Prosecution Insights
Last updated: April 19, 2026
Application No. 18/828,390

ZERO TRUST PACKET ROUTING POLICY LANGUAGE

Non-Final OA: §101, §102, §103
Filed
Sep 09, 2024
Examiner
MEHEDI, MORSHED
Art Unit
2408
Tech Center
2400 — Computer Networks
Assignee
Oracle International Corporation
OA Round
1 (Non-Final)
Grant Probability: 86% (Favorable)
Expected OA Rounds: 1-2
Time to Grant: 2y 9m
Grant Probability With Interview: 85%

Examiner Intelligence

Career Allow Rate: 86% (724 granted / 844 resolved; +27.8% vs TC avg; above average)
Interview Lift: -0.4% (minimal; measured over resolved cases with interview)
Avg Prosecution: 2y 9m (16 applications currently pending)
Total Applications: 860 across all art units

Statute-Specific Performance

§101: 17.6% (-22.4% vs TC avg)
§103: 45.2% (+5.2% vs TC avg)
§102: 11.7% (-28.3% vs TC avg)
§112: 12.7% (-27.3% vs TC avg)

Comparison is against the Tech Center average estimate. Based on career data from 844 resolved cases.

Office Action

Rejections: §101, §102, §103

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION

Claims 1-20 are presented for examination.

Information Disclosure Statement

The information disclosure statements (IDS) submitted on 01/06/2025 and 12/11/2024 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97. Form PTO-1449 is signed and attached hereto.

Drawings

The drawings filed on 09/09/2024 are accepted by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Claim 17 recites “A computer readable medium comprising instructions that when executed, cause one or more processors to perform operations including: accessing a policy that includes policy statements defined according to a Zero Trust Packet Routing (ZPR) Policy Language (ZPL) that supports layer 4 policy statements and layer 7 policy statements that are used to define how traffic flows through one or more networks; determining, based on the policy, rules to enforce at enforcement points within the one or more networks; distributing the rules to the enforcement points within the one or more networks; and enforcing the rules associated with the policy at individual ones of the enforcement points …”. In the specification of the instant application, applicant recited that “Computer-readable storage media 2322 can include any appropriate media known or used in the art, including storage media and communication media, such as but not limited to, volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage and/or transmission of information” (para. [0314]), where storage does not have a specific definition and does not limit the claimed storage from being a transitory medium such as a signal. Pending claims are interpreted as broadly as their terms reasonably allow. See In re Zletz, 893 F.2d 319 (Fed. Cir. 1989). The broadest reasonable interpretation of a claim drawn to a computer readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is silent (see MPEP 2111.01). When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009, p. 2. A claim drawn to such a computer readable medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation “non-transitory” to the claim. Cf. Animals – Patentability, 1077 Off. Gaz. Pat. Office 24 (April 21, 1987).

Claims 18-20 inherit the deficiencies of the base claim 17 and therefore are non-statutory by virtue of their dependency.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

1. Claims 1-3, 5-12, and 14-19 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Miriyala et al. (US Patent No. 11,700,236, hereinafter “Miriyala”).

