DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Specification
Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because
The abstract is 159 words.  37 CFR 1.72 requires that the abstract may not exceed 150 words.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 11, 13, 18, 19, and 20 are rejected under 35 U.S.C. 102(a)(1) & 102(a)(2) as being anticipated by Zuo et al US PGPUB No. 20130254766.
Regarding Claim 11: A network interface comprising: 
circuitry to implement at least one of a flow table and a security database offload table; ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table and security data base can be implemented in virtual bridge of the physical NIC (network interface).)  and 
a memory to store a plurality of security offload entries in a flow table or a security database offload table, each respective security offload entry including information to identify or match a respective flow and location information. ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry (along with its entire information) from the database is to be identified or matched in the NIC cache with respect to the corresponding location information of the host security database (developed in the outgoing flow table and incoming flow table of the host).) 

Regarding Claim 13: The hardware network device of claim 11, further comprising circuitry to: 
receive, from the host, information identifying or to be used for matching a flow and location information to de-reference a location of a corresponding security entry for the flow in the host security database; ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon receiving from the host, information of the offload security entry can be used for matching or identifying a for de-referencing in the NIC cache with respect to the host security database because it shown by dashed lien there are correspondences between host flow table and NIC flow cache.) and 
cache a new security offload entry in one of the flow table or security database offload table on the network interface ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface) including the information identifying or to be used for matching the flow and the location information to de-reference a location of the corresponding security entry for the flow in the host security database. ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry from the database is to be de-referenced in the NIC cache with respect to the host security database (developed in the outgoing flow table and incoming flow table of the host).) 

Regarding Claim 18: The hardware network device of claim 11, further comprising circuitry to: 
cache the security offload entries in a security database offload table on the network interface; ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface)) and 
implement a flow table on the network interface, ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table can be implemented in virtual bridge of the physical NIC (network interface).) 
wherein the flow table and the security database offload table have different sizes. ([Zuo ¶0049] “As such, storing only a portion of flow tables 106C/106d in flow caches 112a/112b decreases the amount of memory needed to offload flow tables to physical NIC 110. Because outgoing flow cache 112a and incoming flow cache 112b may not include full flow state data a cache miss may occur when processing a packet at virtual bridge 112.” Therefore, the flow table implemented in incoming flow cache and outgoing flow cache of the virtual bridge of the NIC has different size that the security database offload table.)   

Regarding Claim 19: The hardware network device of claim 11, further comprising circuitry to: 
implement a flow table; ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table and security data base can be implemented in virtual bridge of the physical NIC (network interface).) and cache a plurality of security offload entries in the flow table. ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry (along with its entire information) from the database is to be identified or matched in the NIC cache with respect to the corresponding location information of the host security database (developed in the outgoing flow table and incoming flow table of the host).)   

Regarding Claim 20: A computer platform, comprising: 
a processor including a plurality of cores; ([Zuo ¶0021] “Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware. Such as, for example, one or more processors and system memory, as discussed in greater detail below.” Thus, a computer platform may have processors.) 
host memory, communicatively coupled to the processor, ([Zuo ¶0021 “Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware. Such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system.” Therefore, the computer platform has processors and system memory where computer-executable instructions and/or data structures are stored and accessed by computer system (through its processor))
one or more storage devices in which software instructions are stored; ([Zuo ¶0022] “Computer storage media (devices) includes RAM, ROM, EEPROM, CD-ROM, solid state drives (“SSDs) (e.g., based on RAM), Flash memory, phase-change memory (“PCM), other types of memory, other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer.” Therefore, multiple storage devices can be possible where the software instructions are stored.)  and 
a network interface, communicatively coupled to the processor via an input/output (I/O) link, ([Zuo ¶0029] “computer architecture 100 includes host 102, virtual machine 108, and physical NIC 110.” [Zuo ¶0032] “Physical NIC 110 comprises physical hardware that is capable of being virtualized and that is connected to other computer systems and/or networks using one or more external interfaces” Thus, the network interface (NIC) coupled with processor (host) connected to several networks.) the network interface including circuitry and one or more ports configured to enable the network interface to receive packets from one or more networks, ([Zuo ¶0008] “The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” [Zuo ¶0040] “In another example, a rule may specify that TCP packets sent to any destination with a specified port are subject to NAT.” Thus, NIC and its one or more ports are configured to receive network packets (say, TCP packet) from various networks.)
wherein the computer platform is configured, via execution of the software instructions on the processor and via the circuitry in the network interface, to, 
implement a host flow table in the host memory including a plurality of flow table entries; ([Zuo Fig. 1 ¶0042] “Along these lines, FIG. 1 depicts that virtual switch includes states 106 for virtual machine 108, which can include various types of states, such as the depicted outgoing rule set 106a, incoming rule set 106b, outgoing flow table 106c, and incoming flow table 106d.” Thus, the states of virtual switch in the host memory can have flow table (may be called as host flow table) containing the multiple flows depending on the rule sets.) 
implement a host security database in the host memory including a plurality of security entries; ([Zuo Fig 1 ¶0044] “If virtual switch 104 finds a matching rule, virtual switch 104 may also create a flow (or a pair of flows) in outgoing flow table 106c and/or incoming flow table 106d for use in processing Subsequent packets in the stream/context. For example, when the packet matches a rule in outgoing rule set 106a, virtual switch 104 may create a flow in outgoing flow table 106c and/or incoming flow table 106d (as depicted by the arrows connecting outgoing rule set 106a and the flow tables 106c. 106d). Alternatively, when the packet matches a rule in incoming rule set 106b, virtual switch 104 may create a flow in outgoing flow table 106c and/or incoming flow table 106d (as depicted by the arrows between incoming rule set 106b and the flow tables 106c, 106d). It will be appreciated that by creating flows in the opposite directions flow table, virtual switch may implement stateful firewalls.” Therefore, based on the outgoing and incoming matching rule sets of the state of the virtual switch controlling by the stateful firewalls, the outgoing and incoming flow tables are populated with multiple flows. In this way a database is created in the host where multiple entries of secured flows (based on matching rule and firewalls) are populated.) 
implement at least one of a flow table and a security database offload table on the network interface; ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table and corresponding security data base can be implemented in virtual bridge of the physical NIC (network interface).) 
cache a plurality of security offload entries in the flow table or the security database offload table on the network interface, ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface)) each respective security offload entry including information to identify or match a respective flow and location information to de-reference a location of a security entry associated with the respective flow in the host security database. ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry from the database is to be de-referenced in the NIC cache with respect to the host security database (developed in the outgoing flow table and incoming flow table of the host).) 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 5, 6, 7, 9, 10, 12, 14, 16, 17, 21, 23, 24, and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Zuo et al US PGPUB No. 20130254766 in view of Chilikin al US PGPUB No. 20190044866.

