DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.


Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 2022-10-17 has been entered.


Response to Amendment
The amendment filed 2022-10-17 has been entered and fully considered.

Response to PTAB Decision
The final rejection mailed 2020-11-25 properly set forth a 35 U.S.C. § 112(a) rejection of claims 1-20 (¶13) for failure to comply with the written description requirement because the claims contained subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor at the time the application was filed, had possession of the claimed invention.  The Examiner, in both the final rejection and the Examiner’s Answer mailed 2021-06-10, noted numerous deficiencies and contradictions within applicants’ own specification and appeal brief filed 2021-05-25.  
In the PTAB decision mailed 2022-08-17, the decision stated that “We note that the original claims of the application filed on November 7, 2018, for example, include the disputed limitations, which are not addressed by the Examiner”.  Although it seems that the PTAB decision may have conflated the written description requirement of sufficient description explaining how a claimed function is performed (See, e.g., MPEP § 2161.01(I)), which is a deficiency that can exist in original claims, with “new matter” situations, the Examiner defers to the PTAB decision under the doctrine of res judicata and thus the rejection of claims 1-20 under 35 U.S.C. § 112(a) for lack of written description has been withdrawn.

The final rejection mailed 2020-11-25 properly set forth an objection to the drawings under 37 CFR 1.83(a), which requires that applicant “must show every feature of the invention specified in the claims”.  The final rejection mailed 2020-11-25 also properly set forth an objection to the specification under 37 CFR 1.75(d)(1), which requires that “the claims must find clear support or antecedent basis in the description”.
In the PTAB decision mailed 2022-08-17, the decision affirmed the Examiner that “such issues should have been settled by petition to the Director of the U.S. Patent and Trademark Office”.  During prosecution, applicant’s responses have appeared to mock the regulatory requirements by providing nothing more than perfunctory, repetitive, and clearly deficient responses to the Examiner’s earnest attempt at ensuring the specification and drawings fulfilled their requirements of showing the claimed features and providing clear support or antecedent basis for the claims.  Regardless, because the objections are nonetheless tangentially related to the withdrawn 35 U.S.C. § 112(a) rejection for lack of written description, to avert even the appearance of anything less than deference to the PTAB decision under the doctrine of res judicata, the Examiner withdraws the objections to the specification and drawings.

The final rejection mailed 2020-11-25 properly set forth a 35 U.S.C. § 112(b) rejection of claims 1-20 (¶14) for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  The Examiner, in both the final rejection and the Examiner’s Answer mailed 2021-06-10, noted that the claims were not technically accurate (and thus did not correspond with the specification as required under MPEP §2173.03).  
In the PTAB decision mailed 2022-08-17, the decision stated that “A claim is indefinite when it contains words or phrases whose meaning is unclear”.  Although it seems that the PTAB decision may have conflated lack of clarity (i.e. precision) with accuracy and has not addressed the requirement of correspondence to the specification as a test of whether the applicant has particularly pointed out and distinctly claimed the subject matter which the inventor or a joint inventor regards as the invention as required under MPEP §2173.03, the Examiner defers to the PTAB decision under the doctrine of res judicata and thus the rejection of claims 1-20 under 35 U.S.C. § 112(b) for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention has been withdrawn.


