Prosecution Insights
Last updated: April 19, 2026
Application No. 18/733,141

CLOUD SECURITY DISTRIBUTED ARCHITECTURE

Non-Final OA §102 §103 §DP
Filed: Jun 04, 2024
Examiner: ABRISHAMKAR, KAVEH
Art Unit: 2494
Tech Center: 2400 — Computer Networks
Assignee: Netskope Inc.
OA Round: 1 (Non-Final)
Grant Probability: 78% (Favorable)
OA Rounds: 1-2
To Grant: 3y 3m
With Interview: 95%

Examiner Intelligence

Grants 78% — above average
Career Allow Rate: 78% (797 granted / 1020 resolved; +20.1% vs TC avg)
Interview Lift: +16.9% (strong +17% interview lift; resolved cases with interview)
Avg Prosecution: 3y 3m (typical timeline; 27 currently pending)
Total Applications: 1047 (career history, across all art units)

Statute-Specific Performance

§101: 12.4% (-27.6% vs TC avg)
§103: 39.7% (-0.3% vs TC avg)
§102: 22.4% (-17.6% vs TC avg)
§112: 9.6% (-30.4% vs TC avg)
Based on career data from 1020 resolved cases

Office Action

§102 §103 §DP
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application is being examined under the pre-AIA first to invent provisions.

1. This action is in response to the communication filed on June 4, 2024. Claims 1-19 were originally received for consideration. No preliminary amendments for the claims have been received.

2. Claims 1-19 are currently pending consideration.

Information Disclosure Statement

3. Initialed and dated copies of Applicant’s IDS (form 1449), received on January 16, 2025, is communicated with this Office Action.

Double Patenting

4. The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-19 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 11,184,398. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the ‘398 Patent render obvious the claims of the present application. Claim 15 of the ‘398 Patent anticipates claim 1 as mapped below. The dependent claims are disclosed by the claims as well with the only differentiating factor the location of the elements. For example, the dependent claims disclose having the management planes being co-located with a corporate network (claim 3), with hosted services (claim 4) and having the data points being co-located with corporate networks (claim 5) and with hosted services (claim 6). However, it would have been obvious to have these management and data points of presence being co-located for efficiency and throughput purposes.

Claim 1 is mapped to claim 15 of ‘398 as provided below.

Application Claim 1:

1. A network security system, comprising: a data plane configured to intermediate communications between client devices and hosted services, wherein: the data plane is hosted across two or more data plane points of presence, the data plane points of presence are geographically distributed, and each of the data plane points of presence independently implements data plane intermediary functionality, comprising: intercepting communications between the client devices and the hosted services; and applying security policies to the intercepted communications; and a management plane configured to provide management services of the network security system, wherein: the management plane is hosted across one or more management plane points of presence, and the management services comprise: providing configuration and the security policies to the data plane; and monitoring a status of the data plane points of presence.

U.S. Patent 11,184,398 Claim 15:

1. A system, comprising: a network security system with a data plane that intermediates API-level communications between client devices and hosted services; wherein the data plane of the network security system is hosted across two or more points of presence; wherein each of the points of presence of the data plane independently implements API-level functionality of the data plane; wherein the points of presence of the data plane are distributed geographically; wherein the points of presence of the data plane intercept API-level requests from the client devices that are directed to the hosted services; wherein the points of presence of the data plane intercept API-level responses from the hosted services that are directed to the client devices; and wherein the points of presence of the data plane enforce policies on the intercepted API-level requests and on the intercepted API-level responses.

15. The system of claim 10, wherein the points of presence of the data plane further comprise a configuration agent that receives configuration and policy information from a configuration service of the points of presence of the management plane; wherein the points of presence of the data plane further comprise an event queue for recording and storing events to be sent to an event storage service of the points of presence of the management plane; and wherein the points of presence of the data plane further comprise a monitoring agent for performance and status monitoring that sends performance and status events to a monitoring service of the points of presence of the management plane.

Allowable Subject Matter

5. Claims 12 and 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Claim Rejections - 35 USC § 102

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of pre-AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless – (b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on sale in this country, more than one year prior to the date of application for patent in the United States.