Regarding Claim 1: Zuo teaches a method comprising:
receiving a first packet at a network interface; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.) 
performing flow classification to identify a flow the first packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)   
matching a security offload entry associated with the flow; ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry (along with its entire information) from the database is to be identified or matched in the NIC cache with respect to the corresponding location information of the host security database related to the flow of traffic (developed in the outgoing flow table and incoming flow table of the host).) 
But Zuo fails to disclose:
marking a hardware descriptor with location information in the security offload entry.
However, Chilkin teaches:
marking a hardware descriptor with location information in the security offload entry. (([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic). [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2).)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).  

Regarding Claim 2: Zuo in view of Chilikin teaches the method of claim 1, Zuo teaches: further comprising caching a plurality of security offload entries in a flow table or a security database offload table on the network interface coupled to a host having host memory ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface)), each respective security offload entry including information to identify or match a respective flow in at least one of a flow table and security database in the host memory. ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry from the database is to be de-referenced in the NIC cache with respect to the host security database (developed in the outgoing flow table and incoming flow table of the host).) 

Regarding Claim 4: Zuo in view of Chilikin teaches the method of claim 2, Zuo teaches: further comprising: 
caching the security offload entries in a security database offload table on the network interface; ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface)) and 
implementing a flow table on the network interface. ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table can be implemented in virtual bridge of the physical NIC (network interface).)

Regarding Claim 5: Zuo in view of Chilikin teaches the method of claim 1, Zuo teaches further comprising:   
receiving, from the host, information identifying or to be used for matching a flow and location information to de-reference a location of a corresponding security entry for the flow in the host security database. ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon receiving from the host, information of the offload security entry can be used for matching or identifying a for de-referencing in the NIC cache with respect to the host security database because it shown by dashed lien there are correspondences between host flow table and NIC flow cache.)

Regarding Claim 6: Zuo in view of Chilikin teaches the method of claim 5, Zuo teaches further comprising caching a new security offload entry in one of the flow table or security database offload table on the network interface ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Thus, on offloading, the virtual bridge of the NIC facilitates to match the subsequent packet to a flow state in the appropriate flow cache in NIC (network interface)) including the information identifying or to be used for matching the flow and the location information to de-reference a location of the corresponding security entry for the flow in the host security database. ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry from the database is to be de-referenced in the NIC cache with respect to the host security database (developed in the outgoing flow table and incoming flow table of the host).) 

Regarding Claim 7: Zuo in view of Chilikin teaches the method of claim 6, but Zuo fails to disclose: wherein the security offload entry includes a flow identification (FlowID) field, an Action field, and a Value field in which a value comprising one of an offset value and an offset address from a base address at which the host security database is stored, and wherein the Action field identifies whether a hardware descriptor for a packet belonging to a flow matching the FlowID should be marked with the value in the Value field.
	However, Chilikin teaches:
wherein the security offload entry includes a flow identification (FlowID) field, an Action field, and a Value field in which a value comprising one of an offset value and an offset address from a base address at which the host security database is stored, and wherein the Action field identifies whether a hardware descriptor for a packet belonging to a flow matching the FlowID should be marked with the value in the Value field. ; ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” [Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator and it can be regarded as identification field of flow (say FlowID). This vector ID is nothing but associated with field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2). Also, from Fig. 5 we have seen that offload entry (Matching List) contains data value (Value filed) action instruction (Action field) in addition to the vector filed ID (it is nothing but Bit Mask of Fig. 4 and regarded as flow identification field or FlowID). As this filed identification vectors consisting of the input bits of the input set (shown as 404 in Fig. 4), the corresponding action filed may contain the information about data values of the metadata of the network packet (descriptor) upon any matching any rule set.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and providing a matching list containing an field vector ID as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set and using the vector ID as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and providing a matching list containing an field vector ID to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set and to facilitate vector US as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046).

Regarding Claim 9: Zuo in view of Chilikin teaches the method of claim 1, further comprising: 
receiving a second packet at an input port of the network hardware device; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.)
performing flow classification to identify a flow the second packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)  
determining there is not a matching entry for the flow that is identified in at least one of the flow table and the security database offload table on the network device; ([Zuo ¶0058] “Act 208 also includes, when the network packet does not match with a flow in the one or more flow tables, an act of the physical NIC passing the network packet to the host for processing against the one or more rule sets (act 214). For example, if the network packet does not match a flow in outgoing flow cache 112a or incoming flow cache 112b, virtual bridge 112 can send the packet to virtual switch 104 at host 102 for additional processing.” Therefore, matching entry for the flow between the flow table and security data base on the virtual bridge of the NIC cannot be found.) 
But Zuo fails to disclose:
generating a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs.
However, Chilikin teaches: 
generating a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs. ([Chilikin ¶0053] “In block 324, the NIC 120 determines whether a rule matched the input set. If not, the method 300 branches to block 326, in which the NIC 120 performs a default action on the received network packet data (e. g., enqueue at least a portion the received network packet into a default packet processing queue).” [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0040] “… the rule comparator 224 is configured to identify the matching list from a set of matching lists (e.g., based on the determined network packet type) and compare each rule of the matching list, in order, to the input set.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, when no rule matching is set, a default action of enqueuing some portion of received network packet into a default packet processing queue. However, the rule compressor can always generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator which is configured to compare each rule of matching list.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC even no matching found as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC even no matching found to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).

