Detailed Action
This non-final Office Action is in response to the amendment filed on 12/30/2025. Claims 1, 7, 9, 10, 14, 15 and 20 have been amended; no claims have been cancelled. Claims 1-20 remain pending in the application.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/30/2025 has been entered.
Response to Amendment
The amendment filed on 12/30/2025 has been entered. See above on lines 1-3 of this Office Action.
Response to Arguments
Applicant’s arguments regarding the rejections under 35 U.S.C. § 103 in the Office Action mailed on 10/01/2025, together with the amendments to claims 1, 7, 9, 10, 14, 15 and 20, have been carefully considered and are persuasive. However, upon further consideration, the arguments are moot in view of the new grounds of rejection set forth below.
With respect to Applicant’s arguments regarding the remaining claims 2-6, 8, 11-13, and 15-19 on pages 10-15 of the Remarks, Applicant relies on the newly added amendments to independent claims 1, 10, and 15. Please see the examiner’s response above and the details of the rejections below.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 7, and 10 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US-10771506-B1 hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1 hereafter Chugtu).
Regarding claim 1, Kumar teaches a method of protecting networks, comprising:
detecting a compromised computing device associated with a security event generated by a unified security policy from a group of sites within a network (see Kumar Col. 1 lines 19-26: “receive network topology information of a network and device capability information corresponding to capabilities of devices in the network; detect a threat to an affected device of the network; determine threat information associated with the threat; select a security policy to mitigate the threat based on the threat information;”);
determining a threat context of the compromised computing device, the threat context including data associated with the security event (see Kumar Col. 10 lines 1-20: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210, or the like. A malicious entity may be a device that intends to spread malware.”, Col. 10 lines 25-28: “security platform 230 may detect a threat to monitored network 210 to enable security platform 230 to determine threat information associated with the threat to mitigate the threat.”);
propagating the threat context to a controller (see Kumar Col. 15 lines 46-54: “The example implementation 500 includes enforcement devices 517 (including firewalls 517-1, switches 517-2, routers 517-3, SDN platforms 517-4, and public cloud platforms 517-5), security platform 525, cloud threat feeds 535 and custom threat feeds 545. In the example implementation 500, security platform 525 may utilize detected threats and/or threat information from cloud threat feeds 535 and/or custom threat feeds 545 to select security policies to deploy to enforcement devices 517”, Col. 16 lines 4-10: “Using the threats and threat information from cloud threat feeds 535 and custom threat feeds 545, security platform 525 may deploy security policies to enforcement devices 517. According to some implementations herein, security platform 525 may deploy the security policies to enforce the security policies based on the types of threats and capabilities of the enforcement devices 517 (which may include the location of the enforcement devices 517 within a topology of a network, the location of the enforcement devices 517 relative to a location of a threat, or the like.)”);
determining, based at least in part on the threat context, a user associated with the compromised computing device, the user being associated with a user context, the user context at least partially including a geolocation of the user (see Kumar Col. 10 lines 1-16: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified”, Col. 15 lines 8-22: “security platform 230 may provide or transmit information associated with the threat. For example, security platform 230 may provide information to cause a user interface to present results of a deployment of a selected security policy to a selected enforcement device to mitigate a detected threat. Example results of the deployment may include a malware report or alert (e.g., notifying a user of the presence or non-presence of malware) and/or threat information associated with the detected threat, such as threat type, affected or targeted devices, sources or origins of the threat, or the like. In some implementations, security platform 230 may provide information to an intended target of a threat (e.g., a warning to avoid a particular CnC site, infected host, communication with a flagged Geo IP address, etc.).”);
provisioning the controller with a dynamic list and a data policy matching the dynamic list (see Kumar Col. 15 lines 55-67 – Col. 16 lines 1-10: “security platform 525 may detect a threat using cloud threat feeds 535 and/or custom threat feeds 545. Cloud threat feeds 535 may be threat feeds that are available to networks in communication with a cloud computing environment (e.g., cloud computing environment 220). Custom threat feeds 545 may be threat feeds that are specific to a particular monitored network (e.g., when particular threats are known to be present in a monitored network 210, when particular devices of a monitored network 210 are known to be infected, or the like). Accordingly, security platform 230 may use cloud threat feeds 535 and custom threat feeds 545 to detect threats and receive threat information. Using the threats and threat information from cloud threat feeds 535 and custom threat feeds 545, security platform 525 may deploy security policies to enforcement devices 517. According to some implementations herein, security platform 525 may deploy the security policies to enforce the security policies based on the types of threats and capabilities of the enforcement devices 517 (which may include the location of the enforcement devices 517 within a topology of a network, the location of the enforcement devices 517 relative to a location of a threat, or the like).”);
propagating the user context into the dynamic list referenced under the data policy (see Kumar Col. 11 lines 59-67: “security platform 230 may select the security policy and/or the enforcement device based on which threat feed (e.g., which of the CnC feed, the Geo IP feed, the malware feed, the infected host feed, the DDoS feed, etc.) detected the threat and/or provided information on the threat. Security platform 230 may use the network topology information and the device capability information to select the enforcement device to enforce a selected security policy.”, Col. 16 lines 1-10: “Using the threats and threat information from cloud threat feeds 535 and custom threat feeds 545, security platform 525 may deploy security policies to enforcement devices 517. According to some implementations herein, security platform 525 may deploy the security policies to enforce the security policies based on the types of threats and capabilities of the enforcement devices 517 (which may include the location of the enforcement devices 517 within a topology of a network, the location of the enforcement devices 517 relative to a location of a threat, or the like).”);
