Remarks
Claims 1, 3-5, 7-9, 11-13, 15-17, 19, and 20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 4/2/2025 has been entered.
Response to Arguments
Applicant's arguments filed 4/2/2025 have been fully considered but they are not persuasive.
With respect to Applicant’s allegations on page 11 of the response regarding temporary policies, Smith certainly discloses temporary policies, such as in pessimistic mode, allowing communications to take place for a period of time, after which the communications will not be allowed anymore unless a permanent rule is in place. For example, paragraph 31 states “The connection between the two applications is terminated after a specified amount of time has passed if the reconciliation engine 128 does not affirmatively instruct the agents associated with those applications to keep the connection alive.”
With respect to Applicant’s allegations on page 11 of the response regarding two factor authentication, Smith is not relied upon for two factor authentication. Toshima, for example, discloses two factor authentication. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
With respect to Applicant’s allegations on page 11 of the response regarding a predetermined need, such as updates, repairs, or maintenance, it is noted that the claim is not this narrow. The claim also includes “upkeep”, which can be any functioning of the system whatsoever, since all system functionality is upkeep. More examples are provided in the rejection below as well.
Applicant then alleges “Claim 1 states that both the policies and the behavior of the security agent are temporarily modified to accommodate the exception.” However, the only mention of any agent is in the final limitation: “the policies and agent are temporarily modified for the period of time to allow the exception”. No agent is otherwise recited in claim 1, so an agent that is not in the claim cannot be modified.
With respect to Applicant’s allegations in the rest of this paragraph, Smith certainly discloses temporary communications being allowed, such as in pessimistic mode, for a period of time and then disallowing the communications after that period of time unless permanent rules are put in place, as noted above.
Applicant then appears to reiterate arguments in the middle of page 12 (i.e. “Again…”). As this is simply reiterating above points that have been fully responded to, no further response is necessary.
However, it is noted that Applicant does not appear to have made any argument with respect to “Policies based on resource identity” above. This is simply a general allegation. Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references. Smith clearly discloses that the policies are based on resource identities, for example, by explicitly setting policies for applications (e.g., paragraphs 61-63 setting policies for “WebApp”, “Database”, source system, destination system, etc., as examples).
With respect to Applicant’s allegations regarding claim 7, a portion of the amendment is found in Yin (with respect to user confirmations) on top of the previous disclosures noted with respect to Smith and O’Neil. Also, with respect to Applicant’s allegations regarding Smith and thresholds, as previously noted, a threshold may be 0, meaning any communications would be above the pre-specified limit.
With respect to Applicant’s allegations regarding claim 7 and O’Neil, Applicant does not appear to argue what O’Neil is cited for, such as thresholds set for detecting unusual communication activity. This is clearly found in O’Neil’s paragraph 76, for example: “items … that were observed frequently (e.g., more than some threshold number of times)…”.
Applicant then references claim 8, a previous rejection, provides Applicant’s understanding of a portion of Smith, and alleges “it does not describe detecting unauthorized applications based on their membership in a microsegment or enforce policies specific to microsegments. Additionally, the process does not include mechanisms for flagging applications as unauthorized solely due to their location within a microsegment.” None of this appears to be claimed. All that is claimed in claim 8 is “wherein the one or more unauthorized communications include an application within a microsegment that is unauthorized”. In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., detecting unauthorized applications based on their membership in a microsegment or enforce policies specific to microsegments. Additionally, the process does not include mechanisms for flagging applications as unauthorized solely due to their location within a microsegment) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Claim Objections
Claims 1, 9, and 17 are objected to because of the following informalities: Claim 1 refers to “a temporary policies” in the penultimate limitation. However, since “a” is singular and “policies” is plural, this appears grammatically incorrect. Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 1, 3-5, 7-9, 11-13, 15-17, 19, and 20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 states that the unauthorized communications (and later, communications) are between the user and application, where this user is given the option to bypass policies, performs two factor authentication, and the like. However, the application as originally filed does not include basis for the end user that is communicating with the application to bypass communications himself/herself. Rather, it is a user with the proper role (e.g., paragraph 57), such as admin, that can modify the policies. All independent claims have the same issue and are rejected for the same reasons. All dependent claims are rejected at least based on their dependencies.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1, 3-5, 7-9, 11-13, 15-17, 19, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 recites the limitation "the policies and agent" in the final limitation. There is insufficient antecedent basis for the limitation “the … agent” in the claim. All independent claims have the same issue and are rejected for the same reasons. All dependent claims are rejected at least based on their dependencies.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-5, 7-9, 11-13, 15-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith (U.S. Patent Application Publication 2018/0234460) in view of O’Neil (U.S. Patent Application Publication 2018/0234385), Toshima (U.S. Patent Application Publication 2011/0119371), Yin (U.S. Patent Application Publication 2015/0372977), and Stair (U.S. Patent Application Publication 2018/0241718).