Regarding Claim 10: Zuo in view of Chilikin teaches the method of claim 9, Zuo teaches wherein the network hardware device includes a memory- mapped input-output (MMIO) address space ([Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” We have seen from Fig. 4 that the virtual bridge of the physical link contains outgoing flow cache and/or incoming flow cache which are corresponding to outgoing flow table 106c and incoming flow cache 112b. Also, the virtual switch of the host can offload flow states to the outgoing flow cache 112a and/or incoming flow cache 112b. Thus, we can consider virtual bridge in the physical NIC as a MMIO cache or address space.) further comprising: 
performing flow classification on the host to identify a flow the second packet belongs to ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets in the host when the network packet matches with the rule.)  
…
identifying an entry in the host security database corresponding to the flow; ([Zuo ¶0067] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch creating a flow in the one or more flow tables (act314). For example, after matching the network packet against a rule in one of outgoing rule set 106a or incoming rule set 106b, virtual switch can create one or more flows based on the rule in outgoing flow table 106c and/or incoming flow table 106d.” [Zuo ¶0068] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act316). For example, based on the matching rule, virtual switch 104 can offload the flow outgoing flow cache 112a and/or incoming flow cache 112b.” Therefore, we see that based on incoming and outgoing rule one or more flow table [may be considered as host security database] (106a and or 106b) is created inside the host and an identification is performed when based on the matching the network packet those flows are offloaded to the NIC flow cache (112a and/or 112b).)
writing, via the host to a memory location in the MMIO address, information identifying the flow and one of an offset value, an offset address from the base address, or a host memory address for the entry in the host security database. ([Zuo ¶0068] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act316). For example, based on the matching rule, virtual switch 104 can offload the flow outgoing flow cache 112a and/or incoming flow cache 112b.” [Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” Therefore, upon identifying the flow based on matching of the rule set virtual switch is offloading (writing) the flow to the NIC cache (which we can be considered as MMIO cache) and accordingly) which may include host memory address for the entry in the host flow table (may be considered as host security database) because Fig. 4 suggests that the flow tables and NIC cache are corresponding to each other (shown by dashed arrow).)  
But, Zuo fails to disclose:
…
or extracting information via the host to identifying the flow the second packet belongs to from the hardware descriptor; 
…
However, Chilkin teaches:
or extracting information via the host to identifying the flow the second packet belongs to from the hardware descriptor; ([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic). [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor or the metadata of the flow of any network packet which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2))
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine to the NIC Cache by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine to the NIC Cache further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044). 

Regarding Claim 12: Zuo teaches the hardware network device of claim 11, Zuo teaches further comprising circuitry to: 
receive a first packet at an input port of the network interface; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.)
perform flow classification to identify a flow the first packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)   
match a security offload entry cached on the network interface associated with the flow; ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry (along with its entire information) from the database is to be identified or matched in the NIC cache with respect to the corresponding location information of the host security database related to the flow of traffic (developed in the outgoing flow table and incoming flow table of the host).) 
But Zuo fails to disclose:
generate a hardware descriptor associated with the first packet; 
mark the hardware descriptor with the location information in the security offload entry that is matched.
However, Chilkin teaches:
generate a hardware descriptor associated with the first packet; ([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic.) 
mark the hardware descriptor with the location information in the security offload entry that is matched. ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2).)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).

Regarding Claim 14: Zuo teaches the hardware network device of claim 13, but Zuo fails to disclose: wherein the security offload entry includes a flow identification (FlowID) field, an Action field, and a Value field in which a value comprising one of an offset value, an offset address from a base address at which the host security database is stored, and wherein the Action field identifies whether a hardware descriptor for a packet belonging to a flow matching the FlowID should be marked with the value in the Value field.
	However, Chilikin teaches:
	wherein the security offload entry includes a flow identification (FlowID) field, an Action field, and a Value field in which a value comprising one of an offset value, an offset address from a base address at which the host security database is stored, and wherein the Action field identifies whether a hardware descriptor for a packet belonging to a flow matching the FlowID should be marked with the value in the Value field. ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” [Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator and it can be regarded as identification field of flow (say FlowID). This vector ID is nothing but associated with field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2). Also, from Fig. 5 we have seen that offload entry (Matching List) contains data value (Value filed) action instruction (Action field) in addition to the vector filed ID (it is nothing but Bit Mask of Fig. 4 and regarded as flow identification field or FlowID). As this filed identification vectors consisting of the input bits of the input set (shown as 404 in Fig. 4), the corresponding action filed may contain the information about data values of the metadata of the network packet (descriptor) upon any matching any rule set.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and providing a matching list containing an field vector ID as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set and using the vector ID as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and providing a matching list containing an field vector ID to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set and to facilitate vector US as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046).

Regarding Claim 16: Zuo teaches the hardware network device of claim 11, Zuo teaches further comprising circuitry to: 
receive a second packet at an input port of the network interface; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.)
perform flow classification to identify a flow the second packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)  
determine there is not a matching entry for the flow that is identified in at least one of the flow table and the security database offload table; ([Zuo ¶0058] “Act 208 also includes, when the network packet does not match with a flow in the one or more flow tables, an act of the physical NIC passing the network packet to the host for processing against the one or more rule sets (act 214). For example, if the network packet does not match a flow in outgoing flow cache 112a or incoming flow cache 112b, virtual bridge 112 can send the packet to virtual switch 104 at host 102 for additional processing.” Therefore, matching entry for the flow between the flow table and security data base on the virtual bridge of the NIC cannot be found.) 
But Zuo fails to disclose:
 generate a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs.
However, Chilikin teaches:
generate a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs. ([Chilikin ¶0053] “In block 324, the NIC 120 determines whether a rule matched the input set. If not, the method 300 branches to block 326, in which the NIC 120 performs a default action on the received network packet data (e. g., enqueue at least a portion the received network packet into a default packet processing queue).” [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0040] “… the rule comparator 224 is configured to identify the matching list from a set of matching lists (e.g., based on the determined network packet type) and compare each rule of the matching list, in order, to the input set.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, when no rule matching is set, a default action of enqueuing some portion of received network packet into a default packet processing queue. However, the rule compressor can always generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator which is configured to compare each rule of matching list.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC even no matching found as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).