6. Claim(s) 1-2, 8-9, 16, 17 and 19 is/are rejected under pre-AIA 35 U.S.C. 102(b) as being anticipated by Wei (U.S. Patent Pub. No. US 2010/0251329).

Regarding claim 1, Wei discloses:

A network security system, comprising: a data plane configured to intermediate communications between client devices and hosted services (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic wherein a proxy can be in charge of the traffic interception and redirection (paragraphs 0114-0116), wherein:

the data plane is hosted across two or more data plane points of presence, the data plane points of presence are geographically distributed, and each of the data plane points of presence independently implements data plane intermediary functionality (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic wherein a proxy can be in charge of the traffic interception and redirection (paragraphs 0114-0116), comprising:

intercepting communications between the client devices and the hosted services (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic); and

applying security policies to the intercepted communications (paragraph 0091: A traffic management mechanism intercepts all client traffic and redirects them through the TPUs. TPUs consult global data store in trouble detection, trouble prevention, access control and Denial of Service Attack (DOS) defense. In the end, only "clean traffic" is routed to the target data center and thus the network application is protected); and

a management plane configured to provide management services of the network security system (paragraph 0099-0101, 0111, 0119-0128: monitor nodes can be used to update router table, and provides a monitoring service that provides the cloud routing network information for the basis of operations), wherein:

the management plane is hosted across one or more management plane points of presence (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud), and the management services comprise:

providing configuration and the security policies to the data plane (paragraphs 0065-0066: a centralized global storage stores and manages threat signature patterns, stores monitoring results of global network conditions, stores monitoring results of all protected network applications, and correlates these stored data to provide access management and security protection); and

monitoring a status of the data plane points of presence (paragraph 0099-0101, 0111, 0119-0128: monitor nodes can be used to update router table, and provides a monitoring service that provides the cloud routing network information for the basis of operations).

Claim 2 is rejected as applied above in rejecting claim 1.
Furthermore, Wei discloses: The network security system of claim 1, wherein: the management plane comprises at least two management plane points of presence that are geographically distributed (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud); and each data plane point of presence is in communication with one of the at least two management plane points of presence (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic wherein a proxy can be in charge of the traffic interception and redirection (paragraphs 0114-0116).

Claim 8 is rejected as applied above in rejecting claim 1. Furthermore, Wei discloses: The network security system of claim 1, wherein the management services further comprise: receiving event data from the data plane (paragraphs 0063, 0149: monitoring network traffic); and storing the event data (paragraph 0149: redirect traffic and process traffic based on the monitoring).

Claim 9 is rejected as applied above in rejecting claim 8. Furthermore, Wei discloses: The network security system of claim 8, wherein the management services further comprise: analyzing the event data (paragraph 0063: aggregating the security rules); generating summary data of the event data based on the analysis (paragraph 0063: aggregating the security rules); and providing reporting services comprising the summary data (paragraphs 0063-0064: aggregating the security rules and providing them to the nodes).

Claim 16 is rejected as applied above in rejecting claim 1.
Furthermore, Wei discloses: The network security system of claim 1, wherein the data plane points of presence further comprise a firewall (paragraph 0051: firewall), a secure tunnel gateway (paragraph 0069: tunnel), a load balancer (paragraph 0149: distributing traffic to different nodes), one or more proxies (paragraph 0150: TPU), and outbound network address translation (NAT) (paragraph 0063: network address translation).

Claim 17 is rejected as applied above in rejecting claim 1. Furthermore, Wei discloses: The network security system of claim 1, wherein the data plane points of presence and the management plane points of presence are hosted separately (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic wherein a proxy can be in charge of the traffic interception and redirection (paragraphs 0114-0116); it is clear that the management components can be separate from the data plane components).

Claim 19 is rejected as applied above in rejecting claim 1. Furthermore, Wei discloses: The network security system of claim 1, further comprising: a control plane configured to direct proxies of the data plane points of presence (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud; a traffic management mechanism intercepts all client traffic and redirects them through the TPUs, wherein the TPUs provide defense and only forward clean traffic wherein a proxy can be in charge of the traffic interception and redirection (paragraphs 0114-0116).

