Patent 8621627
Obviousness
Combinations of prior art that suggest the claimed invention would have been obvious under 35 U.S.C. § 103.
Active provider: Google · gemini-2.5-flash
Obviousness Analysis under 35 U.S.C. § 103 for US Patent 8,621,627
This analysis considers combinations of prior art references that would render the claims of US Patent 8,621,627 obvious to a person having ordinary skill in the art (POSA) at the time of the invention (filing date: February 12, 2010). The motivation to combine these references is also discussed.
The core innovation of US Patent 8,621,627 lies in offloading intrusion detection and prevention processing to a virtual machine on the host, with a Network Interface Controller (NIC) intelligently steering traffic for this processing, and potentially performing initial filtering itself. The patent emphasizes the efficiency gains and latency reduction compared to conventional software virtual switches or external appliances.
Prior Art References for US8621627:
The patent itself lists several prior art documents. While some are general, others are more directly relevant to the claimed invention.
- US 2006/0206300 A1 (Microsoft Corporation): "VM network traffic monitoring and filtering on the host"
- This reference describes monitoring and filtering VM network traffic on the host. This directly addresses intrusion detection in a virtualized environment.
- US 2009/0254990 A1 (McGee, William Gerald): "System and method for intelligent coordination of host and guest intrusion prevention in virtualized environment"
- This patent application explicitly discusses intelligent coordination of host and guest intrusion prevention, which aligns with the overall goal of US8621627.
- U.S. patent application Ser. No. 11/250,894 (Chelsio Communications, Inc.): "Filtering Ingress Packets In Network Interface Circuitry."
- This is explicitly incorporated by reference into US8621627 and describes filter functionality within the NIC, applying accept/reject actions and additional filtering rules.
Obviousness Combinations:
Combination 1: US 2006/0206300 A1 (Microsoft) in view of US 2009/0254990 A1 (McGee) and general knowledge of NIC capabilities.
- Rationale: US 2006/0206300 A1 teaches monitoring and filtering VM network traffic on the host, which covers the "additional processing" aspect (intrusion detection) being performed by a VM on the host. US 2009/0254990 A1 further details "intelligent coordination of host and guest intrusion prevention," reinforcing the concept of a dedicated VM for such security tasks. A POSA would understand that traditional software virtual switches can be performance bottlenecks, as acknowledged in the background of US8621627. Given the known capabilities of NICs to offload network processing (e.g., TCP/IP offload engines were already prevalent), a POSA would have been motivated to offload some of the network traffic steering and initial filtering related to intrusion detection to the NIC itself to improve performance and reduce host overhead. The motivation would be to enhance the efficiency of the intrusion detection system by leveraging hardware acceleration available in NICs. This combination would likely render Claim 1 obvious, as it teaches receiving a data frame, determining if additional processing (intrusion detection from US 2006/0206300 A1 and US 2009/0254990 A1) is needed, sending it to the host VM for that processing, and then receiving it back and steering it to the destination.
Combination 2: Combination 1 further in view of U.S. patent application Ser. No. 11/250,894 (Chelsio).
- Rationale: Building on Combination 1, U.S. patent application Ser. No. 11/250,894 (Chelsio) directly teaches "Filtering Ingress Packets In Network Interface Circuitry." This reference explicitly describes filter functionality within the NIC that can apply accept/reject actions and modify frames. A POSA, seeking to further optimize the performance of the intrusion detection system described in Combination 1, would be motivated to integrate the NIC's filtering capabilities to pre-process frames. This pre-processing would allow the NIC to drop clearly malicious or unnecessary frames before they even reach the host-based intrusion detection VM, thereby reducing the load on the host and the intrusion detection VM. This combination would particularly render Claim 5 and Claim 22 obvious, which claim that the NIC can drop frames that would otherwise be sent to the host for additional processing. It would also contribute to the obviousness of Claim 7, as the filtering rules applied by the NIC could be considered an "indication in the data frame" (or derived from it) upon which the determination for additional processing is based. Furthermore, the configuration of these filter rules by the host-based intrusion detection processing, as mentioned in US8621627, aligns with the "intelligent coordination" described in McGee.
Combination 3: Combination 2 further in view of the "oVLAN tag" concept (Embodiment 2) or "MAC-in-MAC encapsulation" (Embodiment 3) from the specification of US8621627 and general networking knowledge.
- Rationale: The specification of US8621627 introduces specific mechanisms like oVLAN tags (Embodiment 2) and MAC-in-MAC encapsulation (Embodiment 3) for the NIC to indicate that a frame needs intrusion detection processing and for steering. These are well-known networking techniques for tagging and encapsulating traffic to influence forwarding decisions. A POSA, having the motivation to use the NIC for intelligent steering (as established in Combinations 1 and 2), would readily apply these established networking techniques to differentiate and steer traffic to the intrusion detection VM. For example, adding an oVLAN tag to frames requiring inspection or encapsulating them in a MAC-in-MAC header with a specific destination MAC address (e.g., for the IDS VM) would be an obvious implementation choice to signal the NIC to route the traffic appropriately. This specifically addresses the "based on an indication in the data frame" aspect of Claim 7 and Claim 13 (adding an indication) and Claim 19 (Ethernet header as an indication). The patent itself notes that an oVLAN tag refers to a 4-byte IEEE 802.1 Q-in-Q encapsulation according to Ethernet standards, indicating it as a known technology.
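The steering and filtering behaviour discussed in Combinations 2 and 3 can be made concrete with a small software model. The following is an added example written for this analysis, not code from US8621627, its applicant, or any of the cited references. It models a NIC that applies accept/drop filter rules before anything reaches the host, marks frames needing inspection either with an outer VLAN tag (Embodiment 2 style) or by MAC-in-MAC encapsulation (Embodiment 3 style), and removes that indication on the return path before steering the frame to its original destination. Assumptions made here: the outer tag uses the IEEE 802.1ad TPID 0x88A8, MAC-in-MAC is represented by the IEEE 802.1ah EtherType 0x88E7 without an I-TAG, the IDS VM returns the frame with the indication still present, the default filter action is forward, and the IDS VM MAC, NIC MAC, reserved VID and all frames are constructed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Standard EtherTypes / TPIDs; the MACs and the VID below are constructed values.
TPID_QINQ = 0x88A8             # IEEE 802.1ad outer (service) VLAN tag, Q-in-Q
ETHERTYPE_MAC_IN_MAC = 0x88E7  # IEEE 802.1ah MAC-in-MAC (I-TAG omitted in this model)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IDS_VM_MAC = bytes.fromhex("02aabbccdd01")  # constructed, locally administered
NIC_MAC = bytes.fromhex("02aabbccdd00")     # constructed
IDS_OVLAN_VID = 4001                        # constructed VID reserved to mean "inspect"


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def ethertype_of(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def add_ovlan_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Embodiment 2 style: insert a 4-byte 802.1ad tag after the MAC addresses."""
    tci = (pcp << 13) | (vid & 0x0FFF)          # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_QINQ, tci) + frame[12:]


def strip_ovlan_tag(frame: bytes) -> bytes:
    if ethertype_of(frame) != TPID_QINQ:
        raise ValueError("frame carries no outer VLAN tag")
    return frame[:12] + frame[16:]


def mac_in_mac_encap(frame: bytes, outer_dst: bytes, outer_src: bytes) -> bytes:
    """Embodiment 3 style: wrap the whole frame in an outer Ethernet header."""
    return outer_dst + outer_src + struct.pack("!H", ETHERTYPE_MAC_IN_MAC) + frame


def mac_in_mac_decap(frame: bytes) -> bytes:
    if ethertype_of(frame) != ETHERTYPE_MAC_IN_MAC:
        raise ValueError("frame is not MAC-in-MAC encapsulated")
    return frame[14:]


@dataclass
class FilterRule:
    """NIC filter entry; None fields are wildcards; action is drop, inspect or forward."""
    dst_mac: Optional[bytes]
    ethertype: Optional[int]
    action: str


class NicModel:
    def __init__(self, rules, indication="ovlan"):
        self.rules, self.indication = rules, indication
        self.dropped, self.sent_to_ids, self.delivered = [], [], []

    def lookup(self, frame: bytes) -> str:
        for r in self.rules:   # first match wins; default forward is an assumption
            if (r.dst_mac is None or r.dst_mac == frame[:6]) and \
               (r.ethertype is None or r.ethertype == ethertype_of(frame)):
                return r.action
        return "forward"

    def mark(self, frame: bytes) -> bytes:
        if self.indication == "ovlan":
            return add_ovlan_tag(frame, IDS_OVLAN_VID)
        return mac_in_mac_encap(frame, IDS_VM_MAC, NIC_MAC)

    def needs_inspection(self, frame: bytes) -> bool:
        """Determination made from an indication carried in the frame itself."""
        et = ethertype_of(frame)
        if et == TPID_QINQ:
            return (struct.unpack("!H", frame[14:16])[0] & 0x0FFF) == IDS_OVLAN_VID
        if et == ETHERTYPE_MAC_IN_MAC:
            return frame[:6] == IDS_VM_MAC
        return False

    def ingress(self, frame: bytes) -> str:
        """Wire -> NIC: filter first, then mark and steer to the IDS VM if required."""
        action = self.lookup(frame)
        if action == "drop":                 # dropped in the NIC, never reaches the host
            self.dropped.append(frame)
            return "dropped"
        if action == "inspect":
            self.sent_to_ids.append(self.mark(frame))
            return "steered_to_ids"
        self.delivered.append(frame)
        return "delivered"

    def from_ids_vm(self, marked: bytes) -> str:
        """IDS VM -> NIC: remove the indication, steer to the original destination."""
        if not self.needs_inspection(marked):
            raise ValueError("frame returned from IDS VM lacks the steering indication")
        original = (strip_ovlan_tag(marked) if ethertype_of(marked) == TPID_QINQ
                    else mac_in_mac_decap(marked))
        self.delivered.append(original)
        return "delivered"


def demo(indication="ovlan"):
    """Run three constructed frames through the model; returns (results, restored, dropped)."""
    guest, other = mac("02:00:00:00:00:10"), mac("02:00:00:00:00:20")
    rules = [FilterRule(None, ETHERTYPE_ARP, "drop"),       # NIC drops before host sees it
             FilterRule(guest, ETHERTYPE_IPV4, "inspect")]  # IPv4 to this guest is inspected
    nic = NicModel(rules, indication)
    f_ipv4 = ethernet_frame(guest, other, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    f_arp = ethernet_frame(guest, other, ETHERTYPE_ARP, b"\x00" * 28)
    f_plain = ethernet_frame(other, guest, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    results = [nic.ingress(f_ipv4), nic.ingress(f_arp), nic.ingress(f_plain)]
    results.append(nic.from_ids_vm(nic.sent_to_ids[0]))  # IDS VM hands the frame back
    return results, nic.delivered[-1] == f_ipv4, len(nic.dropped)
```

Running `demo()` or `demo("macinmac")` exercises both indication mechanisms: the ARP frame is dropped inside the NIC model, the IPv4 frame to the guest is marked and steered to the IDS VM, an unmatched frame is delivered directly, and the frame returned from the IDS VM comes back byte-identical to the original once the tag or outer header is removed.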
Motivation to Combine:
The primary motivation for a POSA to combine these prior art references would be to overcome the performance bottlenecks and latency issues associated with host-based software virtual switches and external network appliances for intrusion detection in virtualized environments, as explicitly identified in the background of US8621627. The desire to improve efficiency, reduce CPU overhead on the host, and minimize communication latency for security processing would drive a POSA to leverage the capabilities of a NIC to offload and intelligently steer network traffic for intrusion detection. The existing knowledge of NIC offload functions and standard networking encapsulation techniques would provide the tools for implementing such a solution.
Generated 5/30/2026, 12:48:46 PM