Regarding claim 1, Miriyala does disclose a method to perform zero trust packet routing in one or more networks, the method comprising: accessing policy statements defined according to a Zero Trust Packet Routing (ZPR) Policy Language (ZPL) that supports layer 4 policy statements and layer 7 policy statements that are used to define how traffic flows through the one or more networks (Miriyala, (col. 2 lines 8-17), a policy framework is provided to enable users to define tag-based policies to integrate NGFW firewalls with L4 firewalls to provide network security for a wider range of layers of the OSI model. In one example, a centralized controller (e.g., Software Defined Networking (SDN) controller) provides network function virtualization for a multi-tenant virtualized data center to steer network traffic of virtualized application workloads to a NGFW, such as a host-based filter (HBF); (col. 2 lines 1-3), other firewalls, typically referred to as next-generation firewalls (NGFWs) or L7 firewalls, provide security for the application layer (e.g., layer 7 (L7)); (col. 3 lines 3-10), the method further comprises obtaining, by a security controller that manages the HBF, the one or more tags from the SDN controller. Additionally, the method comprises receiving, by the security controller, one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF. The method further comprises configuring, by the security controller, the function of the HBF in accordance with the one or more firewall policies; (col. 7 lines 60-67), network system 2 provides a policy framework to enable users to define tag-based policies to integrate host-based services, such as HBFs 11 (e.g., L7 firewalls) with L4 firewalls. In the example of FIG. 1, HBF 11A is implemented on a virtual execution element (e.g., VM or container) hosted on server 12A); and enforcing rules associated with the policy statements at enforcement points within the one or more networks (Miriyala, (col. 8 line 65 – col. 9 line 3), distributed policy agents executing on computing devices, e.g., servers 12, that host the finance application workload may then apply the security policies to tagged objects that are members of categories to redirect traffic to HBF 11A and to apply the security functions provided by HBF 11A as defined by the firewall policies).

Regarding claim 2, Miriyala further discloses the method of claim 1, wherein the policy statements include tags to identify data, resources, and users (Miriyala, (col. 6 lines 26-33), a “tag” may refer to information used to categorize an object of a data model for an application workload according to a particular value or set of values. Tags may, in some examples, categorize an object based on application type, application tier (e.g., web tier, application tier, database tier), deployment (e.g., development, QA, staging, or production stage), geographic site, user, or compliance).

Regarding claim 3, Miriyala further discloses the method of claim 1, wherein the policy statements include at least one policy statement enforced at both an L4 network layer and at an L7 network layer (Miriyala, (col. 7 lines 60-67), network system 2 provides a policy framework to enable users to define tag-based policies to integrate host-based services, such as HBFs 11 (e.g., L7 firewalls) with L4 firewalls. In the example of FIG. 1, HBF 11A is implemented on a virtual execution element (e.g., VM or container) hosted on server 12A. Similarly, HBF 11N is implemented on a virtual execution element hosted on server 12N).

Regarding claim 5, Miriyala further discloses the method of claim 1, wherein the ZPL expresses both Networking policy statements and Identity and Access Management (IAM) policy statements (Miriyala, (col. 8 lines 10-14), administrator 24 may use policy controller 25 to define the security policy as: Tier=Web→Tier=App all traffic to HBF; (col. 8 lines 51-63), administrator 24 may define the firewall policy for HBF 11A to provide IPS for HTTPs traffic of the finance application workload, as shown below: Tier=Web→Tier=App service HTTPs to IPS (28). In some examples, administrator 24 may use policy controller 25 to define another firewall policy for different traffic of the finance application workload. For example, administrator may define a firewall policy for HBF 11A to provide malware detection for HTTP traffic of the finance application workload, as shown below: Tier=Web→Tier=App service HTTP to malware detection).

Regarding claim 6, Miriyala further discloses the method of claim 1, wherein policy statements defined using ZPL are evaluated before one or more policy statements defined using other network policy statements (Miriyala, (col. 7 lines 10-14 and 23-25), administrator 24 may use the tags to control traffic of the finance application workload, such as to direct traffic from a web tier to an application tier; tagged objects of the sales application workload may be used to define a security policy for the traffic, such as whether to allow or deny the traffic).

Regarding claim 7, Miriyala further discloses the method of claim 1, wherein the ZPL includes an allow command and a deny command that specify whether to allow access or deny access to a resource (Miriyala, (col. 7 lines 10-14 and 23-25), administrator 24 may use the tags to control traffic of the finance application workload, such as to direct traffic from a web tier to an application tier; tagged objects of the sales application workload may be used to define a security policy for the traffic, such as whether to allow or deny the traffic).