Response to Arguments
Applicant’s arguments, see page 7, filed 2022-10-17, with respect to the nonstatutory double patenting rejections of claims 1-20 have been fully considered but they are not persuasive.  As noted in the nonstatutory double patenting rejection, all of the claim limitations of the independent claims are anticipated by the claim limitations of the related patents except for the final limitation “processing the second data packet by making an incremental change to the plurality of rules” (present only in independent claim 1), which is rendered obvious by the art of record, and a feature of a “subset of conditions of the data packet”, which does not narrow the scope of the claim in any particular fashion (as explained in the § 103 rejection).
Applicant first argues that “At present, the rejection is premature”.  However, MPEP § 804(II)(B) recites that “Nonstatutory double patenting requires rejection of an application claim when the claimed subject matter is not patentably distinct from the subject matter claimed in a commonly owned patent”.  Applicant has provided no basis or evidence whatsoever for the absurd position that the rejection is premature.  Thus, the Examiner respectfully submits that the rejection is timely and required.
Applicant then argues that “the burden is on the Office to demonstrate that each limitation of each pending claim is obvious in view of the co-pending applications, including an explanation of how the KSR factors support that finding of obviousness, in order to present a prima facie basis for the obviousness-type double patenting rejection”.  The Examiner notes that this argument has already been adjudicated, as PTAB has found that “The Examiner provides sufficient findings and conclusions regarding obviousness”.
Finally, regarding Applicant’s point regarding KSR, the Examiner notes that the final limitation of the instant application is merely grouped into the claim and has no association or effect on the remainder of the claim and is known in the art, i.e. the claim is merely arranging old elements with each element performing the same function it had been known to perform and yields no more than one would expect from such an arrangement.  In such a situation, KSR makes clear that the combination is obvious; See MPEP § 2141(I).  Further, again, PTAB has found that “The Examiner provides sufficient findings and conclusions regarding obviousness”.
Based on the above, the Examiner respectfully submits that the nonstatutory double patenting rejections of claims 1-20 are proper.

Applicant’s arguments, see page 8, filed 2022-10-17, with respect to the rejection of claims 14-20 under 35 U.S.C. 101 as being directed to non-statutory subject matter (software, per se) have been fully considered but they are not persuasive.
Applicant argues that the “suitable non-substantive amendments have been submitted to address the noted informality”.  The Examiner first notes that the rejection is not an “informality” – the claims fail step 1 of the subject matter eligibility test, See MPEP § 2106.03(II), and thus are not directed to statutory subject matter.  Hence, the claims have been rejected for this fundamental deficiency of being patent eligible.
The Examiner first recognizes that claim 14 has been amended to recite “a first processor implemented in hardware”; however, the Examiner does not find that this is sufficient to limit the claim to statutory subject matter.  In particular, the Examiner notes that the broadest reasonable interpretation of a processor “implemented in hardware”, does not require the hardware itself to be a required element of the processor or the claim as a whole.  That is, the limitation does not even narrow the scope of the “first processor” to hardware, as the claim merely recites where the processor is implemented, as opposed to claiming the hardware as part of the structure of the processor itself.  Note, for example, that software per se can be (and routinely is) implemented in hardware, such as by executing it on a machine, but executing software on a machine when the machine is not a positively required element of the claim does not make the software patent eligible.  To become patent eligible (or, more particularly, at least pass step 1 of the subject matter eligibility test, See MPEP § 2106(III)), the claim to software must include hardware that would limit the claim to a machine or manufacture.  Finally, applicant also clearly intends the limitation to add nothing that would render the claim patent eligible, as applicant has officially stated on the record that adding “implemented in hardware” to the claim was “non-substantive” (Remarks filed 2022-10-17, p. 8).
Based on the above, the Examiner respectfully submits that the 35 U.S.C. 101 rejection of claims 14-20 as being directed to non-statutory subject matter (software, per se) is proper.

Applicant’s arguments, see page 8, filed 2022-10-17, with respect to the rejection of claims 1-20 under 35 U.S.C. § 103 have been fully considered but they are not persuasive.
In response to applicant’s argument that the “prior art fails to disclose the claimed subject matter as amended”, the Examiner respectfully disagrees.  Specifically, the Examiner notes that the amendment (at least to the independent claims) does not meaningfully limit the scope of the claims (as is explained in the § 103 rejections).  Further, the Examiner notes that the prior art of record teaches all of the added claim features, as also noted in the § 103 rejections.  Thus, the Examiner respectfully submits that the 35 U.S.C. 103 rejections of claims 1-20 are proper.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.  See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA.  A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms that may be used.  Please visit www.uspto.gov/patent/patents-forms.  The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens.  An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting over the following US Patents in view of the prior art of record (Guo, Bharali, and Dong):
U.S. Patent 10965647 (Application 16183069), which is directed towards a variant of the instant application wherein rules have subsets (silent on incremental update).
U.S. Patent 11128602 (Application 16183125), which is directed towards a variant of the instant application wherein rules are stored in a cache (silent on incremental update).
Although the claims at issue are not identical, they are not patentably distinct from each other because the claim limitations are either anticipated by the claims of the issued patents, or are otherwise obvious variations.  In particular, independent claim 1 is anticipated by both patents with the exception of an incremental update to the rules, which is obvious in view of the cited prior art of record (as noted infra), and independent claim 14 is anticipated by the claims of both patents (as noted infra).  The dependent claims are anticipated by both patents with the exception of trivial features, which are obvious in view of the prior art of record (Guo, Bharali, and Dong).
*underlining below indicates identical language
Instant US Patent Application 16183178, claim 1:
1. A method for filtering data packets at a firewall system comprising:
receiving a data packet having a plurality of fields;
determining whether a precondition evaluates to true for one or more of the plurality of fields, where an action is associated the precondition;
performing the action associated with the precondition on the data packet if it is determined that the precondition exists for one or more of the plurality of fields and is a subset of conditions of the data packet;
receiving a second data packet having a plurality of fields; and
processing the second data packet by making an incremental change to the plurality of rules.

