Krishnan further in view of Kay discloses wherein the optimized identification of matching conditions (Abstract of Nurmela: packet filtering and finding a rule matching a data packet in a rule base, for example) comprises a shortcut to a matching condition based on a predetermined field value and a number of times a comparison node is visited (para. 0041 of Kay; para. 0063-0072 of Kay and Figures 2, 4 and 5 of Kay).
The same motivational statement applies as set forth above in claim 24.

Regarding claim 33, the combination of Nurmela as modified by Krishnan further in view of Kay discloses processing the remaining condition to provide optimized identification of matching conditions by: identifying a path comprising a plurality of comparison nodes; and identifying a path from a first node to a third node as a shortcut to a matching condition (para. 0041 of Kay; para. 0063-0072 of Kay and Figures 2, 4 and 5 of Kay).
The same motivational statement applies as set forth above in claim 21.

Regarding claim 35, the combination of Nurmela as modified by Krishnan further in view of Kay discloses wherein a fourth processor is configured to evaluate further conditions (see para. 0043; para. 0047-0053; para. 0075-0076 and Figures 5 and 7 of Kay).

Regarding claim 36, the combination of Nurmela as modified by Krishnan further in view of Kay discloses wherein the second processor is configured to identify one or more of the plurality of fields that are associated with a precondition (see paras. 0043; 0047-0053; 0075-0076 of Kay and figs. 5 and 7 of Kay, for example).

Regarding claim 37, the combination of Nurmela as modified by Krishnan further in view of Kay discloses a fourth processor configured to generate the precondition by processing a Boolean expression (fig. 2 of Kay and furthermore para. 0038; 0043; para. 0047-0053 of Kay discloses the aggregation circuit 206 aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules, for example).

Regarding claims 38-40, the combination of Nurmela as modified by Krishnan discloses all the claimed invention except for, wherein the second processor is configured to apply a simplification algorithm to a feature-rich Boolean expression to generate the precondition, wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation, wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false for all possible values for one or more fields.

However, Kay discloses wherein the second processor is configured to apply a simplification algorithm to a feature-rich Boolean expression to generate the precondition (para. 0043: the aggregation circuit includes output logic that enforces policies. A policy may be a simple collection of rules related using Boolean logic. In one embodiment, the aggregation circuit aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet, for example),
wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation (para. 0043: the aggregation circuit includes output logic that enforces policies. A policy may be a simple collection of rules related using Boolean logic. In one embodiment, the aggregation circuit aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet, for example),
wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation and then evaluating whether one or both of the two Boolean subexpressions is always true or always false for all possible values for one or more fields (see para. 0035, which discloses each traffic segment is routed in parallel for processing by each rule engine of a set of rule engines; para. 0037, which discloses after a rule engine has completed evaluation of a rule, it notifies the aggregation circuit of the result; para. 0038, which discloses the aggregation circuit includes output logic that enforces policies, which are sets of rules and the logical, causal and/or temporal relationship between them . . .; para. 0043, which discloses the aggregation circuit includes output logic that enforces policies. A policy may be a simple collection of rules related using Boolean logic. In one embodiment, the aggregation circuit aggregates the outputs of individual blocks, for example expressed as a Boolean OR of several rules. If any of these multiple rules are true, then a configured action is taken, such as dropping the packet. The aggregation policy can be implemented as a tree, where each tree node can be configured to function as a logical OR or AND. A policy can be configured to be a complicated composite relationship between rules, such as a sum of products, and/or a causal or temporal relationship. The aggregation logic can implement any combinatorial or sequential logic; para. 0047-0053, which disclose rules used by rule engines can be specified in several ways, including but not limited to bit configuration of the hardware, use of low-level assembler, translation from existing languages used by common intrusion detection systems (IDS) and firewalls, or use of a high-level language. In one embodiment, low level assembler is used, based on a unique and proprietary instruction set architecture (ISA) corresponding to an underlying hardware architecture optimized for network security applications. In another embodiment, a high level, tailored rule definition language is used, based on a proprietary high-level language for the Stream and Packet Inspection Front End (SPIFE). Some examples of rules in a high-level rule definition language include: para. 0048 discloses drop inbound eth:ip :tcp ip.src=1.2.3.4, tcp.dport=80; para. 0049 discloses meaning: drop TCP packets that are coming inbound (from the external network toward the protected segment), which have an IP source address of 1.2.3.4 and a destination port 80 (http); para. 0050 discloses drop inbound eth:ip :udp payload: "malicious"; para. 0051 discloses meaning: drop User Datagram Protocol (UDP) packets that are coming inbound (from the external network toward the protected segment) if their payload contains the keyword "malicious"; para. 0052 discloses drop inbound eth:ip :udp payload: "malic*ious" [ignorecase]; para. 0053 discloses meaning: drop User Datagram Protocol (UDP) packets that are coming inbound (from the external network toward the protected segment) if their payload includes the keyword "malicious" where any number of characters separates the "c" from the "i". The payload is case-insensitive, such that, for example, "Malicious", "mAliCicious", and "MALICIOUS" are dropped; and Figures 2, 9 and 10).

