Prosecution Insights
Last updated: April 19, 2026
Application No. 18/768,811

INCREMENTAL MICRO-SEGMENTATION SYSTEM AND INCREMENTAL MICRO-SEGMENTATION METHOD

Final Rejection §103
Filed: Jul 10, 2024
Examiner: CHAI, LONGBIT
Art Unit: 2431
Tech Center: 2400 — Computer Networks
Assignee: Txone Networks Inc.
OA Round: 2 (Final)
Grant Probability: 88% (Favorable)
OA Rounds: 3-4
To Grant: 2y 9m
With Interview: 99%

Examiner Intelligence

Grants 88% — above average
Career Allow Rate: 88% (647 granted / 737 resolved; +29.8% vs TC avg)
Strong +32% interview lift
Interview Lift: +32.3% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 9m (23 currently pending)
Career history
Total Applications: 760 (across all art units)

Statute-Specific Performance

§101: 14.4% (-25.6% vs TC avg)
§103: 36.7% (-3.3% vs TC avg)
§102: 30.4% (-9.6% vs TC avg)
§112: 8.0% (-32.0% vs TC avg)
Based on career data from 737 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

Currently pending claims are 1 – 20.

Claim Objection

Claim 1 is objected to because of the following informalities (and Examiner respectfully requests to correct as follows): “… comprises a processor” should be replaced with “… comprises a hardware processor (or a processor device)” – Examiner notes this is because a computer processor could be a software processor (e.g. a Microsoft WORD processor). Appropriate correction(s) is (are) required. // “A computer processor” may include the “software processor” (e.g. a word processor) //

Response to Arguments

Applicant's arguments with respect to instant claims have been fully considered but are moot in view of the new ground(s) of rejection necessitated by Applicant's amendment – please see the following section for the detail of rationale to make the corresponding prior-art(s) rejections as set forth below.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 – 3, 5, 8, 10 – 13, 15, 18 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kjelstrup et al. (U.S. Patent 11,968,241), in view of Roytman et al. (WO 2023/192215 A1).

As per claim 1 & 11, Kjelstrup teaches incremental micro-segmentation system, comprising:

a shared network, wherein multiple network assets are deployed in the shared network (Kjelstrup: FIG. 1A & Col. 3 Line 42 – 59: a multi-tenant provider network as a shared network with multiple network assets such as network resources and services); and

a network control device, authorized to monitor the shared network and perform in a learning stage being parallel to a generating stage and a deployment stage (Kjelstrup: FIG. 1A & Col. 4 Line 37 – 50 / Line 25 – 36, Col. 2 Line 45 – 50, Col. 9 Line 9 – 16 and Col. 10 Line 3 – 10: (a) an access monitoring component as a part of the access control management system constitutes a network control device to monitor, analyze and control the access control policy, and (b) performing a learning mode of auto-tuning of application permissions such that an appropriate access control policy can be generated based on the monitoring analysis (learning) to grant access only to those services and resources that actually use it, wherein (c) the auto-tuning learning mode can be run, continuously and for an indefinite duration (i.e. parallelly) to automatically alter (modify) the access control policy on a needed basis (Kjelstrup: Col. 9 Line 9 – 16 and Col. 10 Line 3 – 10)), and configured to:

retrieve multiple key values from a network flow in the learning stage (Kjelstrup: see above & Col. 9 Line 30 – 32 and Col. 10 Line 13 – 25: the system retrieves (acquires) request data such as service and resource access data (i.e. multiple key values) from a network access monitoring component) including, at least, which resource (ID), date and time, frequency of the request (against a threshold), and etc.);