US Patent 10965647 (Application 16183069), claim 1:
1. A method for filtering data packets at a firewall system comprising:
receiving a data packet having a plurality of fields;
determining whether a precondition exists, and if it is determined that the precondition exists, determining whether the precondition evaluates to true for one or more of the plurality of fields, where an action is associated with the precondition;
performing the action associated with the precondition on the data packet if it is determined that the precondition exists and evaluates to true for one or more of the plurality of fields;
filtering one or more rules from a plurality of rules as a function of the precondition to create a subset of rules;
processing the data packet using the filtered plurality of rules if it is determined that the precondition exists for the one or more of the plurality of fields; and
processing the data packet using the unfiltered plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields.

Instant US Patent Application 16183178, claim 14:
14. A firewall system for filtering data packets comprising:
a first processor implemented in hardware configured to receive a data packet having a plurality of fields from a network interface;
a second processor configured to retrieve a precondition from a data memory device and to use the precondition to determine whether a precondition is a subset of conditions of the data packet by comparing the precondition to the one or more of the plurality of fields, where an action is associated the precondition;
a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists for one or more of the plurality of fields; and
a fourth processor configured to process the data packet using a plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields.

US Patent 10965647 (Application 16183069), claim 14:
14. A firewall system for filtering data packets comprising:
a first processor configured to receive a data packet having a plurality of fields from a network interface;
a second processor configured to retrieve a precondition from a data memory device and to determine whether the precondition exists, and if it is determined that the precondition exists, to use the precondition to determine whether the precondition evaluates to true for one or more of the plurality of fields by comparing the precondition to the one or more of the plurality of fields, where an action is associated with the precondition;
a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists and evaluates to true for one or more of the plurality of fields;
filtering one or more rules from a plurality of rules as a function of the precondition;
processing the data packet using the filtered plurality of rules if it is determined that the precondition exists for the one or more of the plurality of fields; and
a fourth processor configured to process the data packet using the unfiltered plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields.


Instant US Patent Application 16183178, claim 1:
1. A method for filtering data packets at a firewall system comprising:
receiving a data packet having a plurality of fields;
determining whether a precondition evaluates to true for one or more of the plurality of fields, where an action is associated the precondition;
performing the action associated with the precondition on the data packet if it is determined that the precondition exists for one or more of the plurality of fields and is a subset of conditions of the data packet;
receiving a second data packet having a plurality of fields; and
processing the second data packet by making an incremental change to the plurality of rules.

US Patent 11128602 (Application 16183125), claim 1:
1. A method for filtering data packets at a firewall system comprising:
receiving a data packet that is transmitted over a public network, the data packet having a plurality of fields at a data packet system;
determining whether a precondition evaluates to true for one or more of the plurality of fields, where an action is associated the precondition;
performing the action associated with the precondition on the data packet if it is determined that the precondition exists for one or more of the plurality of fields;
processing the data packet using a plurality of rules if it is determined that the precondition does not exist for the one or more of the plurality of fields;
identifying a user associated with the data packet;
determining whether one or more rules are stored in a cache for one or more of a plurality of groups associated with the user by comparing one or more data fields from the data packet with the one or more data fields of the cache, wherein the cache is separate from the data packet system;
processing the one or more rules stored in the cache to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups; and
processing the data packet using the one or more rules stored in the cache if present.