Regarding Claim 1,
Smith discloses a non-transitory computer readable storage medium having computer readable code stored thereon for programming a microsegmentation system to perform steps of:
Monitoring network communications of a network (Exemplary Citations: for example, Abstract, Paragraphs 12-28, 30-60, 62-77, and associated figures; this extremely broad limitation is met by any of the devices and components within Smith generating any metadata, policies, links, associations, logs, determinations, etc., based on any received communications, allowing/blocking, determinations to allow/block, creation of policies, modification of policies, etc., as examples);
Generating a network communication model that labels the network communications (Exemplary Citations: for example, Abstract, Paragraphs 12-28, 30-60, 62-77, and associated figures; as above, for example);
Generating policies based on the network communication model, wherein the policies specify which applications are authorized to communicate with one another and wherein the policies are based on a resource identity (Exemplary Citations: for example, Abstract, Paragraphs 12-28, 30-60, 62-77, and associated figures; as above, for example, as well as updating policies by expiration, changes, allowing, denying, etc., as examples. It is noted that the policies are between applications (e.g., “WebApp” and “Database”) and based on their identities, for example);
Updating the policies based on ongoing network communication monitoring (Exemplary Citations: for example, Abstract, Paragraphs 12-28, 30-60, 62-77, and associated figures; as above, for example, as well as updating policies by expiration, changes, allowing, denying, etc., as examples);
Performing one of allowing or blocking communications via the microsegmentation system based on the policies (Exemplary Citations: for example, Abstract, Paragraphs 12-28, 30-60, 62-77, and associated figures; allow/block, for example);
Responsive to detecting one or more unauthorized communications, providing the option to bypass policies associated with the application via two factor authorization to determine if an exception is acceptable for the one or more unauthorized communications, wherein the two factor authorization is associated with a user associated with the one or more unauthorized communications for bypassing the policies, wherein, subsequent to expiration of a period of time, a temporary policies provided for the exception revert back such that the one or more unauthorized communications are blocked unless instructed to allow by a reconciliation engine (Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-67, 76, 77, and associated figures; this two factor authorization may be both a source and destination LSA authorizing the communications, PME and LSA, LSA and reconciliation engine, or even portions of these (e.g., source LSA allowing communications based on the source application and destination application), PME determining that communications should be authorized based on communications from source and destination LSAs, or the like, as examples; policies are updated periodically, thereby resulting in a time period after which different policy rules may be in place, including those disallowing communications that were allowed before, current policies only being valid for a particular time period, waiting for a certain time period for a response from reconciliation engine and then terminating communications that were allowed during that time period, etc., as examples. It is noted that the only mention of a reconciliation engine in the specification is a copy of what is within paragraphs 30-32 of Smith, for example. Thus even if there was a claimed reconciliation engine that performs any action (which is not the case currently, since nothing is required by the limitation “unless instructed to allow by a reconciliation engine”), Smith clearly teaches any subject matter related to a reconciliation engine that has basis in the application as originally filed); and
Providing the temporary polices for the exception to allow communications for the period of time based on results of the two factor authorization, wherein providing temporary policies for the exception of the one or more unauthorized communications is based on a predetermined need for exception to perform any of updates, upkeep, repairs, and maintenance, and wherein the temporary policies are provided for a single specified application for the period of time, and wherein the policies and agent are temporarily modified for the period of time to allow the exception (Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-66, 76, 77, and associated figures; policies are only current for a particular time period, allowing for temporary communications until the reconciliation engine tells the LSA(s) to terminate communications, updating a policy for an indefinite time period, or the like, as examples; policies being updated, constant determinations as to whether communications are authorized, and the like, as described above, fit within being based on at least one of update, upkeep, repairs, and maintenance, for example. Two factor authorization is performed based on this need to update, repair, or maintenance, for example. As noted above, the policies specify applications authorized to communicate with each other);
But does not explicitly disclose that the network communication model is a machine learning model adapted to label the network communications as healthy or unhealthy, that the communications and unauthorized communications are between the user and the application, that the two factor authorization includes two factor authentication, providing the user associated with the one or more unauthorized communications the option to bypass via a user interface for the user to perform the two factor authentication, wherein the two factor authentication is performed to authenticate the user associated with the one or more unauthorized communications for bypassing the policies associated with the application.