Regarding Claim 17: Zuo in view of Chilikin teaches the hardware network device of claim 16, wherein the network interface includes a memory-mapped input-output (MMIO) address space, ([Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” We have seen from Fig. 4 that the virtual bridge of the physical link contains outgoing flow cache and/or incoming flow cache which are corresponding to outgoing flow table 106c and incoming flow cache 112b. Also, the virtual switch of the host can offload flow states to the outgoing flow cache 112a and/or incoming flow cache 112b. Thus, we can consider virtual bridge in the physical NIC as a MMIO cache or address space.) further comprising circuitry to: 
receive, at a memory location in the MMIO address space, information derived from a security entry in the host security database identifying or to be used for matching a flow to which the second packet belongs and location information to de-reference a location of the security entry in the host security database. ([Zuo ¶0067] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch creating a flow in the one or more flow tables (act314). For example, after matching the network packet against a rule in one of outgoing rule set 106a or incoming rule set 106b, virtual switch can create one or more flows based on the rule in outgoing flow table 106c and/or incoming flow table 106d.” [Zuo ¶0068] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act316). For example, based on the matching rule, virtual switch 104 can offload the flow outgoing flow cache 112a and/or incoming flow cache 112b.” [Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” Therefore, we see that based on incoming and outgoing rule one or more flow table [may be considered as host security database] (106a and or 106b) is created inside the host and an identification (locating) is performed when based on the matching the network packet those flows are offloaded to the NIC flow cache (112a and/or 112b).)

Regarding Claim 21: Zuo teaches the computer platform of claim 20, Zuo teaches wherein the circuitry in the interface is further configured to: 
receive a first packet at an input port of the network interface; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.)
perform flow classification to identify a flow the first packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)  
match a security offload entry cached on the network interface associated with the flow; ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache and since there are correspondences (shown by dashed arrows) between host flow table and NIC flow cache, the offloading security entry (along with its entire information) from the database is to be identified or matched in the NIC cache with respect to the corresponding location information of the host security database related to the flow of traffic (developed in the outgoing flow table and incoming flow table of the host).)
But Zuo fails to disclose:
generate a hardware descriptor associated with the first packet; 
mark the hardware descriptor with the location information in the security offload entry that is matched; and 
write the hardware descriptor to a ring buffer in the host memory.
However, Chilkin teaches:
generate a hardware descriptor associated with the first packet; ([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic.) 
mark the hardware descriptor with the location information in the security offload entry that is matched; ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2).)
write the hardware descriptor to a ring buffer in the host memory. ([Chilikin ¶0064] “Example 9 includes the subject matter of any of Examples 1 - 8, and wherein to insert the identifier into the metadata associated with the received network packet comprises to insert the identifier into a descriptor associated with the received network packet.” [Chilikin ¶0024] “… the communication circuitry 118 may include specialized circuitry, hardware, or combination thereof to perform pipeline logic (e.g., hardware algorithms) for performing the functions described herein, including processing network packets (e .g ., parse received network packets, determine destination computing devices for each received network packets , forward the network packets to a particular buffer queue of a respective host buffer of the destination compute device 106 , etc. ), performing computational functions , etc.” [Chilikin ¶0024] “For example, the actionable instruction may indicate that the NIC 120 is to include the rule identifier into metadata (e. g., the header of the network packet, a field in a descriptor associated with network packet, etc.), insert the received network packet into a particular processing queue (e. g., based on a flow / workload / etc.) to which the received network packet corresponds, etc.” Therefore, the descriptor or metadata of the network packet is inserted into a particular queue of a given host buffer of a any destination device with the help of actionable instruction linked with NIC.) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and inserting the descriptor in a host buffer as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set and serving a respective descriptor with a unique identifier to facilitate a matching rule. (Chilikin ¶0042, ¶0044, and ¶0041) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC even no matching found to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set and facilitating matching rule by descriptor with a unique key. (Chilikin ¶0042 ¶0044).

Regarding Claim 23: Zuo teaches the computer platform of claim 20, Zuo teaches wherein the circuitry in the interface is further configured to: 
receive a second packet at an input port of the network interface; ([Zuo ¶0019] “The method also includes a physical NIC maintaining one or more flow tables for the virtual machine. The physical NIC receives a network packet associated with the virtual machine, and processes the network packet for the virtual machine.” Thus, the network interface (NIC) receives a packet.)
perform flow classification to identify a flow the second packet belongs to; ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets when the network packet matches with the rule.)  
determine there is not a matching entry for the flow that is identified in at least one of the flow table and the security database offload table; ([Zuo ¶0058] “Act 208 also includes, when the network packet does not match with a flow in the one or more flow tables, an act of the physical NIC passing the network packet to the host for processing against the one or more rule sets (act 214). For example, if the network packet does not match a flow in outgoing flow cache 112a or incoming flow cache 112b, virtual bridge 112 can send the packet to virtual switch 104 at host 102 for additional processing.” Therefore, matching entry for the flow between the flow table and security data base on the virtual bridge of the NIC cannot be found.)  
But Zuo fails to disclose:
generate a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs.
However, Chilikin teaches:
generate a hardware descriptor associated with the second packet containing indicia indicating there was not a matching entry for the flow to which the second packet belongs. ([Chilikin ¶0053] “In block 324, the NIC 120 determines whether a rule matched the input set. If not, the method 300 branches to block 326, in which the NIC 120 performs a default action on the received network packet data (e. g., enqueue at least a portion the received network packet into a default packet processing queue).” [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0040] “… the rule comparator 224 is configured to identify the matching list from a set of matching lists (e.g., based on the determined network packet type) and compare each rule of the matching list, in order, to the input set.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, when no rule matching is set, a default action of enqueuing some portion of received network packet into a default packet processing queue. However, the rule compressor can always generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator which is configured to compare each rule of matching list.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC even no matching found as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).