Instant US Patent Application 16183178, claim 14:
14. A firewall system for filtering data packets comprising:
a first processor implemented in hardware configured to receive a data packet having a plurality of fields from a network interface;
a second processor configured to retrieve a precondition from a data memory device and to use the precondition to determine whether a precondition is a subset of conditions of the data packet by comparing the precondition to the one or more of the plurality of fields, where an action is associated the precondition;
a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists for one or more of the plurality of fields; and
a fourth processor configured to process the data packet using a plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields.

US Patent 11128602 (Application 16183125), claim 14:
14. A firewall system for filtering data packets comprising:
a first processor configured to receive a data packet that is transmitted over a public network, the data packet having a plurality of fields from a network interface at a data packet system;
a second processor configured to retrieve a precondition from a data memory device and to use the precondition to determine whether a precondition evaluates to true for one or more of the plurality of fields by comparing the precondition to the one or more of the plurality of fields, where an action is associated the precondition;
a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists for one or more of the plurality of fields;
a fourth processor configured to process the data packet using a plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields; and
a fifth processor configured to determine whether one or more rules are stored in a cache for one or more of a plurality of groups associated with a user by comparing one or more data fields from the data packet with the one or more data fields of the cache and to process the data packet using the one or more rules stored in the cache if present, wherein the cache is separate from the data packet system, and to process the one or more rules stored in the cache to provide user group matching to identify one or more groups that are associated with the user that are not mentioned in a policy that are to be ignored, and wherein the cache is checked for one or more remaining groups.

First, the newly amended feature of a “subset of conditions of the data packet” is a non-substantive amendment that does not narrow the scope of the claim in any particular fashion (as explained in the § 103 rejection).  As this non-distinguishing limitation is the only feature of independent claim 14 of the instant application that is not recited in claim 14 of both related patents, claim 14 of the instant application is anticipated by claim 14 of both related patents.
Independent claim 1 also recites, in addition to the subset limitation supra, a limitation regarding incremental updates to the rules that is not recited in the related patents.  Although the incremental update and related aspects of this feature are not claimed in the related patents, that feature is obvious in view of the cited prior art of record.  In particular, Bharali discloses processing the second data packet by making an incremental change to the plurality of rules {para. 0027: “dynamic resolution of FQDN address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query”}.  
Because the incremental change to the rules has no association or effect on the remainder of the claim and is known in the art, i.e. the claim is merely arranging old elements with each performing the same function it had been known to perform and yields no more than one would expect from such an arrangement, KSR makes clear that the combination is obvious; See MPEP § 2141(I).
The Examiner notes that this rejection has been affirmed by PTAB in the decision mailed 2022-08-17.  If the next response does not: 1) include a Terminal Disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) to overcome the nonstatutory double patenting rejections, 2) amend the claims in such a manner as to traverse the obviousness rejection – without adding “new matter”, and/or 3) specifically point out deficiencies in the rejection that have not already been adjudicated, the response may be considered non-responsive; See MPEP § 714.03.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-20 are rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.  The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor at the time the application was filed, had possession of the claimed invention.
In particular, claim 1 recites the limitation “performing the action associated with the precondition on the data packet if it is determined that the precondition … is a subset of conditions of the data packet”, and the written description does not provide adequate support for this limitation, i.e. it is “new matter”.  The most relevant disclosure of the specification appears to be [0016], which states that “the precondition can be seen as a subset of the original condition”.  That is, the specification only provides support for the precondition being a subset of the original condition, not a subset of the conditions of the data packet.
Claim 14 shares a similar deficiency, but to a much larger extent.  That is, in addition to the deficiency of claim 1, claim 14 further recites that the determination of whether “the precondition … is a subset of conditions of the data packet” is performed using the precondition itself, which is not only also unsupported by the written description, but is just gibberish.  The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim 4 is rejected under 35 U.S.C. 112(a) as failing to comply with the written description requirement.  The claim contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor at the time the application was filed, had possession of the claimed invention.
In particular, claim 4 recites the limitation “wherein processing the second data packet by making the incremental change to the plurality of rules comprises … adding a small number of matching fields”, and the written description does not provide adequate support for this limitation as a whole, i.e. it is “new matter”.  The most relevant disclosure of the specification appears to be [0080], which states that “In a fourth example embodiment, adding or removing one or a small number of matching field values from the precondition may have an impact on the outcome of the rules”.  The deficiency in this disclosure is that while the specification provides support for adding/removing fields, the specification does not provide adequate written description for performing this addition of fields as an aspect of making an incremental change or processing a data packet.  Further, the Examiner recognizes that [0080] also discloses “examples of situations”, but, at best, the examples are situations where the addition of fields “may have an impact on the outcome”.  That is, there is also no disclosure as to what fields to add, how to select them, or even that the fields are added as part of those examples and/or what impact they would have.