based at least in part on the geolocation of the user and a first geolocation of a first site of the group of sites, advertising the dynamic list and the data policy to the first site (see Kumar Col. 10 lines 1-16: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified”, Col. 15 lines 8-22: “security platform 230 may provide or transmit information associated with the threat. For example, security platform 230 may provide information to cause a user interface to present results of a deployment of a selected security policy to a selected enforcement device to mitigate a detected threat. Example results of the deployment may include a malware report or alert (e.g., notifying a user of the presence or non-presence of malware) and/or threat information associated with the detected threat, such as threat type, affected or targeted devices, sources or origins of the threat, or the like. In some implementations, security platform 230 may provide information to an intended target of a threat (e.g., a warning to avoid a particular CnC site, infected host, communication with a flagged Geo IP address, etc.).”, Col. 8 lines 59-67 – Col. 9 lines 1-20: “In some implementations, the content of the network topology information may include a number of devices 215, 217 in monitored network 210, communication link information indicating communication links between devices 215, 217 in monitored network 210 (e.g., indicating neighbor relationships between the devices 215, 217), location information of devices 215, 217 in monitored network 210 (e.g., physical location information, such as geographical information, site information, or rack/chassis location information, and/or logical information, such as the location within monitored network 210 relative to other devices of monitored network 210), port and/or socket information associated with communication links between devices 215, 217 in monitored network 210, or the like. The content of the device capability information for devices 215, 217 of monitored network 210 may include device type information of devices 215, 217 in monitored network 210 (e.g., a switch, a router, a gateway, an internal segmentation firewall, a perimeter firewall, an IPS, an IDS, etc.), functionality of devices 215, 217 in monitored network 210 (e.g., a list of the functions that devices 215, 217 are capable of performing), model information associated with devices 215, 217 (e.g., a model name, a model identifier, such as a serial number, or the like), communication protocols of devices 215, 217, bandwidth capabilities of devices 215, 217 (e.g., total bandwidth and/or available bandwidth), capacity of devices 215, 217, current security policies deployed to devices 215, 217, or the like.”); and
Kumar appears to be silent; however, Chugtu teaches
based at least in part on the geolocation of the user and a second geolocation of a second site of the group of sites, refraining from advertising the dynamic list and the data policy to the second site (see Chugtu par. 0051-0052: “the set of rules can include a set of firewall rules, a set of policies, and/or the like. In some implementations, server device 230 can configure a set of rules for each container. For example, server device 230 can configure a rule for each container that prevents the container from receiving traffic from another container associated with a different tenant (e.g., by preventing traffic from a container that has an IP address that includes a different tenant identifier than the IP address of the container). Additionally, or alternatively, and as another example, server device 230 can configure a rule for a container that prevents the container from providing traffic to another container associated with a different tenant (e.g., by preventing the container from providing traffic to another container that has an IP address that includes a different tenant identifier than the IP address of the container). A set of rules can be time-based (e.g., where particular traffic is permitted at a particular time). Additionally, or alternatively, and as another example, the set of rules can be size-based (e.g., where traffic of a threshold size is permitted, where server device 230 is permitted to send/receive a threshold amount of traffic in a time period, etc.). Additionally, or alternatively, and as another example, the set of rules can be destination and/or source-based (e.g., where traffic is permitted to/from a particular destination/source, permitted from a particular source but not to the particular source, etc.). Additionally, or alternatively, and as another example, the set of rules can be location-based (e.g., based on a geographic location of server device 230, a geographic location of a source and/or destination of traffic, etc.).”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Kumar’s teaching that “Security platform 230 includes one or more devices capable of detecting a threat to monitored network 210 and/or cloud computing environment 220 and/or providing security services over monitored network 210 and/or cloud computing environment 220. In some implementations, security platform 230 may determine threat information associated with the threat and select a security policy and/or an enforcement device to mitigate the threat. In some implementations, security platform 230 may include, may be included within, or may be implemented by a software defined secure network (SDSN).” (see Kumar Col. 6 lines 16-26) with Chugtu’s teaching that “the server device can configure a set of rules to permit the container to exchange traffic with a set of containers associated with the same tenant and/or to prevent the container from exchanging traffic with another set of containers associated with the same or a different tenant. For example, the server device can configure a set of firewall rules for the container. Continuing with the previous example, the server device can configure a first rule for a container that permits the container to receive and/or provide traffic associated with a particular tenant. Additionally, or alternatively, and as another example, the server device can configure a second rule that prevents the container from receiving and/or providing traffic associated with other tenants.” (see Chugtu par. 0015).
Claim 10 is a computer-readable medium claim reciting limitations corresponding to those of claim 1. Therefore, claim 10 is rejected for the same reasons as set forth in the rejection of claim 1 (see Kumar Col. 1 lines 29-38: “a non-transitory computer-readable medium storing instructions, the instructions comprising one or more instructions that, when executed by one or more processors,”).
Regarding claim 4, Kumar in view of Chugtu discloses the method of claim 1, and Kumar further teaches wherein the dynamic list comprises an IP address, a port, an application name, a security group tag (SGT), a username, or combinations thereof that are associated with the compromised computing device (see Kumar Col. 10 lines 1-20: “security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210,”).
Regarding claim 7, Kumar in view of Chugtu discloses the method of claim 1, and Kumar further teaches wherein the user context comprises a username associated with the compromised computing device, a quarantine virtual private network (VPN) associated with the compromised computing device, or combinations thereof (see Kumar Col. 10 lines 1-16: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware,”).
Claims 5, 6, 9, and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US-10771506-B1 hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1 hereafter Chugtu), in further view of Dods et al. (US-11902330-B1 hereafter Dods).
