DETAILED ACTION
This Office Action responds to the communication filed on 09/04/2024.
Claims 1-20, including independent claims 1, 15, and 16, are examined in this Office Action.
Claims 1-20 are pending.
35 U.S.C. 112(f) is invoked with respect to claims 10, 11 and 14.
Claims 10, 11 and 14 are rejected under 35 USC § 112.
Claims 12-14 are objected to because of informalities.
Claims 1-20 are rejected under 35 USC § 103.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 04/28/2025. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Drawings
The drawings were received on 09/04/2024. These drawings are accepted.
Priority
Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d). The certified copy has been filed in parent Application No. IN202311059706, filed on 09/05/2023.
Claim Objections
Claims 12-14 are objected to because of the following informalities:
Claims 12-14 recite “the second one of the tunnels”. It should be “the second one of the number of tunnels.”
Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: authorization component in claim 8, authentication component in claim 9, tunnel scaling module in claims 10, 11, and 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 10, 11, 14, 16, 19, and 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the applicant regards as the invention.
Claim limitations “component” and “module” in claims 10, 11 and 14 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification states, in paragraph 0119, that “The above systems, devices, methods, processes, and the like may be realized in hardware, software, or any combination of these suitable for a particular application.” Therefore, the claims are indefinite and are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;
(b) Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either:
(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or
(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 4, 8-9 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US 20240348459 A1, hereinafter “Narayanaswamy”) in view of Parla et al. (US 20250047759 A1, hereinafter “Parla”).
Regarding independent claim 1, Narayanaswamy discloses a system comprising:
a data plane for zero trust network access to an application, wherein (Narayanaswamy: [0048] System 100 includes organization network 102, data center 152 with secure access service edge (SASE) system 153 with security stack 154, Netskope cloud access security broker (N-CASB) 155 and cloud-based services 108. SASE system 153 comprises the amalgamation of network security functions N-CASB 155, as well as secure web gateway (SWG), zero trust network access (ZTNA); [0058] N-CASB 155 provides a variety of functions via a management plane 174 and a data plane 180; [0058] Data plane 180 includes an extraction engine 171, a classification engine 172, and a security engine 173, according to one implementation):
the application is hosted on a customer premises, the data plane is deployed in a cloud-based platform external to the customer premises (Narayanaswamy: [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises (“application is hosted on a customer premises”) or located in a virtual private network controlled by the client),
the data plane includes a plurality of connection servers configured to connect to the customer premises (Narayanaswamy: [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises (“customer premises”) or located in a virtual private network controlled by the client; [0064] FIG. 2 shows an architectural level schematic of a data plane point of presence (POP). FIG. 2 includes a data plane point of presence 205 (dashed-dotted box) connected to network A 252 and network B 258. These can be the same or different networks. Network A 252 is also connected to client devices such as mobile 132 and computer 112 (“customer premises”). Network B 258 is connected to the cloud service 208 (“a plurality of connection servers”)), and
a load balancer configured to retrieve connection information for the data plane, and to provide load balancing information to the service proxy specifying one of the plurality of connection servers to connect the user to the customer premises for use of the application (Narayanaswamy: [0064] The elements of data plane POP 205 include a firewall 244, a secure tunnel gateway 234, a load balancer 245, multiple proxies 236, 256, and 266 (each inspection proxy implements the policies according to the current configuration); [0066] Also shown in FIG. 2 is an example of the secure tunnel 232 used by mobile 132 and other mobile clients. In contrast, the data from computer 112 is routed directly from the firewall 244 to the load balancer 245).
However, Narayanaswamy does not disclose the following limitation; Parla teaches the system wherein the data plane includes a service proxy configured to handle an incoming request from a user for the application (Parla: [0049] the first proxy node may be hosted at an edge of the cloud network and configured as an ingress proxy node, and the second proxy node may be hosted at an edge of the private enterprise/application network and configured as an egress proxy node).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Parla to include a service proxy handling an incoming request from a user for the application. One of ordinary skill in the art would have been motivated to make this modification because the ingress proxy node may be a centralized entry point for external traffic, allowing for the implementation of security features such as IP allow/deny lists, authentication and authorization checks, and rate limiting to mitigate Denial of Service (DoS) attacks.
Regarding claim 2, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses the system of claim 1, wherein the plurality of connection servers include WebSocket servers (Narayanaswamy: [0048] Cloud services 108 includes cloud-based app hosting services 118, web email services 128, video, messaging and voice call services 138, streaming services 148, file transfer services 158, and cloud-based storage service 168 (“WebSocket servers”); [0059] Computers 112 a-n, tablets 122 a-n and mobile devices 132 a-n in organization network 102 include management clients with a web browser with a secure web-delivered interface (“WebSocket servers”) provided by N-CASB 155 to define and administer content policies 187, according to one implementation).
Regarding claim 4, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses the system of claim 1, further comprising a plurality of service proxies configured to receive load balancing information from the load balancer (Narayanaswamy: [0064] The elements of data plane POP 205 include a firewall 244, a secure tunnel gateway 234, a load balancer 245, multiple proxies 236, 256, and 266 (each inspection proxy implements the policies according to the current configuration), and an outbound network address translation element NAT 246).
Regarding claim 8, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses the system of claim 1, wherein the data plane includes an authorization component configured to provide zero trust network access authorization to a user requesting access to the application through the data plane (Narayanaswamy: [0048] System 100 includes organization network 102, data center 152 with secure access service edge (SASE) system 153 with security stack 154, Netskope cloud access security broker (N-CASB) 155 and cloud-based services 108. SASE system 153 comprises …, zero trust network access (ZTNA); [0051] Further describing system 100 of FIG. 1, embodiments can also interoperate with single sign-on (SSO) solutions. For example, integration with a SSO solution can enforce client presence requirements before authorizing the sign-on. Other embodiments may use “proxy accounts” with the SaaS vendor—e.g., a dedicated account held by the system that holds the only credentials to sign in to the service).
Regarding claim 9, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses the system of claim 1, wherein the data plane includes an authentication component configured to provide user authentication to a user requesting access to the application through the data plane (Narayanaswamy: [0051] For example, integration with a SSO solution can enforce client presence requirements before authorizing the sign-on. Other embodiments may use “proxy accounts” with the SaaS vendor—e.g., a dedicated account held by the system that holds the only credentials to sign in to the service).
Regarding independent claim 15, Narayanaswamy discloses a computer program product comprising computer executable code embodied in non-transitory computer readable media that, when executing on one or more computing devices, performs the steps of:
providing a cloud-based data plane for zero trust network access to an application hosted on a customer premises (Narayanaswamy: [0048] System 100 includes organization network 102, data center 152 with secure access service edge (SASE) system 153 with security stack 154, Netskope cloud access security broker (N-CASB) 155 and cloud-based services 108. SASE system 153 comprises the amalgamation of network security functions N-CASB 155, as well as secure web gateway (SWG), zero trust network access (ZTNA); [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises or located in a virtual private network controlled by the client (“customer premises”); [0058] N-CASB 155 provides a variety of functions via a management plane 174 and a data plane 180 (“providing a cloud-based data plane for zero trust network access”));
connecting to the customer premises with a plurality of connection servers in the cloud-based data plane, each connection server configured to connect to the customer premises for zero trust network access to the application (Narayanaswamy: [0048] SASE system 153 comprises the amalgamation of network security functions N-CASB 155, as well as … , zero trust network access (ZTNA) (“for zero trust network access to the application”); [0050] N-CASB 155 further includes monitor 184 that includes … and data plane 180; [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises or located in a virtual private network controlled by the client (“customer premises”); [0064] FIG. 2 shows an architectural level schematic of a data plane point of presence (POP). FIG. 2 includes a data plane point of presence 205 (dashed-dotted box) connected to network A 252 and network B 258. These can be the same or different networks. Network A 252 is also connected to client devices such as mobile 132 and computer 112 (“customer premises”). Network B 258 is connected to the cloud service 208 (“a plurality of connection servers”)); and
load balancing access to the application in the cloud-based data plane by retrieving connection information for the cloud-based data plane and providing load balancing information to the service proxy specifying one of the plurality of connection servers to connect a user to the customer premises for use of the application (Narayanaswamy: [0064] The elements of data plane POP 205 include a firewall 244, a secure tunnel gateway 234, a load balancer 245, multiple proxies 236, 256, and 266 (each inspection proxy implements the policies according to the current configuration); [0066] Also shown in FIG. 2 is an example of the secure tunnel 232 used by mobile 132 and other mobile clients. In contrast, the data from computer 112 is routed directly from the firewall 244 to the load balancer 245).
However, Narayanaswamy does not disclose the following step; Parla teaches handling incoming requests for the application at the cloud-based data plane with a service proxy (Parla: [0049] the first proxy node may be hosted at an edge of the cloud network and configured as an ingress proxy node, and the second proxy node may be hosted at an edge of the private enterprise/application network and configured as an egress proxy node).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Parla to handle incoming requests for the application at the cloud-based data plane with a service proxy. One of ordinary skill in the art would have been motivated to make this modification because the ingress proxy node may be a centralized entry point for external traffic, allowing for the implementation of security features such as IP allow/deny lists, authentication and authorization checks, and rate limiting to mitigate Denial of Service (DoS) attacks.
Regarding independent claim 16, Narayanaswamy discloses a computer-implemented method comprising:
providing a cloud-based data plane for zero trust network access to an application hosted on a customer premises (Narayanaswamy: [0048] System 100 includes organization network 102, data center 152 with secure access service edge (SASE) system 153 with security stack 154, Netskope cloud access security broker (N-CASB) 155 and cloud-based services 108. SASE system 153 comprises the amalgamation of network security functions N-CASB 155, as well as secure web gateway (SWG), zero trust network access (ZTNA); [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises or located in a virtual private network controlled by the client (“customer premises”); [0058] N-CASB 155 provides a variety of functions via a management plane 174 and a data plane 180 (“providing a cloud-based data plane for zero trust network access”));
executing a plurality of connection servers in the cloud-based data plane, each connection server configured to connect to the customer premises for zero trust network access to the application (Narayanaswamy: [0048] SASE system 153 comprises the amalgamation of network security functions N-CASB 155, as well as … , zero trust network access (ZTNA) (“for zero trust network access to the application”); [0050] N-CASB 155 further includes monitor 184 that includes … and data plane 180; [0057] For the disclosed technology, the data plane 180 POPs are hosted on the client's premises or located in a virtual private network controlled by the client (“customer premises”); [0064] FIG. 2 shows an architectural level schematic of a data plane point of presence (POP). FIG. 2 includes a data plane point of presence 205 (dashed-dotted box) connected to network A 252 and network B 258. These can be the same or different networks. Network A 252 is also connected to client devices such as mobile 132 and computer 112 (“customer premises”). Network B 258 is connected to the cloud service 208 (“a plurality of connection servers”));
executing a load balancing module in the cloud-based data plane, the load balancing module configured to retrieve connection information for the cloud-based data plane and to provide load balancing information to the service proxy specifying one of the plurality of connection servers to connect the user to the customer premises for use of the application.
However, Narayanaswamy does not disclose the following step; Parla teaches the computer-implemented method wherein a service proxy is executed in the cloud-based data plane, the service proxy configured to handle an incoming request from a user for the application (Parla: [0049] the first proxy node may be hosted at an edge of the cloud network and configured as an ingress proxy node, and the second proxy node may be hosted at an edge of the private enterprise/application network and configured as an egress proxy node).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Parla to execute a service proxy in the cloud-based data plane, the service proxy configured to handle an incoming request from a user for the application. One of ordinary skill in the art would have been motivated to make this modification because the ingress proxy node may be a centralized entry point for external traffic, allowing for the implementation of security features such as IP allow/deny lists, authentication and authorization checks, and rate limiting to mitigate Denial of Service (DoS) attacks.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US 20240348459 A1, hereinafter “Narayanaswamy”) in view of Parla et al. (US 20250047759 A1, hereinafter “Parla”) as applied to claims above, and further in view of Rodriguez Natal et al. (US 20240214319 A1, hereinafter “Rodriguez Natal”).
Regarding claim 3, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. However, the combination does not teach the following limitation; Rodriguez Natal, in the same field of endeavor, discloses the system of claim 1, wherein the service proxy includes an Envoy proxy (Rodriguez Natal: [0041] the control plane information 106 is received from the modules 104 (e.g., modules, software components, etc.) associated with the proxies 102. In some examples, the proxies 102 may be Envoy proxies and the modules 104 may be Envoy Filters).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Rodriguez Natal to include an Envoy proxy. One of ordinary skill in the art would have been motivated to make this modification because Envoy Proxy provides high-performance networking for cloud-native applications, offering advanced traffic routing, security, and observability in a lightweight, extensible package.
Claims 5-7 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US 20240348459 A1, hereinafter “Narayanaswamy”) in view of Parla et al. (US 20250047759 A1, hereinafter “Parla”) as applied to claims above, and further in view of Filsfils et al. (US 20220174004 A1, hereinafter “Filsfils”).
Regarding claim 5, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses “the secure tunnel” in paragraph 0066. However, the combination does not teach the following limitation; Filsfils, in the same field of endeavor, discloses the system of claim 1, wherein the connection information includes a connection count for each of a number of secure tunnels from the plurality of connection servers to the customer premises (Filsfils: [0057] the local processing metadata 420 can include a path identifier for identifying a path loss. The path identifier is a unique identifier that is mapped to a network parameter (e.g., a network slice, a network connection, etc.) used to count traffic and determine path loss between the ingress router and the egress router. The ingress router and egress router maintain a counter and path loss of the tunnel can be determined based on a comparison of the counter in the ingress router and the counter in the egress router).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Filsfils to include a connection count for each of a number of secure tunnels from the plurality of connection servers to the customer premises. One of ordinary skill in the art would have been motivated to make this modification because monitoring the connection count for each secure tunnel offers numerous benefits for network management and security, providing visibility into usage patterns, aiding in performance optimization and capacity planning, and facilitating the early detection of security threats or anomalies.
Regarding claim 6, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses “the secure tunnel” in paragraph 0066. However, the combination does not teach the following limitation; Filsfils, in the same field of endeavor, discloses the system of claim 1, wherein the connection information includes load balancing based on connection counts for each of a number of tunnels between the plurality of connection servers and the customer premises (Filsfils: [0056-0057] In some examples, the local processing metadata 420 can include extended entropy bits that are used in the data plane for load-balancing. In some examples, the local processing metadata 420 can include a path identifier for identifying a path loss. The path identifier is a unique identifier that is mapped to a network parameter (e.g., a network slice, a network connection, etc.) used to count traffic and determine path loss between the ingress router and the egress router. The ingress router and egress router maintain a counter and path loss of the tunnel can be determined based on a comparison of the counter in the ingress router and the counter in the egress router).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Filsfils to include load balancing based on connection counts for each of a number of tunnels between the plurality of connection servers and the customer premises. One of ordinary skill in the art would have been motivated to make this modification because monitoring the connection count for each secure tunnel offers numerous benefits for network management and security, providing visibility into usage patterns, aiding in performance optimization and capacity planning, and facilitating the early detection of security threats or anomalies.
Regarding claim 7, the combination of Narayanaswamy and Parla teaches all elements of the current invention as stated above. Narayanaswamy discloses “the load balancer” in paragraph 0064. However, the combination does not teach the following limitation; Filsfils, in the same field of endeavor, discloses the system of claim 1, wherein the load balancing information specifies a route for connecting the user to the application through the data plane (Filsfils: [0056-0057] In some examples, the local processing metadata 420 can include extended entropy bits that are used in the data plane for load-balancing. In some examples, the local processing metadata 420 can include a path identifier for identifying a path loss. The path identifier is a unique identifier that is mapped to a network parameter (e.g., a network slice, a network connection, etc.) used to count traffic and determine path loss between the ingress router and the egress router. The ingress router and egress router maintain a counter and path loss of the tunnel can be determined based on a comparison of the counter in the ingress router and the counter in the egress router).
Before the effective filing date of the claimed invention, it would have been obvious for one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Filsfils to include the load balancing information that specifies a route for connecting the user to the application through the data plane. One of ordinary skill in the art would have been motivated to make this modification because monitoring the connection count for each secure tunnel offers numerous benefits for network management and security, providing visibility into usage patterns, aiding in performance optimization and capacity planning, and facilitating the early detection of security threats or anomalies.
Regarding claim 17, it is a method claim that corresponds to claim 5. Therefore, the claim is rejected for at least the same reasons as the system of claim 5.
Regarding claim 18, it is a method claim that corresponds to claim 6. Therefore, the claim is rejected for at least the same reasons as the system of claim 6.
Claims 10-13 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US 20240348459 A1, hereinafter “Narayanaswamy”) in view of Parla et al. (US 20250047759 A1, hereinafter “Parla”) as applied to claims above, and further in view of Patil et al. (US 20210126965 A1, hereinafter “Patil”).
Regarding claim 10, the combination of Narayanaswamy and Parla teaches all elements of claim 1 as stated above. Narayanaswamy discloses “the secure tunnel gateway” in paragraph 0064. However, the combination does not teach the further limitations of claim 10. Patil, in the same field of endeavor, discloses the system of claim 1, further comprising a tunnel scaling module configured to:
in response to a new connection request, add a new tunnel between the data plane and the customer premises when each of a number of tunnels between the data plane and the customer premises meets a predetermined threshold for a number of user connections (Patil: [0025] For example, monitoring module 130 may be configured to monitor network metrics, such as number of secure tunnels or connections, CPU usage, bandwidth utilization, response time, memory utilization, and/or usage of other computing resources, and compare values of the metrics with predetermined thresholds to determine whether lower limits of the predetermined thresholds are met or exceeded), and
in response to the new connection request, add a new connection to one of the number of tunnels when the one of the number of tunnels does not meet the predetermined threshold (Patil: [0025] if the monitoring module 130 determines that the number of tunnel sessions to server 140C is equal to or less than a predetermined threshold (e.g., 10, 100 or 1,000 tunnel sessions), the monitoring module 130 runs a scaling down or auto-shrink routine to transfer all connections or tunnel sessions from server 140C (e.g., minimally loaded security GW instance) to other available servers (e.g., security GW instances)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Patil to add a new tunnel, in response to a new connection request, between the data plane and the customer premises when each of a number of tunnels between the data plane and the customer premises meets a predetermined threshold for a number of user connections; and to add a new connection, in response to the new connection request, to one of the number of tunnels when the one of the number of tunnels does not meet the predetermined threshold. One of ordinary skill in the art would have been motivated to make this modification because the threshold may allow the server to be subsequently terminated without negatively affecting secure connections or tunnel sessions (para. [0025]).
Regarding claim 11, the combination of Narayanaswamy, Parla and Patil teaches all elements of claim 10 as stated above. Patil discloses the system of claim 10, wherein the tunnel scaling module is further configured to take down one of the number of tunnels between the data plane and the customer premises in response to a second one of the number of tunnels meeting a predetermined criterion (Patil: [0025] if the monitoring module 130 determines that the number of tunnel sessions to server 140C is equal to or less than a predetermined threshold (e.g., 10, 100 or 1,000 tunnel sessions), the monitoring module 130 runs a scaling down or auto-shrink routine to transfer all connections or tunnel sessions from server 140C (e.g., minimally loaded security GW instance) to other available servers (e.g., security GW instances)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Patil to take down one of the number of tunnels between the data plane and the customer premises in response to a second one of the number of tunnels meeting a predetermined criterion. One of ordinary skill in the art would have been motivated to make this modification because the threshold may allow the server to be subsequently terminated without negatively affecting secure connections or tunnel sessions (para. [0025]).
Regarding claim 12, the combination of Narayanaswamy, Parla and Patil teaches all elements of claim 11 as stated above. Patil discloses the system of claim 11, wherein the predetermined criterion for taking down the second one of the tunnels includes each of the connections associated with the tunnel meeting a timeout threshold (Patil: [0030] acts 225-265 occur on all connections or tunnel sessions associated with server 140C and may result in transfer of all connections or tunnel sessions from server 140C to server 140A within a timeframe of a few minutes).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Patil so that the predetermined criterion for taking down the second one of the tunnels includes each of the connections associated with the tunnel meeting a timeout threshold. One of ordinary skill in the art would have been motivated to make this modification because if a single tunnel remains active on a minimally loaded GW instance, then the minimally loaded GW instance remains active until such time as the connection is terminated by the connected device (para. [0012]).
Regarding claim 13, the combination of Narayanaswamy, Parla and Patil teaches all elements of claim 11 as stated above. Patil discloses the system of claim 11, wherein the predetermined criterion for taking down the second one of the tunnels includes a minimum threshold for the number of connections for the second one of the tunnels (Patil: [0025] if the monitoring module 130 determines that the number of tunnel sessions to server 140C is equal to or less than a predetermined threshold (e.g., 10, 100 or 1,000 tunnel sessions), the monitoring module 130 runs a scaling down or auto-shrink routine to transfer all connections or tunnel sessions from server 140C (e.g., minimally loaded security GW instance) to other available servers (e.g., security GW instances)).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Patil so that the predetermined criterion for taking down the second one of the tunnels includes a minimum threshold for the number of connections for the second one of the tunnels. One of ordinary skill in the art would have been motivated to make this modification because the threshold may allow the server to be subsequently terminated without negatively affecting secure connections or tunnel sessions (para. [0025]).
Regarding claim 19, it is a method claim that corresponds to claim 10. Therefore, the claim is rejected for at least the same reasons as the system of claim 10.
Regarding claim 20, it is a method claim that corresponds to claim 11. Therefore, the claim is rejected for at least the same reasons as the system of claim 11.
Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US 20240348459 A1, hereinafter “Narayanaswamy”) in view of Parla et al. (US 20250047759 A1, hereinafter “Parla”) and Patil et al. (US 20210126965 A1, hereinafter “Patil”) as applied to claims above, and further in view of Gupta et al. (US 20190327312 A1, hereinafter “Gupta”).
Regarding claim 14, the combination of Narayanaswamy, Parla and Patil teaches all elements of claim 11 as stated above. However, the combination does not teach the further limitation of claim 14. Gupta, in the same field of endeavor, discloses the system of claim 11, wherein the tunnel scaling module is further configured to migrate one or more remaining connections in the second one of the tunnels to one or more other ones of the number of tunnels (Gupta: [0052] as shown in FIG. 3A, in response to determining that the second instance 114b is not connected to the edge device 105 via a functioning second VPN connection 106b, the first gateway coordinator 122a of the first instance 114a can migrate the first VPN connection 106b from the first instance 114a to the second instance 114b).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to have modified the Data Center disclosed by Narayanaswamy with the teachings of Gupta to migrate one or more remaining connections in the second one of the tunnels to one or more other ones of the number of tunnels. One of ordinary skill in the art would have been motivated to make this modification because migrating connections between secure tunnels may ensure data integrity during transit and provide better scalability.
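The following Python sketch is added here as an illustration only; it is not part of this Office Action, of the application under examination, or of any cited reference. It models the tunnel scaling module as recited in claims 10 through 14 and paraphrased in the rejections above: a new tunnel is opened only when every existing tunnel has reached the per-tunnel user-connection threshold (claim 10); a tunnel becomes a take-down candidate when each of its connections has met an idle timeout threshold (claim 12) or when its connection count is at or below a minimum threshold (claim 13); and any remaining live connections are migrated onto other tunnels before the tunnel is taken down (claims 11 and 14). The class and method names, the best-fit placement policy, the rule that the last tunnel to a premises is never taken down, and the rule that migration must not push another tunnel past its threshold are assumptions made for this example and are not features disclosed by any reference.

```python
"""Added example (not from the Office Action or any cited reference):
a hypothetical tunnel scaling module for the logic recited in claims 10-14.
Names, thresholds and the placement policy are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Tunnel:
    tunnel_id: int
    # connection id -> timestamp (seconds) of that connection's last activity
    connections: Dict[str, float] = field(default_factory=dict)

    def count(self) -> int:
        return len(self.connections)


class TunnelScalingModule:
    """Scales tunnels between a data plane and one customer premises.

    max_per_tunnel: per-tunnel user-connection threshold (claim 10)
    min_per_tunnel: count at or below which a tunnel may be taken down (claim 13)
    idle_timeout:   seconds of inactivity after which a connection has met the
                    timeout threshold; a tunnel whose connections have all
                    timed out may be taken down (claim 12)
    """

    def __init__(self, max_per_tunnel: int, min_per_tunnel: int, idle_timeout: float):
        if not 0 <= min_per_tunnel < max_per_tunnel:
            raise ValueError("need 0 <= min_per_tunnel < max_per_tunnel")
        self.max_per_tunnel = max_per_tunnel
        self.min_per_tunnel = min_per_tunnel
        self.idle_timeout = idle_timeout
        self.tunnels: List[Tunnel] = []
        self._next_id = 0

    def connect(self, conn_id: str, now: float) -> int:
        """Claim 10: open a new tunnel only when every tunnel is at the threshold;
        otherwise reuse one with headroom. Returns the id of the tunnel used."""
        with_room = [t for t in self.tunnels if t.count() < self.max_per_tunnel]
        if with_room:
            # Assumed policy: best fit (fullest tunnel with room), which keeps
            # lightly loaded tunnels easy to retire during scale-down.
            target = max(with_room, key=Tunnel.count)
        else:
            target = Tunnel(self._next_id)
            self._next_id += 1
            self.tunnels.append(target)
        target.connections[conn_id] = now
        return target.tunnel_id

    def touch(self, conn_id: str, now: float) -> None:
        """Record activity on a connection so it does not time out."""
        for t in self.tunnels:
            if conn_id in t.connections:
                t.connections[conn_id] = now
                return
        raise KeyError(conn_id)

    def disconnect(self, conn_id: str) -> None:
        for t in self.tunnels:
            t.connections.pop(conn_id, None)

    def _all_timed_out(self, t: Tunnel, now: float) -> bool:
        # Claim 12: each connection on the tunnel has met the timeout threshold
        return t.count() > 0 and all(
            now - last >= self.idle_timeout for last in t.connections.values())

    def _below_minimum(self, t: Tunnel) -> bool:
        # Claim 13: connection count at or below the minimum threshold
        return t.count() <= self.min_per_tunnel

    def _migrate(self, src: Tunnel, others: List[Tunnel]) -> bool:
        """Claim 14: move src's remaining connections onto other tunnels.
        Moves nothing and returns False if that would oversubscribe a tunnel."""
        headroom = sum(self.max_per_tunnel - o.count() for o in others)
        if headroom < src.count():
            return False
        for conn_id, last in list(src.connections.items()):
            dst = max((o for o in others if o.count() < self.max_per_tunnel),
                      key=Tunnel.count)
            dst.connections[conn_id] = last
            del src.connections[conn_id]
        return True

    def scale_down(self, now: float) -> List[int]:
        """Claims 11-14: take down tunnels meeting a criterion after migrating
        live connections. Returns the ids of the tunnels taken down."""
        removed: List[int] = []
        for t in list(self.tunnels):
            timed_out = self._all_timed_out(t, now)
            if timed_out:
                t.connections.clear()  # stale sessions are dropped, not migrated
            if not (timed_out or self._below_minimum(t)):
                continue
            if len(self.tunnels) <= 1:
                continue  # assumption: always keep one tunnel to the premises
            others = [o for o in self.tunnels if o is not t]
            if not self._migrate(t, others):
                continue  # no headroom elsewhere: leave the tunnel up
            self.tunnels.remove(t)
            removed.append(t.tunnel_id)
        return removed
```

Two guards in the sketch matter in practice: timed-out sessions are dropped rather than carried onto another tunnel, so stale user connections are not silently preserved through a scale-down, and a migration that would exceed another tunnel's threshold is refused outright, so scale-down cannot defeat the very limit that the scale-up rule enforces.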
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Vexler et al. (US 20100174939 A1): [0131] Database load-balancer 42 serves to balance the load (a) of multiple data-proxy devices 10 acting as a cluster, and (b) of database server 4 via database-connection manager 20 as a way of scaling out a database. When data responses are served to application server 2, the data is first prepared for delivery via data-preparation module 44, and then transferred to application server 2 via data-streaming module 46.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524. The examiner can normally be reached 9:00 AM- 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached at (571) 272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ANDREW SUH/Examiner, Art Unit 2493