Claims 1-13 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  Specifically, claim 1 recites the limitation “processing the second data packet by making an incremental change to the plurality of rules”, and there is insufficient antecedent basis for the limitation “the plurality of rules” in the claim.  Claims 2-9 are rejected under a similar rationale for additionally reciting the limitation.  The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim 5 is rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.  Specifically, claim 5 recites the limitation “to generate the precondition associated with the incremental change and a remaining condition”, and it is ambiguous as to whether the phrase “and a remaining condition” is modifying the prepositional phrase “to generate” or the verbal phrase “associated with”.


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 14-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter; specifically, it is directed towards software, per se.
Claims 14-20 are directed towards software, per se.  The United States Patent and Trademark Office (USPTO) is obliged to give claims their broadest reasonable interpretation consistent with the specification during proceedings before the USPTO.  See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989) (during patent examination the pending claims must be interpreted as broadly as their terms reasonably allow).  The broadest reasonable interpretation of a claim drawn to a plurality of processors typically covers forms of hardware, software per se, and combinations thereof in view of the ordinary and customary meaning of processor, particularly when the specification is silent; See MPEP 2111.01.  When the broadest reasonable interpretation of a claim covers software per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter, as software per se does not fall within at least one of the four categories of patent eligible subject matter recited in 35 U.S.C. 101 (process, machine, manufacture, or composition of matter).  Software is descriptive material that can be considered statutory ONLY if it is both functional and clearly embodied as structural, non-transitory matter; See MPEP § 2106.03(I).  Even if the software of claims 14-20 is functional, it is not clearly defined as being embodied as structural, non-transitory matter and is therefore not statutory.
The Examiner first recognizes that claim 14 has been amended to recite “a first processor implemented in hardware”; however, the Examiner does not find that this is sufficient to limit the claim to statutory subject matter.  In particular, the Examiner notes that the broadest reasonable interpretation of a processor “implemented in hardware”, does not require the hardware itself to be a required element of the processor or the claim as a whole.  That is, the limitation does not even narrow the scope of the “first processor” to hardware, as the claim merely recites where the processor is implemented, as opposed to claiming the hardware as part of the structure of the processor itself.  Note, for example, that software per se can be (and routinely is) implemented in hardware, such as by executing it on a machine, but executing software on a machine when the machine is not a positively required element of the claim does not make the software patent eligible.  To become patent eligible (or, more particularly, at least pass step 1 of the subject matter eligibility test, See MPEP § 2106(III)), the claim to software must include hardware that would limit the claim to a machine or manufacture.  Finally, applicant also clearly intends the limitation to add nothing that would render the claim patent eligible, as applicant has officially stated on the record that adding “implemented in hardware” to the claim was “non-substantive” (Remarks filed 2022-10-17, p. 8).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Guo et al. (US Pre-Grant Publication No. 20180013795-A1, hereinafter “Guo”).