O’Neil, however, discloses that the network communication model is a machine learning model adapted to label the network communications as healthy or unhealthy (Exemplary Citations: for example, Abstract, Paragraphs 4, 15, 19, 20, 44-51, 153, and associated figures; machine learning model generating policies and labelling communications as healthy/unhealthy, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the machine learning model and policy generation techniques of O’Neil into the policy enforcement system of Smith in order to allow the system to determine whether or not communications are healthy without any a priori knowledge of whether or not such communications are healthy or unhealthy, to allow for machine learning in generation of policies, to reduce the burden on administrators, and/or to increase security in the system.
Toshima, however, discloses that the two factor authorization includes two factor authentication, providing the user associated with the one or more unauthorized communications a user interface for the user to perform the two factor authentication, wherein the two factor authentication is performed to authenticate the user associated with the one or more unauthorized communications (Exemplary Citations: for example, Paragraphs 232-237, 268, and associated figures; administrator authenticating to access management functionality, including username, password, fingerprint, voice, retinal, IC card, etc., authentications, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the multi-factor authentication techniques of Toshima into the policy enforcement system of Smith as modified by O’Neil in order to provide a strong authentication to verify that users are who they say they are, to ensure that an administrator is authentic prior to performing management functions, to allow for use of a variety of authentication factors, and/or to increase security in the system.
Yin, however, discloses policies that specify which users are authorized to communicate with which applications, responsive to detecting the one or more unauthorized communications, providing the user associated with the one or more unauthorized communications an option to bypass policies associated with the application via a user interface for the user to perform two factor authentication, wherein the option to bypass is for bypassing the policies associated with the application via the user interface (Exemplary Citations: Figures 2, 3, 5-10, and associated written description; policies for users and applications, user interface that an administrator can use to allow, block, temporarily allow/block, change policies, etc., as well as communication paths between admin machine and firewall, firewall and other devices, etc., as examples). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the policy management techniques of Yin into the policy enforcement system of Smith as modified by O’Neil and Toshima in order to allow administrators to set policies manually, to allow for overriding of previous policies when determined to be necessary by administrators, to provide for both automatic and manual authorization determinations, and/or to increase security in the system.
Stair, however, discloses that the communications and unauthorized communications are between the user and the application and that the user is authenticated and authorized for the bypassing of policies (Exemplary Citations: for example, Abstract, Paragraphs 17, 22, 23, 26, 27, 33-37, and associated figures; SPA request denied initially as unauthorized, then user attempting to communicate with application is authenticated and authorized via validation of a request, then communications are allowed between user and application for a period of time, for example); and
Wherein, subsequent to expiration of the period of time, the temporary policies provided for the exception revert back such that communication between the user and the application are blocked (Exemplary Citations: for example, Abstract, Paragraphs 17, 22, 23, 26, 27, 33-37, and associated figures; deny after temporary policy expires, for example). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the client initiated firewall bypass techniques of Stair into the policy enforcement system of Smith as modified by O’Neil, Toshima, and Yin in order to allow end users to temporarily modify policies as necessary to communicate with particular applications/services, to ensure that end users are both authenticated and authorized to access applications/services, to enforce authenticated on-demand network access, and/or to increase security in the system.