Regarding claim 5, Kumar in view of Chugtu discloses the method of claim 1. Kumar in view of Chugtu does not explicitly teach, but Dods teaches, wherein the data policy comprises:
pre-crafted rules matching the dynamic list (see Dods Col. 5 lines 52-64: “the machine learning model may generate the security policy by identifying one or more security rules to be implemented by one or more of the network devices and/or one or more of the other endpoint devices. security rules that may be included in the security policy include a security rule that causes the user identity data to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata; a security rule that causes a network address of the compromised endpoint device to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata;”); and
at least one action to take based on the pre-crafted rules. (See Dods Col. 6 lines 13-15: “security rule that causes one or more of the network devices to perform an action;”, Col. 7 lines 7-9: “actions include the security system adding the user identity data associated with the compromised endpoint device to a blacklist.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumar in view of Chugtu as applied to claim 1 with Dods’s teaching that “when utilizing the data identifying malicious behavior, the user identity data, and the endpoint device data to generate the security policy, the security system may generate a security rule for the security policy that causes the user identity data associated with the compromised endpoint device to be added to a traffic feed of the compromised endpoint device; may generate a security rule for the security policy that temporarily adds the user identity data associated with the compromised endpoint device to a blacklist and causes the blacklist to be propagated to the network devices and the other endpoint devices” (see Dods Col. 5 lines 21-31).
Regarding claim 6, Kumar in view of Chugtu discloses the method of claim 1. Kumar in view of Chugtu does not explicitly teach, but Dods teaches, further comprising tracking malicious activity metrics for the sites based on at least one parameter, wherein the at least one parameter comprises activity over a period of time, percentage of infected computing devices at the sites, or combinations thereof (see Dods Col. 6 lines 33-46: “the security system may train the machine learning model, with historical data, to identify security rules (or the machine learning model determines confidence scores for security rules and/or identifies top scoring security rules) for a current malicious behavior situation (e.g., associated with the traffic of the compromised endpoint device, the endpoint device data, and the network device data). The historical data may include data identifying malicious behavior exhibited by compromised endpoint devices; data identifying effects of the malicious behavior on networks, network devices, and/or other endpoint devices; historical traffic associated with compromised endpoint devices; historical endpoint device data; historical network device data; historical topology data;”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumar in view of Chugtu as applied to claim 1 with Dods’s teaching of “a security system that generates a network security policy based on a user identity associated with malicious behavior. For example, the security system may receive data identifying malicious behavior by a compromised endpoint device associated with a network and may receive user identity data identifying a user of the compromised endpoint device associated with the network. The security system may receive endpoint device data identifying the compromised endpoint device and other endpoint devices associated with the network” (see Dods Col. 5 lines 21-31).
Claim 13 is a computer-readable medium claim reciting limitations corresponding to those of claim 6. Therefore, claim 13 is rejected for the same reasons as set forth in the rejection of claim 6.
Regarding claim 9, Kumar in view of Chugtu discloses the method of claim 1. Kumar in view of Chugtu does not explicitly teach, but Dods teaches, wherein advertising the dynamic list and the data policy to at least one of the sites is based on a site list, based on user-defined criteria, or combinations thereof (see Dods Col. 5 line 57 – Col. 6 line 6: “security rules that may be included in the security policy include a security rule that causes the user identity data to be added to a traffic feed of the compromised endpoint device... a security rule that temporarily adds the user identity data and/or the network address of the compromised endpoint device to a blacklist and causes the blacklist to be propagated to the network devices and/or the other endpoint devices based on network addresses of the network devices and the other endpoint devices.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumar in view of Chugtu as applied to claim 1 with Dods’s teaching of “a security rule that utilizes the user identity data to prevent the compromised endpoint device from accessing the network; a security rule that modifies security rules associated with the network devices; a security rule that modifies intrusion prevention system rules associated with the network; a security rule that notifies one or more of the network devices of the compromised endpoint device” (see Dods Col. 6 lines 7-13).
Claim 14 is a computer-readable medium claim reciting limitations corresponding to those of claim 9. Therefore, claim 14 is rejected for the same reasons as set forth in the rejection of claim 9.
Regarding claim 12, Kumar in view of Chugtu discloses the non-transitory computer-readable medium of claim 10, and Kumar further teaches wherein:
the dynamic list comprises an IP address, a port, an application name, a security group tag (SGT), a username, or combinations thereof that are associated with the compromised computing device (see Kumar Col. 10 lines 1-20: “security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210,”), and
Kumar in view of Chugtu does not explicitly teach, but Dods teaches, that
the data policy comprises:
pre-crafted rules matching the dynamic list; (see Dods Col. 5 lines 52-64: “the machine learning model may generate the security policy by identifying one or more security rules to be implemented by one or more of the network devices and/or one or more of the other endpoint devices. security rules that may be included in the security policy include a security rule that causes the user identity data to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata; a security rule that causes a network address of the compromised endpoint device to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata;”), and
at least one action to take based on the pre-crafted rules. (See Dods Col. 6 lines 13-15: “security rule that causes one or more of the network devices to perform an action;”, Col. 7 lines 7-9: “actions include the security system adding the user identity data associated with the compromised endpoint device to a blacklist.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumar in view of Chugtu as applied to claim 10 with Dods’s teaching that “The security system may identify a malicious behavior associated with an endpoint device connected to a network and may identify user identity data (e.g., an email address, an active directory username, a username, a token, and/or the like) associated with the endpoint device” (see Dods Col. 3 lines 7-12).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US-10771506-B1 hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1 hereafter Chugtu), in further view of Valluri et al. (20200177606 hereafter Valluri).
Regarding claim 8, Kumar in view of Chugtu discloses the method of claim 1. Kumar in view of Chugtu appears to be silent as to wherein the threat context is advertised to the controller via overlay management protocol (OMP).