Nurmela as modified by Krishnan and Kay are analogous art because they both are directed to processing of computer network traffic to facilitate network security and network monitoring applications and one of ordinary skill in the art would have had a reasonable expectation of success to modify Kay with the specified features of Nurmela as modified by Krishnan because they are from the same field of endeavor.

In view of the above, having the method of Nurmela as modified by Krishnan and then given the well-established teaching of Kay, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Kay with the teachings of Nurmela as modified by Krishnan in order to facilitate optimized, cost-effective and flexible network security and network traffic monitoring features (Kay: para. 0003).

Pertinent Art
8.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Yu (Pub. No.: US 2012/0110656 A1) provides a network node for selective invalidation of packet filtering cache results based on rule priority, the network node comprising: a cache of results of a packet filtering rule set to store a plurality of entries, each cache entry including a rule identifier of a packet filtering rule to which the cache entry relates and a rule set version identifier that identifies a version of the packet filtering rule set when the cache entry was created; a version memory to store a highest priority rule modified for each of a plurality of rule set version identifiers; a current rule set version identifier identifying a current version of the packet filtering rule set; and a packet processor to: determine, when a cache entry corresponding to a received packet is included in the cache, whether the rule identifier included in the cache entry is of a higher priority than a highest priority rule stored in the version memory for the rule set version identifier included in the cache entry, and apply, to the packet, an action included in the cache entry when the rule identifier included in the cache entry is of a higher priority.

9.	Teal (Pub. No.: US 2019/0081983 A1) provides a data recorder on a firewall, and the method may further include applying a network security rule at the firewall based on the process data, e.g., to control network communications associated with the first process or one or more other processes executing on the endpoint. In this manner, an endpoint firewall may usefully be controlled based on a set of firewall rules or properties stored in, or secured by, a tamper protection cache and an endpoint protection driver as described herein. More generally, any process data stored in a process cache and/or tamper protection cache may be usefully streamed to a data recorder for use in subsequent analysis, threat detection, endpoint management, and so forth.

10.	Kraft (US patent No. 10,878,110 B2) provides a data packet filter firewall that uses a memory cache. In such a system, when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache. In addition, after the packet filter rules have been applied to the received data packet, the disposition (e.g. allow or deny) is also stored in the cache associated with the relevant parameters of the received data packet. Thereafter, if a data packet is received with parameters which are the same as parameters previously stored in the cache, the firewall can apply the associated disposition without applying all the rules to the data packet. This enhances performance in view of the fact that for certain applications, ongoing communications will occur between two computers, and there is no need to check every data packet exchanged between the computers during the communication session (i.e., connection). Thus, while this technique improves performance for data packets exchanged during connections, the technique does not improve performance for new connections.

11.	Krishnan et al. (US patent No.: 6,606,710 B2) provides a data packet filter firewall that uses a memory cache. In such a system, when a data packet arrives, the relevant parameters (e.g. source and destination) of the data packet are stored in a cache. In addition, after the packet filter rules have been applied to the received data packet, the disposition (e.g. allow or deny) is also stored in the cache associated with the relevant parameters of the received data packet. Thereafter, if a data packet is received with parameters which are the same as parameters previously stored in the cache, the firewall can apply the associated disposition without applying all the rules to the data packet. This enhances performance in view of the fact that for certain applications, ongoing communications will occur between two computers, and there is no need to check every data packet exchanged between the computers during the communication session (i.e., connection). Thus, while this technique improves performance for data packets exchanged during connections, the technique does not improve performance for new connections.

12.	Santos et al. (US patent 8,627,448 B2) provide a node having a current rule set version identifier identifying a current version (e.g. an alphanumeric value) of a packet filtering rule set. A packet processor (e.g. a CPU) determines whether a rule identifier included in a cache entry has higher priority than a highest priority rule stored in a version memory (e.g. RAM) for the version identifier when the entry corresponding to a received packet is included in a cache. The processor applies an action included in the entry to the packet when the rule identifier included in the entry has the higher priority.

Conclusion
13.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932.  The examiner can normally be reached on Mon.-Fri. 9:00 AM - 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

A.G.
November 3, 2022
/ABIY GETACHEW/Primary Examiner, Art Unit 2434