Prosecution Insights
Last updated: April 19, 2026

Application No.: 18/138,957
Title: SYSTEM FOR DYNAMIC NETWORK SECURITY CONTROL
Current action: Non-Final Office Action, §103
Filed: Apr 25, 2023
Examiner: CHOLLETI, RAGHAVENDER NMN
Art Unit: 2492
Tech Center: 2400 (Computer Networks)
Assignee: Salesforce Inc.
OA Round: 3 (Non-Final)

Outlook
Grant probability: 61% (Moderate)
Expected OA rounds: 3-4
Time to grant: 3y 1m
Grant probability with interview: 99%

Examiner Intelligence
Career allow rate: 61% (14 granted / 23 resolved cases; +2.9% vs Tech Center average)
Interview lift: strong, +40.8% (resolved cases with interview vs. without)
Typical timeline: 3y 1m average prosecution
Currently pending: 24
Career history: 47 total applications across all art units

Statute-Specific Performance (vs. Tech Center average estimate; based on career data from 23 resolved cases)
§101: 12.6% (-27.4% vs TC avg)
§103: 63.6% (+23.6% vs TC avg)
§102: 7.5% (-32.5% vs TC avg)
§112: 14.0% (-26.0% vs TC avg)

Office Action

§103
DETAILED ACTION

This action is in response to the Request for Continued Examination (RCE) filed on 11/25/2025. Claims 1, 10, and 19 have been amended. Claims 1-19 are pending examination.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.

Response to Arguments

Rejection under 35 U.S.C. § 101

Applicants' arguments with respect to the rejection of claims 1-19 under 35 U.S.C. 101 have been fully considered and are persuasive. Hence, the rejection under 35 U.S.C. 101 is withdrawn.

Rejection under 35 U.S.C. § 103

Applicants' arguments with respect to the rejection of claims 1-19 under 35 U.S.C. 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. A new reference, Lang et al. (US 20170126741 A1), has been introduced to disclose the amended claims. Lang teaches automatically generating and updating contextual network security rules based on changes in applications, services, and their attributes, and automatically deploying those rules, including IP-layer filter lists, to enforcement points. Lang also discloses mapping entities/services to security policies using context and dynamically updating access-control rules without user intervention when protected entities or integrations change.
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Phillips et al. (US 20180026944 A1), hereinafter referred to as Phillips, in view of Pandian et al. (US 20220272005 A1), hereinafter referred to as Pandian, in further view of Lang et al. (US 20170126741 A1), hereinafter referred to as Lang.

As per claim 1, Phillips discloses a computer-implemented method for dynamic network security control, the method comprising:

accessing a plurality of network security policies stored in the TPCE; (The management layer 220 can also provide security services 225 including policing incoming and outgoing traffic, e.g., based on firewall policies, and identity verification for cloud consumers and tasks, as well as protection for data and other resources. The workloads layer 230 provides examples of functionality for which the cloud service provided may be utilized, Phillips, para [0037])

storing mappings between the plurality of ENAs and the plurality of network security policies in the TPCE; (The security management component 112, the memory 314 are electrically and/or communicatively coupled to one another to perform one or more functions of management device 110, Phillips, para [0057]).

However, Phillips does not explicitly disclose the limitations: discovering a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); recording the plurality of ENAs in the TPCE.

Pandian discloses:

discovering a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); (Once the first set of packets are detected, the system may associate, store, or otherwise "map" the identifiers of the first set of data packets to a first profile corresponding to the first device that originated the data packets, operation 320, Pandian, para [0090])

recording the plurality of ENAs in the TPCE; (The system may then display a first interface element that represents, and visually presents, (1) the sub-network from which the first set of data packets originated and (2) the first device within the sub-network (operation 324), Pandian, para [0091]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips with Pandian in order to ensure devices receive appropriate access to services in the network (See Pandian, para [0090]-[0091]).

However, Phillips in view of Pandian does not explicitly disclose the limitations: mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; receiving a change to at least one of the plurality of ENAs; and dynamically, and without user intervention, causing a network access control list to be updated in response to [[the]] a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the stored mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services.

Lang discloses:

mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; (Automatically generate fine-grained contextual technical security rules (130), taking into account various system and context information, service/component models/metamodels, Lang, para [0036]. The system generates contextual security rules and cites service component and interaction models as inputs, i.e., context tied to services/functional domains and related attributes)

receiving a change to at least one of the plurality of ENAs; and (Whenever applications change (esp. the integration), the technical security rules can be automatically re-generated, Lang, para [0047]. An application change corresponds to a change in the protected endpoints/services, triggering regeneration)

dynamically, and without user intervention, causing a network access control list to be updated in response to [[the]] a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the stored mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services (Technical security rules (e.g., ABAC rules, RBAC configuration files or IP layer filter lists). The technical security rules are then automatically pushed into the policy enforcement points for enforcement, Lang, para [0045]. Here, the rules are automatically pushed to enforcement points, i.e., a dynamic update without user intervention, and include IP layer filter lists, an ACL-like construct)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian) with the adaptive model-driven security system (Lang). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips and Pandian with Lang in order to effectively manage security policies within a computing system (See Lang, para [0045]).

As per claim 2, Phillips, Pandian and Lang disclose the computer-implemented method of claim 1, the method further comprising: enforcing the network access control list by: Furthermore, Phillips discloses:

receiving a request from an entity for access a particular service of the plurality of services; (At 702, a device of a network (e.g., service provider network 102) and comprising a processor (e.g., management device 110), receives a request for the device of the network to apply a firewall policy rule to control traffic to a machine of the network, Phillips, para [0088])

retrieving a rule on the list of rules that specifies which entities are granted or denied access to a particular ENA associated with the particular service; and (Firewalls work by enforcing firewall policy rules, e.g., a list of permits or deny conditions, on traffic flowing between the different physical or virtual machines, devices or subnets it connects, Phillips, para [0040]).

granting or denying the request based in part on the rule (Firewall policies associated with such applications and services can define traffic authorized to enter and exit from the respective physical or virtual machines, devices and/or subnets at which the respective applications and services are deployed, Phillips, para [0042]).
As per claim 3, Phillips, Pandian and Lang disclose the computer-implemented method of claim 1, further comprising: Furthermore, Pandian discloses:

responsive to receiving the change in the plurality of ENAs, updating the mappings between the changed plurality of ENAs and the plurality of network security policies stored in a third storage; and (In operation 320, the attributes used to identify the origin second sub-network and device of the second set of data packets are mapped to a profile corresponding to the second device, operation 344, Pandian, para [0094]).

causing the network access control list to be updated based on the updated mappings (The system may then display a second interface element for the second device and second sub-network along with the first interface element for the first device and first sub-network in the combined visual representation, operation 348. In this way, the system visually represents the constituent sub-networks and their corresponding devices, Pandian, para [0094]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips with Pandian in order to ensure devices receive appropriate access to services in the network (See Pandian, para [0090]-[0091]).

As per claim 4, Phillips, Pandian and Lang disclose the computer-implemented method of claim 3, detecting the change in the plurality of ENAs comprising detecting at least one of: Furthermore, Phillips discloses:

a creation of a new service associated with a new ENA in the TPCE; an association of a new ENA with an existing service in the TPCE; a deletion of an existing service associated with an existing ENA in the TPCE; a disassociation of an existing ENA from an existing service in the TPCE; a creation of a network address translation (NAT) gateway associated with an ENA in the TPCE; a deletion of an NAT gateway associated with an existing ENA in the TPCE; a release of an ENA in the TPCE; a creation of a virtual private network (VPN) connection in the TPCE; and a deletion of a VPN connection in the TPCE. (The policy generation component 302 can be configured to facilitate users with generating firewall policy rules for their applications or services deployed on the service provider network 102, Phillips, para [0059]).

As per claim 5, Phillips, Pandian and Lang disclose the computer-implemented method of claim 1, wherein recording the plurality of ENAs includes for each ENA in the plurality of ENAs, recording one or more of the following attributes associated with the ENA: Furthermore, Phillips discloses:

a network address value of the ENA; a name of a service associated with the ENA; a functional domain in which the service associated with the ENA executes; a time stamp when the ENA is associated with the service; an allocation identifier associated with an allocation of the ENA; or an association identifier associated with an association of the ENA with the service (The policy generation component 302 can receive user input selecting a particular service at which the application or service is deployed. The user input can include the IP address, CIDR or security group name associated with the local machine or group of local machines, Phillips, para [0059]).
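To make the claimed mechanism concrete, the following Python sketch is an added illustration, not code from the application, from Salesforce, or from any of the cited references. It walks through the flow recited in claims 1, 2, 4 and 5 as summarized above: ENAs are recorded with the attributes of claim 5, each ENA is mapped to policies by a contextual relationship (an attribute value or the functional domain of its service), the ACL is regenerated from the mappings whenever a change event of the kinds enumerated in claim 4 arrives from an ENA detection module, and access requests are granted or denied against the resulting rules. Every policy, entity, event name, identifier and address is a constructed assumption (addresses are drawn from the TEST-NET-3 documentation range).

```python
"""Added example (not the application's or any cited reference's code): record ENAs,
map them to policies by context, regenerate the ACL on change events, and enforce it.
All policies, entities, event names and addresses are constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ENA:
    address: str         # network address value of the ENA
    service: str         # name of the service associated with the ENA
    domain: str          # functional domain in which that service executes
    associated_at: str   # time stamp when the ENA was associated with the service
    allocation_id: str   # identifier of the ENA allocation
    association_id: str  # identifier of the ENA-to-service association


@dataclass(frozen=True)
class Policy:
    name: str
    match_domain: Optional[str] = None   # context: a functional domain
    match_attr: Optional[tuple] = None   # context: (ENA attribute name, required value)
    allowed_entities: frozenset = frozenset()


# Change events the ENA detection module may report (claim 4's enumeration, constructed names).
ADD_EVENTS = {"service_created", "ena_associated", "nat_gateway_created", "vpn_created"}
REMOVE_EVENTS = {"service_deleted", "ena_disassociated", "nat_gateway_deleted",
                 "ena_released", "vpn_deleted"}


class DynamicACL:
    def __init__(self, policies):
        self.policies = list(policies)
        self.enas = {}      # recorded ENAs, keyed by address
        self.mappings = {}  # ENA address -> names of the policies it maps to
        self.acl = []       # ordered rules: (entity, ENA address, "allow" | "deny")
        self.revision = 0   # incremented on every automatic regeneration

    @staticmethod
    def _context_match(policy, ena):
        """Contextual relationship: functional domain of the service or an attribute value."""
        if policy.match_domain is not None and policy.match_domain == ena.domain:
            return True
        if policy.match_attr is not None:
            attr, value = policy.match_attr
            return getattr(ena, attr) == value
        return False

    def _remap_and_rebuild(self):
        """Refresh the stored mappings, then regenerate the ACL from them (no user step)."""
        self.mappings = {addr: [p.name for p in self.policies if self._context_match(p, ena)]
                         for addr, ena in self.enas.items()}
        acl = []
        for addr, names in self.mappings.items():
            allowed = set().union(*(p.allowed_entities for p in self.policies if p.name in names))
            acl.extend((entity, addr, "allow") for entity in sorted(allowed))
            acl.append(("*", addr, "deny"))  # default deny for every other entity
        self.acl = acl
        self.revision += 1

    def on_change(self, event, ena):
        """Entry point for a change received from the ENA detection module."""
        if event in ADD_EVENTS:
            self.enas[ena.address] = ena
        elif event in REMOVE_EVENTS:
            self.enas.pop(ena.address, None)
        else:
            raise ValueError(f"unknown change event: {event}")
        self._remap_and_rebuild()

    def decide(self, entity, address):
        """Enforcement: the first rule matching (entity, ENA) decides; unknown ENAs are denied."""
        for rule_entity, rule_addr, verdict in self.acl:
            if rule_addr == address and rule_entity in (entity, "*"):
                return verdict
        return "deny"


# Constructed policies: one keyed on a functional domain, one on an ENA attribute value.
POLICIES = [
    Policy("payments-domain", match_domain="payments",
           allowed_entities=frozenset({"checkout-svc"})),
    Policy("public-api", match_attr=("service", "api-gateway"),
           allowed_entities=frozenset({"checkout-svc", "mobile-app"})),
]


def demo():
    """Walk two constructed ENAs through creation, enforcement and release."""
    acl = DynamicACL(POLICIES)
    now = datetime.now(timezone.utc).isoformat()
    ledger = ENA("203.0.113.10", "ledger", "payments", now, "alloc-1", "assoc-1")
    gateway = ENA("203.0.113.20", "api-gateway", "edge", now, "alloc-2", "assoc-2")
    acl.on_change("service_created", ledger)
    acl.on_change("ena_associated", gateway)
    before = (acl.decide("checkout-svc", "203.0.113.10"),
              acl.decide("mobile-app", "203.0.113.10"),
              acl.decide("mobile-app", "203.0.113.20"))
    acl.on_change("ena_released", ledger)  # the released ENA's rules vanish with it
    after = acl.decide("checkout-svc", "203.0.113.10")
    return before, after, acl.revision
```

Running `demo()` yields the verdicts before the release, `("allow", "deny", "allow")`, the post-release verdict `"deny"`, and a revision count of 3, one regeneration per change event. The default-deny rule appended per ENA is the design choice worth noting: an ENA that drops out of the inventory loses every rule, so a stale grant cannot outlive the address it was issued for.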
As per claim 6, Phillips, Pandian and Lang disclose the computer-implemented method of claim 5, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses:

identifying a value of an attribute associated with a particular ENA; (The remote address variable represents a single remote machine or device associated with a single remote IP address, Phillips, para [0066]).

identifying a particular network security policy associated with the value of the attribute; and (The remote address variable includes a security group name and the policy evaluation component 304 can access information that identifies the IP addresses for the machines respectively associated with the same group name and VNIC, and/or the number of remote machines associated with the security group name, Phillips, para [0066]).

mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig. 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]-[0067]).

As per claim 7, Phillips, Pandian and Lang disclose the computer-implemented method of claim 6, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses:

identifying a name of a service associated with a particular ENA; (Service provider network 102 provides various services such as Workloads, management, virtualization, hardware and software. Workloads and functions which may be provided from layer 230 include but are not limited to: mapping and navigation 231, data analytics processing 232, transaction processing 233, software development 234, software management 235, and security software development 236, Phillips, Fig. 2, para [0037])

identifying a particular network security policy associated with the name of the service; and (The security management component 112 can perform security services, e.g., security services 225, and software security development, e.g., security software development 236, associated with network firewalls, such as user-defined firewall rules, Phillips, para [0037])

mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig. 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]-[0067]).

As per claim 8, Phillips, Pandian and Lang disclose the computer-implemented method of claim 6, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses:

identifying a functional domain of a service associated with a particular ENA; (The management device 110 or features and functionalities of the management device 110, e.g., security management component 112 or features and functionalities of security management component 112, can be located on or within another device included in the service provider network 102, e.g., a server device of the one or more server devices 104.sub.1-n, a VM of the one or more VMs 106.sub.1-n, a data store of the one or more data stores 108.sub.1-n, Phillips, para [0055])

identifying a particular network security policy associated with the functional domain of the service; and (One or more features and functionalities of the management device 110 and/or the security management component 112 can be distributed across a plurality of devices included in the service provider network 102. Further, the management device 110, the security management component 112, and/or features and functionalities of the management device 110 and the security management component 112 can be associated with a real or virtual machine or device included in the service provider network 102, Phillips, para [0055]).

mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig. 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]-[0067]).

As per claim 9, Phillips, Pandian and Lang disclose the computer-implemented method of claim 1, further comprising: Furthermore, Phillips discloses:

detecting a change in the plurality of network security policies; and (The risk value of a firewall policy rule can vary and is compared to a threshold value and is forwarded to the policy revision component 308. The policy revision component 308 can be configured to further analyze a firewall rule to determine a variable or characteristic of the variable, e.g., port range, that is responsible for the rule having a high or relatively high total risk value, Phillips, para [0084]-[0085]).

responsive to detecting a change in the plurality of network security policies, updating the mappings between the plurality of ENAs and the changed plurality of network security policies stored in a third storage; and (The policy revision component 308 can be configured to provide rules that are above or near a maximum threshold risk value to be reviewed in greater detail by a security specialist or another system, Phillips, para [0084]-[0085]).

causing the network access control list to be updated based on the updated mappings (The notification component 310 can be configured to notify a user identity associated with ownership of the local machine or subnet associated with the firewall policy rule that the firewall policy rule is not associated with the acceptable degree of security risk, Phillips, para [0085]).

As per claim 10, Phillips discloses a non-transitory computer-readable medium, stored thereon computer-executable instructions, that when executed by a processor of a computer system, cause the computer system to:

access a plurality of network security policies stored in the TPCE; (The management layer 220 can also provide security services 225 including policing incoming and outgoing traffic, e.g., based on firewall policies, and identity verification for cloud consumers and tasks, as well as protection for data and other resources. The workloads layer 230 provides examples of functionality for which the cloud service provided may be utilized, Phillips, para [0037]).

store mappings between the plurality of ENAs and the plurality of network security policies in the TPCE; (The security management component 112, the memory 314 are electrically and/or communicatively coupled to one another to perform one or more functions of management device 110, Phillips, para [0057]).
However, Phillips does not explicitly disclose the limitations: discover a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); record the plurality of ENAs in the TPCE.

Pandian discloses:

discover a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); (Once the first set of packets are detected, the system may associate, store, or otherwise "map" the identifiers of the first set of data packets to a first profile corresponding to the first device that originated the data packets, operation 320, Pandian, para [0090]).

record the plurality of ENAs in the TPCE; (The system may then display a first interface element that represents, and visually presents, (1) the sub-network from which the first set of data packets originated and (2) the first device within the sub-network (operation 324), Pandian, para [0091]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips with Pandian in order to ensure devices receive appropriate access to services in the network (See Pandian, para [0090]-[0091]).

Phillips in view of Pandian does not explicitly disclose the limitations: map the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; receive a change to at least one of the plurality of ENAs; and dynamically, a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the stored mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services.

Lang discloses:

map the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; (Automatically generate fine-grained contextual technical security rules (130), taking into account various system and context information, service/component models/metamodels, Lang, para [0036]. The system generates contextual security rules and cites service component and interaction models as inputs, i.e., context tied to services/functional domains and related attributes)

receive a change to at least one of the plurality of ENAs; and (Whenever applications change (esp. the integration), the technical security rules can be automatically re-generated, Lang, para [0047]. An application change corresponds to a change in the protected endpoints/services, triggering regeneration)

dynamically, a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the stored mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services (Technical security rules (e.g., ABAC rules, RBAC configuration files or IP layer filter lists). The technical security rules are then automatically pushed into the policy enforcement points for enforcement, Lang, para [0045]. Here, the rules are automatically pushed to enforcement points, i.e., a dynamic update without user intervention, and include IP layer filter lists, an ACL-like construct)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian) with the adaptive model-driven security system (Lang). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips and Pandian with Lang in order to effectively manage security policies within a computing system (See Lang, para [0045]).
As per claim 11, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 10, stored thereon additional computer-executable instructions, that when executed by a processor of a computer system, cause the computer system to: enforce the network access control list by: Furthermore, Phillips discloses:

receiving a request from an entity for access a particular service of the plurality of services; (At 702, a device of a network (e.g., service provider network 102) and comprising a processor (e.g., management device 110), receives a request for the device of the network to apply a firewall policy rule to control traffic to a machine of the network, Phillips, para [0088]).

retrieving a rule on the list of rules that specifies which entities are granted or denied access to a particular ENA associated with the particular service; and (Firewalls work by enforcing firewall policy rules, e.g., a list of permits or deny conditions, on traffic flowing between the different physical or virtual machines, devices or subnets it connects, Phillips, para [0040]).

granting or denying the request based in part on the rule (Firewall policies associated with such applications and services can define traffic authorized to enter and exit from the respective physical or virtual machines, devices and/or subnets at which the respective applications and services are deployed, Phillips, para [0042]).

As per claim 12, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 10, stored thereon additional computer-executable instructions, that when executed by a processor of a computer system, cause the computer system to: Furthermore, Pandian discloses:

responsive to receiving the change in the plurality of ENAs, update the mappings between the changed plurality of ENAs and the plurality of network security policies stored in a third storage; and (In operation 320, the attributes used to identify the origin second sub-network and device of the second set of data packets are mapped to a profile corresponding to the second device, operation 344, Pandian, para [0094]).

cause the network access control list to be updated based on the updated mappings (The system may then display a second interface element for the second device and second sub-network along with the first interface element for the first device and first sub-network in the combined visual representation, operation 348. In this way, the system visually represents the constituent sub-networks and their corresponding devices, Pandian, para [0094]).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips with Pandian in order to ensure devices receive appropriate access to services in the network (See Pandian, para [0090]-[0091]).

As per claim 13, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 12, detecting the change in the plurality of ENAs comprising detecting at least one of: Furthermore, Phillips discloses:

a creation of a new service associated with a new ENA in the TPCE; an association of a new ENA with an existing service in the TPCE; a deletion of an existing service associated with an existing ENA in the TPCE; a disassociation of an existing ENA from an existing service in the TPCE; a creation of a network address translation (NAT) gateway associated with an ENA in the TPCE; a deletion of an NAT gateway associated with an existing ENA in the TPCE; a release of an ENA in the TPCE; a creation of a virtual private network (VPN) connection in the TPCE; and a deletion of a VPN connection in the TPCE (The policy generation component 302 can be configured to facilitate users with generating firewall policy rules for their applications or services deployed on the service provider network 102, Phillips, para [0059]).

As per claim 14, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 10, wherein Furthermore, Phillips discloses:

recording the plurality of ENAs includes for each ENA in the plurality of ENAs, recording one or more of the following attributes associated with the ENA: a network address value of the ENA; a name of the service associated with the ENA; a functional domain in which the service associated with the ENA executes; a time stamp when the ENA is associated with the service; an allocation identifier associated with an allocation of the ENA; or an association identifier associated with an association of the ENA with the service (The policy generation component 302 can receive user input selecting a particular service at which the application or service is deployed.
The user input can include the IP address, CIDR or security group name associated with the local machine or group of local machines, Phillips, para [0059]). As per claim 15, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 14, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses: identifying a value of an attribute associated with a particular ENA; (The remote address variable represents a single remote machine or device associated with a single remote IP address, Phillips, para [0066]). identifying a particular network security policy associated with the value of the attribute; and (The remote address variable includes a security group name and the policy evaluation component 304 can access to information that identifies the IP addresses for the machines respectively associated with the same group name and VNIC, and/or the number of remote machines associated with the security group name, Phillips, para [0066]). mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]- [0067]). As per claim 16, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 15, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses: identifying a name of the service associated with a particular ENA; (Service provider network 102 provides various services such as Workloads, management, virtualization, hardware and software. 
Workloads and functions which may be provided from layer 230 include but are not limited to: mapping and navigation 231, data analytics processing 232, transaction processing 233, software development 234, software management 235, and security software development 236, Phillips, Fig 2, para [0037]) identifying a particular network security policy associated with the name of the service; and (The security management component 112 can perform security services, e.g., security services 225, and software security development, e.g., security software development 236, associated with network firewalls, such as user-defined firewall rules, Phillips, para [0037]) mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]- [0067]). As per claim 17, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 15, wherein mapping the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween comprises: Furthermore, Phillips discloses: identifying a functional domain of the service associated with a particular ENA; (The management device 110 or features and functionalities of the management device 110, e.g., security management component 112 or features and functionalities of security management component 112, can be located on or within another device included in the service provider network 102, e.g., a server device of the one or more server devices 104.sub.1-n, a VM of the one or more VMs 106.sub.1-n, a data store of the one or more data stores 108.sub.1-n, Phillips, para [0055]) identifying a particular network security policy associated with the functional domain of the service; and (One or more features and functionalities of the 
management device 110 and/or the security management component 112 can be distributed across a plurality of devices included in the service provider network 102. Further, the management device 110, the security management component 112, and/or features and functionalities of the management device 110 and the security management component 112 can be associated with a real or virtual machine or device included in the service provider network 102, Phillips, para [0055]). mapping the particular ENA to the particular network security policy (The number of remote machines associated with a CIDR subnet or security group name can vary. Fig 4 represents a graph showing different remote address variables associated with different firewall policies and their risk value, Phillips, para [0066]- [0067]). As per claim 18, Phillips, Pandian and Lang disclose the non-transitory computer-readable medium of claim 10, stored thereon additional computer-executable instructions, that when executed by a processor of a computer system, cause the computer system to: Furthermore, Phillips discloses: detect a change in the plurality of network security policies; and (The risk value of a firewall policy rule can vary and is compared to a threshold value and is forwarded to the policy revision component 308. The policy revision component 308 can be configured to further analyze a firewall rule to determine a variable or characteristic of the variable, e.g., port range, that is responsible the rule having a high or relatively high total risk value, Phillips, para [0084]- [0085]). 
responsive to detecting a change in the plurality of network security policies, update the mappings between the plurality of ENAs and the changed plurality of network security policies stored in a third storage; and (The policy revision component 308 can be configured to provide rules that are above or near a maximum threshold risk value to be reviewed in greater detail by a security specialist or another system, Phillips, para [0084]- [0085]). cause the network access control list to be updated based on the updated mappings (The notification component 310 can be configured to notify a user identity associated with ownership of the local machine or subnet associated with the firewall policy rule that the firewall policy rule is not associated with the acceptable degree of security risk, Phillips, para [0085]). As per claim 19, Phillips disclose a computer system comprising: a processor; and (A system is provided that includes a processor and a memory that stores executable instructions that, when executed by the processor, facilitate performance of various operations, Phillips, para [0025]) a non-transitory computer readable storage medium, stored thereon computer-executable instructions, that when executed by the processor, cause the processor to: (Computing devices comprises media such as tangible and/or non-transitory computer readable (or machine-readable) storage media, Phillips, para [0098]) access a plurality of network security policies stored in the TPCE; (The management layer 220 can also provide security services 225 including policing incoming and outgoing traffic, e.g., based on firewall policies, and identity verification for cloud consumers and tasks, as well as protection for data and other resources. The workloads layer 230 provides examples of functionality for which the cloud service provided may be utilized, Phillips, para [0037]). 
store mappings between the plurality of ENAs and the plurality of network security policies in the TPCE; (The security management component 112, the memory 314 are electrically and/or communicatively coupled to one another to perform one or more functions of management device 110, Phillips, para [0057]). However, Phillips does not explicitly disclose the limitations: discover a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); record the plurality of ENAs in the TPCE; Pandian discloses: discover a plurality of external network addresses (ENAs) associated with a plurality of services in a trusted public cloud environment (TPCE); (Once the first set of packets are detected, the system may associate, store, or otherwise "map" the identifiers of the first set of data packets to a first profile corresponding to the first device that originated the data packets, operation 320, Pandian, para [0090]) record the plurality of ENAs in the TPCE; (The system may then display a first interface element that represents, and visually presents, (1) the sub-network from which the first set of data packets originated and (2) the first device within the sub-network (operation 324), Pandian, para [0091]). A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips with Pandian in order to ensure devices receives appropriate access to services in the network (See Pandian, para [0090]- [0091]). 
However, Phillips in view of Pandian does not explicitly disclose the limitations: map the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; receive a change to at least one of the plurality of ENAs; and dynamically, a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services. Lang discloses: map the plurality of ENAs to the plurality of network security policies based on contextual relationships therebetween, the contextual relationships being based on at least one of values of attributes of the plurality of ENAs or functional domains of services associated with the plurality of ENAs; (Automatically generate fine-grained contextual technical security rules (130), taking into account various system and context information, service/ component models/ metamodels, Lang, para [0036]. The system generates contextual security rules and cites service component and interaction models as inputs i.e., context tied to services/functional domains and related attributes) receive a change to at least one of the plurality of ENAs; and (Whenever applications change (esp. the integration), the technical security rules can be automatically re-generated, Lang, para [0047]. 
Application change corresponds to a change in the protected endpoints/services, triggering regeneration) dynamically, a change received from an ENA detection module deployed at an API and configured to monitor the API associated with an ENA from among the plurality of ENAs, wherein the change is based in part on the mappings between the plurality of ENAs and the plurality of network security policies, the network access control list containing a list of rules that specifies which entities are granted or denied access to the plurality of ENAs associated with the plurality of services (Technical security rules (e.g., ABAC rules, RBAC configuration files or IP layer filter lists. The technical security rules are then automatically pushed into the policy enforcement points for enforcement, Lang, para [0045]. Here, the rules are automatically pushed to enforcement points i.e., dynamic update without user intervention and includes IP layer filter lists like an ACL like construct) A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Phillips with Pandian by incorporating the method of accessing and mapping devices to network policies (Phillips) and detecting and recording devices in a cloud environment (Pandian) with adaptive model-driven security system (Lang). It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Phillips and Pandian with Lang in order to effectively manage security policies within a computing system (See Lang, para [0045]). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAGHAVENDER CHOLLETI whose telephone number is (703) 756-1065. The examiner can normally be reached M-F 9am-5pm ET. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. 
To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, RUPAL DHARIA can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. Respectfully submitted, /RAGHAVENDER NMN CHOLLETI/Examiner, Art Unit 2492 /RUPAL DHARIA/Supervisory Patent Examiner, Art Unit 2492
Prosecution Timeline

Apr 25, 2023
Application Filed
Feb 03, 2025
Non-Final Rejection — §103
Jun 26, 2025
Applicant Interview (Telephonic)
Jun 26, 2025
Examiner Interview Summary
Jul 07, 2025
Response Filed
Sep 02, 2025
Final Rejection — §103
Nov 13, 2025
Applicant Interview (Telephonic)
Nov 13, 2025
Examiner Interview Summary
Nov 25, 2025
Request for Continued Examination
Dec 06, 2025
Response after Non-Final Action
Dec 31, 2025
Non-Final Rejection — §103 (current)