However, Valluri explicitly teaches wherein the threat context is advertised to the controller via overlay management protocol (OMP) (see Valluri par. 0040: “Threats can be detected by the locally-implemented security services 103, where a threat signature 105 can be sent upstream via an upstream OMP message 107a to the network controller appliances 132. The network controller appliances 132 can add the threat signature 105 (may be specific to the enterprise it is serving) and can push the threat signature 105 downstream via a downstream OMP message 107b propagating to other edge network devices 142b. The upstream and downstream OMP messages 107a, 107b can be new message types in an address family in the OMP messages.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Kumar in view of Chugtu as applied to claim 1 with Valluri’s teaching that “OMP messages/updates can include new category of messages for Security and DNS threat is a sub-category of Security. The threat signature 105 detected by the edge network device 142a, 302A and 302B (collectively, 302) may be transmitted back and forth between the network controller appliance 132 and the edge network devices 142A and 142B, respectively.” (see Valluri par. 0045).
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US-10771506-B1 hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1 hereafter Chugtu), in view of Mani et al. (US-20200053169-A1 hereafter Mani), in view of Pularikkal et al. (US-20210075799-A1 hereafter Pularikkal), in further view of Dods-2 et al. (US-10972508-B1 hereafter Dods-2).
Regarding claim 2, Kumar in view of Chugtu discloses the method of claim 1. Kumar in view of Chugtu appears to be silent; however, Mani teaches wherein determining the user comprises fetching a user identity from an identity services engine (ISE), the method (see Mani par. 0040: “identifying information of the service device, such as MAC address, IP address, or other identities or metadata like username, serial number, device identity (ID), device make and model, and so on, may be obtained from the service device and exchanged with an authentication services (e.g., an identity services engine or “ISE”).”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu for claim 1 with Mani's teaching “where the trusted participant (e.g., edge switch) authenticates the device. In this "pre-provisioning" stage, authentication may take place using one or more of a variety of authentication protocols, such as IEEE 802.1X (dot1x), MAC authentication bypass (MAB), and web authentication (WebAuth). For instance, identifying information of the service device, such as MAC address, IP address, or other identities or metadata like username, serial number, device identity (ID), device make and model, and so on, may be obtained from the service device and exchanged with an authentication services (e.g., an identity services engine or "ISE")” (see Mani par. 0040).
Kumar in view of Chugtu and Mani appear to be silent; however, Pularikkal teaches
notifying the ISE of the compromised computing device (see Pularikkal par. 0046: “Information regarding application flows classified as anomalous is sent (412) to Identity Services Engine 110 as an anomaly notification.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu and Mani described above with Pularikkal's teaching that “Anomalous flows are handled by Identity Services Engine 110, which applies change of authorization policies to restrict the incoming application flow. These change of authorization policies take into account user context, device context, and application context.” (see Pularikkal par. 0029).
Kumar in view of Chugtu, Mani and Pularikkal appear to be silent; however, Dods-2 teaches
registering, with the ISE, changes to an IP address for the compromised computing device (see Dods-2 Col. 6 lines 54-57: “the security platform may add an address (e.g., an IP address) of the compromised endpoint device to a blacklist so that the compromised endpoint device may be prevented from accessing the network and/or the other endpoint devices.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu, Mani and Pularikkal described above with Dods-2's teaching of "adding an address (e.g., an IP address) of the compromised endpoint device to a blacklist. In this way, the compromised endpoint device may be prevented from spreading the malicious behavior to the network." (see Dods-2 Col. 6 lines 53-59).
Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US-10771506-B1, hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1, hereafter Chugtu), in view of Mani et al. (US-20200053169-A1, hereafter Mani), in view of Pularikkal et al. (US-20210075799-A1, hereafter Pularikkal), in further view of Dods-2 et al. (US-10972508-B1, hereafter Dods-2), in further view of Voit et al. (US-20180139240-A1, hereafter Voit).
Regarding claim 3, Kumar in view of Chugtu, Mani, Pularikkal, and Dods-2 disclose the method of claim 2. Kumar in view of Chugtu, Mani, Pularikkal, and Dods-2 appear to be silent; however, Voit teaches
further comprising, based at least in part on the IP address of the compromised computing device changing to a new IP address, updating the dynamic list to include the new IP address (see Voit par. 0020: “The central security application 105 has a list of potential attackers (from the service 110) and a list of potential intrusion events/attacks (from the host alerts 150 and network alerts 152) that may identify an attacker. The central security application 105 builds a list, identified in FIG. 1 as the ephemeral access control list (ACL) 170, which identifies one or more attackers that should be addressed in the network 115…”; par. 0021: “The central security application 105 sends information describing the list 170 to the security application 120, for example. The list 170 serves as a dynamic filter that is maintained by the security application 120, and only a subset of the list 170 is downloaded to the equipment in the network 115.”; par. 0021: “the security policy for that route can be brought down into the network (e.g., to one or more of network devices 140, 142 and 144) from the list 170 maintained by the security application 120.”; par. 0022: “The security policy for the threat that is known in the network 115 ("y.y.y.y") is downloaded from the list 170 to network device 140, as an example. In general, as routing changes occur, security policies are downloaded and applied only for traffic which might come from a domain where an attack vector is known to exist.”). The examiner interprets the list 170 of potential attackers, which the central security application builds and changes, as the dynamic list that is updated with attacker information. The routing changes that occur, with security policies applied for traffic that might come from a domain where an attack is known, are interpreted as the change of IP address.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu, Mani, Pularikkal, and Dods-2 for claim 2 with Voit's teaching that “a dynamic routing and/or forwarding information (e.g., a route advertisement) results in modification of a filter against a global list (the list 170) maintained by the security application 120.” in order to properly update the list using the IP address (see Voit par. 0025).
