AGENTLESS NETWORK MONITORING FOR NETWORK MANAGEMENT, INCLUDING THE RECOMMENDATION AND IMPLEMENTATION OF SECURITY POLICIES IN A MICROSEGMENTED NETWORK ENVIRONMENT

Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Priority This application claims a benefit of priority under 35 U.S.C. § 119 to Indian Provisional Patent Application No. 202441036062 filed on May 7, 2024, entitled “Policy Generation and Recommendation in Network Environments,” the entire contents of which are incorporated herein by reference in their entirety for all purposes. Examiner would like to note that Certified Copy of the internation application has not been received at the time of this Office Action. DETAILED ACTION This Office Action is in response to a Non-Provisional Patent Application received on 11/27/2023. In the application, claims 1-20 have been received for consideration and have been examined. Specification Applicant’s submitted specification has been reviewed and found to be in compliance. Drawings Applicant’s submitted drawings have been reviewed and found to be in compliance. Claim Rejections - 35 USC § 103 In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claim(s) 1, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Mate et al., (US20030056001A1) in view of Mittal et al., (US20210152473A1). Regarding claim 1, Mate discloses: A method for network management, comprising: determining a set of groups in a network, each of the set of groups comprising one or more endpoints in the network (Mate discloses classifying traffic flows based on source and destination addresses corresponding to endpoints in a network. Hardware tables inherently group endpoints for classification and forwarding; see Mate [0012] The present invention relates to a method and system for supporting a plurality of data flows in a router using a ternary content addressable memory (TCAM) in which the number of accesses to the TCAM is optimized to improve efficiency of updating and subsequent look up … During subsequent TCAM look-up of a predetermined prefix of an incoming packet the MPLS or IP-VPN flow will subsume any matching policy based routing flow, such as flows classified by an access control list or traffic manager flows; Fig. 2)); receiving at a traffic mapper (i.e., a flow classifier and flow manager) in a network, packets received at network infrastructure devices comprising the network and mirrored to the traffic mapper (Mate discloses receiving packets at network devices and extracting header fields for classification; see [0030] Data plane 13 which can be implemented in hardware is comprised of flow classifier 20, IP forwarder 21 and label forwarder 22. IP traffic and IP control traffic 23 is received at flow classifier 20. Flow classifier 20 interacts with flow manager 15 and flow core control 17 for classifying and routing IP traffic and IP control traffic 23 and applying destination routes through label forwarder 22, in the case of MPLS flows, or IP forwarder 21 in the case of non-MPLS flows; [0035] In an embodiment of the present invention, an array of pointers and prefix trees are used to store MPLS and IP-VPN flows in flow index space 38, as shown in FIGS. 4A and 4B. Flows which are classified by connection index CIX and destination IP address (DA) fields of the packet header, are stored in CIX prefix tree 40. Each connection index (CIX1-CIX16K) is associated with node 41 a-41 n of prefix tree 40. A destination IP address based lookup is performed to find the longest match of a prefix stored in a respective node 41 a-41 n); determining, at the traffic mapper, a traffic map comprising a set of sessions observed in the network, wherein each of the set of sessions includes a source endpoint and a destination endpoint in the network ([0037-0042] Mate discloses flow tables store combinations of source/destination address information, which inherently represent sessions between communicating endpoints). Mate fails to disclose: determining a set of group based sessions based on the set of sessions in the traffic map and the set of groups, each group based session including a source group determined from the set of groups or a destination group determined from the set of groups and wherein each group based session summarizes each of the set of sessions of the traffic map observed in the network between one or more members of the source group of that group based session and one or more members of the destination group of that group based session; determining a set of group based security rules based on the set of group based sessions, wherein each of the group based security rules is based on a corresponding group based session of the set of group based sessions and includes the source group of the corresponding group based session, the destination group of the corresponding group based session, and an action; and transmitting the set of group based security rules to the network infrastructure devices for installation to enforce the set of group based security rules at the network infrastructure devices. However, Mittal discloses: determining a set of group based sessions based on the set of sessions in the traffic map and the set of groups, each group based session including a source group determined from the set of groups or a destination group determined from the set of groups and wherein each group based session summarizes each of the set of sessions of the