based on an interested attribute of one or multiple temporary policy groups of a candidate policy group set that is not enforced (Kjelstrup: see above & Col. 9 Line 63 – 66, Col. 10 Line 3 – 8 / Line 13 – 15, Col. 12 Line 24 – 31 and Col. 13 Line 1 – 6: (a) the aggregated request data represents an interested attribute that indicates, (e.g.) the accessed resource, the number of resources, the number of access requests over a fixed duration during the auto-tuning learning mode, and using such request data to determine which of the services and resources were actually used by the applications during the continuous auto-tuning mode (i.e. monitored during the auto-tuning (learning) mode and not yet deployed to the outputting phase of the policy group(s) – i.e. not enforced as a temporary policy group (Col. 13 Line 1 – 6)), wherein (b) an aggregation of permissions for a class of resources (e.g. all resources) managed by a service associated with access policy rules constitutes policy group(s) (Col. 12 Line 24 – 31) – i.e. temporary policy group(s) <see (a)>), add the multiple key values to be a policy rule of the one or multiple temporary policy groups (Kjelstrup: see above & Col. 10 Line 6 – 10: such an analysis, based on the retrieved request data <see above>, is later used by the policy modifier to automatically alter (change) the access control policy and subsequently the policy modifier outputs a restricted access control policy accordingly) and different combinations of the multiple key values form different policy rules (Kjelstrup: see above & Col. 10 Line 6 – 10: upon automatically altering (changing) the access control policies by adding the multiple key values, the policy modifier outputs an updated (new) restricted access control policies to formulate different policy rules accordingly);

compute a group score of each of the temporary policy groups according to a recommended factor (Kjelstrup: see above & Col. 9 Line 63 – 66 and Col. 10 Line 13 – 32: each of the temporary policy group(s) <see above> associated with the aggregated request data is represented with a single entry of access that indicates the number of access requests over a fixed duration, which constitutes a group score that can be used as a recommendation factor to justify whether to continue granting or denying access to the services or resources).

However, Kjelstrup does not disclose expressly wherein the group score is computed based on a multiplication of multiple recommended factors taken from the group of: update interval, restricted range, confidential or sensitive level, involvement in management services, out-of-date services, or services with vulnerabilities.

Roytman (& Kjelstrup) teach wherein the group score is computed based on a multiplication of multiple recommended factors taken from the group of: update interval, restricted range, confidential or sensitive level, involvement in management services, out-of-date services, or services with vulnerabilities (Kjelstrup: see above & Col. 11 Line 27 – 29) || (Roytman: FIG. 1 / E-122, E-150, E-148 & Page 12 / Para [0042] Line 7 – 9: (a) providing a group of asset risk score associated with a group of assets (FIG. 1 / E-122 | E-148) by calculating a combination score based on a multiplication of a group asset priority value with a plurality of each of individual incident risk scores associated with the group of assets (FIG. 1 / E-122 | E-148), and (b) each of the probabilities of a risk score serves as a recommendation factor, which can be used for policy recommendation (Kjelstrup: Col. 11 Line 27 – 29)).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification that a group score is computed based on a multiplication of multiple recommended factors taken from the group of different factors because Roytman teaches to alternatively, effectively and securely provide a group of asset risk score associated with a group of assets by calculating with a multiplication of a group asset priority value along with a plurality of each of individual incident risk scores associated with the group of assets (see above) within the Kjelstrup’s system of auto-tuning permissions for an access control list (ACL) system using a learning mode (see above).

when determining that the group score is greater than a threshold, generate a recommendation set comprising the one or multiple temporary policy groups in the generation stage (Kjelstrup: see above & Col. 10 Line 13 – 32 / Line 10 – 11 and Col. 9 Line 63 – 66: determining whether the number of access requests to a particular service / resource exceeded a threshold and generate a recommendation either to continue granting or denying access to that service or resource and subsequently the policy modifier would output a further restricted access control policy – i.e. as in a generation stage); and

deploy the recommendation set to an access control list in the deployment stage to make content of the one or multiple temporary policy groups be enforced (Kjelstrup: see above & Col. 10 Line 43 – 47 / Line 49 – 51: the further restricted (modified) policy <see above> is provided (deployed) to a policy manager to be used during continued execution of the applications), wherein the temporary policy groups of the candidate policy group set are not added to the access control list before the deployment stage is performed (Roytman: see above) || (Kjelstrup: see above & Col. 11 Line 27 – 29, Col. 9 Line 63 – 66, Col. 10 Line 3 – 8 / Line 13 – 15, Col. 12 Line 24 – 31 and Col. 13 Line 1 – 6: the temporary policy groups are processed and used for policy recommendation (Kjelstrup: Col. 11 Line 27 – 29) during the continuous auto-tuning mode (i.e. monitored during the auto-tuning (learning) mode, which is not yet deployed to the outputting phase of the enforced policy group(s)).