Regarding claim 11, Kumar in view of Chugtu disclose the non-transitory computer-readable medium of claim 10. Kumar in view of Chugtu appear to be silent; however, Mani teaches wherein determining the user comprises fetching a user identity from an identity services engine (ISE) (see Mani par. 0040: “identifying information of the service device, such as MAC address, IP address, or other identities or metadata like username, serial number, device identity (ID), device make and model, and so on, may be obtained from the service device and exchanged with an authentication services (e.g., an identity services engine or “ISE”).”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu for claim 10 with Mani's teaching “where the trusted participant (e.g., edge switch) authenticates the device. In this "pre-provisioning" stage, authentication may take place using one or more of a variety of authentication protocols, such as IEEE 802.1X (dot1x), MAC authentication bypass (MAB), and web authentication (WebAuth). For instance, identifying information of the service device, such as MAC address, IP address, or other identities or metadata like username, serial number, device identity (ID), device make and model, and so on, may be obtained from the service device and exchanged with an authentication services (e.g., an identity services engine or "ISE")” (see Mani par. 0040).
Kumar in view of Chugtu and Mani appear to be silent; however, Pularikkal teaches
the operations further comprising:
notifying the ISE of the compromised computing device; (see Pularikkal par. 0046: “Information regarding application flows classified as anomalous is sent (412) to Identity Services Engine 110 as an anomaly notification.”)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu and Mani described above with Pularikkal's teaching that “Anomalous flows are handled by Identity Services Engine 110, which applies change of authorization policies to restrict the incoming application flow. These change of authorization policies take into account user context, device context, and application context.” (see Pularikkal par. 0029).
Kumar in view of Chugtu, Mani and Pularikkal appear to be silent; however, Dods-2 teaches
registering, with the ISE, changes to an IP address for the compromised computing device (see Dods-2 Col. 6 lines 54-57: “the security platform may add an address (e.g., an IP address) of the compromised endpoint device to a blacklist so that the compromised endpoint device may be prevented from accessing the network and/or the other endpoint devices.”); and
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu, Mani, and Pularikkal described above with Dods-2's teaching of "adding an address (e.g., an IP address) of the compromised endpoint device to a blacklist. In this way, the compromised endpoint device may be prevented from spreading the malicious behavior to the network." (see Dods-2 Col. 6 lines 53-59).
Kumar in view of Chugtu, Mani, Pularikkal, and Dods-2 appear to be silent; however, Voit teaches
based at least in part on the IP address of the compromised computing device changing to a new IP address, updating the dynamic list to include the new IP address (see Voit par. 0020: “The central security application 105 has a list of potential attackers (from the service 110) and a list of potential intrusion events/attacks (from the host alerts 150 and network alerts 152) that may identify an attacker. The central security application 105 builds a list, identified in FIG. 1 as the ephemeral access control list (ACL) 170, which identifies one or more attackers that should be addressed in the network 115…”; par. 0021: “The central security application 105 sends information describing the list 170 to the security application 120, for example. The list 170 serves as a dynamic filter that is maintained by the security application 120, and only a subset of the list 170 is downloaded to the equipment in the network 115.”; par. 0021: “the security policy for that route can be brought down into the network (e.g., to one or more of network devices 140, 142 and 144) from the list 170 maintained by the security application 120.”; par. 0022: “The security policy for the threat that is known in the network 115 ("y.y.y.y") is downloaded from the list 170 to network device 140, as an example. In general, as routing changes occur, security policies are downloaded and applied only for traffic which might come from a domain where an attack vector is known to exist.”). The examiner interprets the list 170 of potential attackers, which the central security application builds and changes, as the dynamic list that is updated with attacker information. The routing changes that occur, with security policies applied for traffic that might come from a domain where an attack is known, are interpreted as the change of IP address.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kumar in view of Chugtu, Mani, Pularikkal, and Dods-2 described above with Voit's teaching that “a dynamic routing and/or forwarding information (e.g., a route advertisement) results in modification of a filter against a global list (the list 170) maintained by the security application 120.” (see Voit par. 0025).
Claims 15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dods et al. (US-11902330-B1, hereafter Dods), in view of Kumar et al. (US-10771506-B1, hereafter Kumar), in further view of Chugtu et al. (US-20190081955-A1, hereafter Chugtu).