traffic map observed in the network between one or more members of the source group of that group based session and one or more members of the destination group of that group based session ([0047] In one embodiment of the invention, the source group (202) may refer to a classification assigned to the origination end point of a network traffic flow. The origination end point may be a physical or virtual source (e.g., a host, a virtual machine, etc.) of the network traffic flow. Further, the destination group (204) may refer to a classification assigned to the termination end point of the network traffic flow, where the termination end point may be a physical or virtual destination (e.g., a host, a virtual machine, etc.) for the network traffic flow. Both the source group (202) and the destination group (204) may be determined through lookups performed on one or more group tables (see e.g., FIGS. 2C and 2D); [0053] While FIG. 2C shows a configuration of data items (i.e., IP address (224) and subnet mask (226)), which map to group numbers (228), other data item configurations, including additional or alternative data items that map to group numbers (228), may be used without departing from the scope of the invention; [0056] While FIG. 2D shows a configuration of data items (i.e., MAC address (230)), which map to group numbers (228), other data item configurations, including additional or alternative data items that map to group numbers (228), may be used without departing from the scope of the invention); determining a set of group based security rules based on the set of group based sessions, wherein each of the group based security rules is based on a corresponding group based session of the set of group based sessions and includes the source group of the corresponding group based session, the destination group of the corresponding group based session, and an action ([0048] FIG. 2B shows a priority policy in accordance with one or more embodiments of the invention. A priority policy (210) may be a traffic management rule for handling certain, defined network traffic flows. A priority policy (210) may refer to a traffic management rule that may supersede any service policy (200) should the same network traffic flow be defined by both the priority policy (210) and the service policy (200); [0051] FIG. 2C shows a group table in accordance with one or more embodiments of the invention. The group table (220A) may refer to a data object or structure for storing bindings relating network layer (i.e., layer-3 (L3)) information to traffic flow group classifications. These bindings may be tracked in the form of one or more group table entries (222A-222N). Further, each group table entry (222A-222N) may specify an Internet Protocol (IP) address (224), a subnet mask (226), and a group number (228); [0094] In another embodiment of the invention, if it is alternatively determined that the traffic flow instruction(s) specify instructions other than the redirection of the defined network traffic flow to a service device, then the process may alternatively proceed to Step 560 (see e.g., FIG. 5A); [0095] On the other hand, if it is alternatively determined that the traffic flow instruction(s) specify a discarding action, then the process may alternatively proceed to Step 562. In Step 562, after determining (in Step 560) that the traffic flow instruction(s) (obtained in Step 530) specify a discarding action, the unicast MAC frame (received in Step 500) is dropped); and transmitting the set of group based security rules to the network infrastructure devices for installation to enforce the set of group based security rules at the network infrastructure devices ([0057] FIG. 2E shows a ternary content addressable memory (TCAM) in accordance with one or more embodiments of the invention … Each feature TCAM slice (242A-242N) reserves a subset of the TCAM (240) for the allocation of bindings significant to a particular feature configured onto a network element, where each binding may result from the installment of a service policy (see e.g., FIG. 2A), a priority policy (see e.g., FIG. 2B), or any other policy onto the network element). It would have been obvious to an ordinary skill in the art at the time of the invention to combine the teachings of Mate and Mittal as they all relate to traffic classification, session/flow identification, and enforcement of security policies in network infrastructure. The motivation to use aggregated groups and enforcement of action rules in a routine manner is to automate of the process, by retrieving service policies and instrumenting a forwarding mechanism, applications and hosts may be deployed independent of security constraints. Regarding claim 18, it is a system claim and recites similar subject matter as claim 1 and therefore rejected under similar ground of rejection. Claim(s) 1-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mate et al., (US20030056001A1) in view of Mittal et al., (US20210152473A1) and further in view of Ravi et al., (US20230179571A1). Regarding claim 2, the combination of Mate and Mittal fail to disclose: The method of claim 1, further comprising presenting the set of group based security rules to a user as a set of rule recommendations. However, Ravi discloses: presenting the set of group based security rules to a user as a set of rule recommendations ([0017] FIG. 3 conceptually illustrates a process