Patent 8397282

Obviousness

Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.

Active provider: Google · gemini-2.5-flash


Obviousness Analysis under 35 U.S.C. § 103 for US8397282

This analysis identifies combinations of prior art references that would render the claims of US patent 8397282 obvious to a person having ordinary skill in the art (PHOSITA) as of its priority date (March 10, 2004), and explains the motivation for such combinations.

Claims of US8397282

The independent claims of US8397282 describe a method (Claim 1), a device (Claim 12), and a computer program product (Claim 24) for controlling data through a firewall. Key features across these claims include:

  • Defining at least one node associated with two or more network interfaces.
  • Associating a set of firewall rules with the node(s).
  • Receiving, accepting, or denying packets based on these rules.
  • Crucially, the set of firewall rules is dynamically self-configurable during runtime without operator interaction.
  • The set of firewall rules comprises a plurality of chains of rules forming various paths through a hierarchical structure.
  • The hierarchical structure comprises defined places for dynamically updating the set of firewall rules during runtime.

Identified Prior Art Combinations and Motivation

The primary prior art for this analysis includes US Patent No. 7,610,621 (US7610621B2), a direct parent application to US8397282, and the well-known Linux iptables firewall system.

Combination 1: US7610621B2 in view of iptables functionality

Prior Art References:

  1. US7610621B2 (White et al.): This patent, titled "System and method for behavior-based firewall modeling," shares a priority date of March 10, 2004, and is explicitly a parent application to US8397282. Its abstract and detailed description lay out a "conceptual model representing a network firewall that separates firewall functionality into individually configurable and controllable components." It teaches:
    • A conceptual model of firewall structure, including the definition of "nodes" associated with two or more network interfaces.
    • Modeling behaviors for network traffic, including for packets traversing connections between nodes.
    • A "dynamically reconfigurable implementation of the firewall model."
    • The notion of an "automated system" that enables the firewall owner to "generally describe how the firewall should behave, and the automated system can automatically produce the requisite, specific firewall configuration, without detailed manipulation by a human operator." This directly addresses the "without operator interaction" aspect, attributing it to the automated system implementing the conceptual model.
  2. Linux iptables: As explicitly referenced in the detailed description of US8397282, "the Linux operating system has a subsystem known as “iptables” (for Internet Protocol Tables) that offers a “rule” syntax for representing the logic of packet handling through the Linux system." Iptables was well-established and publicly available before the March 10, 2004, priority date (introduced with Linux kernel 2.4 in 2001). Iptables natively provides:
    • A "plurality of chains of rules" (e.g., INPUT, FORWARD, OUTPUT chains, and user-defined chains) forming a hierarchical structure for packet traversal.
    • The ability to dynamically update firewall rules during runtime through programmatic commands (e.g., adding, inserting, or deleting rules from chains) without requiring a system reboot or manual recompilation.

Reasoning for Obviousness:

A person having ordinary skill in the art (PHOSITA) in 2004, aiming to implement the "dynamically reconfigurable implementation of the firewall model" described in US7610621B2, would have been motivated to use existing, robust, and dynamic firewall management technologies. The explicit mention of iptables in US8397282 confirms its relevance and common knowledge to a PHOSITA in this field.

  1. Dynamic Self-Configurability and Without Operator Interaction: US7610621B2 describes an "automated system" that can "automatically produce the requisite, specific firewall configuration, without detailed manipulation by a human operator." This automated configuration inherently implies that the firewall rules are "dynamically self-configurable during runtime without operator interaction." A PHOSITA implementing such an automated system would leverage the programmatic capabilities of underlying firewall mechanisms, such as iptables, to effect these runtime changes. The automation itself eliminates the need for direct operator intervention at the rule level.
  2. Chains of Rules and Hierarchical Structure: The iptables system inherently operates with "chains of rules" that can be linked, effectively forming a hierarchical structure. This structure allows for defining various paths for packets depending on matching criteria. This is a fundamental aspect of iptables architecture, which a PHOSITA would readily utilize when designing a firewall.
  3. Defined Places for Dynamically Updating Rules: The detailed description of US8397282 further elaborates on "dynamic chains of rules... to 'tap' into the main firewall chains and offer isolated, well-defined places for specific behavior to be introduced" (referencing the :A, :M, :D, and :X sub-trees and their "taps"). This concept of organizing rules into logical "chains" or "sub-trees" for specific behaviors and providing "taps" (i.e., jump points) for dynamic insertion/deletion of rules is a common software engineering practice for managing complexity in modular and extensible systems. A PHOSITA, tasked with implementing a dynamically reconfigurable firewall using a system like iptables, would naturally design a structured set of rule chains (like the A, M, D, X sub-trees) where rules could be logically added, deleted, or modified at runtime to tailor firewall behavior, aligning with the core capabilities of iptables.
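The two iptables properties relied on above (items 2 and 3, and the iptables reference in the prior-art list) are easier to see in code than in prose. The following is an added illustration written for this page, not code from either patent or from the iptables project: a small Python model of an iptables-style rule tree in which a built-in chain jumps into user-defined chains that serve as "defined places" (taps) for runtime changes. The chain names (INPUT, TAP_EARLY, SERVICES, TAP_LATE), the sample packets and the addresses are constructed for the example and are not the patent's own identifiers; the commented iptables commands show the real-world equivalent of each operation.

```python
# Added example: a toy model of iptables-style chains showing (a) a plurality
# of chains forming a hierarchy of packet paths and (b) user-defined "tap"
# chains as defined places where rules are inserted or deleted at runtime
# without touching the main chain. Chain names, packets and addresses below
# are constructed for illustration only.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    src: str     # source address (constructed sample values)


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    target: str   # "ACCEPT", "DROP", "RETURN", or a user-defined chain name
    label: str = ""   # free-text description, like an iptables --comment


class RuleTree:
    """Built-in chains carry a default policy; user-defined chains return
    control to the caller when no terminal verdict is reached."""

    TERMINAL = {"ACCEPT", "DROP"}

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {}
        self.policy: Dict[str, str] = {}

    def builtin(self, name: str, policy: str) -> None:   # iptables -P INPUT DROP
        self.chains[name] = []
        self.policy[name] = policy

    def new_chain(self, name: str) -> None:              # iptables -N TAP_LATE
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:    # iptables -A CHAIN ...
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule, pos: int = 1) -> None:  # iptables -I CHAIN pos ...
        self.chains[chain].insert(pos - 1, rule)          # pos is 1-based as in iptables

    def delete(self, chain: str, pos: int) -> Rule:      # iptables -D CHAIN pos
        return self.chains[chain].pop(pos - 1)

    def evaluate(self, chain: str, pkt: Packet, depth: int = 0) -> Optional[str]:
        if depth > 16:
            raise RecursionError("chain jump loop detected")  # guard against cyclic jumps
        for rule in self.chains[chain]:
            if not rule.match(pkt):
                continue
            if rule.target in self.TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break   # hand control back to the calling chain
            sub = self.evaluate(rule.target, pkt, depth + 1)
            if sub is not None:
                return sub   # terminal verdict reached inside the sub-chain
            # sub-chain fell through or RETURNed: keep walking this chain
        return self.policy.get(chain)   # built-in: its policy; user chain: None


def always(_: Packet) -> bool:
    return True


def build_tree() -> RuleTree:
    """INPUT jumps into an early tap, a static service chain, and a late tap."""
    fw = RuleTree()
    fw.builtin("INPUT", "DROP")
    for name in ("TAP_EARLY", "SERVICES", "TAP_LATE"):
        fw.new_chain(name)
    fw.append("INPUT", Rule(always, "TAP_EARLY", "runtime rules evaluated first"))
    fw.append("INPUT", Rule(always, "SERVICES", "static service policy"))
    fw.append("INPUT", Rule(always, "TAP_LATE", "runtime rules evaluated last"))
    fw.append("SERVICES", Rule(lambda p: p.proto == "tcp" and p.dport == 22, "ACCEPT", "ssh"))
    fw.append("SERVICES", Rule(lambda p: p.proto == "tcp" and p.dport == 80, "ACCEPT", "http"))
    return fw


def verdict(fw: RuleTree, pkt: Packet) -> Optional[str]:
    return fw.evaluate("INPUT", pkt)


def runtime_update_demo() -> List[Optional[str]]:
    """An automated controller opens tcp/443 by inserting into TAP_LATE, then
    removes it again; INPUT and SERVICES are never modified."""
    fw = build_tree()
    https = Packet("tcp", 443, "198.51.100.7")   # constructed sample packet
    before = verdict(fw, https)
    fw.insert("TAP_LATE", Rule(lambda p: p.proto == "tcp" and p.dport == 443, "ACCEPT", "https"))
    during = verdict(fw, https)
    fw.delete("TAP_LATE", 1)
    after = verdict(fw, https)
    return [before, during, after]   # ["DROP", "ACCEPT", "DROP"]


if __name__ == "__main__":
    print(runtime_update_demo())
```

Because the early tap is consulted before the static service chain, a rule inserted there (for instance a DROP for one source address) overrides SERVICES for that source while leaving every other path unchanged, which is the practical reason for placing taps at fixed points in the hierarchy rather than editing the main chain.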

Motivation to Combine:

The motivation for combining these elements would be high. US7610621B2 provides a powerful conceptual model for a flexible, behavior-based, and dynamically reconfigurable firewall. However, it requires a concrete implementation method. The iptables system offers a practical and widely used mechanism for dynamic packet filtering rule management in Linux environments, which is precisely what is needed to realize the dynamic reconfiguration aspects of US7610621B2. A PHOSITA would be motivated to combine the abstract design of US7610621B2 with a known, flexible rule-management system like iptables to create a working, automated, and dynamically adaptable firewall that addresses the need for firewalls that can "dynamically adapt to changing conditions and operator requirements," a problem explicitly acknowledged in the background of US8397282. The use of an "automated system" to configure firewalls "without detailed manipulation by a human operator" is a clear driver for such integration, leveraging the programmatic rule modification capabilities of iptables.

Therefore, the combination of the node-based, dynamically reconfigurable firewall model from US7610621B2 with the known, dynamic rule chain management capabilities of iptables would have been obvious to a PHOSITA at the time of invention, as it merely applies known techniques to implement a desired functionality taught in a closely related prior art.

Generated 5/25/2026, 12:48:11 PM