Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 remain for examination. Claims 1, 16-20 have been amended. Applicant's arguments filed on 04/13/2026 have been fully considered but they are moot in view of the new ground(s) of rejection necessitated by the amendments. Accordingly, this action has been made final.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.
Claims General are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Fandli U.S. Patent Application Publication No. 20210243158 A1 (hereinafter " Fandli"), in view of Silverlock 20240107294 A1.
As to claim 1, Fandli teaches method to use a zero trust packet routing policy architecture to perform zero trust packet routing in one or more networks, the method comprising (Fandli Pa. [0034]) [the traffic filters 308 may comprise an Internet Protocol security (IPsec) engine that controls encryption and decryption of packets]: receiving a packet at an enforcement point within one or more networks that include a plurality of enforcement points (Fandli Pa. [0010]) [the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy]; accessing one or more rules associated with a policy that specifies how traffic flows through the enforcement point and other enforcement points of the one or more networks (Fandli Pa. [0035-0036]) [he traffic filters 308 apply a set of filtering rules to traffic to or from a workload 138 associated with the enforcement module 132. The set of filtering rules may be organizing in a rule chain 312 comprising a set of rules that are applied sequentially to inbound and outbound data packets. For each filtering rule of the rule chain 312, a specified action is taken in response to data packet matching a specified set of criteria. Generally, the rules in the rule chain 312 are permissive rules that each specify a set of criteria that, if matched, allow the data packet to be passed to or from the workload 138. The set of criteria may include, for example, the source and destination network addresses and ports, protocols associated with the communication, and a connection state…The segmentation configuration module 302 receives the segmentation rules and membership information from the policy management server 120 and translates the segmentation rules from a high level of abstraction to a low level of abstraction to configure the rule chain 312 of the traffic filters 308 based on the segmentation policy],,
It is noted that Fandli does not explicitly disclose determining a source of the packet based, at least in part, on a unique Origin ID included in the packet that identifies a source enforcement point of the plurality of enforcement points that transmitted the packet; wherein the policy includes one or more layer 4 rules and one or more layer 7 rules; and enforcing, based, at least in part, on the source of the packet determined from the unique Origin ID, the one or more rules associated with the policy at the enforcement point.
However, Silverlock discloses determining a source of the packet based, at least in part, on a unique Origin ID included in the packet that identifies a source enforcement point of the plurality of enforcement points that transmitted the packet (Silverlock Pa. [0019]) [When receiving a packet with the SIM identifier, the distributed cloud computing network 120 does a lookup to map the identifier included in the packet with the custom device identifier. The custom device identifier is then used to determine the identity and applicable policy(ies)]; wherein the policy includes one or more layer 4 rules and one or more layer 7 rules; and enforcing, based, at least in part, on the source of the packet determined from the unique Origin ID, the one or more rules associated with the policy at the enforcement point (Silverlock Pa. [0015]) [ cloud computing network enforces identity-based policies including one or more of the following: Domain Name System (DNS) filtering on DNS requests received from the zero trust SIM device; enforcing policies to control network-level traffic received from the zero trust SIM device (e.g., layer 3 and/or layer 4 policies); enforcing policies to control application-level traffic received from the zero trust SIM device (e.g., HTTP, other layer 7 traffic); enforcing policies to secure inbound traffic to private applications or services; and enforcing policies to enforce browser isolation sessions for traffic received from the zero trust SIM device]
Claims 2, 6, 8, 14-15, 17, 19-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Fandli U.S. Patent Application Publication No. 20210243158 A1 (hereinafter " Fandli"), in view of Silverlock 20240107294 A1, in further view of Fainberg US 20200007395 A1.
As to claim 2, Fainberg teaches further comprising: assigning unique Origin IDs to individual ones of the enforcement points (Fainberg Pa. [0071]) [The enforcement points may be one or more network devices (e.g., firewalls, routers, switches, hypervisor, SDN controller, virtual firewall, etc.) that are able to enforce rules, ACLs, or the like to control (e.g., allow or deny) communication and network traffic between the entity and one or more other entities communicatively coupled to a network. Note: obviously all of these network devices comprise network identifier that can be interpreted as “enforcement points ‘ID’”]; and associating the individual ones of the enforcement points with one or more tags (Fainberg Pa. [0073-0074) [different enforcement actions can be applied based on each tag using multiple enforcement points-0078-allow determination of one or more tags and assigning actions based on the tags or one or more enforcement points, as described herein]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yield predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002])
As to claim 6, the combination of Fandli, Silverlock and Fainberg teaches further comprising: determining a source of the packet based, at least in part, on an Origin ID; determining a destination of the packet; and wherein enforcing the rules includes preventing the packet from transmission to a next stop based, at least in part, on one or more of the source or the destination (Fainberg Pa. [0882]) [the entity is based on at least a source and a destination of a communication of the entity. In some embodiments, the instructions may further cause the processing device to determine a zone for the entity based on the one or more tags.]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yield predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002])
As to claim 8, the combination of Fandli, Silverlock and Fainberg teaches further comprising propagating one or more tags to the enforcement point (Fainberg Pa. [0073-0074) [different enforcement actions can be applied based on each tag using multiple enforcement points-0078-allow determination of one or more tags and assigning actions based on the tags or one or more enforcement points, as described herein]
Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yield predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002])
As to claim 14, claim 14 recites he claimed that contain similar limitations as claim 6; therefore, it is rejected under the same rationale.