of some embodiments for providing recommendations for an existing security policy that is implemented in a network; [0039] The rule modification recommendation engine 131 is one example of such a data processing engine. Upon request from a user (and specification of a particular application for which to perform analysis), the rule modification engine 131 identifies flows sent to, from, or between DCNs of the application that are not matched by existing security policy rules for the application; [0040] The visualization engine 132 of some embodiments generates a graphical user interface through which an administrator can interact with and control the analysis appliance 100. In some embodiments, input to the rule modification recommendation engine 131 is provided by a user (e.g., a security administrator) through the visualization engine; [0062] FIG. 3 conceptually illustrates a process 300 of some embodiments for providing recommendations for an existing security policy that is implemented in a network; [0077] Once all of the rules have been analyzed, the process 300 provides (at 355) recommended modifications (e.g., modified and new rules, new groups of compute machines) to the policy, and ends). It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention and modify Mate in view of Mittal and include a network analysis appliance that automatically updates (or automatically provides recommendations for updating) an existing security policy (e.g., a set of firewall rules) implemented in a network based on observed flows, while respecting the rules in the existing policy, as disclosed by Ravi. The motivation to include the system which provides recommendations to existing security policies to the administrator is to enhance an optimal set of groups to add to the source and/or destination match conditions (Ravi: [0010]). Regarding claim 3, the combination of Mate, Mittal and Ravi discloses: The method of claim 2, wherein the action of the set of group based security rules comprises a permit action (Ravi: [0003-0004]). Regarding claim 4, the combination of Mate, Mittal and Ravi discloses: The method of claim 1, wherein each of the set of sessions, set of group based sessions, and group based security rules is associated with a service such that each group based session summarizes each of the set of sessions occurring between one or more members of the source group and one or more members of the destination group according to the service (Mittal: [0041-0042]). Regarding claim 5, the combination of Mate, Mittal and Ravi discloses: The method of claim 4, wherein mirrored packets are determined based on a monitoring rule installed at the network infrastructure devices (Ravi: [0028] & [0050]). Regarding claim 6, the combination of Mate, Mittal and Ravi discloses: The method of claim 5, wherein the monitoring rule specifies any source and any destination and any service (Ravi: [0025]). Regarding claim 7, the combination of Mate, Mittal and Ravi discloses: The method of claim 6, wherein the monitoring rule specifies a location of the traffic mapper in the network (Mate: [0030]). Regarding claim 8, the combination of Mate, Mittal and Ravi discloses: The method of claim 5, wherein the monitoring rule is a last monitoring rule specifying an action of drop and monitor (Ravi: [0049]). Regarding claim 9, the combination of Mate, Mittal and Ravi discloses: The method of claim 5, wherein the monitoring rule is an initial monitoring rule specifying an action of monitor (Ravi: [0049]). Regarding claim 10, the combination of Mate, Mittal and Ravi discloses: The method of claim 1, wherein the set of group based security rules are installed in a ternary content addressable memory (TCAM) at the network infrastructure device (Mittal: [0057]). Regarding claim 11, the combination of Mate, Mittal and Ravi discloses: The method of claim 10, wherein each of the set of group based security rules is installed in the TCAM as a corresponding tag based rules, each tag based rule comprising a source tag representing the source group of the corresponding group based security rule or a destination tag representing the destination group of the corresponding group based security rule (Mittal: [0060-0061]). Regarding claim 12, Mate discloses: A network management system, comprising: a traffic mapper, comprising a processor, wherein the traffic mapper is adapted to: receive packets mirrored to the traffic mapper from network infrastructure devices comprising a network (Mate discloses receiving packets at network devices and extracting header fields for classification; see [0030] Data plane 13 which can be implemented in hardware is comprised of flow classifier 20, IP forwarder 21 and label forwarder 22. IP traffic and IP control traffic 23 is received at flow classifier 20. Flow classifier 20 interacts with flow manager 15 and flow core control 17 for classifying and routing IP traffic and IP control traffic 23 and applying destination routes through label forwarder 22, in the case of MPLS flows, or IP forwarder 21 in the case of non-MPLS flows; [0035] In an embodiment of the present invention, an array of pointers and prefix trees are used to store MPLS and IP-VPN flows in flow index space 38, as shown in FIGS. 4A and 4B. Flows which are classified by connection index CIX and destination IP address (DA) fields of the packet header, are stored in CIX prefix tree 40. Each