
Patent Application 15476966 - PER-APPLICATION MICRO-FIREWALL IMAGES EXECUTING - Rejection

From WikiPatents

Title: PER-APPLICATION MICRO-FIREWALL IMAGES EXECUTING IN CONTAINERS ON A DATA COMMUNICATIONS NETWORK

Application Information

  • Invention Title: PER-APPLICATION MICRO-FIREWALL IMAGES EXECUTING IN CONTAINERS ON A DATA COMMUNICATIONS NETWORK
  • Application Number: 15476966
  • Submission Date: 2025-04-10T00:00:00.000Z
  • Effective Filing Date: 2017-03-31T00:00:00.000Z
  • Filing Date: 2017-03-31T00:00:00.000Z
  • National Class: 726
  • National Sub-Class: 011000
  • Examiner Employee Number: 81210
  • Art Unit: 2431
  • Tech Center: 2400

Rejection Summary

  • 102 Rejections: 0
  • 103 Rejections: 2

Cited Patents

The following patents were cited in the rejection:

Office Action Text



DETAILED ACTION
I.	Claims 11 and 12 have been cancelled.
II.	Claims 3, 8-10 and 13 have been examined.
III.	Responses to Applicant’s remarks have been given.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 03/19/2025 has been entered.
Response to Arguments
Applicant's arguments filed on 03/19/2025 have been fully considered but they are not persuasive. Though the newly-filed amendments to paragraph 9 of the Specification remove the previously-added new matter, the Specification remains objected to due to the removal of some of the original language in paragraph 9, which renders it an incomplete sentence. Further elaboration on said objection is provided below. Thus, the Specification remains objected to and appropriate corrections are required.
The amendments to claim 8 and the cancellation of claim 12 give cause for the previous objections to said claims to be hereby withdrawn.
With regards to the Applicant’s arguments pertaining to the 35 U.S.C. 112(a) rejection of claims 8-13 (due to the claim limitations within claims 8 and 11), though the cancellation of claims 11 and 12 gives cause for the rejection of said claims to be hereby withdrawn, the rejection is maintained for claims 8-10 and 13.  
The previous claim language within claim 8 directed to “a single packet flow” was removed in the amendments filed on 03/19/2025; however, claim language pertaining to “the single packet flow” remains within claim 9.  Also, the newly-added claim limitations to claim 8 directed to “wherein a first instance of the first specific application executes in the first micro-firewall container and a second instance of the first specific application executes in a third micro-firewall container” lack support within the originally-filed Specification. The Applicant argues that “The original disclosure states ‘different micro containers can be assigned to different instances of the same application or to different instances of the same application, or to different sessions of the same application instance’ (see Specification, para. 22).” However, there is a lack of support within the originally-filed Specification with regards to “a third micro-firewall container”.  The disclosed “different micro containers” do not explicitly include a “third micro-firewall container”.  Thus, the 35 U.S.C. 112(a) rejection is hereby maintained.
The cancellation of claims 11 and 12 gives cause for the previous 35 U.S.C. 112(b) rejection of said claims to be hereby withdrawn. However, claim 9 is now rejected under 35 U.S.C. 112(b) due to a lack of antecedent basis for “the single packet flow”, as stated below.
Further, in response to Applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). The Examiner maintains that Huang and Blaisdell provide disclosure of the Applicant’s claimed invention via Huang’s disclosure of distinct security instances via paragraph 165, “security instance distinct from the plurality of user-space instances is instantiated (508).  The security instance is instantiated within the respective operating system environment, has a respective virtual address space in virtual memory of the respective operating system environment, and is executed in user space of the respective virtual address space.”, and Blaisdell’s disclosure of rules and conditions for the allowance and restriction of network traffic through a firewall via, but not limited to, paragraph 30, “The trigger component is, in one embodiment, entirely contained within a firewall software program”, paragraph 33, “software rule triggers”, paragraphs 34, and 37, “firewall rules”, section 2.6 “Dynamic Enabling/Disabling of Firewall Rule Based on Usage Events” which covers paragraph 57, “Firewall rule are grouped into profiles”, paragraph 58, “Profiles are activated or deactivated by: software trigger, timer trigger, internal firewall rule trigger”.
Further, with regards to the Applicant’s arguments that “none of the cited portions of Blaisdell teach or suggest application instances on separate firewall micro-containers, as current recited in claim 8”, merely asserting, without further explanation, that the claims are not disclosed by the cited prior art is not persuasive of error on the part of the Examiner without particularly pointing out how the claims are not disclosed by the prior art cited by the Examiner; the burden of production has been met and has been properly shifted to Applicant. See In re Jung, 637 F.3d 1356, 1365 (Fed. Cir. 2011) (“[I]t has long been the Board’s practice to require an applicant to identify the alleged error in the examiner's rejections,” (citing Ex Parte Frye, 94 USPQ2d 1072 (BPAI 2010) (precedential))).
Specification
The disclosure is objected to because of the following informalities: newly-filed amendment to the Specification removed all but two words in paragraph 9.  The only words remaining are “increasing throughput”, omitting the previous words in the sentence “Advantageously, firewall device performance is improved by”.  Those words (which were part of the originally-filed Specification) need to be added back so the sentence is complete. Either that or the remaining words “increasing throughput” need to also be removed. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 8-10 and 13 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claim 8 has a claim limitation directed to “wherein a first instance of the first specific application executes in the first micro-firewall container and a second instance of the first specific application executes in a third micro-firewall container” and claim 9 has claim language directed to “the single packet flow”. These claim limitations within claims 8 and 9 lack support within the originally-filed Specification.  Appropriate correction is required.
Claims 10 and 13 are rejected by virtue of their dependencies upon the rejected independent claim 8.
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 9 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 9 recites the limitation "the single packet flow" in lines 3 and 6. There is insufficient antecedent basis for these limitations in the claim. Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3, 8, 10 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over United States Patent Application Publication No. US 2017/0353498 to Huang et al., hereinafter Huang, and further in view of United States Patent Application Publication No. US 2008/0235755 to Blaisdell et al., hereinafter Blaisdell.
Regarding claim 3, Huang teaches wherein more than one micro-firewall container is spawned for a specific network application (paragraphs 97, 98, and 124).
Regarding claim 8, Huang teaches a computer-implemented method in a firewall device of a data communication system (Figure 2A, “Instance Engine 314”), for executing per-application micro-firewall images in a dedicated container on a data communications network, the method comprising the steps of: 
prior to execution of network applications, generating application profiles from metadata concerning the network applications installed on network devices (Figures 3B and 5B, and paragraphs 144, 149 and 169), 
storing the application profiles in an application profile database (Figure 3B, and paragraphs 97, 101, 131, 138, 139, and 155); 
detecting a current execution of a first specific network application and a second specific network application on a network device remote from the firewall device, using deep packet inspection (Figures 4B and 5A, and paragraphs 8, 26, 73, 141 and 164); 
responsive to the detections, retrieving a first application profile associated with the first specific network application and a second application profile associated with the second specific network application (Figures 5B and 5C and paragraphs 56 and 172).
Huang teaches the claimed invention, as cited above.  However, Huang is not relied upon to teach the claim limitations of “wherein the network devices are remote from the firewall device” and “spawning a first micro-firewall container from an operating system of the firewall, to execute the first application profile of the first specific network application and spawning a second micro-firewall container to execute the second application profile of the second specific network application, wherein a first instance of the first specific application executes in the first micro-firewall container and a second instance of the first specific application executes in a third micro-firewall container; executing the first and second application profiles in the first and second micro-firewall containers, respectively to examine network traffic associated with the first and second specific network applications, detecting one or both of the first and second specific network application has ceased execution; and closing one or both of the micro-firewall container”. Blaisdell teaches said claim limitations, as cited below.
Further regarding claim 8, Blaisdell teaches wherein the network devices are remote from the firewall device (Figures 3 and 4, paragraph 38, “preferably at a location accessible to a network administrator and not to general users of the network”, paragraph 48, “Device periodically discovers upstream peer for firewall location”, and paragraph 257); 
spawning a first micro-firewall container from an operating system of the firewall, to execute the first application profile of the first specific network application and spawning a second micro-firewall container to execute the second application profile of the second specific network application (paragraph 30, “The trigger component is, in one embodiment, entirely contained within a firewall software program”, paragraphs 40, 55, and 106, “A node can only request propagation for policies controlling its own resources (i.e., source or destination address belonged to it).”, and paragraphs 120 and 251, “Firewall could only be installed from a host/router which own the source (egress firewall) or destination (ingress firewall)”), 
wherein a first instance of the first specific application executes in the first micro-firewall container and a second instance of the first specific application executes in a third micro-firewall container (paragraph 30, “The trigger component is, in one embodiment, entirely contained within a firewall software program”, paragraphs 34, and 37, “firewall rules”, paragraph 40, paragraph 48, “Device periodically discovers upstream peer for firewall location”, paragraph 55, section 2.6 “Dynamic Enabling/Disabling of Firewall Rule Based on Usage Events” which covers paragraph 57, “Firewall rule are grouped into profiles”, paragraph 58, “Profiles are activated or deactivated by: software trigger, timer trigger, internal firewall rule trigger” and paragraphs 59-61, paragraph 106, “A node can only request propagation for policies controlling its own resources (i.e., source or destination address belonged to it).”, and paragraphs 119, 120 and 251, “Firewall could only be installed from a host/router which own the source (egress firewall) or destination (ingress firewall)”); 
executing the first and second application profiles in the first and second micro-firewall containers, respectively to examine network traffic associated with the first and second specific network application (Figures 3 and 4, and paragraph 33, “software rule triggers”, paragraphs 34, and 37, “firewall rules”, section 2.6 “Dynamic Enabling/Disabling of Firewall Rule Based on Usage Events” which covers paragraph 57, “Firewall rule are grouped into profiles”, paragraph 58, “Profiles are activated or deactivated by: software trigger, timer trigger, internal firewall rule trigger” and paragraphs 59-61; and paragraphs 106, and 119); 
detecting one or both of the first and second specific network applications has ceased execution (paragraph 79, “Deep packet inspection support (configurable based on local resource availability)”, and paragraph 80, “Dynamically provisioned (API/authentication framework to allow external injection of rules and activation/deactivate of rule)”); 
and closing one or both of the micro-firewall container (paragraph 79, “Deep packet inspection support (configurable based on local resource availability)”, and paragraph 80, “Dynamically provisioned (API/authentication framework to allow external injection of rules and activation/deactivate of rule)”).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Blaisdell with the teachings of Huang to improve the security of the network environment because “it would be desirable have a firewall operated by the ISP that implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network and ensuring that there is available bandwidth for data leaving the network in certain specified circumstances” (Blaisdell – paragraph 7).
Huang teaches the claimed invention, as cited above.  However, Huang is not relied upon to teach the claim limitations of “wherein the first firewall is assigned a specific source address or a specific destination address, and executes a plurality of application profiles associated with the specific source address or the specific destination address”.  Blaisdell teaches said claim limitations, as cited below.
Regarding claim 10, Blaisdell teaches wherein the first firewall is assigned a specific source address or a specific destination address, and executes a plurality of application profiles associated with the specific source address or the specific destination address (paragraph 106, “A node can only request propagation for policies controlling its own resources (i.e. source or destination address belonged to it).”, paragraph 120, “source node, destination node”, and paragraph 130, “MAP: (node, protocol, source address, source port, dest address, dest port, lifetime)”).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Blaisdell with the teachings of Huang to improve the security of the network environment because “it would be desirable have a firewall operated by the ISP that implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network and ensuring that there is available bandwidth for data leaving the network in certain specified circumstances” (Blaisdell – paragraph 7).
Huang teaches the claimed invention, as cited above.  However, Huang is not relied upon to teach the claim limitations pertaining to “wherein the application profile comprises two or more of port, expected bandwidth, application layer protocol identification, URLs accessed and supporting resources”.  Blaisdell teaches said claim limitations, as cited below.
Regarding claim 13, Blaisdell teaches wherein the application profile comprises two or more of port (paragraph 130, “MAP: (node, protocol, source address, source port, dest address, dest port, lifetime)”), expected bandwidth (paragraphs 24, 26, 27, 45, “preserve the bandwidth of the premium service”, and paragraph 99, “minimum reserved bandwidth”), application layer protocol identification, URLs accessed and supporting resources.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Blaisdell with the teachings of Huang to improve the security of the network environment because “it would be desirable have a firewall operated by the ISP that implements rules and policies of a network owner or the owner of a stand-alone device, thereby preventing unwanted traffic from entering the network and ensuring that there is available bandwidth for data leaving the network in certain specified circumstances” (Blaisdell – paragraph 7).
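The method recited in claim 8 (profiles generated from metadata before execution, DPI start/stop detection of application instances on remote devices, one micro-firewall container spawned per application instance, the profile executed against that instance's traffic, and the container closed when the instance ceases) and the profile fields recited in claim 13 (port, expected bandwidth, application-layer protocol, URLs accessed, supporting resources) can be exercised end to end in a small simulation. The following is an added example written for this page; it is not code from the application, from Huang, Blaisdell or Nguyen, or from the Office Action. The "container" is a plain Python object keyed by (application, instance) rather than an OS-level container, the DPI events and packets are constructed inline, and every class, field and event name is an assumption made here for illustration.

```python
"""Added example (not from the application or the cited references): an in-process
simulation of the per-application micro-firewall lifecycle recited in claim 8,
with the claim 13 profile fields. Names and event formats are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    """Profile fields follow claim 13: port(s), expected bandwidth, application-layer
    protocol identification, URLs accessed and supporting resources."""
    app: str
    ports: frozenset
    protocol: str
    expected_bandwidth: int      # bytes allowed per observation window (assumed unit)
    urls: frozenset
    resources: frozenset


class ProfileDatabase:
    """Application profiles generated from install-time metadata, before any app runs."""

    def __init__(self, metadata):
        self._profiles = {
            m["app"]: AppProfile(
                app=m["app"], ports=frozenset(m["ports"]), protocol=m["protocol"],
                expected_bandwidth=m["bandwidth"], urls=frozenset(m["urls"]),
                resources=frozenset(m.get("resources", ())))
            for m in metadata}

    def get(self, app):
        return self._profiles[app]


class MicroFirewall:
    """Stand-in for one micro-firewall container executing exactly one profile."""

    def __init__(self, profile, instance):
        self.profile = profile
        self.instance = instance
        self.bytes_seen = 0

    def examine(self, pkt):
        """Return 'allow' or 'drop' for a packet attributed to this app instance."""
        p = self.profile
        if pkt["proto"] != p.protocol or pkt["dport"] not in p.ports:
            return "drop"                        # port or protocol outside the profile
        if pkt["host"] not in p.urls and pkt["host"] not in p.resources:
            return "drop"                        # destination outside expected URLs/resources
        self.bytes_seen += pkt["len"]
        return "allow" if self.bytes_seen <= p.expected_bandwidth else "drop"


class FirewallDevice:
    """Spawns and closes one MicroFirewall per (application, instance) key."""

    def __init__(self, db):
        self.db = db
        self.containers = {}

    def on_dpi_event(self, ev):
        """DPI on the firewall reports start/stop of an app instance on a remote device."""
        key = (ev["app"], ev["instance"])
        if ev["state"] == "start":
            # a second instance of the same app gets its own separate container
            self.containers[key] = MicroFirewall(self.db.get(ev["app"]), ev["instance"])
        elif ev["state"] == "stop":
            self.containers.pop(key, None)       # close the container for that instance

    def process(self, pkt):
        fw = self.containers.get((pkt["app"], pkt["instance"]))
        return fw.examine(pkt) if fw else "drop"  # no running profile: default deny


def run_demo():
    """Constructed metadata, DPI events and packets; returns the observed verdicts."""
    db = ProfileDatabase([
        {"app": "browser", "ports": [80, 443], "protocol": "http", "bandwidth": 10_000,
         "urls": ["www.example.com"], "resources": ["cdn.example.com"]},
        {"app": "updater", "ports": [443], "protocol": "http", "bandwidth": 5_000,
         "urls": ["updates.example.net"]},
    ])
    dev = FirewallDevice(db)
    for ev in ({"app": "browser", "instance": 1, "state": "start"},
               {"app": "browser", "instance": 2, "state": "start"},
               {"app": "updater", "instance": 1, "state": "start"}):
        dev.on_dpi_event(ev)
    spawned = len(dev.containers)                # two browser instances + one updater
    packets = [  # constructed sample traffic
        {"app": "browser", "instance": 1, "proto": "http", "dport": 443, "host": "www.example.com", "len": 800},
        {"app": "browser", "instance": 1, "proto": "http", "dport": 443, "host": "cdn.example.com", "len": 800},
        {"app": "browser", "instance": 1, "proto": "http", "dport": 22, "host": "www.example.com", "len": 100},
        {"app": "browser", "instance": 2, "proto": "http", "dport": 443, "host": "exfil.invalid", "len": 100},
        {"app": "updater", "instance": 1, "proto": "http", "dport": 443, "host": "updates.example.net", "len": 6_000},
    ]
    verdicts = [dev.process(p) for p in packets]
    dev.on_dpi_event({"app": "updater", "instance": 1, "state": "stop"})
    after_stop = dev.process(packets[-1])       # container closed: default deny
    return {"spawned": spawned, "verdicts": verdicts,
            "remaining": len(dev.containers), "after_stop": after_stop}


if __name__ == "__main__":
    print(run_demo())
```

The keying by (application, instance) is what gives the second browser instance its own container while the first browser instance and the updater keep theirs, and default deny for traffic with no running container is the choice a practitioner would want so that a closed or never-spawned profile cannot silently pass traffic.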
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Huang and Blaisdell as applied to independent claim 8 above, and further in view of United States Patent Application Publication No. US 20160191549 A1 to Nguyen et al., hereinafter Nguyen.
Huang and Blaisdell teach the claimed invention, as cited above.  However, Huang and Blaisdell are not relied upon to teach the claim limitations pertaining to “wherein the first specific application comprises a browser to receive the single packet flow from a remote resource, and the second specific application comprises a process executing within the browser to output results of the single packet flow”.  Nguyen is cited to teach the claim limitations, as cited below.
Regarding claim 9, Nguyen teaches wherein the first specific application comprises a browser to receive the single packet flow from a remote resource, and the second specific application comprises a process executing within the browser to output results of the single packet flow (paragraph 14, “Such communication can be the result of human user interactions such as a user browsing a web page.”, paragraph 16, “the mapping from IP address to MAC address and to domain name using extracted DNS and DHCP flow metadata”, paragraph 55, “For each flow, the inventive application compares Alice’s behavior against other software engineers as a way of baselining for our anomaly detection”, paragraph 57, “where its critical information is extracted from each traffic flow composed of a sequence of packets sent from a particular source to a particular unicast, anycast, or multicast destination that the source desires to label as a flow. The basic metadata set specifically collected is the flow's”, paragraph 63, “the application that uses flow”, and paragraphs 76, 79, 80, 82, 86, and 88).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Nguyen with the teachings of Huang and Blaisdell due to that “Knowing the types of applications and protocols can help network security analysts quickly detect unwanted and/or suspicious traffic flows” (Nguyen – paragraph 76) and “Correlating the network user information with traffic flows provides true insights and opens up possibilities for more powerful analysis and more accurate detection of security problems” (Nguyen – paragraph 88).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The references cited on form PTO-892 are cited to further show the state of the art with respect to the implementation of firewalls within a network environment. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEREMIAH L AVERY whose telephone number is (571)272-8627. The examiner can normally be reached M-F 8:30am -5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/JEREMIAH L AVERY/Primary Examiner, Art Unit 2431