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negated by the manner in which the invention was made.

7. Claims 3 and 18 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Wei (U.S. Patent Pub. No. US 2010/0251329).

Claim 3 is rejected as applied above in rejecting claim 1. Furthermore, Wei discloses that the management plane comprises at least two management plane points of presence that are geographically distributed (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud). However, Wei does not explicitly disclose that at least one of the management plane points of presence are co-located with one or more corporate networks in which the client devices operate. Wei discloses geographically distributed nodes (TPUs) and has management functions which are separate from nodes which perform the actions (paragraphs 0091-0092). It would have been obvious to one of ordinary skill in the art to co-locate the management plane point of presence in order to provide corporations with direct control over the management functions.

Claim 18 is rejected as applied above in rejecting claim 1.
Furthermore, Wei does not explicitly disclose wherein at least one of the data plane points of presence and at least one of the management plane points of presence are co-hosted. Wei discloses geographically distributed nodes (TPUs) and has management functions which are separate from nodes which perform the actions (paragraphs 0091-0092). It would have been obvious to one of ordinary skill in the art to co-host the management plane point of presence in order to streamline the hosting of both planes.

8. Claim 4-6 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Wei (U.S. Patent Pub. No. US 2010/0251329) in view of Jungck (U.S. Patent 6,829,654).

Claim 4 is rejected as applied above in rejecting claim 1. Furthermore, Wei discloses: The network security system of claim 1, wherein: the management plane comprises at least two management plane points of presence that are geographically distributed (paragraphs 0091-0093: TPUs are deployed at different locations with each location forming a computing cloud). Wei does not explicitly disclose at least one of the management plane points of presence are co-located with one or more hosted services. In an analogous art, Jungck discloses providing servers and caches at every major network intersection to cover every POP (column 30, lines 33-37) and places content and services of core content providers at network-logically and physically-geographically proximate locations with respect to clients (column 30, lines 35-44). It would have been obvious to one of ordinary skill in the art to co-locate the management POP with the hosted services, as is performed in Jungck, so that enhanced response times and enhanced throughput are provided (column 30, lines 42-45).

Claim 5 is rejected as applied above in rejecting claim 1. Furthermore, Wei does not explicitly disclose that at least one of the data plane points of presence are co-located with one or more corporate networks in which the client devices operate. In an analogous art, Jungck discloses providing servers and caches at every major network intersection to cover every POP (column 30, lines 33-37) and places content and services of core content providers at network-logically and physically-geographically proximate locations with respect to clients (column 30, lines 35-44). It would have been obvious to one of ordinary skill in the art to co-locate the data points of presence with the corporate networks, as is performed in Jungck, so that enhanced response times and enhanced throughput are provided between the corporate servers and the clients (column 30, lines 42-45).

Claim 6 is rejected as applied above in rejecting claim 1. Furthermore, Wei does not explicitly disclose: wherein at least one of the data plane points of presence are co-located with one or more hosted services. In an analogous art, Jungck discloses providing servers and caches at every major network intersection to cover every POP (column 30, lines 33-37) and places content and services of core content providers at network-logically and physically-geographically proximate locations with respect to clients (column 30, lines 35-44). It would have been obvious to one of ordinary skill in the art to co-locate the data points of presence with the host services, as is performed in Jungck, so that enhanced response times and enhanced throughput are provided between the hosted services and the clients (column 30, lines 42-45).

9. Claim 7 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Wei (U.S. Patent Pub. No. US 2010/0251329) in view of Brand (U.S. Patent Pub. No. US 2010/0161759).

Claim 7 is rejected as applied above in rejecting claim 1.
Furthermore, Wei discloses The network security system of claim 1, wherein the management services further comprise: receiving the security policies and the configuration from management clients (paragraph 0091: A traffic management mechanism intercepts all client traffic and redirects them through the TPUs. TPUs consult global data store in trouble detection, trouble prevention, access control and Denial of Service Attack (DOS) defense. In the end, only "clean traffic" is routed to the target data center and thus the network application is protected). Wei does not explicitly disclose providing a web services interface and receiving the security policies and configuration information through that interface. In an analogous art, Brand discloses allowing users to perform file-based operations using a web-based interface (paragraph 0020). It would have been obvious to allow the use of a web-based interface to provide security configurations and policies to allow the policies and configurations to be synchronized with the data centers (Brand: paragraph 0006).