With respect to independent claim 14, Guo discloses a firewall system for filtering data packets {para. 0042: “processing of incoming network packets to enable network protection devices, such as IPSs, IDSs, firewalls”} comprising:
a first processor implemented in hardware configured to receive a data packet having a plurality of fields from a network interface {paras. 0031, 0033, & 0051: “packet stream has been received” wherein the packets may be “IP version 4 (IPv4), IP version 6 (IPv6)”; note that the broadest reasonable interpretation of the first and subsequent processors encompass a single processor (whether software or hardware), and even if it didn’t, Guo notes that the invention may be carried out with “one or more processors”; that is, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Guo before him or her, to arrange the assignment of processors for performing the claim limitations so that each function has its own processor, and the suggestion and/or motivation for doing so would have been because it is merely a rearrangement of code assignment (parts) that does not affect the performance of the functions; See MPEP § 2144.04(VI)(C)}.
a second processor configured to retrieve a precondition from a data memory device and to use the precondition to determine whether a precondition is a subset of conditions of the data packet {para. 0066: “the two conditions” are each “relating to whether” a particular string “is present within the packet”, since there are multiple potential “conditions” (preconditions) (and other fields/data of the data packet unrelated to the two conditions), each condition is therefore a strict subset of the conditions of the packet (as well as a strict subset of rule conditions).  The Examiner further notes that determining whether a particular precondition is a subset of conditions is a mere description of an inherent property of sets, and thus does not add anything to the claims.  That is, ignoring that the phrase is not adequately described (¶12), if the precondition exists within the fields of the data packet (or within the original condition, as recited in the specification ([0016])), the precondition is, by definition of a mathematical set, a subset, regardless of whether the precondition (a set) comprises a strict subset (fewer elements than the set) of the set or all of the elements of the set} by comparing the precondition to the one or more of the plurality of fields, where an action is associated the precondition {para. 0066: “pre-match process 502 can be configured to look for two conditions, with the first condition relating to whether the string ‘Content-Type:’ is present within a packet”}.
a third processor configured to perform the action associated with the precondition on the data packet if it is determined by the second processor that the precondition exists for one or more of the plurality of fields {para. 0066: “correlation process 504 can report the example rule 400 as a candidate to CPMP processor 506, because both packets satisfy the two conditions”}.
a fourth processor configured to process the data packet using a plurality of rules if it is determined by the second processor that the precondition does not exist for the one or more of the plurality of fields {para. 0074: “If no match is found, jump to the default pointer”; the Examiner notes that this is assuming the claim limitation is of performing a default action, since the claimed act is contingent that the plurality of rules are not applicable – except a presumed default rule/action}.


Claims 1-3 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Guo et al. (US Pre-Grant Publication No. 20180013795-A1, hereinafter “Guo”) in view of Bharali et al. (US Pre-Grant Publication No. 20140150051-A1, hereinafter “Bharali”).

With respect to independent claim 1, Guo discloses a method for filtering data packets at a firewall system {para. 0042: “processing of incoming network packets to enable network protection devices, such as IPSs, IDSs, firewalls”} comprising:
receiving a data packet having a plurality of fields {paras. 0033 & 0051: “packet stream has been received” wherein the packets may be “IP version 4 (IPv4), IP version 6 (IPv6)”}.
determining whether a precondition evaluates to true for one or more of the plurality of fields, where an action is associated the precondition {para. 0066: “pre-match process 502 can be configured to look for two conditions, with the first condition relating to whether the string ‘Content-Type:’ is present within a packet”}.
performing the action associated with the precondition on the data packet if it is determined that the precondition exists for one or more of the plurality of fields {para. 0066: “correlation process 504 can report the example rule 400 as a candidate to CPMP processor 506, because both packets satisfy the two conditions”} and is a subset of conditions of the data packet {para. 0066: “the two conditions” are each “relating to whether” a particular string “is present within the packet”, since there are multiple potential “conditions” (preconditions) (and other fields/data of the data packet unrelated to the two conditions), each condition is therefore a strict subset of the conditions of the packet (as well as a strict subset of rule conditions).  The Examiner further notes that determining whether a particular precondition is a subset of conditions is a mere description of an inherent property of sets, and thus does not add anything to the claims.  That is, ignoring that the phrase is not adequately described (¶12), if the precondition exists within the fields of the data packet (or within the original condition, as recited in the specification ([0016])), the precondition is, by definition of a mathematical set, a subset, regardless of whether the precondition (a set) comprises a strict subset (fewer elements than the set) of the set or all of the elements of the set}.
receiving a second data packet having a plurality of fields {paras. 0033 & 0051: “packet stream has been received” wherein the packets may be “IP version 4 (IPv4), IP version 6 (IPv6)”}.
Although Guo teaches rule pre-match processing, Guo does not explicitly disclose that the rules may be incrementally updated; however, Bharali discloses:
processing the second data packet by making an incremental change to the plurality of rules {para. 0027: “dynamic resolution of FQDN address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query”}.