Regarding claim 15 Dods teaches a controller comprising:
a processor; (see Dods Col. 13 lines 25-28: “Controller 440 includes a processor in the form of, for example, a CPU, a GPU, an APU, a microprocessor, a microcontroller, a DSP, an FPGA, an ASIC, and/or another type of processor. The processor is implemented in hardware, firmware, or a combination of hardware and software.”), and
a non-transitory computer-readable media storing instructions that, when executed by the processor, causes the processor to perform operations comprising: (see Dods Col. 13 lines 49-53: “Controller 440 may perform these processes in response to executing software instructions stored by a non-transitory computer-readable medium. A computer readable medium is defined herein as a non-transitory memory device.”, lines 59-62: “When executed, software instructions stored in a memory and/or storage component associated with controller 440 may cause controller 440 to perform one or more processes described herein.”),
Dods does not explicitly teach the following limitations; however, Kumar teaches
receiving a threat context of a compromised computing device associated with a security event generated by a unified security policy from a group of sites within a network; (see Kumar Col. 1 lines 19-26: “receive network topology information of a network and device capability information corresponding to capabilities of devices in the network; detect a threat to an affected device of the network; determine threat information associated with the threat; select a security policy to mitigate the threat based on the threat information;”, see Kumar Col. 10 lines 1-20: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210, or the like. A malicious entity may be a device that intends to spread malware.”, Col. 10 lines 25-28: “security platform 230 may detect a threat to monitored network 210 to enable security platform 230 to determine threat information associated with the threat to mitigate the threat.”);
determining, based at least in part on the threat context, a user associated with the compromised computing device, the user being associated with a user context, the user context at least partially including a geolocation of the user; (see Kumar Col. 10 lines 1-20: “security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210, or the like. A malicious entity may be a device that intends to spread malware.”, Col. 10 lines 25-28: “security platform 230 may detect a threat to monitored network 210 to enable security platform 230 to determine threat information associated with the threat to mitigate the threat.”, Col. 15 lines 8-22: “security platform 230 may provide or transmit information associated with the threat. For example, security platform 230 may provide information to cause a user interface to present results of a deployment of a selected security policy to a selected enforcement device to mitigate a detected threat. Example results of the deployment may include a malware report or alert (e.g., notifying a user of the presence or non-presence of malware) and/or threat information associated with the detected threat, such as threat type, affected or targeted devices, sources or origins of the threat, or the like. In some implementations, security platform 230 may provide information to an intended target of a threat (e.g., a warning to avoid a particular CnC site, infected host, communication with a flagged Geo IP address, etc.).”);
provisioning a dynamic list and a data policy matching the dynamic list; (see Kumar Col. 15 lines 55-67 – Col. 16 lines 1-10: “security platform 525 may detect a threat using cloud threat feeds 535 and/or custom threat feeds 545. Cloud threat feeds 535 may be threat feeds that are available to networks in communication with a cloud computing environment (e.g., cloud computing environment 220). Custom threat feeds 545 may be threat feeds that are specific to a particular monitored network (e.g., when particular threats are known to be present in a monitored network 210, when particular devices of a monitored network 210 are known to be infected, or the like). Accordingly, security platform 230 may use cloud threat feeds 535 and custom threat feeds 545 to detect threats and receive threat information. Using the threats and threat information from cloud threat feeds 535 and custom threat feeds 545, security platform 525 may deploy security policies to enforcement devices 517. According to some implementations herein, security platform 525 may deploy the security policies to enforce the security policies based on the types of threats and capabilities of the enforcement devices 517 (which may include the location of the enforcement devices 517 within a topology of a network, the location of the enforcement devices 517 relative to a location of a threat, or the like).”);
propagating the user context into the dynamic list referenced under the data policy; (see Kumar Col. 11 lines 59-67: “security platform 230 may select the security policy and/or the enforcement device based on which threat feed (e.g., which of the CnC feed, the Geo IP feed, the malware feed, the infected host feed, the DDoS feed, etc.) detected the threat and/or provided information on the threat. Security platform 230 may use the network topology information and the device capability information to select the enforcement device to enforce a selected security policy.”, Col. 16 lines 1-10: “Using the threats and threat information from cloud threat feeds 535 and custom threat feeds 545, security platform 525 may deploy security policies to enforcement devices 517. According to some implementations herein, security platform 525 may deploy the security policies to enforce the security policies based on the types of threats and capabilities of the enforcement devices 517 (which may include the location of the enforcement devices 517 within a topology of a network, the location of the enforcement devices 517 relative to a location of a threat, or the like).”);
based at least in part on the geolocation of the user and a first geolocation of a first site of the group of sites, advertising the dynamic list and the data policy to the first site (see Kumar Col. 10 lines 1-16: "security platform 230 may detect a threat to monitored network 210 and/or cloud computing environment 220 using one or more threat feeds from a threat detection system. For example, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified”, Col. 15 lines 8-22: “security platform 230 may provide or transmit information associated with the threat. For example, security platform 230 may provide information to cause a user interface to present results of a deployment of a selected security policy to a selected enforcement device to mitigate a detected threat. Example results of the deployment may include a malware report or alert (e.g., notifying a user of the presence or non-presence of malware) and/or threat information associated with the detected threat, such as threat type, affected or targeted devices, sources or origins of the threat, or the like. In some implementations, security platform 230 may provide information to an intended target of a threat (e.g., a warning to avoid a particular CnC site, infected host, communication with a flagged Geo IP address, etc.).”, Col. 8 lines 59-67 – Col. 9 lines 1-20: “In some implementations, the content of the network topology information may include a number of devices 215, 217 in monitored network 210, communication link information indicating communication links between devices 215, 217 in monitored network 210 (e.g., indicating neighbor relationships between the devices 215, 217), location information of devices 215, 217 in monitored network 210 (e.g., physical location information, such as geographical information, site information, or rack/chassis location information, and/or logical information, such as the location within monitored network 210 relative to other devices of monitored network 210), port and/or socket information associated with communication links between devices 215, 217 in monitored network 210, or the like. The content of the device capability information for devices 215, 217 of monitored network 210 may include device type information of devices 215, 217 in monitored network 210 (e.g., a switch, a router, a gateway, an internal segmentation firewall, a perimeter firewall, an IPS, an IDS, etc.), functionality of devices 215, 217 in monitored network 210 (e.g., a list of the functions that devices 215, 217 are capable of performing), model information associated with devices 215, 217 (e.g., a model name, a model identifier, such as a serial number, or the like), communication protocols of devices 215, 217, bandwidth capabilities of devices 215, 217 (e.g., total bandwidth and/or available bandwidth), capacity of devices 215, 217, current security policies deployed to devices 215, 217, or the like.”); and
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Dods' teaching that “the security system may store the user identity data, the data identifying the malicious behavior, the traffic associated with the compromised endpoint device, the endpoint device data, and/or the network device data in a data structure (e.g., a database, a table, a list, and/or the like) associated with the security system. The security system may store such data so that the security system may process such data to generate a security policy to isolate the compromised endpoint device.” (see Dods Col. 4 lines 57-65) with Kumar's teaching that “Security platform 230 includes one or more devices capable of detecting a threat to monitored network 210 and/or cloud computing environment 220 and/or providing security services over monitored network 210 and/or cloud computing environment 220. In some implementations, security platform 230 may determine threat information associated with the threat and select a security policy and/or an enforcement device to mitigate the threat. In some implementations, security platform 230 may include, may be included within, or may be implemented by a software defined secure network (SDSN).” (see Kumar Col. 6 lines 16-26).