10. Claims 10-11 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Wei (U.S. Patent Pub. No. US 2010/0251329) in view of Sinha (U.S. Patent Pub. No. US 2012/0240183).

Claim 10 is rejected as applied above in rejecting claim 1. Furthermore, Wei does not explicitly disclose provisioning services configured to provide client devices with a corresponding software client application. In an analogous art, Sinha discloses management software which is in a configuration profile (paragraph 0073). This configuration profile may include software configured to operate on the mobile device to coordinate and provide MDN functionality (paragraph 0073). It would have been obvious to one of ordinary skill in the art to provide client devices with a software client application so that desired functionality can be provided to the devices (paragraph 0073).

Claim 11 is rejected as applied above in rejecting claim 10. Furthermore, Sinha discloses: The network security system of claim 10, wherein the provisioning services are further configured to provide policy updates to the client devices (paragraph 0074: configuration updates).

11. Claims 13-14 is/are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Wei (U.S. Patent Pub. No. US 2010/0251329) in view of Devarajan et al. (U.S. Patent Pub. No. US 2014/0026179).

Claim 13 is rejected as applied above in rejecting claim 12. Furthermore, Wei does not explicitly disclose wherein the data plane intermediary functionality further comprises determining the intercepted communication is encrypted, decrypting the intercepted communication, and determining a user identity associated with the intercepted communication, wherein the enforcing the security policy on the intercepted communication is based on the user identity. In an analogous art, Devarajan discloses dynamically associating traffic to users regardless of the source (see Abstract) and allows dynamic user identification that associates traffic flow with the users even if the traffic is encrypted (paragraph 0114). It would have been obvious to implement the methodology of Devarajan in the system of Wei in order to allow organizations to eliminate the need for physical infrastructure for delivering cloud-based SWG systems to the organizations (Devarajan: paragraph 0114).

Claim 14 is rejected as applied above in rejecting claim 13.
Furthermore, Devarajan discloses: The network security system of claim 13, wherein the data plane intermediary functionality further comprises: re-encrypting the intercepted communication (paragraph 0041: redirect traffic by re-establishing a tunnel (encryption) between a gateway and a processing node); and transmitting the re-encrypted communication to the particular hosted service (paragraph 0041: redirect traffic by re-establishing a tunnel (encryption) between a gateway and a processing node).

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KAVEH ABRISHAMKAR whose telephone number is (571)272-3786. The examiner can normally be reached M-F 9-5:30.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached at 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KAVEH ABRISHAMKAR/
12/19/2025
Primary Examiner, Art Unit 2494

Prosecution Timeline

Jun 04, 2024: Application Filed
Dec 19, 2025: Non-Final Rejection — §102, §103, §DP
Apr 09, 2026: Interview Requested

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12598086
TOKENIZED INDUSTRIAL AUTOMATION SOFTWARE
2y 5m to grant Granted Apr 07, 2026
Patent 12598216
SMALL-FOOTPRINT ENDPOINT DATA LOSS PREVENTION
2y 5m to grant Granted Apr 07, 2026
Patent 12585761
SYSTEM AND METHOD FOR COMBINING CYBER-SECURITY THREAT DETECTIONS AND ADMINISTRATOR FEEDBACK
2y 5m to grant Granted Mar 24, 2026
Patent 12585771
LEARNED CONTROL FLOW MONITORING AND ENFORCEMENT OF UNOBSERVED TRANSITIONS
2y 5m to grant Granted Mar 24, 2026
Patent 12579280
SYSTEMS AND METHODS FOR VULNERABILITY SCANNING OF DEPENDENCIES IN CONTAINERS
2y 5m to grant Granted Mar 17, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 78%
With Interview: 95% (+16.9%)
Median Time to Grant: 3y 3m
PTA Risk: Low
Based on 1020 resolved cases by this examiner. Grant probability derived from career allow rate.