As per claim 2, 10, 12 & 20, Kjelstrup teaches wherein the interested attribute comprises a control attribute and an observation attribute, and the network control device is configured to, based on the multiple key values indicated by the control attribute and the multiple key values listed by the observation attribute, take the multiple key values as a key value-set by referring to the interested attribute of the one or multiple temporary policy groups, and add the key value-set to the policy rule of the one or multiple temporary policy groups (Kjelstrup: see above & Col. 9 Line 63 – 66 / Line 22 – 32, Col. 10 Line 3 – 8 / Line 10 – 32 and Col. 12 Line 24 – 31: e.g. – (a) the accessed resource ID (IP / Port#), the number of access requests, and etc., constitutes the observation attributes and (b) the privilege (permissions) associated a target service / resource constitutes a control attribute) and determining whether the number of access requests to a particular service / resource exceeded a threshold and generate a recommendation either to continue granting or denying access to that service or resource).

As per claim 3 & 13, Kjelstrup teaches wherein the recommended factor comprises an update interval of each of the temporary policy groups, a restricted range of each of the temporary policy groups, a confidential or sensitive level of each of the temporary policy groups, or the one or multiple temporary policy groups involved in management services, out-of-date services, or services with vulnerabilities (Kjelstrup: see above & Col. 9 Line 63 – 66, Col. 10 Line 3 – 8 / Line 10 – 32 and Col. 12 Line 24 – 31: e.g. involved in management services, or services with vulnerabilities after determining whether the number of access requests to a particular service / resource exceeded a threshold).

As per claim 5 & 15, Kjelstrup teaches adding the one or multiple temporary policy groups whose group score is greater than the threshold to a section of the access control list as a regular policy group; and removing the one or multiple temporary policy groups that are added to the access control list from the candidate policy group set (Kjelstrup: see above & Col. 10 Line 8 – 25: removing permissions of temporary policy rules after determining whether the number of access requests to a particular service / resource below a threshold).

As per claim 8 & 18, Kjelstrup teaches determine whether the candidate policy group set is empty and remains for a period of time; and when the candidate policy group set is empty and remains for the period of time, determine that the access control list is well-defined (Kjelstrup: see above & Col. 4 Line 10 – 19: (a) the auto-tuning mode for learning and altering the policies / rules in an access control system can be set by a fixed duration (with starting / ending time), and (b) the process would be complete (well-done/defined) for the active policies / rules when the auto-tuning duration is expired – i.e. the candidate policy group set becomes empty).

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4 & 14 are rejected under 35 U.S.C. 103 as being unpatentable over Kjelstrup et al. (U.S. Patent 11,968,241), in view of Roytman et al. (WO 2023/192215 A1), and in view of Median et al. (U.S. Patent 2020/0412763).

As per claim 4 & 14, Mercian (& Kjelstrup) teaches performing a process for optimizing content of the recommendation set, wherein the process comprises deactivating a duplicate policy rule of the one or multiple temporary policy group that is repeated in the access control list (Kjelstrup: see above & Col. 13 Line 5 – 6 / Line 34 – 35: the repeated policy rule with redundant permissions would be removed from a policy for improving system performance in general); and Mercian (& Kjelstrup) teaches performing the process for optimizing the one or multiple temporary policy groups, wherein the process comprises adding a default setting to the one or multiple temporary policy groups, and the default setting comprises a log file setting or an intrusion prevention security (IPS) setting (Kjelstrup: see above) || (Mercian: Para [0041]: managing an access control list policy (ACL) by using a default setting either with a white-list or black-list).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of adding a default setting comprises an intrusion prevention security (IPS) setting because Mercian teaches to alternatively, effectively and securely provide a comprehensive security mechanism manage an access control list policy (ACL) by using a default setting either with a white-list or black-list (see above) within the Kjelstrup’s system of auto-tuning permissions for an access control list (ACL) system using a learning mode (see above).

Claims 6 – 7 & 16 – 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kjelstrup et al. (U.S. Patent 11,968,241), in view of Roytman et al. (WO 2023/192215 A1), and in view of Median et al. (U.S. Patent 2020/0412763), and in view of Peretti et al. (U.S. Patent 8,006,088).