Guo and Bharali are analogous art because they are from the same field of endeavor or problem-solving area of firewall policy.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Guo and Bharali before him or her, to modify/develop the firewall rules of Guo’s system to utilize updating IP-address information corresponding to FQDNs in firewall rules.  The suggestion and/or motivation for doing so would have been because it is merely combining prior art elements according to known methods to yield predictable results, i.e. ensuring that the corresponding IP-address for an FQDN is updated whenever the address changes.  Therefore, it would have been obvious to combine the firewall rules in Guo’s system with updating IP-address information corresponding to FQDNs in firewall rules to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

With respect to dependent claim 2, Bharali discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises evaluating further IP address conditions associated with the incremental change {para. 0054: “periodic updater (e.g., the resolver function/component or another function/component) can check the status of each FQDN based entry used in each policy and re-fetch the resolved IP addresses before the TTL expires”}.

With respect to dependent claim 3, Bharali discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises identifying one or more of the plurality of IP address fields that are associated with a precondition associated with the incremental change {paras. 0029-0030: “the IP address information is periodically updated based on a Time To Live (TTL) value”}.

With respect to claims 15-16, a corresponding reasoning as given earlier in this section with respect to claims 2-3 applies, mutatis mutandis, to the subject matter of claims 15-16; therefore, claims 15-16 are rejected, for similar reasons, under the grounds as set forth for claims 2-3.


Claims 4-13 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Guo et al. (US Pre-Grant Publication No. 20180013795-A1, hereinafter “Guo”) in view of Bharali et al. (US Pre-Grant Publication No. 20140150051-A1, hereinafter “Bharali”) and Dong et al. (“Packet Classifiers In Ternary CAMs Can Be Smaller”, SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems, doi>10.1145/1140277.1140313, hereinafter “Dong”).

With respect to dependent claim 4, although Guo teaches firewall rules, Guo does not explicitly disclose that the rules require Boolean expressions; however, Dong discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises generating the precondition by processing a Boolean expression associated with the incremental change {pp. 311-312: “the protocol field clauses in Rules 1-3 of Table 1”} and adding a small number of matching fields {pp. 311-312 and 315: replacement of any wildcard field with a value and/or “Expanding rules”}.

Guo-Bharali and Dong are analogous art because they are from the same field of endeavor or problem-solving area of firewall rules.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Guo-Bharali and Dong before him or her, to modify/develop the firewall rules of Guo-Bharali’s system to utilize Boolean expressions and Boolean optimization.  The suggestion and/or motivation for doing so would have been because it is merely combining prior art elements according to known methods to yield predictable results, i.e. using traditional firewall rules that permit policy applicable to multiple fields as well as optimizing said policy.  Therefore, it would have been obvious to combine the firewall rules in Guo-Bharali’s system with Boolean expressions and Boolean optimization to obtain the invention as specified in the instant claim(s).  The Examiner notes that this motivation applies to all dependent and/or otherwise subsequently addressed claims.

With respect to dependent claim 5, Dong discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises applying a simplification algorithm to a feature-rich Boolean expression to generate the precondition associated with the incremental change and a remaining condition {pp. 315 & 318: “Trimming Rules” and “Merging Rules”, which includes rules with a “range specified by the rule field clause” (ranges are logical ORs of elements), and/or “Expanding Rules”}.

With respect to dependent claim 6, Dong discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises simplifying a Boolean expression that includes one OR operation in combination with two AND operations into two Boolean expressions {p. 315: “reduce the number of prefixes by merging two or more contiguous prefixes into a larger prefix”}.

With respect to dependent claim 7, Dong discloses wherein processing the second data packet by making the incremental change to the plurality of rules comprises simplifying a Boolean expression into two Boolean subexpressions that do not contain an OR operation {p. 315: “trimming, expanding, adding and merging rules” – any rules that are always true or false would effectively collapse other rules or itself, respectively}.