Regarding Claim 24: Zuo in view of Chilikin teaches the computer platform of claim 23, Zuo teaches wherein the network interface includes a memory-mapped input-output (MMIO) address space, ([Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” We have seen from Fig. 4 that the virtual bridge of the physical link contains outgoing flow cache and/or incoming flow cache which are corresponding to outgoing flow table 106c and incoming flow cache 112b. Also, the virtual switch of the host can offload flow states to the outgoing flow cache 112a and/or incoming flow cache 112b. Thus, we can consider virtual bridge in the physical NIC as a MMIO cache or address space.)  and wherein execution of the instructions on the host processor enable the computer platform to:  
perform flow classification on the host to identify a flow the second packet belongs to ([Zuo ¶0019] “Processing the network packet includes the physical NIC comparing the network packet with the one or more flow tables. When the network packet matches with a flow in the one or more flow tables, the physical NIC performs an action on the network packet based on the matching flow.” [Zuo ¶0020] “Processing the network packet includes the virtual switch receiving the network packet from one of the virtual machine or the physical NIC, and the virtual Switch matching the network packet with a rule in the one or more rule sets. Based on matching the network packet with the rule, the virtual switch creates a flow in the one or more flow tables and offloads the flow to the physical NIC.” Thus, a flow classification to the network packet is performed by matching its flow with other flows in flow table or by using some rule sets in the host when the network packet matches with the rule.)  
…
locate a security entry in the host security database corresponding to the flow; identifying an entry in the host security database corresponding to the flow; ([Zuo ¶0067] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch creating a flow in the one or more flow tables (act314). For example, after matching the network packet against a rule in one of outgoing rule set 106a or incoming rule set 106b, virtual switch can create one or more flows based on the rule in outgoing flow table 106c and/or incoming flow table 106d.” [Zuo ¶0068] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act316). For example, based on the matching rule, virtual switch 104 can offload the flow outgoing flow cache 112a and/or incoming flow cache 112b.” Therefore, we see that based on incoming and outgoing rule one or more flow table [may be considered as host security database] (106a and or 106b) is created inside the host and an identification (locating) is performed when based on the matching the network packet those flows are offloaded to the NIC flow cache (112a and/or 112b).)
 write, to a memory location in the MMIO address space, information identifying or to be used for matching the flow to which the second packet belongs and location information to de-reference a location of the security entry in the host security database. ([Zuo ¶0068] “Act 308 also includes, based on matching the network packet with the rule, an act of the virtual switch offloading the flow to the physical NIC (act316). For example, based on the matching rule, virtual switch 104 can offload the flow outgoing flow cache 112a and/or incoming flow cache 112b.” [Zuo Fig. 4, ¶0045, “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b.” Therefore, upon identifying the flow based on matching of the rule set virtual switch is offloading (writing) the flow to the NIC cache (which we can be considered as MMIO cache) and accordingly) which may include host memory address for the entry in the host flow table (may be considered as host security database) because Fig. 4 suggests that the flow tables and NIC cache are corresponding to each other (shown by dashed arrow).)
But Zuo fails to disclose:
or extract information from the hardware descriptor to identifying the flow the second packet belongs to;
…
However, Chilkin teaches:
or extract information from the hardware descriptor to identifying the flow the second packet belongs to ([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic). [Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor or the metadata of the flow of any network packet which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2))
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine to the NIC Cache by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine to the NIC Cache further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044). 

Regarding Claim 25: Zuo in view of Chilikin teaches the computer platform of claim 23, Zuo teaches wherein the circuitry in the interface is further configured to: 
implement a flow table; ([Zuo Fig. 1 ¶0045] “Virtual switch 104 can also offload flow state(s) to outgoing flow cache 112a and/or incoming flow cache 112b at virtual bridge 112 of physical NIC 110, as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. … virtual Switch 104 may send one or more requests over data path 118 to physical NIC 100 requesting creation of flows at flow caches 112a, 112b.” As the flow states of the outgoing flow table is offloaded to the outgoing flow cache in the NIC and flow states of the incoming flow table is offloaded to the incoming flow cache in the NIC, inside the incoming and outgoing cache, a flow table and security data base can be implemented in virtual bridge of the physical NIC (network interface).)  and 
cache a plurality of security offload entries in the flow table. ([Zuo Fig. 1 ¶0045] “In some circumstances, offloading flow state to physical NIC 110 enables virtual bridge 112 to perform packet processing apart from virtual switch 104, thereby reducing processor usage at host 102. For example, Subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” ([Zuo Fig. 1 ¶0045] “… as depicted by the dashed arrow between outgoing flow table 106c and outgoing flow cache 112a and the dashed arrow between incoming flow table 106d and incoming flow cache 112b. For example, subsequent to a flow being offloaded to physical NIC 110, physical NIC 110 may receive a subsequent packet of the same stream (e.g., from virtual machine 108 over data path 114 or from another computer system over external interface 126). In this circumstance, virtual bridge 112 can match the Subsequent packet to a flow state in the appropriate flow cache 112a, 112b, and perform the action defined in the flow itself, without first sending the packet to virtual switch 104.” Therefore, as there is a correspondence (shown by dashed arrows) between host table and the NIC flow cache, upon offloading the offload security entry of a given flow is cached (stored in a memory) to the NIC flow cache.)

Claims 3, 22, 26, 27 and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Zuo et al US PGPUB No. 20130254766 in view of Chilikin et al US PGPUB No. 20190044866 and further in view of Gearhart et al US PGPUB No. 20130219171.
 