As to claim 15, claim 15 recites he claimed that contain similar limitations as claim 8; therefore, it is rejected under the same rationale.
As to claim 17, claim 17 recites he claimed that contain similar limitations as claim 2; therefore, it is rejected under the same rationale.
As to claim 19, claim 18 recites he claimed that contain similar limitations as claim 6; therefore, it is rejected under the same rationale.
As to claim 20, claim 20 recites he claimed that contain similar limitations as claim 8; therefore, it is rejected under the same rationale.
Response to Arguments
Arguments
It is argued that:
Among other differences, the cited references fail to teach or suggest at least the above recitations. For example, the Fandli reference generally describes managing "enforcement of a segmentation policy" [0003]. At [0035], Fandli recites that:
For each filtering rule of the rule chain 312, a specified action is taken in
response to data packet matching a specified set of criteria. Generally, the rules in
the rule chain 312 are permissive rules that each specify a set of criteria that, if
matched, allow the data packet to be passed to or from the workload 138. The set
of criteria may include, for example, the source and destination network addresses
and ports, protocols associated with the communication, and a connection state.
While Fandli describes the use of "source and destination network addresses", Fandli is silent with regard to the amended recitations of claim 1 for "determining a source of the packet based, at least in part, on a unique Origin ID included in the packet that identifies a source enforcement point of the plurality of enforcement points that transmitted the packet", and "enforcing, based, at least in part, on the source of the packet determined from the unique Origin ID, the one or more rules associated with the policy at the enforcement point". In contrast to the recitations of amended claim 1, Fandli does not teach, suggest, or describe including a unique Origin ID into a packet to identify a "source enforcement point" that is received by a downstream enforcement point. The addition of the Silverlock reference fails to cure the deficiencies of Fandli. At [0015], Silverlock recites that a
distributed cloud computing network enforces identity-based policies
including one or more of the following: Domain Name System (DNS)filtering on
DNS requests received from the zero trust SIM device; enforcing policies to
control network-level traffic received from the zero trust SIM device (e.g., layer 3
and/or layer 4 policies); enforcing policies to control application-level traffic
received from the zero trust SIM device (e.g., HTTP, other layer 7 traffic)
The SIM device described by Silverlock is identified by a "SIM identifier" that is "associated with an identity ( e.g., a user identity, a device identity, a machine identity) at the distributed cloud computing network". This identifier is not the same, nor does it teach or Page 7 of 8
suggest, the "Origin ID" as recited in amended claim 1. For example, the "Origin ID" recited in claim 1 "identifies a source enforcement point of the plurality of enforcement points that transmitted the packet". For at least these reasons, claim 1 is proposed to be allowable. Claims 10 and 16 have been similarly amended and are proposed to be allowable for at least the reasons presented above. The dependent claims are proposed to be allowable as they depend on a valid base claim. The Applicant respectfully requests withdrawal of the § 103 rejection of these claims.
Examiner’s response
In response to applicant's argument, Examiner respectfully submits that claimed limitation is to be given their broadest reasonable interpretation during prosecution, and the scope of a claim cannot be narrowed by reading disclosed limitations into the claim. See In re Morris, 127 F.3d 1048, 1054, 44 USPQ2D 1023, 1027 (Fed. Cir. 1997); In re Zletz, 893 F.2d 319, 321, 13 USPQ2D 1320, 1322 (Fed. Cir. 1989); In re Prater, 415 F.2d 1393, 1404, 162 USPQ 541,550 (CCPA 1969).
In addition, Silverlock clearly disclose the claimed limitation determining a source of the packet based, at least in part, on a unique Origin ID included in the packet that identifies a source enforcement point of the plurality of enforcement points that transmitted the packet (Silverlock Pa. [0019]) [When receiving a packet with the SIM identifier, the distributed cloud computing network 120 does a lookup to map the identifier included in the packet with the custom device identifier. The custom device identifier is then used to determine the identity and applicable policy(ies), note: obviously the identifier of Silverlock can identify the source of the packet]
Therefore, the Applicant’s is moot.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday -Friday 8:00 am - 5:30 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/EVANS DESROSIERS/Primary Examiner, Art Unit 2491