With respect to dependent claim 8, Guo and Dong disclose wherein processing the second data packet by making the incremental change to the plurality of rules comprises:
simplifying a Boolean expression associated with the incremental change {Dong, p. 315: “reduce the number of prefixes by merging two or more contiguous prefixes into a larger prefix”}.
evaluating whether one of the two Boolean subexpressions is always true {Dong, p. 315: “trimming, expanding, adding and merging rules” – any rules that are always true or false would effectively collapse other rules or itself, respectively}.
storing the Boolean subexpression as a precondition {Guo, para. 0066: “pre-match process 502 can be configured to look for two conditions, with the first condition relating to whether the string ‘Content-Type:’ is present within a packet”}.

With respect to dependent claim 9, Bharali and Dong disclose wherein processing the second data packet by making the incremental change to the plurality of rules comprises:
receiving filter parameters from a graphic user interface {Bharali, para. 0056: “When events are reported in user interface or reports and charts, the IP addresses can also be resolved to a domain or host/server name if available (e.g., based on a name resolution query)”}.
converting the filter parameters into a complex Boolean expression {Dong, p. 312: “Example rules in a packet classifier” include the rules expressed as complex Boolean expressions}.

With respect to dependent claim 10, Bharali and Dong disclose wherein processing the second data packet by making the incremental change to the plurality of rules comprises:
receiving a feature rich Boolean expression associated with the incremental change {Bharali, para. 0027: “dynamic resolution of FQDN address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query”}.
extracting the precondition from the feature rich Boolean expression {Dong, p. 313: “the packet classifier shown in the second column of Table 2”, the entries are one field of many of the packet classifier}.
storing a remaining condition {Dong, p. 312: “Example rules in a packet classifier”; the remainder of the rule must remain as part of the optimized field entries}.

With respect to dependent claim 11, Dong discloses processing the incremental change to provide optimized identification of matching conditions {p. 313: constructing a more efficient and optimized packet classifier “through an algorithmic sequence of operations which include trimming rules, expanding rules, merging rules, and sometimes even adding rules to meet the reduction objectives”}.

With respect to dependent claim 12, Dong discloses wherein the optimized identification of matching conditions comprises a shortcut to a matching condition based on a predetermined field value {pp. 311-312: “the protocol field clauses in Rules 1-3 of Table 1”; as all of the fields are a logical AND of the others; the Examiner provides Office Notice of short-circuit evaluation, aka minimal evaluation, aka McCarthy evaluation, and Examiner submits that, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to implement minimal evaluation when evaluating different fields, as it eliminates needless computation that is known not to have effect on the result}.

With respect to dependent claim 13, Dong discloses processing the remaining condition to provide optimized identification of matching conditions by:
identifying a path comprising a plurality of comparison nodes {pp. 311-312: “the protocol field clauses in Rules 1-3 of Table 1”; as all of the fields are a logical AND of the others, the “path” includes all of the protocol field clauses for each rule}.
identifying a path from a first node to a third node {pp. 311-312: “the protocol field clauses in Rules 1-3 of Table 1”; as all of the fields are a logical AND of the others; the Examiner provides Office Notice of short-circuit evaluation, aka minimal evaluation, aka McCarthy evaluation, and Examiner submits that, before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to implement minimal evaluation when evaluating different fields, as it eliminates needless computation that is known not to have effect on the result}.

With respect to claims 17-18, a corresponding reasoning as given earlier in this section with respect to claims 4-5 applies, mutatis mutandis, to the subject matter of claims 17-18; therefore, claims 17-18 are rejected, for similar reasons, under the grounds as set forth for claims 4-5.

With respect to dependent claim 19, Dong discloses wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean expressions that do not contain an OR operation {p. 315: “reduce the number of prefixes by merging two or more contiguous prefixes into a larger prefix”}.

With respect to dependent claim 20, Dong discloses wherein the second processor is configured to simplify a Boolean expression that includes at least one OR operation in combination with at least two AND operations into two Boolean subexpressions that do not contain an OR operation {p. 315: “reduce the number of prefixes by merging two or more contiguous prefixes into a larger prefix”} and then evaluating whether one or both of the two Boolean subexpressions is always true or always false for all possible values for one or more fields {p. 315: “trimming, expanding, adding and merging rules” – any rules that are always true or false would effectively collapse other rules or itself, respectively}.




Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kevin Bechtel whose telephone number is (571)270-5436. The examiner can normally be reached Monday - Friday, 09:00 - 17:00 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Kevin Bechtel/Primary Examiner, Art Unit 2491