Dods in view of Kumar do not explicitly teach this limitation; however, Chugtu teaches
based at least in part on the geolocation of the user and a second geolocation of a second site of the group of sites, refraining from advertising the dynamic list and the data policy to the second site (see Chugtu par. 0051-0052: “the set of rules can include a set of firewall rules, a set of policies, and/or the like. In some implementations, server device 230 can configure a set of rules for each container. For example, server device 230 can configure a rule for each container that prevents the container from receiving traffic from another container associated with a different tenant (e.g., by preventing traffic from a container that has an IP address that includes a different tenant identifier than the IP address of the container). Additionally, or alternatively, and as another example, server device 230 can configure a rule for a container that prevents the container from providing traffic to another container associated with a different tenant (e.g., by preventing the container from providing traffic to another container that has an IP address that includes a different tenant identifier than the IP address of the container). A set of rules can be time-based (e.g., where particular traffic is permitted at a particular time). Additionally, or alternatively, and as another example, the set of rules can be size-based (e.g., where traffic of a threshold size is permitted, where server device 230 is permitted to send/receive a threshold amount of traffic in a time period, etc.). Additionally, or alternatively, and as another example, the set of rules can be destination and/or source-based (e.g., where traffic is permitted to/from a particular destination/source, permitted from a particular source but not to the particular source, etc.). Additionally, or alternatively, and as another example, the set of rules can be location-based (e.g., based on a geographic location of server device 230, a geographic location of a source and/or destination of traffic, etc.).”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dods in view of Kumar described above with Chugtu's teaching that “the server device can configure a set of rules to permit the container to exchange traffic with a set of containers associated with the same tenant and/or to prevent the container from exchanging traffic with another set of containers associated with the same or a different tenant. For example, the server device can configure a set of firewall rules for the container. Continuing with the previous example, the server device can configure a first rule for a container that permits the container to receive and/or provide traffic associated with a particular tenant. Additionally, or alternatively, and as another example, the server device can configure a second rule that prevents the container from receiving and/or providing traffic associated with other tenants.” (see Chugtu par. 0015).
Regarding claim 18, Dods in view of Kumar and Chugtu teach the controller of claim 15, Dods further teaches wherein the data policy comprises:
pre-crafted rules matching the dynamic list (see Dods Col. 5 lines 52-64: “the machine learning model may generate the security policy by identifying one or more security rules to be implemented by one or more of the network devices and/or one or more of the other endpoint devices. security rules that may be included in the security policy include a security rule that causes the user identity data to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata; a security rule that causes a network address of the compromised endpoint device to be added to a traffic feed of the compromised endpoint device and/or to be associated with a tag and/or metadata;”); and
at least one action to take based on the pre-crafted rules. (See Dods Col. 6 lines 13-15: “security rule that causes one or more of the network devices to perform an action;”, Col. 7 lines 7-9: “actions include the security system adding the user identity data associated with the compromised endpoint device to a blacklist.”).
Regarding claim 19, Dods in view of Kumar and Chugtu teach the controller of claim 15, Dods further teaches the operations further comprising tracking malicious activity metrics for the sites based on at least one parameter, wherein the at least one parameter comprises activity over a period of time, percentage of infected computing devices at the sites, or combinations thereof. (See Dods Col. 6 lines 33-46: “the security system may train the machine learning model, with historical data, to identify security rules (or the machine learning model determines confidence scores for security rules and/or identifies top scoring security rules) for a current malicious behavior situation (e.g., associated with the traffic of the compromised endpoint device, the endpoint device data, and the network device data). The historical data may include data identifying malicious behavior exhibited by compromised endpoint devices; data identifying effects of the malicious behavior on networks, network devices, and/or other endpoint devices; historical traffic associated with compromised endpoint devices; historical endpoint device data; historical network device data; historical topology data;”).
Regarding claim 20, Dods in view of Kumar and Chugtu teach the controller of claim 15, and Dods further teaches wherein advertising the dynamic list and the data policy to at least one of the sites is based on a site list, based on user-defined criteria, or combinations thereof (see Dods Col. 5 line 57 to Col. 6 line 6: “security rules that may be included in the security policy include a security rule that causes the user identity data to be added to a traffic feed of the compromised endpoint device... a security rule that temporarily adds the user identity data and/or the network address of the compromised endpoint device to a blacklist and causes the blacklist to be propagated to the network devices and/or the other endpoint devices based on network addresses of the network devices and the other endpoint devices.”).
Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Dods et al. (US-11902330-B1, hereafter Dods), in view of Kumar et al. (US-10771506-B1, hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1, hereafter Chugtu), in view of Hooda et al. (US-20200177629-A1, hereafter Hooda), in view of Pularikkal et al. (US-20210075799-A1, hereafter Pularikkal), in further view of Dods-2 et al. (US-10972508-B1, hereafter Dods-2).
