DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Response to Amendment
This office action is in response to applicant’s amendment filed, 17 March 2026, of application filed, with the above serial number, on 24 June 2024 in which claims 26-27 have been amended. Claims 9-11 and 24-39 are pending in the application.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 9-11 and 24-39 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nantel (hereinafter “Nantel”, 2016/0315907) in view of Leon (hereinafter “Leon”, 2019/0386957).
As per Claim 9, Nantel discloses a non-transitory, machine-readable medium having stored thereon program code, the program code comprising instructions to:
collect host identifiers (host IDs) of devices that connect to a network (at least paragraph 31; retrieve unique physical addresses of one or more host devices 102 and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server 106 to the one or more host devices 102 {where the transient identifier is an IP address which is dynamic; where persistent identifier is unique physical address such as MAC});
maintain mappings of the host IDs to corresponding Internet Protocol (IP) addresses of the devices, wherein the instructions to maintain mappings comprise instructions to update the mappings to indicate changes in assignments of IP addresses to devices (at least paragraph 31-33, 39; As the IP address allocated to each host device 102 is dynamic, agent 104 can be configured to keep the mapping information between MAC addresses of the host devices and the assigned IP addresses updated at all times; update the mapping of physical address to IP address in real-time/dynamically; DHCP agent 104 to relay the mapped unique physical addresses of one or more host devices 102 to a network security device 112. Such information can be sent as DHCP relay lease information. Based on such relay information, network security device 112 can be configured to define network traffic management/security policies corresponding to the unique physical addresses of the one or more host devices, enabling visibility of layer-2 information, such as fixed MAC addresses of devices 102, at layer-3 devices 112, such as routers/hubs/switches/gateway devices/firewalls/among other network devices 112; send desired/updated mapping information to layer-3 network device 112 (e.g., a firewall), which can then define network security policies such as packet filter policies for one or more specific host devices 102);
propagate, to network devices of the network, updates to the mappings based on changes in the IP address assignments (at least paragraph 31, 43; configured to keep the mapping information between MAC addresses of the host devices and the assigned IP addresses updated at all times), wherein the instructions to propagate updates to the mappings comprise the instructions to,
based on detection of an update to the mappings (at least paragraph 31; As the IP address allocated to each host device 102 is dynamic), determine whether a fast path condition is satisfied and immediately propagate the update to the network devices if the fast path condition is satisfied (at least paragraph 27, 31, 43; Maintaining of the mapping information can be done in real-time; the network security device can update a mapping between IP addresses and the physical addresses of the one or more host devices in real-time based on relay information received from the DHCP agent);
based on a determination that the fast path condition is not satisfied, accumulate updates to the mappings until a bulk propagate condition is satisfied (at least paragraph 31, 43; Maintaining of the mapping information can be done … dynamically or at defined/configured periodic intervals);
update a quarantine list based on changes in the IP address assignments of those devices (at least paragraph 45; managing (data plane) traffic…update the mapping between IP addresses and physical addresses of the one or more host devices in real-time … identifying/quarantining of host devices that violate policies, and logging and reporting information); and
propagate to firewalls, the quarantine list update (at least paragraph 27-35; the network security device can update a mapping between IP addresses and the physical addresses of the one or more host devices in real-time based on relay information received from the DHCP agent; relaying to other devices including firewalls).
Nantel fails to explicitly disclose set state indicators of whether devices are compromised or not compromised in a compromise state list in response to identification of a set of one or more compromise devices, and wherein the instructions to determine whether the fast path condition is satisfied comprise instructions to determine whether the compromise state list identifies a device corresponding to the detected update. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Leon.
Leon discloses, in an analogous art, an active threat detector identifying IP addresses as malicious, creating and sending routing tables or lists of only addresses that are threats by flagging addresses as malicious addresses, with such data being managed in the control plane of the network and sending data to firewalls (at least Leon paragraph 39-44, 100, 102). Leon discloses that once an IP address is identified as being malicious, other nodes are notified of this newly identified address so they can prepare to block a packet from that node.
Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Leon’s malicious address flagging with Nantel’s IP address table, as Leon describes correlating such information provides a more robust security scheme such that if one node identifies a threat, the other nodes can be automatically updated to recognize and prepare for the same threat to block such packets communicating with a malicious address. This would be an obvious enhancement with Nantel’s system of mapping such dynamic IP addresses that change with the MAC physical address that doesn’t change so that malicious actors would not be able to simply change the IP address and infiltrate the network, the MAC address mapping would identify such tactics and still block the communication and apply the Policy Rule that Nantel enforces.
As per Claim 10. The non-transitory, machine-readable medium of claim 9, wherein the program code further comprises instructions to propagate changes in state indicators to network devices of the network using the host IDs (at least paragraph 27-35; relaying identified and quarantined devices to other firewalls based on MAC addresses; the network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; par. 29: enabling the DHCP agent to relay the mapped unique physical addresses of one or more host devices to a network security device; and defining, at the network security device, network traffic management/security policies corresponding to at least one of the unique physical addresses of the one or more host devices).
As per Claim 11. The non-transitory, machine-readable medium of claim 9, wherein the instructions to collect host IDs comprise instructions to collect host IDs from headers of packets or messages corresponding to establishing a connection or session (at least paragraph 26; retrieve unique physical addresses (layer-2 information such as MAC addresses) of one or more host devices and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server to the one or more host devices. The system can further include a physical address information forwarding module configured to enable the DHCP agent to relay the mapped unique physical addresses (layer-2 information such as MAC addresses) of one or more host devices to a network security device. System of the present disclosure can further include a physical address based network policy definition module configured at the network security device (layer-3 device) to define network traffic management/security policies corresponding to at least one of the unique physical addresses (layer-2 information such as MAC addresses) of the one or more host devices, enabling visibility of layer-2 information at layer-3 devices).
As per Claim 24. The non-transitory, machine-readable medium of claim 9, wherein the instructions to update the quarantine list in the data plane comprise the instructions to update an entry in the quarantine list for a compromised device according to a corresponding change in the IP address assignments to the compromised device (at least paragraph 27, 34, 38, 45; changes in IP addresses does not impact policy; update the mapping between IP addresses and physical addresses of the one or more host devices in real-time based on relay information received from the DHCP agent; identifying/quarantining of host devices that violate policies).
As per Claim 25. The non-transitory, machine-readable medium of claim 9, wherein the program code further comprises instructions to change a state indicator in a first entry in the compromise state list to indicate not compromised for a device and to update the quarantine list in the data plane to remove an IP address currently assigned to the device in response to the change in the compromise state list (at least paragraph 27, 34-38, 45; identifying/ quarantining of host devices that violate policies; changes in IP addresses does not impact policy; aggregate DHCP lease information with existing SSO information (from say 110), and forward this data to network/security/layer-3 devices 112, which can use this enhanced information to enforce accurate NAC, quarantining and logging. Network devices 112 can also exchange such physical address/MAC address information of host devices 102 with one or more other network security/manager devices in order to allow for adequate centralized logging and reporting, and to provide an ability for other units/modules managed by the network management device(s) to query the device(s) for new detected devices (using their MAC address) in order to obtain their current posture as it relates to NAC, quarantining or other policy status that may related to the device in question; currently assigned IP address indicating old IP addresses are released).
As per Claim 26. The non-transitory, machine-readable medium of claim 9, wherein, wherein the bulk propagate condition corresponds to at least one of expiration of a time period and a threshold number of updates (at least paragraph 31, 43; Maintaining of the mapping information can be done … dynamically or at defined/configured periodic intervals (periodic interval time expiring)).