connection index (CIX1-CIX16K) is associated with node 41 a-41 n of prefix tree 40. A destination IP address based lookup is performed to find the longest match of a prefix stored in a respective node 41 a-41 n); and determine a traffic map comprising a set of sessions observed in the network, wherein each of the set of sessions includes a source endpoint, a destination endpoint in the network and a service ([0037-0042] Mate discloses flow tables store combinations of source/destination address information, which inherently represent sessions between communicating endpoints). Mate fails to disclose: a central network manager, comprising: a data store including a definition of a set of groups in a network, each of the set of groups comprising one or more endpoints in the network; determining a set of group based sessions based on the set of sessions in the traffic map and the set of groups, each group based session including a source group determined from the set of groups or a destination group determined from the set of groups and wherein each group based session summarizes each of the set of sessions of the traffic map observed in the network between one or more members of the source group of that group based session and one or more members of the destination group of that group based session according to the service; determining a set of group based security rules based on the set of group based sessions, wherein each of the first group based security rules is based on a corresponding group based session of the set of group based session and includes the source group of the corresponding group based session, the destination group of the corresponding group based session, and an action; presenting the set of group based security rules as rule recommendations to a user; and installing the set of group based security rules on the network infrastructure devices to enforce the set of group based security rules at the network infrastructure devices. However, Mittal discloses: a central network manager, comprising: a data store including a definition of a set of groups in a network, each of the set of groups comprising one or more endpoints in the network ([0033] FIG. 1 shows a system in accordance with one or more embodiments of the invention. The system (100) may include multiple network elements (106A-106N) operatively connected to one another and a control plane service (CPS) (102) through a layer-3 (L3) fabric (104). Further, each network element (106A-106N) may be directly-connected to one or more hosts (110A-110N)); determining a set of group based sessions based on the set of sessions in the traffic map and the set of groups, each group based session including a source group determined from the set of groups or a destination group determined from the set of groups and wherein each group based session summarizes each of the set of sessions of the traffic map observed in the network between one or more members of the source group of that group based session and one or more members of the destination group of that group based session according to the service [0047] In one embodiment of the invention, the source group (202) may refer to a classification assigned to the origination end point of a network traffic flow. The origination end point may be a physical or virtual source (e.g., a host, a virtual machine, etc.) of the network traffic flow. Further, the destination group (204) may refer to a classification assigned to the termination end point of the network traffic flow, where the termination end point may be a physical or virtual destination (e.g., a host, a virtual machine, etc.) for the network traffic flow. Both the source group (202) and the destination group (204) may be determined through lookups performed on one or more group tables (see e.g., FIGS. 2C and 2D); [0053] While FIG. 2C shows a configuration of data items (i.e., IP address (224) and subnet mask (226)), which map to group numbers (228), other data item configurations, including additional or alternative data items that map to group numbers (228), may be used without departing from the scope of the invention; [0056] While FIG. 2D shows a configuration of data items (i.e., MAC address (230)), which map to group numbers (228), other data item configurations, including additional or alternative data items that map to group numbers (228), may be used without departing from the scope of the invention); determining a set of group based security rules based on the set of group based sessions, wherein each of the group based security rules is based on a corresponding group based session of the set of group based sessions and includes the source group of the corresponding group based session, the destination group of the corresponding group based session, and an action ([0048] FIG. 2B shows a priority policy in accordance with one or more embodiments of the invention. A priority policy (210) may be a traffic management rule for handling certain, defined network traffic flows. A priority policy (210) may refer to a traffic management rule that may supersede any service policy (200) should the same network traffic flow be defined by both the priority policy (210) and the service policy (200); [0094] In another embodiment of the invention, if it is alternatively determined that the traffic flow instruction(s) specify instructions other than the redirection of the defined