Regarding Claim 3: Zuo in in view of Chilikin teaches the method of claim 2, but Zuo fails to disclose: wherein the host includes a host security database and each security entry in the host security database includes a Security Association (SA) context, further comprising:
processing the hardware descriptor via execution of software on the host, the processing of the hardware descriptor including, 
extracting the location information of the hardware descriptor; 
using the location information to de-reference an index of a security entry in the host security database; and 
applying the SA context in that security entry to the first packet.
	However, Chilikin teaches: 
	… 
processing the hardware descriptor via execution of software on the host, the processing of the hardware descriptor including, ([Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” The rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic).)
extracting the location information of the hardware descriptor; ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2))
using the location information to de-reference an index of a security entry in the host security database; ([Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Thus, the location information given by the rule compressor or the descriptor obtained from the rule comparator are used to create a matching list (Fig. 5) which can be considered as host security data base and the location information can be used to locate security entry in the matching list (host security database).)
… 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).
	But Zuo in view of Chilikin fails to disclose:
	wherein the host includes a host security database and each security entry in the host security database includes a Security Association (SA) context, further comprising: 
	…
applying the SA context in that security entry to the first packet.
However, Gearhart teaches: 
wherein the host includes a host security database and each security entry in the host security database includes a Security Association (SA) context, ([Gearhart Fig. 1 ¶0024] “In one embodiment, networking software 103' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol Such as the IPsec protocol.” Therefore, it has been that the networking software includes security association.) further comprising:
 …
applying the SA context in that security entry to the first packet. ([Gearhart ¶0020] “Security Association (SA) information is a set of security information that describes a particular type of secure connection between two devices. The SA information includes the particular security mechanisms that two devices may employ to securely communicate with one another.” [Gearhart Fig. 1 ¶0024] “In one embodiment, networking software 103' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol Such as the IPsec protocol. … In one embodiment, the TCP/IP stack 184 in the host IHS 103 sends IP data packets to an external security offload device 104. The SA policy rules of the network software 183' in the operating system 181' of the host IHS 103 determine the rules governing encapsulation of packets using IPsec. The network software 183' implementing the TCP/IP stack 184 chooses the appropriate IPsec SA to use for encapsulating the data packet.” Thus, SA policy rules can be can be applied where the context or policy rules may be defined (“governed”) for security entry of the packet like the IP data packets sent by the TCP/IP stack to an external security offload device (Fig. 1) where packets are encapsulated by using IPsec because of the SA policy used by the networking software.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location by enhancing Zuo in view of Chilikin’s system by applying the security context information to the networking software as taught by Gearhart for describing a particular security mechanism so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)  
The motivation is to improve Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location further by applying the security context information to the networking software so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)

Regarding Claim 22: Zuo in in view of Chilikin teaches the computer platform of claim 21, but Zuo fails to teach: wherein each entry in the host security database includes a Security Association (SA) context, wherein execution of the instructions on the host processor enable the computer platform to: 
extract the location information in the hardware descriptor; 
use the location information to de-reference an index of a security entry in the host security database; and 
applying the SA context in that security entry to the first packet.
However, Chilikin teaches: 
	… 
	wherein execution of the instructions on the host processor enable the computer platform to (([Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” The rule comparator controlled by host processor takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic).)
extract the location information in the hardware descriptor; ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2))
use the location information to de-reference an index of a security entry in the host security database ([Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Thus, the location information given by the rule compressor or the descriptor obtained from the rule comparator are used to create a matching list (Fig. 5) which can be considered as host security data base and the location information can be used to locate security entry in the matching list (host security database).);
… 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).
But Zuo in view of Chilikin fails to disclose:
wherein each entry in the host security database includes a Security Association (SA) context 
…
applying the SA context in that security entry to the first packet.
However, Gearhart teaches:
wherein each entry in the host security database includes a Security Association (SA) context ([Gearhart Fig. 1 ¶0024] “In one embodiment, networking software 103' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol Such as the IPsec protocol.” Therefore, it has been that the networking software includes security association.)
applying the SA context in that security entry to the first packet. ([Gearhart ¶0020] “Security Association (SA) information is a set of security information that describes a particular type of secure connection between two devices. The SA information includes the particular security mechanisms that two devices may employ to securely communicate with one another.” [Gearhart Fig. 1 ¶0024] “In one embodiment, networking software 103' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol Such as the IPsec protocol. … In one embodiment, the TCP/IP stack 184 in the host IHS 103 sends IP data packets to an external security offload device 104. The SA policy rules of the network software 183' in the operating system 181' of the host IHS 103 determine the rules governing encapsulation of packets using IPsec. The network software 183' implementing the TCP/IP stack 184 chooses the appropriate IPsec SA to use for encapsulating the data packet.” Thus, SA policy rules can be can be applied where the context or policy rules may be defined (“governed”) for security entry of the packet like the IP data packets sent by the TCP/IP stack to an external security offload device (Fig. 1) where packets are encapsulated by using IPsec because of the SA policy used by the networking software.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location by enhancing Zuo in view of Chilikin’s system by applying the security context information to the networking software as taught by Gearhart for describing a particular security mechanism so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)  
The motivation is to improve Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location further by applying the security context information to the networking software so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)