Regarding claim 8, Miriyala further discloses the method of claim 1, wherein the ZPL includes a network keyword to restrict access over one or more gateways (Miriyala, (col. 7 lines 10-14 and 23-25), administrator 24 may use the tags (i.e. keyword) to control traffic of the finance application workload, such as to direct traffic from a web tier to an application tier; tagged objects of the sales application workload may be used to define a security policy for the traffic, such as whether to allow or deny the traffic).

Regarding claim 9, Miriyala further discloses the method of claim 1, wherein ZPL policy statements defer to policy statements using a different policy language (Miriyala, (col. 8 lines 10-14), administrator 24 may use policy controller 25 to define the security policy as: Tier=Web→Tier=App all traffic to HBF; (col. 8 lines 51-63), administrator 24 may define the firewall policy for HBF 11A to provide IPS for HTTPs traffic of the finance application workload, as shown below: Tier=Web→Tier=App service HTTPs to IPS (28). In some examples, administrator 24 may use policy controller 25 to define another firewall policy for different traffic of the finance application workload. For example, administrator may define a firewall policy for HBF 11A to provide malware detection for HTTP traffic of the finance application workload, as shown below: Tier=Web→Tier=App service HTTP to malware detection).

Regarding claim 10, Miriyala does disclose the system, comprising: one or more networks that include enforcement points (Miriyala, figure 1); a policy that includes statements defined according to a Zero Trust Packet Routing (ZPR) Policy Language (ZPL) that supports layer 4 policy statements and layer 7 policy statements that are used to define how traffic flows through the one or more networks (Miriyala, (col. 2 lines 8-17), a policy framework is provided to enable users to define tag-based policies to integrate NGFW firewalls with L4 firewalls to provide network security for a wider range of layers of the OSI model. In one example, a centralized controller (e.g., Software Defined Networking (SDN) controller) provides network function virtualization for a multi-tenant virtualized data center to steer network traffic of virtualized application workloads to a NGFW, such as a host-based filter (HBF)); one or more processors; and non-transitory computer-readable medium storing a set of instructions, the set of instructions when executed by the one or more processors cause processing to be performed comprising: determining, based on the policy, rules to enforce at the enforcement points within the one or more networks; distributing the rules to the enforcement points within the one or more networks (Miriyala, (col. 2 lines 1-3), other firewalls, typically referred to as next-generation firewalls (NGFWs) or L7 firewalls, provide security for the application layer (e.g., layer 7 (L7)); (col. 3 lines 3-10), the method further comprises obtaining, by a security controller that manages the HBF, the one or more tags from the SDN controller. Additionally, the method comprises receiving, by the security controller, one or more firewall policies expressed in terms of the one or more tags, wherein each of the one or more firewall policies specifies a function of the HBF. The method further comprises configuring, by the security controller, the function of the HBF in accordance with the one or more firewall policies; (col. 7 lines 60-67), network system 2 provides a policy framework to enable users to define tag-based policies to integrate host-based services, such as HBFs 11 (e.g., L7 firewalls) with L4 firewalls. In the example of FIG. 1, HBF 11A is implemented on a virtual execution element (e.g., VM or container) hosted on server 12A); and enforcing the rules associated with the policy at individual ones of the enforcement points (Miriyala, (col. 8 line 65 – col. 9 line 3), distributed policy agents executing on computing devices, e.g., servers 12, that host the finance application workload may then apply the security policies to tagged objects that are members of categories to redirect traffic to HBF 11A and to apply the security functions provided by HBF 11A as defined by the firewall policies).

Regarding claim 11, the substance of the claimed invention is similar to that of claim 2. Accordingly, this claim is rejected under the same rationale.

Regarding claim 12, the substance of the claimed invention is similar to that of claim 3. Accordingly, this claim is rejected under the same rationale.

Regarding claim 14, the substance of the claimed invention is similar to that of claim 6. Accordingly, this claim is rejected under the same rationale.

Regarding claim 15, the substance of the claimed invention is similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.