network traffic flow to a service device, then the process may alternatively proceed to Step 560 (see e.g., FIG. 5A); [0095] On the other hand, if it is alternatively determined that the traffic flow instruction(s) specify a discarding action, then the process may alternatively proceed to Step 562. In Step 562, after determining (in Step 560) that the traffic flow instruction(s) (obtained in Step 530) specify a discarding action, the unicast MAC frame (received in Step 500) is dropped). It would have been obvious to an ordinary skill in the art at the time of the invention to combine the teachings of Mate and Mittal as they all relate to traffic classification, session/flow identification, and enforcement of security policies in network infrastructure. The motivation to use aggregated groups and enforcement of action rules in a routine manner is to automate of the process, by retrieving service policies and instrumenting a forwarding mechanism, applications and hosts may be deployed independent of security constraints. The combination of Mate and Mittal fails to disclose: presenting the set of group based security rules as rule recommendations to a user; and installing the set of group based security rules on the network infrastructure devices to enforce the set of group based security rules at the network infrastructure devices. However, Ravi discloses: presenting the set of group based security rules as rule recommendations to a user; and installing the set of group based security rules on the network infrastructure devices to enforce the set of group based security rules at the network infrastructure devices ([0017] FIG. 3 conceptually illustrates a process of some embodiments for providing recommendations for an existing security policy that is implemented in a network; [0039] The rule modification recommendation engine 131 is one example of such a data processing engine. Upon request from a user (and specification of a particular application for which to perform analysis), the rule modification engine 131 identifies flows sent to, from, or between DCNs of the application that are not matched by existing security policy rules for the application; [0040] The visualization engine 132 of some embodiments generates a graphical user interface through which an administrator can interact with and control the analysis appliance 100. In some embodiments, input to the rule modification recommendation engine 131 is provided by a user (e.g., a security administrator) through the visualization engine; [0062] FIG. 3 conceptually illustrates a process 300 of some embodiments for providing recommendations for an existing security policy that is implemented in a network; [0077] Once all of the rules have been analyzed, the process 300 provides (at 355) recommended modifications (e.g., modified and new rules, new groups of compute machines) to the policy, and ends). It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention and modify Mate in view of Mittal and include a network analysis appliance that automatically updates (or automatically provides recommendations for updating) an existing security policy (e.g., a set of firewall rules) implemented in a network based on observed flows, while respecting the rules in the existing policy, as disclosed by Ravi. The motivation to include the system which provides recommendations to existing security policies to the administrator is to enhance an optimal set of groups to add to the source and/or destination match conditions (Ravi: [0010]). Regarding claim 13, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 12, wherein the action comprises a permit action (Ravi: [0025]). Regarding claim 14, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 12, wherein the central network manager is adapted to install a monitoring rule at the network infrastructure devices, wherein packets are mirrored to the traffic mapper based on the monitoring rule (Ravi: [0028] & [0050]). Regarding claim 15, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 14, wherein the monitoring rule specifies any source and any destination and any service (Ravi: [0025]). Regarding claim 16, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 14, wherein the monitoring rule specifies a location of the traffic mapper in the network (Mate: [0030]). Regarding claim 17, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 14, wherein the monitoring rule is a last monitoring rule specifying an action of drop and monitor or an initial monitoring rule specifying an action of monitor (Ravi: [0049]). Regarding claim 19, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 18, wherein the network infrastructure device comprises a ternary content addressable memory (TCAM) and the network infrastructure device is adapted to install the set of group based rules in the TCAM (Mittal: [0057-0058). Regarding claim 20, the combination of Mate, Mittal and Ravi discloses: The network management system of claim 19, wherein the network infrastructure device is adapted to install each of the set of group based rules in the TCAM as a corresponding tag based rules using tags determined based on the definition of the set of groups (Mittal: [0061] & [0073]). Conclusion Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William Korzuch can be reached at 571-272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /SYED M AHSAN/Primary Examiner, Art Unit 2491