Regarding Claim 26: Zuo teaches a non-transitory machine-readable medium having instructions stored thereon configured to be executed by a processor in a host platform including host memory ([Zuo ¶0021 “Embodiments of the present invention may comprise or utilize a special purpose or general-purpose computer including computer hardware. Such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments within the scope of the present invention also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer system.” Therefore, the computer platform has processors and computer readable media where computer-executable instructions and/or data structures are stored and accessed by computer system (through its processor)) and a network interface ([Zuo ¶0029] “computer architecture 100 includes host 102, virtual machine 108, and physical NIC 110.” [Zuo ¶0032] “Physical NIC 110 comprises physical hardware that is capable of being virtualized and that is connected to other computer systems and/or networks using one or more external interfaces” Thus, the network interface (NIC) is also coupled with other hardware of the computer system.) to enable the host platform to: 
implement a host security database in the host memory including a plurality of security entries; ([Zuo Fig 1 ¶0044] “If virtual switch 104 finds a matching rule, virtual switch 104 may also create a flow (or a pair of flows) in outgoing flow table 106c and/or incoming flow table 106d for use in processing Subsequent packets in the stream/context. For example, when the packet matches a rule in outgoing rule set 106a, virtual switch 104 may create a flow in outgoing flow table 106c and/or incoming flow table 106d (as depicted by the arrows connecting outgoing rule set 106a and the flow tables 106c. 106d). Alternatively, when the packet matches a rule in incoming rule set 106b, virtual switch 104 may create a flow in outgoing flow table 106c and/or incoming flow table 106d (as depicted by the arrows between incoming rule set 106b and the flow tables 106c, 106d). It will be appreciated that by creating flows in the opposite directions flow table, virtual switch may implement stateful firewalls.” Therefore, based on the outgoing and incoming matching rule sets of the state of the virtual switch controlling by the stateful firewalls, the outgoing and incoming flow tables are populated with multiple flows. In this way a database is created in the host where multiple entries of secured flows (based on matching rule and firewalls) are populated.)
But Zuo fails to disclose:
read a hardware descriptor posted to the host memory by the network interface, the hardware descriptor associated with a packet received at the network interface; 
extract location information from the hardware descriptor; 
use the location information to locate a security entry in the host security database; and 
apply a Security Association (SA) context defined by the security entry to the packet.
However, Chilikin teaches:
read a hardware descriptor posted to the host memory by the network interface, the hardware descriptor associated with a packet received at the network interface; ([Chilikin Fig. 2 ¶0032] “… in some embodiments, one or more of the components of the environment 200 may be embodied as virtualized hardware components or emulated architecture, which may be established and maintained by the NIC 120,” [Chilikin Fig. 2 ¶0035] “The network traffic ingress/egress manager 208 is additionally configured to classify the received network traffic based on rules associated with a given matching list. To do so, as noted previously, the illustrative network traffic ingress/egress manager 208 includes the field vector generator 210 and the flow director 220. The illustrative field vector generator 210 includes a packet type determiner 212, a packet parser 214, and a field vector populator 216.” [Chilikin ¶0041] “… the rule comparator 224 is configured to take an action based on a matched rule, or more particularly based on an actionable instruction associated with the matched rule. For example, one such action may include setting metadata of the network packet or a respective descriptor field with a unique identifier of a matching rule or index of the matched rule relative to the matching set.” Thus, when network traffic ingress/egress manager of the NIC inside the host (Destination compute device) receives a network traffic, the rule comparator takes an action based on matched rule which set the metadata of the network packet or the respective descriptor (it may correspond to descriptor of a hardware which is responsible for network traffic).)
extract location information from the hardware descriptor; ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” Thus, the rule compressor can generate an input set as bit mask (see Fig. 4) which can be used for extracting location information from the descriptor which is set up based on rule comparator. The field vectors corresponding to the network traffic generated by descriptor is configured by the field vector populator (Fig. 2))
use the location information to locate a security entry in the host security database; ([Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Thus, the location information given by the rule compressor or the descriptor obtained from the rule comparator are used to create a matching list (Fig. 5) which can be considered as host security data base and the location information can be used to locate security entry in the matching list (host security database).) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set. (Chilikin ¶0042 ¶0044) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set. (Chilikin ¶0042 ¶0044).
But Zuo in view of Chilikin falis to disclose:
apply a Security Association (SA) context defined by the security entry to the packet.
However, Gearhart teaches:
apply a Security Association (SA) context defined by the security entry to the packet. ([Gearhart ¶0020] “Security Association (SA) information is a set of security information that describes a particular type of secure connection between two devices. The SA information includes the particular security mechanisms that two devices may employ to securely communicate with one another.” [Gearhart Fig. 1 ¶0024] “In one embodiment, networking software 103' includes SA policy rules that govern the encapsulation of IP data packets using a security protocol Such as the IPsec protocol. … In one embodiment, the TCP/IP stack 184 in the host IHS 103 sends IP data packets to an external security offload device 104. The SA policy rules of the network software 183' in the operating system 181' of the host IHS 103 determine the rules governing encapsulation of packets using IPsec. The network software 183' implementing the TCP/IP stack 184 chooses the appropriate IPsec SA to use for encapsulating the data packet.” Thus, SA policy rules can be can be applied where the context or policy rules may be defined (“governed”) for security entry of the packet like the IP data packets sent by the TCP/IP stack to an external security offload device (Fig. 1) where packets are encapsulated by using IPsec because of the SA policy used by the networking software.)
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location by enhancing Zuo in view of Chilikin’s system by applying the security context information to the networking software as taught by Gearhart for describing a particular security mechanism so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)  
The motivation is to improve Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location further by applying the security context information to the networking software so that two devices securely communicate with each other like using tunneling, choice of cryptographic algorithms for authentication, the cryptographic keys for these algorithm, etc. (Gearhart ¶0020 ¶0023)

Regarding Claim 27: Zuo in view of Chilikin and further in view of Gearhart teaches the non-transitory machine-readable medium of claim 26, Zuo teaches wherein the instructions comprise instructions for one or more operating system components. ([Zuo ¶0030] “Host 102 provides a virtualization environment. For example, host 102 may include a parent partition (which executes a host operating system) and one or more child partitions. Each child partition can be viewed as providing a virtualized hardware environment for executing a corresponding virtual machine. Such as virtual machine 108.” [Zuo ¶0031] “Each virtual machine (including virtual machine 108) executes one or more virtualized applications, such as an operating system, application Software, etc.” Thus, we can say that instructions (applications) are able to run on one or more operating systems (including virtualized environment.)

