Prosecution Insights
Last updated: April 19, 2026
Application No. 18/883,254

ZERO TRUST PACKET ROUTING ARCHITECTURE

Non-Final OA §101 §103
Filed: Sep 12, 2024
Examiner: DESROSIERS, EVANS
Art Unit: 2491
Tech Center: 2400 — Computer Networks
Assignee: Oracle International Corporation
OA Round: 1 (Non-Final)
Grant Probability: 83% (Favorable)
OA Rounds: 1-2
To Grant: 3y 2m
With Interview: 99%

Examiner Intelligence

Grants 83% — above average
Career Allow Rate: 83% (853 granted / 1031 resolved), +24.7% vs TC avg
Interview Lift: +23.0% (resolved cases with interview), strong +23% interview lift
Typical timeline: 3y 2m Avg Prosecution, 22 currently pending
Career history: 1053 Total Applications across all art units

Statute-Specific Performance

§101: 10.0% (-30.0% vs TC avg)
§103: 51.4% (+11.4% vs TC avg)
§102: 14.7% (-25.3% vs TC avg)
§112: 8.4% (-31.6% vs TC avg)
Black line = Tech Center average estimate. Based on career data from 1031 resolved cases.

Office Action

§101 §103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Detailed Action

This communication is in response to the application filed on 09/12/2024 in which Claims 1-20 are presented for examination.

Drawings

The applicant’s drawings submitted on 09/12/2024 are acceptable for examination purposes.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 16-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 16 recites a “computer readable medium…” However, the usage of the phrase “computer readable medium” is broad enough to include both “non-transitory” and “transitory” (moving electrons, etc.) media. The specification does not clearly limit the utilization of a non-transitory computer readable medium and, thus does not constitute functional descriptive material. Therefore, when the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. See In re Nuijten, 500 F. 3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter).

The Examiner suggests that the Applicant replace the term “computer-readable medium” with the term “non-transitory computer-readable medium” to the medium as recited in the claim(s) in order to properly render the claim(s) in statutory form in view of their broadest reasonable interpretation in light of the originally filed specification. Applicant is suggested to review page 4 of the and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009, under section II. Subsection (c), which describes a “non-transitory computer readable medium” being patent-eligible subject matter.

As to dependent claims 17-20, they are rejected under 35 U.S.C. § 101 for depending upon the non-statutory subject matter recited by independent claim 16.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 3-5, 7, 9-13, 16, 18 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Fandli U.S. Patent Application Publication No. 20210243158 A1 (hereinafter "Fandli"), in view of Silverlock 20240107294 A1.

As to claim 1, Fandli teaches a method to use a zero trust packet routing policy architecture to perform zero trust packet routing in one or more networks, the method comprising (Fandli Pa. [0034]) [the traffic filters 308 may comprise an Internet Protocol security (IPsec) engine that controls encryption and decryption of packets]: receiving a packet at an enforcement point within one or more networks that include a plurality of enforcement points (Fandli Pa. [0010]) [the policy management server obtains traffic data from the distributed enforcement modules without enforcing the segmentation policy to enable an administrator to build and/or test the segmentation policy]; accessing one or more rules associated with a policy that specifies how traffic flows through the enforcement point and other enforcement points of the one or more networks (Fandli Pa. [0035-0036]) [the traffic filters 308 apply a set of filtering rules to traffic to or from a workload 138 associated with the enforcement module 132. The set of filtering rules may be organizing in a rule chain 312 comprising a set of rules that are applied sequentially to inbound and outbound data packets. For each filtering rule of the rule chain 312, a specified action is taken in response to data packet matching a specified set of criteria. Generally, the rules in the rule chain 312 are permissive rules that each specify a set of criteria that, if matched, allow the data packet to be passed to or from the workload 138. The set of criteria may include, for example, the source and destination network addresses and ports, protocols associated with the communication, and a connection state…The segmentation configuration module 302 receives the segmentation rules and membership information from the policy management server 120 and translates the segmentation rules from a high level of abstraction to a low level of abstraction to configure the rule chain 312 of the traffic filters 308 based on the segmentation policy].

It is noted that Fandli does not explicitly disclose wherein the policy includes one or more layer 4 rules and one or more layer 7 rules; and enforcing the one or more rules associated with the policy at the enforcement point.

However, Silverlock discloses wherein the policy includes one or more layer 4 rules and one or more layer 7 rules; and enforcing the one or more rules associated with the policy at the enforcement point (Silverlock Pa. [0015]) [cloud computing network enforces identity-based policies including one or more of the following: Domain Name System (DNS) filtering on DNS requests received from the zero trust SIM device; enforcing policies to control network-level traffic received from the zero trust SIM device (e.g., layer 3 and/or layer 4 policies); enforcing policies to control application-level traffic received from the zero trust SIM device (e.g., HTTP, other layer 7 traffic); enforcing policies to secure inbound traffic to private applications or services; and enforcing policies to enforce browser isolation sessions for traffic received from the zero trust SIM device].

Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Silverlock to the zero trust packet routing system of Fandli would have yielded predictable results and resulted in an improved system, namely, a system that would provide identity-based policy enforcement for SIM devices (Silverlock Pa. [0002]).

As to claim 3, the combination of Fandli and Silverlock teaches wherein the enforcement points comprise network virtualization devices (NVDs) that include smartNICs and virtual interfaces that include gateways (Silverlock Pa. [0053]) [one or more network interfaces 640 (e.g., a wired and/or wireless interfaces) that allows the data processing system 600 to transmit data and receive data from other computing devices, typically across one or more networks (e.g., Local Area Networks (LANs), the Internet, etc.).] Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Silverlock to the zero trust packet routing system of Fandli would have yielded predictable results and resulted in an improved system, namely, a system that would provide identity-based policy enforcement for SIM devices (Silverlock Pa. [0002]).

As to claim 4, Fandli teaches wherein enforcing the one or more rules comprises enforcing the one or more rules prior to a transmission of the packet to a next hop (Fandli Pa. [0020]) [Instead of enforcing the segmentation policy at a centralized device, the segmentation policy is instead enforced in a distributed manner by at least a subset of the hosts 130 and/or the network midpoint devices 180. To enable enforcement of the segmentation policy, the policy management server 120 generates a set of management instructions and distributes the management instructions to enforcement modules 132 that may be executed on the hosts 130 or on the network midpoint devices 180. The management instructions include the rules that when enforced, control communications between different groups of workloads 138 (e.g., specified by their label sets or directly by an identifier of the workload 138)].

As to claim 5, Fandli teaches further comprising preventing the packet from transmission to a next hop based on a failure of at least one of the one or more rules (Fandli Pa. [0003]) [enforcement policy instructions for causing the enforcement module to configure the one or more traffic filters with a default filtering rule to allow traffic associated with the first group of services that fails to meet any of the first set of filtering rules, and to block traffic associated with the second group of services that fails to meet any of the first set of filtering rules.]

As to claim 7, Fandli teaches further comprising distributing the one or more rules to the enforcement point and distributing other rules to other enforcement points within the one or more networks (Fandli Pa. [0041]) [The segmentation policy management module 420 furthermore distributes the rules relevant to services set to test or enforce states to the enforcement modules 132. For example, the segmentation policy management module 420 determines which segmentation rules are relevant to different enforcement modules 132 depending on the labels of the workloads 138 associated with each enforcement module 132 and distributes only relevant rules to each enforcement module 132].

As to claim 9, Fandli teaches wherein enforcing the one or more rules comprises generating an alert based on a failure of at least one of the rules (Fandli Pa. [0024]) [The policy management server 120 may generate alerts for observed traffic that is inconsistent with the segmentation policy and would be blocked if the segmentation policy was enforced].

As to claim 10, claim 10 recites limitations similar to those of claims 1 and 2; therefore, it is rejected under the same rationale.

As to claim 11, the combination of Fandli and Silverlock teaches wherein the enforcement points include network virtualization devices (NVDs) that include smartNICs and virtual interfaces that include gateways (Silverlock Pa. [0053]) [one or more network interfaces 640 (e.g., a wired and/or wireless interfaces) that allows the data processing system 600 to transmit data and receive data from other computing devices, typically across one or more networks (e.g., Local Area Networks (LANs), the Internet, etc.).], and wherein enforcing the rules includes performing layer 4 processing and layer 7 processing (Silverlock Pa. [0015]) [cloud computing network enforces identity-based policies including one or more of the following: Domain Name System (DNS) filtering on DNS requests received from the zero trust SIM device; enforcing policies to control network-level traffic received from the zero trust SIM device (e.g., layer 3 and/or layer 4 policies); enforcing policies to control application-level traffic received from the zero trust SIM device (e.g., HTTP, other layer 7 traffic); enforcing policies to secure inbound traffic to private applications or services; and enforcing policies to enforce browser isolation sessions for traffic received from the zero trust SIM device]. Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Silverlock to the zero trust packet routing system of Fandli would have yielded predictable results and resulted in an improved system, namely, a system that would provide identity-based policy enforcement for SIM devices (Silverlock Pa. [0002]).

As to claim 12, claim 12 recites limitations similar to those of claim 3; therefore, it is rejected under the same rationale.

As to claim 13, Fandli teaches wherein enforcing the rules comprises enforcing the rules prior to a transmission of a packet to a next hop (Fandli Pa. [0020]) [Instead of enforcing the segmentation policy at a centralized device, the segmentation policy is instead enforced in a distributed manner by at least a subset of the hosts 130 and/or the network midpoint devices 180. To enable enforcement of the segmentation policy, the policy management server 120 generates a set of management instructions and distributes the management instructions to enforcement modules 132 that may be executed on the hosts 130.]