Regarding Claim 9,
Claim 9 is a method claim that corresponds to medium claim 1 and is rejected for the same reasons.
Regarding Claim 17,
Claim 17 is a system claim that corresponds to medium claim 1 and is rejected for the same reasons.
Regarding Claim 3,
Smith as modified by O’Neil, Toshima, Yin, and Stair discloses the medium of claim 1, in addition, Smith discloses that the one or more unauthorized communications are between a source application and a destination application (Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-66, 76, 77, and associated figures).
Regarding Claim 11,
Claim 11 is a method claim that corresponds to medium claim 3 and is rejected for the same reasons.
Regarding Claim 19,
Claim 19 is a system claim that corresponds to medium claim 3 and is rejected for the same reasons.
Regarding Claim 4,
Smith as modified by O’Neil, Toshima, Yin, and Stair discloses the medium of claim 1, in addition, Smith discloses that the one or more unauthorized communications are between a plurality of applications (Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-66, 76, 77, and associated figures).
Regarding Claim 12,
Claim 12 is a method claim that corresponds to medium claim 4 and is rejected for the same reasons.
Regarding Claim 20,
Claim 20 is a system claim that corresponds to medium claim 4 and is rejected for the same reasons.
Regarding Claim 5,
Smith as modified by O’Neil, Toshima, Yin, and Stair discloses the medium of claim 1, in addition, Smith discloses wherein the two factor authorization includes approval via an interface for the microsegmentation system including new and/or updated microsegments and a secondary communication channel for verification (Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-66, 76, 77, and associated figures); and
Yin discloses wherein the two factor authentication includes approval via the user interface for the microsegmentation system including new and/or updated microsegments and a secondary communication channel for verification (Exemplary Citations: Figures 2, 3, 5-10, and associated written description; user interface that an administrator can use to allow, block, temporarily allow/block, change policies, etc., as well as communication paths between admin machine and firewall, firewall and other devices, etc., as examples).
Regarding Claim 13,
Claim 13 is a method claim that is broader than medium claim 5 and is rejected for the same reasons.
Regarding Claim 7,
Smith as modified by O’Neil, Toshima, Yin, and Stair discloses the medium of claim 1, in addition, Smith as modified by O’Neil, Toshima, Yin, and Stair discloses that the one or more unauthorized communications are automatically detected by the microsegmentation system as unusual communication activity based on the unusual communication activity exceeding a pre-specified limit, and responsive to the automatic detecting, asking a user to confirm an acceptability of the unauthorized communication (Smith: Exemplary Citations: for example, Abstract, Paragraphs 18-28, 30-60, 63-66, 76, 77, and associated figures; unusual may be if no policy exists, if pessimistic mode is set, or the like, as examples. Threshold may be 0, for example. It is also noted that O’Neil discloses thresholds, for example, in paragraph 76; Yin: Exemplary Citations: Figures 2, 3, 5-10, and associated written description; user confirming whether communications are allowed or not, for example).
Regarding Claim 15,
Claim 15 is a method claim that is broader than medium claim 7 and is rejected for the same reasons.
Regarding Claim 8,
Smith as modified by O’Neil, Toshima, Yin, and Stair discloses the medium of claim 1, in addition, Smith discloses that the one or more unauthorized communications include an application within a microsegment that is unauthorized (Exemplary Citations: for example, Abstract, Paragraphs 7, 12-28, 30-60, 62-77, and associated figures; imposter application, unauthorized application, application that is not authorized to communicate with another specific application, or the like, as examples).
Regarding Claim 16,
Claim 16 is a method claim that is broader than medium claim 8 and is rejected for the same reasons.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432