DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The Examiner acknowledges the applicant's submission of the amendment dated 2/28/26, which has been entered.
1. REJECTIONS BASED ON PRIOR ART
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-4, 6-18 and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Benson (US 20190306194).
With respect to claim 1, the Benson reference teaches a method of orchestrating security policy, comprising:
receiving a policy definition associated with on-premises infrastructure that defines a desired state; (paragraph 24, where the FMS regional manager 222 includes FMS regional customer API/Console 204, FMS internal control API 206, FMS Config manager component 214, and has an associated FMS data store 212. The FMS Regional Manager 222 can handle user interactions from the customer API/console, such as receiving security policy definitions; and paragraph 11, where the Firewall Management Service (FMS) is used to manage security policies across multiple accounts in a web services context)
identifying a target of the on-premises infrastructure from the policy definition; (paragraph 24, where FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220) and
determining a management service associated with the target; (paragraph 24, where FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220)
identifying a plugin for the management service; (paragraph 24, where FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220; and paragraph 41, where method 600 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software, firmware, or a combination thereof. In one embodiment, method 600 may be performed by the various components of FMS, as shown in FIGS. 1-4.) and
communicating the policy definition to the management service through the plugin, wherein the management service sets a state of the target to the desired state. (paragraph 24, where FMS Regional Manager 222 can perform a number of operations from within the context of the target region 220. In one embodiment, FMS Regional Manager 222 can integrate with the organizations service 208 to obtain a per organization account list, as described above. FMS Regional Manager 222 can further process FMS policy updates, where it will use the organizations data from organizations service 208 to update a local policy database in FMS data store 212 and trigger corresponding work flows)
wherein communicating the policy definition comprises invoking the plugin, wherein the plugin communicates with the management service through an application programming interface exposed by the management service. (paragraph 24, where FMS Regional Manager 222 can perform a number of operations from within the context of the target region 220. In one embodiment, FMS Regional Manager 222 can integrate with the organizations service 208 to obtain a per organization account list, as described above. FMS Regional Manager 222 can further process FMS policy updates, where it will use the organizations data from organizations service 208 to update a local policy database in FMS data store 212 and trigger corresponding work flows; and the FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220)
With respect to claim 2, the Benson reference teaches the method of claim 1, further comprising: requesting a current state of the target from the management service through the plugin; receiving the current state; determining the current state is different from the desired state by comparing the current state and the desired state; and initiating a remediation workflow to set the target to the desired state. (paragraph 24, where FMS Policy Evaluator 216 can evaluate the current state of a resource security configuration and generate notifications in case of a compliance status change. In one embodiment, there is a separate instance of FMS Policy Evaluator 216 for each of one or more member accounts 240. The FMS Change Worker 226 can perform repairs to the resource security configuration, such as the addition, removal or modification of a WebACL associated with a resource, based on the compliance notifications)
With respect to claim 3, the Benson reference teaches the method of claim 1, wherein receiving the policy definition comprises receiving a policy definition template that specifies a predefined policy. (paragraph 27, where the FMS internal control API 206 may check to see if the requested policy already exists. If the policy does exist, FMS config manager 214 may identify any changes from the existing policy and fail the request if the requested version doesn't match the existing version)
With respect to claim 4, the Benson reference teaches the method of claim 1, wherein the management service is one of a plurality of management services in a control plane of a security orchestration system, and wherein the plugin layer is one of a plurality of plugins in a plugin layer of the security orchestration system. (paragraph 24, where FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220; and paragraph 41, where method 600 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software, firmware, or a combination thereof. In one embodiment, method 600 may be performed by the various components of FMS, as shown in FIGS. 1-4.)
With respect to claim 6, the Benson reference teaches the method of claim 1, wherein identifying the target comprises identifying a virtualization manager. (paragraph 18, where these resources may include instances of virtual computing resources, one or more managed services, network firewalls or security groups, or any other cloud computing resource or service that utilizes security elements. Each of these resources may be assigned to a particular account, and may have a corresponding security configuration including one or more security elements associated with the resource)
With respect to claim 7, the Benson reference teaches the method of claim 1, wherein identifying the target comprises identifying a virtual resource. (paragraph 18, where these resources may include instances of virtual computing resources, one or more managed services, network firewalls or security groups, or any other cloud computing resource or service that utilizes security elements. Each of these resources may be assigned to a particular account, and may have a corresponding security configuration including one or more security elements associated with the resource)
Claims 8-14 are the system implementation of claims 1-5 and 7 above, and rejected under the similar rationale.