As per Claims 27-39. The limitations therein have substantially the same scope as claims 9-11, 24-26 because claims 9-11, 24-26 are a non-transitory, machine readable medium implemented by those apparatus of claims 127-33 and method being performed in claims 34-39. Therefore claims 27-39 are rejected for at least the same reasons as claims 9-11, 24-26.
Response to Arguments
Applicant's arguments filed 17 March 2026 have been fully considered but they are not persuasive.
Applicant argues that the proposed modification 1) fails to disclose propagating mappings based on determining whether a device with an updated IP address assignment is indicated in the compromised state list and 2) that the modification makes little technical sense.
Regarding 1) Applicant argues that Nantel is maintaining the mappings and not directed to propagating the mappings based on changes including such fast path determination. In other words, Applicant is arguing that the claims recite immediately propagating the mappings if the mapping is for a compromised device change of address mapping, and waiting for bulk propagation if the device is not compromised. However, while Nantel discloses in par. 31 that “Maintaining of the mapping information can be done in real-time or dynamically or at defined/configured periodic intervals”, such maintaining is for the DHCP agent as well as propagating as par. 27, 32, 43 recites that the DHCP agent relay/ propagate the mapping information to a network security device, the network security device being a firewall or other security device that uses the addresses and mappings in order to enforce security policies. Par. 27 outlines that such security can be done in real-time from the DHCP agent. And in par. 34-35 Nantel describes forwarding the data to the other devices to enforce accurate NAC, quarantining, etc.
Thus, as mapped in the rejection to claim 9 above, Nantel describes either such claimed ‘fast path’ approach to relaying updates or such claimed ‘bulk’ propagation with relaying in real-time or at periodic interval as they are aggregated. And Nantel clearly describes the desire to keep mapping information updated at all times, particularly to enforce accurate network access control, quarantining, and other security policies (par. 27, 31, 35). But, while Nantel teaches the benefits of both, Nantel simply doesn’t explicitly teach the benefits of relaying mapping for devices that are quarantined while those that are not are relayed at periodic intervals. Nantel would simply update aggregated mappings at periodic intervals or ‘bulk propagate condition’ using the claim terminology, for example, which would result in a secure network, without the added expense of additional traffic from the additional mapping update each time a healthy device is updated that real time offers.
Thus, Leon is relied on to disclose the limitation determine whether the fast path condition is satisfied comprise instructions to determine whether the compromise state list identifies a device corresponding to the detected update
Leon discloses an active threat detector identifying IP addresses as malicious, creating and sending routing tables or lists of only addresses that are threats by flagging addresses as malicious addresses, with such data being managed in the control plane of the network and sending data to firewalls (at least Leon paragraph 39-44, 100, 102). Leon discloses that once an IP address is identified as being malicious, other nodes are notified of this newly identified address so they can prepare to block a packet from that node.
In response to applicant's argument that the references fail to show certain features of the invention, it is noted that the features upon which applicant relies (i.e., a quarantine list of IP addresses) are not recited in the rejected claim(s). Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Claim 9 recites a compromise state list and a quarantine list in a data plane, these are connected to the IP address mappings but the quarantine list itself is not claimed to contain IP addresses necessarily.
Regarding 2) The modification of Nantel with Leon makes sense in that both Nantel and Leon protect against network based attacks by determining malicious devices and notifying or relaying the identification information such as IP address to other nodes or devices in the network. Nantel teaches such relaying can be real time or at intervals for such malicious devices but leaves it up to the network administrator to determine which to use, while Leon simply teaches when such a device is an active threat that once a threat or malicious device is detected other nodes are automatically updated with real-time threat detection. Thus, Nantel’s system teaches relaying such mappings up to user preference and at intervals may be preferable, and Leon discloses the obvious benefit of real time threat detection and importance of notifying and updating other nodes of the threat. The combination thus allowing periodic relaying of mapping changes with real time relaying of active threats, enhancing the security of the network.
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREGORY TODD/Primary Examiner, Art Unit 2443