As per claim 6 & 16, Peretti (& Kjelstrup as modified) teaches when adding the one or multiple temporary policy groups to the regular policy group of the access control list each time, reorder all the regular policy groups of the access control list according to the priority (Kjelstrup: see above) || (Peretti: Col. 10 Line 34 – 43 & Col. 2 Line 64 – Col. 3 Line 5: (a) the system assigning the order in which policies from different policy objects are applied and to manage how conflicts between different policy objects are resolved and (b) also assigning relative priority to the rules such that adding a target rule into a policy groups only if no rule in the system whose priority is higher than the target rule – i.e. re-ordering the (new) target rule with the highest priority).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of when adding the one or multiple temporary policy groups to the regular policy group of the access control list each time, reorder all the regular policy groups of the access control list according to the priority because Peretti teaches to alternatively, effectively and securely assign the order in which policies from different policy objects are applied and to address how conflicts between different policy objects are resolved and also assign relative priority to the rules such that adding a target rule into a policy groups only if no rule in the system whose priority is higher than the target rule – i.e. re-ordering the (new) target rule with the highest priority (see above) within the Kjelstrup’s system of auto-tuning permissions for an access control list (ACL) system using a learning mode (see above).

As per claim 7 & 17, Kjelstrup as modified teaches compute a restricted range of all the regular policy groups of the access control list; and set a high priority to a small restricted range and set a low priority to a large restricted range (Mercian: Para [0031] Line 12 – 15: (a) the default policy rule is automatically inherited as a low priority when no (other) higher priority rules can be applied to a request and (b) Mercian teaches assigning a default rule such that denies network traffic from any source to any destination, which has a very large restricted range to be denied by default – i.e. with a low priority).

Claims 9 & 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kjelstrup et al. (U.S. Patent 11,968,241), in view of Roytman et al. (WO 2023/192215 A1), and in view of Peretti et al. (U.S. Patent 8,006,088).

As per claim 9 & 19, Peretti (& Kjelstrup) teaches inspect a test network flow with the regular policy groups by the priority of the regular policy groups of the access control list; and when determining that a key value-set of the test network flow matches the policy rule of the access control list, allow or block the test network flow based on an attribute of the policy rule that is allowed-access or denied-access (Kjelstrup: see above) || (Peretti: Col. 10 Line 34 – 43 & Col. 2 Line 64 – Col. 3 Line 5: (a) the system assigning the order in which policies from different policy objects are applied and to address how conflicts between different policy objects are resolved and (b) also assigning relative priority to the rules such that adding a target rule into a policy groups only if no rule in the system whose priority is higher than the target rule – i.e. re-ordering the (new) target rule with the highest priority).

It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of when adding the one or multiple temporary policy groups to the regular policy group of the access control list each time, reorder all the regular policy groups of the access control list according to the priority because Peretti teaches to alternatively, effectively and securely assign the order in which policies from different policy objects are applied and to address how conflicts between different policy objects are resolved and also assign relative priority to the rules such that adding a target rule into a policy groups only if no rule in the system whose priority is higher than the target rule – i.e. re-ordering the (new) target rule with the highest priority (see above) within the Kjelstrup’s system of auto-tuning permissions for an access control list (ACL) system using a learning mode (see above).

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached at 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

---------------------------------------------------
/Longbit Chai/
Longbit Chai E.E. Ph.D.
Primary Examiner, Art Unit 2431
No. #2578 – 2026
---------------------------------------------------

Prosecution Timeline

Jul 10, 2024: Application Filed
Nov 03, 2025: Non-Final Rejection — §103
Jan 13, 2026: Response Filed
Feb 08, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12574418: CONFIDENTIAL RESOURCE TRUSTED DOMAIN MIGRATION STRATEGY (2y 5m to grant; granted Mar 10, 2026)
Patent 12568099: FINDING ANOMALOUS PATTERNS (2y 5m to grant; granted Mar 03, 2026)
Patent 12568086: AUTOMATIC SECURITY COVERAGE EXPANSION OF CLOUD SECURITY POSTURE MANAGEMENT (CSPM) ASSETS (2y 5m to grant; granted Mar 03, 2026)
Patent 12563097: Systems and methods for tag-based policy enforcement for dynamic cloud workloads (2y 5m to grant; granted Feb 24, 2026)
Patent 12563102: DYNAMIC ATTRIBUTE BASED EDGE-DEPLOYED SECURITY (2y 5m to grant; granted Feb 24, 2026)
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 88%
With Interview: 99% (+32.3%)
Median Time to Grant: 2y 9m
PTA Risk: Moderate
Based on 737 resolved cases by this examiner. Grant probability derived from career allow rate.