With respect to claim 8, the Examiner notes the claim recites “one or processors coupled to one or more memories that store instructions, that when executed by the one or more processors, cause the system to” perform the steps noted above. This is taught by Benson, paragraph 51.
With respect to claim 13, the Benson reference teaches the system of claim 8, wherein the on-premises infrastructure comprises a private cloud. (paragraph 18, where these resources may include instances of virtual computing resources, one or more managed services, network firewalls or security groups, or any other cloud computing resource or service that utilizes security elements. Each of these resources may be assigned to a particular account, and may have a corresponding security configuration including one or more security elements associated with the resource)
Claims 15-18 and 20 are the non-transitory computer-readable media implementation of claims 1-5 and 7 above, and rejected under the similar rationale.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 5 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Benson (US 20190306194) in view of Zhao (US 20190132291).
With respect to claim 5, the Benson reference does not explicitly teach wherein identifying the target comprises identifying a hypervisor.
The Zhao reference teaches it is conventional to have wherein identifying the target comprises identifying a hypervisor. (paragraph 17, where the application tunnel manager 150 invokes the Application Programming Interfaces (APIs) of the hypervisor 102 to create a new virtual network interface card (NIC) in all of the target virtual machines which the application has been assigned to. In the illustrated embodiment, the application tunnel manager 150 invokes the APIs of hypervisor 102 to create virtual NIC 130 on virtual machine 120 for use by the application 122)
It would have been obvious to a person of ordinary skill in the art before the claimed invention was effectively filed to modify the Benson reference to have wherein identifying the target comprises identifying a hypervisor, as taught by the Zhao reference.
The suggestion/motivation for doing so would have been to allow the hypervisor to expose one or more APIs that enable management programs to execute various functions on the VMs being executed by the hypervisor. (Zhao, paragraph 26)
Therefore it would have been obvious to combine the Benson and Zhao references for the benefits shown above to obtain the invention as specified in the claim.
Claim 19 is the non-transitory computer-readable media implementation of claim 5 above, and rejected under the similar rationale.
2. ARGUMENTS CONCERNING PRIOR ART REJECTIONS
Rejections - USC 102/103
Applicant's arguments and amendments with respect to claims (see pages 9-11 of the remarks) have been considered but are not persuasive. The Applicant argues
“Benson does not disclose the concept of a plugin. As alleged by the Office Action, Benson discloses a URL that is an API endpoint. A POSITA would understand that these are fundamentally different concepts. For example, the application describes a plugin as "a runtime executable." Application, 0007. A POSITA would understand that this is far different from an API endpoint URL.”; and Benson doesn’t teach the limitation of “wherein communicating the policy definition comprises invoking the plugin, and wherein the plugin communicates with the management service through an application programming interface exposed by the management service.”
Firstly, the Examiner notes the Applicant’s specification does not explicitly define what is required to meet the limitation of a ‘plugin’. While the Applicant’s specification gives an example of what a ‘plugin’ could be (see paragraph 7, where “network plugin may be a runtime executable that configures a network interface”), there is no explicit definition of what is required by the term. Further, in response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., a plugin defined as a ‘runtime executable’) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Secondly, the Benson reference teaches (paragraph 11) a Firewall Management Service (FMS) that is used to manage security policies across multiple accounts in a web services context; and that in conventional web services systems, customers with multiple accounts may have difficulty managing their security posture across those multiple accounts. Benson further teaches (paragraph 24) that the FMS will provide regional endpoint URLs that provide a regional customer API 204 in each FMS supported region, such as target region 220; and also teaches (paragraph 41) that the method used by the FMS may be performed by the various components of FMS, as shown in FIGS. 1-4. Thus, in view of the citations above, the various components (i.e. software components analogous to the ‘plugin’) of FMS use the API to communicate the policies of the multiple accounts. Therefore, the Examiner contends the prior art of record teaches the limitations above as broadly and instantly claimed.
Lastly, the Examiner notes the responses above and/or the updated citations in the rejections above for any remaining arguments.
3. CLOSING COMMENTS
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PRASITH THAMMAVONG whose telephone number is (571) 270-1040. The examiner can normally be reached Monday - Friday 12-8 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Arpan Savla can be reached on (571) 272-1077. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PRASITH THAMMAVONG/
Primary Examiner, Art Unit 2137