Regarding claim 16, Dods in view of Kumar and Chugtu teach the controller of claim 15. Dods in view of Kumar and Chugtu do not explicitly teach this limitation; however, Hooda teaches wherein determining the user comprises fetching a user identity from an identity services engine (ISE) (see Hooda par. 0097: “a data center network controller, and databases and directories containing information for users, devices, things, policies, billing, and similar information to provide authentication, authorization, and accounting services. In this example, the AAA system 612 can function as the centralized authority for identity and access to the campus network 152 and the branch office 154. However, it will be appreciated that the AAA system 612 can also be co-located in the data center 150, the other sites 158, or other networks (e.g., a co-location center, a Cloud Service Provider network (e.g., IaaS, PaaS, SaaS, etc.) in other embodiments. The AAA system 612 can utilize various technologies, such as Remote Authentication Dial-In User Service (RADIUS), Diameter, and the like, to communicate with hosts, network devices, applications, and so on. An example of an implementation of the AAA system 612 is the Cisco® Identity Services Engine (ISE).”), the operations further comprising:
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dods in view of Kumar and Chugtu for claim 15 with Hooda's teaching that “User identity, group or organizational identity, user location, client device type, and other contextual information regarding users can be shared across the network environment 600 via the AAA system 612.” (see Hooda par. 0029).
Dods in view of Kumar, Chugtu and Hooda appears to be silent on this limitation; however, Pularikkal teaches
notifying the ISE of the compromised computing device (see Pularikkal par. 0046: “Information regarding application flows classified as anomalous is sent (412) to Identity Services Engine 110 as an anomaly notification.”);
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dods in view of Kumar, Chugtu and Hooda described above with Pularikkal's teaching that “Anomalous flows are handled by Identity Services Engine 110, which applies change of authorization policies to restrict the incoming application flow. These change of authorization policies take into account user context, device context, and application context.” (see Pularikkal par. 0029).
Dods in view of Kumar, Chugtu, Hooda and Pularikkal appears to be silent on this limitation; however, Dods-2 teaches
registering, with the ISE, changes to an IP address for the compromised computing device (see Dods-2 Col. 6 lines 54-57: “the security platform may add an address (e.g., an IP address) of the compromised endpoint device to a blacklist so that the compromised endpoint device may be prevented from accessing the network and/or the other endpoint devices.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Dods in view of Kumar, Chugtu, Hooda and Pularikkal described above with Dods-2's teaching of “a security system that generates a network security policy based on a user identity associated with malicious behavior.” (see Dods-2 Col. 2 lines 54-56).
Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Dods et al. (US-11902330-B1, hereafter Dods), Kumar et al. (US-10771506-B1, hereafter Kumar), in view of Chugtu et al. (US-20190081955-A1, hereafter Chugtu), in view of Hooda et al. (US-20200177629-A1, hereafter Hooda), in view of Pularikkal et al. (US-20210075799-A1, hereafter Pularikkal), in further view of Dods-2 et al. (US-10972508-B1, hereafter Dods-2), and in further view of Voit et al. (US-20180139240-A1, hereafter Voit).
Regarding claim 17, Dods in view of Kumar, Chugtu, Hooda, Pularikkal and Dods-2 discloses the controller of claim 16. Dods in view of Kumar, Chugtu, Hooda, Pularikkal and Dods-2 appears to be silent on this limitation; however, Voit teaches
based at least in part on the IP address of the compromised computing device changing to a new IP address: updating the controller with the new IP address (see Voit par. 0017: “system for the network 115 may be a Software-Defined Network (SDN) controller. For example, a (local) security application 120 running on the SDN controller 122 may receive response from the central security application 105 and locally perform filtering. The SDN controller 122 is a computing resource.”; par. 0020: “The central security application 105 has a list of potential attackers (from the service 110) and a list of potential intrusion events/attacks (from the host alerts 150 and network alerts 152) that may identify an attacker. The central security application 105 builds a list, identified in FIG. 1 as the ephemeral access control list (ACL) 170, which identifies one or more attackers that should be addressed in the network 115…”; par. 0021: “The central security application 105 sends information describing the list 170 to the security application 120, for example. The list 170 serves as a dynamic filter that is maintained by the security application 120, and only a subset of the list 170 is downloaded to the equipment in the network 115.” Examiner interprets that the list built by the application 105 is modified and sent to the controller 122 for potential threats.); and
updating the dynamic list to include the new IP address (see Voit par. 0021: “the security policy for that route can be brought down into the network (e.g., to one or more of network devices 140, 142 and 144) from the list 170 maintained by the security application 120.”; par. 0022: “The security policy for the threat that is known in the network 115 ("y.y.y.y") is downloaded from the list 170 to network device 140, as an example. In general, as routing changes occur, security policies are downloaded and applied only for traffic which might come from a domain where an attack vector is known to exist.” Examiner interprets that the central security application builds and changes the list 170 of potential attackers, which is the dynamic list being updated with attacker information.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of the controller of claim 16 with Voit's teaching that “The security policies associated with threats are filtered so that just current attack vectors from within subnets learned via the routing and/or forwarding information (at the network level of the network) are installed in the local ACL/policy database of the network devices. As routing changes occur, the list of applied policies are continually refined/revisited” (see Voit par. 0040).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Ptacek et al. (US-7596807-B2): in response to an attack, a control plane is used to instruct the access control devices to allow network communications between the compartments of the computer network based on a usage model describing legitimate network communications while restricting other network communications between the compartments.
Amidon et al. (US-10237287-B1): communication between a user computer and a destination computer is monitored by a security appliance. Selective information from the communication is extracted.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DUILIO MUNGUIA whose telephone number is (571) 270-5277. The examiner can normally be reached M-F 9:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached at (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/DUILIO MUNGUIA/Examiner, Art Unit 2497 /BASSAM A NOAMAN/Primary Examiner, Art Unit 2497