As to claim 16, claim 16 recites limitations similar to those of claim 1; therefore, it is rejected under the same rationale.

As to claim 18, claim 18 recites limitations similar to those of claim 3; therefore, it is rejected under the same rationale.

Claims 2, 6, 8, 14-15, 17, 19-20 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Fandli U.S. Patent Application Publication No. 20210243158 A1 (hereinafter "Fandli"), in view of Silverlock 20240107294 A1, in further view of Fainberg US 20200007395 A1.

As to claim 2, Fainberg teaches further comprising: assigning unique Origin IDs to individual ones of the enforcement points (Fainberg Pa. [0071]) [The enforcement points may be one or more network devices (e.g., firewalls, routers, switches, hypervisor, SDN controller, virtual firewall, etc.) that are able to enforce rules, ACLs, or the like to control (e.g., allow or deny) communication and network traffic between the entity and one or more other entities communicatively coupled to a network. Note: obviously all of these network devices comprise network identifier that can be interpreted as “enforcement points ‘ID’”]; and associating the individual ones of the enforcement points with one or more tags (Fainberg Pa. [0073-0074]) [different enforcement actions can be applied based on each tag using multiple enforcement points-0078-allow determination of one or more tags and assigning actions based on the tags or one or more enforcement points, as described herein]. Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yielded predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002]).

As to claim 6, the combination of Fandli, Silverlock and Fainberg teaches further comprising: determining a source of the packet based, at least in part, on an Origin ID; determining a destination of the packet; and wherein enforcing the rules includes preventing the packet from transmission to a next stop based, at least in part, on one or more of the source or the destination (Fainberg Pa. [0882]) [the entity is based on at least a source and a destination of a communication of the entity. In some embodiments, the instructions may further cause the processing device to determine a zone for the entity based on the one or more tags.] Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yielded predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002]).

As to claim 8, the combination of Fandli, Silverlock and Fainberg teaches further comprising propagating one or more tags to the enforcement point (Fainberg Pa. [0073-0074]) [different enforcement actions can be applied based on each tag using multiple enforcement points-0078-allow determination of one or more tags and assigning actions based on the tags or one or more enforcement points, as described herein]. Thus, it would have been recognized by one of ordinary skill in the art before the effective filing date of the claimed invention, that applying the known technique taught by Fainberg to the zero trust packet routing system of Fandli and Silverlock would have yielded predictable results and resulted in an improved system, namely, a system for monitoring or securing a communication network in order to prevent unauthorized or rogue devices from accessing network resources (Fainberg Pa. [0002]).

As to claim 14, claim 14 recites limitations similar to those of claim 6; therefore, it is rejected under the same rationale.

As to claim 15, claim 15 recites limitations similar to those of claim 8; therefore, it is rejected under the same rationale.

As to claim 17, claim 17 recites limitations similar to those of claim 2; therefore, it is rejected under the same rationale.

As to claim 19, claim 18 recites limitations similar to those of claim 6; therefore, it is rejected under the same rationale.

As to claim 20, claim 20 recites limitations similar to those of claim 8; therefore, it is rejected under the same rationale.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to EVANS DESROSIERS whose telephone number is (571)270-5438. The examiner can normally be reached Monday - Friday 8:00 am - 5:30 pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amir Mehrmanesh, can be reached at (571)270-3351. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/EVANS DESROSIERS/
Primary Examiner, Art Unit 2491

Prosecution Timeline

Sep 12, 2024: Application Filed
Dec 12, 2025: Non-Final Rejection — §101, §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12596822
PROTECTION OF SECURE VIDEO CONTENT FROM MALICIOUS PROCESSING IN THE DISPLAY PIPELINE
2y 5m to grant Granted Apr 07, 2026
Patent 12592942
SESSION ANALYSIS FOR IDENTITY THREAT DETECTION AND IDENTITY SECURITY POSTURE MANAGEMENT
2y 5m to grant Granted Mar 31, 2026
Patent 12587860
METHOD AND SYSTEM FOR SECURED PAIRING FOR DATA COMMUNICATION BETWEEN AN EDGE NODE AND A BLUETOOTH DEVICE
2y 5m to grant Granted Mar 24, 2026
Patent 12587502
SERVER-INITIATED SECURE SESSIONS
2y 5m to grant Granted Mar 24, 2026
Patent 12587361
ENCRYPTION PROCESSING APPARATUS AND ENCRYPTION PROCESSING METHOD
2y 5m to grant Granted Mar 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 83%
With Interview: 99% (+23.0%)
Median Time to Grant: 3y 2m
PTA Risk: Low
Based on 1031 resolved cases by this examiner. Grant probability derived from career allow rate.