Regarding claim 16, the substance of the claimed invention is similar to that of claim 8. Accordingly, this claim is rejected under the same rationale.

Regarding claim 17, the substance of the claimed invention is similar to that of claim 10. Accordingly, this claim is rejected under the same rationale.

Regarding claim 18, the substance of the claimed invention is similar to that of claim 3. Accordingly, this claim is rejected under the same rationale.

Regarding claim 19, the substance of the claimed invention is similar to that of claim 7. Accordingly, this claim is rejected under the same rationale.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

2. Claims 4, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala et al. (US Patent No. 11,700,236, hereinafter “Miriyala”) in view of Peles (US Pub No. 2006/0029016, hereinafter “Peles”).

Regarding claim 4, Miriyala does disclose the method of claim 1. Miriyala does not explicitly disclose, but the analogous art Peles discloses, providing a debugging mode that logs information associated with enforcement of the policy statements (Peles, (para. [0035]), the networking system comprising: (a) at least one application debugging switch facilitating communication between one or more clients and at least one application server and collecting statistics comprising network response times and application response times associated with the server; … (c) at least one record logging server receiving collected statistics operated on according to a predefined policy in the at least one policy logging server). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Miriyala by including providing a debugging mode that logs information associated with enforcement of the policy statements taught by Peles for the advantage of actively detecting performance problems, locating the potential source of the problem and assisting in fixing and bypassing the failure (Peles, (para. [0019])).

Regarding claim 13, the substance of the claimed invention is similar to that of claim 4. Accordingly, this claim is rejected under the same rationale.

Regarding claim 20, the substance of the claimed invention is similar to that of claim 4. Accordingly, this claim is rejected under the same rationale.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US Publication No. 2024/0314106: “the distributed cloud computing network may perform one or more services for the traffic including a routing service, a security service, and/or a performance service. The security service may, for example, apply policies to the traffic including layer 3, layer 4, and/or layer 7 policies that may be defined by the customer (including identity-based policies), perform denial of service detection and mitigation, perform bot detection and mitigation, perform browser isolation, rate limiting, quality of service traffic shaping, intrusion detection and mitigation, data loss prevention, and/or anomaly detection. The performance service may, for example, provide one or more performance features including acting as a content delivery network, image resizing, video streaming, TLS termination, serverless web applications, and/or load balancers. The routing service may include, for example, intelligent routing”.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Linglan Edwards, can be reached on (571) 270-5440. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (In USA or Canada) or 571-272-1000.

/MORSHED MEHEDI/
Primary Examiner, Art Unit 2408

Prosecution Timeline

Sep 09, 2024: Application Filed
Dec 12, 2025: Non-Final Rejection, §101, §102, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596842: DATA ANONYMIZATION FOR SERVICE SUBSCRIBER'S PRIVACY (granted Apr 07, 2026; 2y 5m to grant)
Patent 12587357: METHODS AND SYSTEMS FOR P-ADIC ENCODING AND DECODING OF RATIONAL DATA FOR FHE SYSTEMS (granted Mar 24, 2026; 2y 5m to grant)
Patent 12580896: METHOD AND SYSTEM FOR PRIVATE IDENTITY VERIFICATION (granted Mar 17, 2026; 2y 5m to grant)
Patent 12574238: ELECTRONIC DEVICE AND CONTROLLING METHOD FOR INCREASING AN OPERATION SPEED OF HOMOMORPHIC ENCRYPTED DATA (granted Mar 10, 2026; 2y 5m to grant)
Patent 12574206: BLIND ROTATION FOR USE IN FULLY HOMOMORPHIC ENCRYPTION (granted Mar 10, 2026; 2y 5m to grant)

Based on the 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 86%
With Interview: 85% (-0.4%)
Median Time to Grant: 2y 9m
PTA Risk: Low

Based on 844 resolved cases by this examiner. Grant probability derived from career allow rate.