Regarding Claim 28: Zuo in view of Chilikin and further in view of Gearhart teaches a non-transitory machine-readable medium of claim 26, but Zuo fails to teach: wherein the location information comprises an offset value, and wherein execution of the instructions enables the host platform to determine an index in the host security database for the security entry using the offset value.
	However Chilikin teaches:
wherein the location information comprises an offset value, and wherein execution of the instructions enables the host platform to determine an index in the host security database for the security entry using the offset value.  ([Chilikin ¶0015] “For example, the NIC 120 may extract the data from one or more header fields of the received network packet, as well as at certain offsets in the payload of the received network packet. The NIC 120 is further configured to parse at least a portion of the received network packet to extract the indicated data and insert each extracted data into a corresponding portion of a field vector” ([Chilikin Fig. 2 ¶0038] “The field vector populator 216 is configured to populate a field vector corresponding to the received network packet.” [Chilikin Fig 4 ¶0042] “The rule compressor 226 is configured to compress each of the rules of the matching lists. To do so, the rule compressor 226 may be configured to compress the rules at bit - level. As illustratively shown in FIG. 4, the field vector 400 has 64 fields 402. It should be appreciated that, typically, only a subset of the fields 402 can be used as an input set. As illustratively shown, the fields 402 having an index of 7, 11, 15, 16, 20, 21, and 38 have been populated. As illustratively shown in FIG. 4, the input set 406 is embodied as a bit mask having seven bits set with the following value: Ox02118c0002000000.” [Chilikin Fig. 5 ¶0043] “An illustrative set of rules 504 of a matching list 502 of a set of matching lists 500 is shown in FIG. 5. For example, assuming matching data on a first rule 504 (e. g., Ox0000000002000000), the compressed input set will be represented as Ox000001” Therefore in case of certain offset the payload of the received network packet is parsed by the NIC and NIC extracts data and insert each extracted data in corresponding portion of a field vector. The field vector populator and rule compressor together creates descriptors containing the metadata of the wave packet. Then a matching table (database) (Fig. 5) can be produced based on the descriptors where Vector Field ID can be regarded as an index.) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by identifying the descriptor fields corresponding to the network packet and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC in case of offsetting the received payload of network packets and providing a matching list containing an field vector ID as taught by Chilikin which reducing the operating power of NIC by using subset of field vectors corresponding to the location information of the descriptor corresponding to an network traffic generated by the rule compressor as an input set and using the vector ID as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046) 
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by identifying the descriptor fields corresponding to the network packet in case of offsetting the received payload of network packets and extracting the location information of from the descriptor with help of network traffic ingress/egress manager of NIC and providing a matching list containing an field vector ID to reduce the operating power of NIC where subset of field vectors corresponding to the location information of the descriptor is used as input set and to facilitate vector US as lookup purpose. (Chilikin ¶0042 ¶0044 and ¶0046).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zuo et al US PGPUB No. 20130254766 in view of Chilikin et al US PGPUB No. 20190044866 and further in view of Klingauf et al US PGPUB No. 20180349291.

Regarding Claim 8: Zuo in view of Chilikin teaches the method of claim 6, Zuo teaches further comprising: 
employing a cache eviction policy to determine an existing security offload entry to evict from one of the flow table or security database offload table on the network interface; ([Zuo ¶0049] “Because outgoing flow cache 112a and incoming flow cache 112a may not include full flow state data a cache miss may occur when processing a packet at virtual bridge 112. When a cache miss occurs, virtual bridge 112 forwards the packet to virtual switch 104 for additional processing. One will appreciate that different kinds of cache replacement/freshness policies may be employed.” So, when a cache miss is occurred, replacement/freshness policies may be employed.)
But Zuo in view of Chilikin fails to disclose:
evicting the security offload entry that is determined;
replacing the security offload entry that is evicted with the new security offload entry.
However, Klingauf teaches:
evicting the security offload entry that is determined ([Klingauf ¶0003] “The cache misses cause accesses to lower - level memory to retrieve the requested data in addition to evicting data to create storage for the retrieved data.” Thus, a data (security offload entry) in the cache flow table can be evicted determined by the cache miss for creating a storage for another data.) 
replacing the security offload entry that is evicted with the new security offload entry. ([Klingauf ¶0038] “… then a cache replacement policy, such as a Least Recently Used (LRU) algorithm, determines which way within the set is to have its data evicted and replaced by the cache fill line data.” Therefore, the cache replacement policy can decide data (security offload entry) is evicted and replaced by using LRU algorithm and cache fill line data mechanism.) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location by enhancing Zuo in view of Chilikin’s system by evicting and replacing any data during cache miss based on the cache replacement policy as taught by Klingauf for efficiently allocating data in a cache. (Klingauf ¶0006)  
The motivation is to improve Zuo in view of Chilikin’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) and identifying the descriptors of the network traffic with extraction of their location further by evicting and replacing any data during cache miss based on the cache replacement policy to efficiently allocate data in a cache. (Klingauf ¶0006)

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Zuo et al US PGPUB No. 20130254766 and in view of Klingauf et al US PGPUB No. 20180349291.
Regarding Claim 15: Zuo teaches the hardware network device of claim 13, Zuo teaches further comprising circuitry to: 
employ a cache eviction policy to determine an existing security offload entry to evict from one of the flow table or security database offload table on the interface; ([Zuo ¶0049] “Because outgoing flow cache 112a and incoming flow cache 112a may not include full flow state data a cache miss may occur when processing a packet at virtual bridge 112. When a cache miss occurs, virtual bridge 112 forwards the packet to virtual switch 104 for additional processing. One will appreciate that different kinds of cache replacement/freshness policies may be employed.” So, when a cache miss is occurred, replacement/freshness policies may be employed.)
But Zuo in view of fails to disclose:
evict the security offload entry that is determined; and 
replace the security offload entry that is evicted with the new security offload entry.
However, Klingauf teaches:
evict the security offload entry that is determined; ([Klingauf ¶0003] “The cache misses cause accesses to lower - level memory to retrieve the requested data in addition to evicting data to create storage for the retrieved data.” Thus, a data (security offload entry) in the cache flow table can be evicted determined by the cache miss for creating a storage for another data.) 
replace the security offload entry that is evicted with the new security offload entry. ([Klingauf ¶0038] “… then a cache replacement policy, such as a Least Recently Used (LRU) algorithm, determines which way within the set is to have its data evicted and replaced by the cache fill line data.” Therefore, the cache replacement policy can decide data (security offload entry) is evicted and replaced by using LRU algorithm and cache fill line data mechanism.) 
Therefore, before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine by enhancing Zuo’s system by evicting and replacing any data during cache miss based on the cache replacement policy as taught by Klingauf for efficiently allocating data in a cache. (Klingauf ¶0006)  
The motivation is to improve Zuo’s system of offloading packet processing for networking device virtualization with a host maintaining rule set(s) for a virtual machine and a physical NIC maintaining flow table(s) for the virtual machine further by evicting and replacing any data during cache miss based on the cache replacement policy to efficiently allocate data in a cache. (Klingauf ¶0006)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ARIF KHAN whose telephone number is (571)272-6528. The examiner can normally be reached Monday - Friday: 8:30 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on (571)272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/A.K./Examiner, Art Unit 2491                                                                                                                                                                                                        
/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491