Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used.
A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 2 and 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 37, 44 and 51 of U.S. Patent No. 11,777,993.
Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the present application are anticipated by the claims of the parent patent, USPN 11,777,993. For example, claim 2 of the present application and corresponding claim 37 of the parent is compared below.
USPN 11,777,993 – Claim 37
Application 19/006,088 – Claim 2
A system for providing cloud-based network security, the system including: a cloud access security broker (CASB) component that runs on cloud-based hardware and is configured for providing security with respect to access to a cloud-based resource by users within an organization, via processing of one or more received packets being communicated between said users of said organization and said cloud-based resource in a particular stream, in compliance with a unified security policy; a secure web gateway (SWG) component that runs on the cloud-based hardware and is configured for providing security with respect to access to a web accessible destination by said users within an organization, via processing of one or more received packets being communicated between said users of said organization and said web accessible destination ,in compliance with the unified security policy;
a set of firewall components that run on the cloud-based hardware and are configured for providing packet-level and protocol-level traffic inspection and access control, with respect to received packets;
a router component that runs on the cloud-based hardware and is configured for routing each packet of said received packets, to each of said components as may apply to said each packet, said components including said cloud access security broker (CASB) component, said secure web gateway (SWG) component and said firewall components, and wherein said router component is further configured for routing received packets for processing to said firewall components prior to routing said received packets for processing by either of said cloud access security broker (CASB) component and secure web gateway (SWG) component, and for selectively forwarding said received packets to the CASB and SWG dependent on a type of stream to which said received packets belong; and
a restrictive state analyzer that runs on the cloud-based hardware and is configured to be in communication with each of said components, and that is configured for determining if and what action should be performed with respect to said each packet, in response to said communication with at least one of said components, in compliance with the unified security policy.
A computer-implemented policy application device for a cloud-based security system that manages packet routing through cloud-based unified components of a cloud access security broker (CASB) component, a secure web gateway (SWG) component, and firewall components, which run on cloud-based hardware, according to a unified security policy, wherein the CASB processes packets exchanged between users and cloud-based resources, the SWG handles access to web accessible destinations, and the firewall components provide packet-level and protocol-level traffic inspection and access control, the policy application device including:
a computing processor that runs on the cloud-based hardware;
a router component, running on the computing processor, configured for routing each packet of streams of received packets to the components including the CASB, the SWG, and the firewall components and is configured for selectively forwarding the received packets to the CASB and SWG dependent on a type of stream to which the received packets belong;
a restrictive state analyzer, running on the computing processor and is configured to be in communication with each of the components, and is configured for determining if and what action should be performed with respect to the each packet, in response to the communication with at least one of the components, in compliance with the unified security policy.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2-10, 12-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gobena et al (“Gobena” US 2022/0103597 A1), published on March 31, 2022 in view of Reisbick (US 2021/0329062 A1), published on October 21, 2021 in further view of Mushtaq et al (“Mushtaq” US 9,430,646 B1), published on August 30, 2016.
As to claim 2, Gobena teaches “A computer-implemented policy application device for a cloud-based security system that manages packet routing through cloud-based unified components of a cloud access security broker (CASB) component, a secure web gateway (SWG) component, and firewall components, which run on cloud-based hardware, according to a unified security policy” in par. 0026, figure 1 (“FIG. 1 illustrates a system-architecture diagram 100 of an example secure access service edge (SASE) network optimization controller (NOC) (herein referred to as a SNOC) 102, according to an example of the principles described herein. A SASE 104 may include hardware and software that provide network security functions including, for example, a domain name system (DNS) layer security 106 service, a secure web gateway (SWG) 108 service, firewall 110 service, a cloud access security broker (CASB) 112 service, and an interactive threat intelligence (ITI) 114 service, among other network and security services”).
Gobena teaches “wherein the CASB processes packets exchanged between users and cloud-based resources” in par. 0031 (“…A CASB 112 may be any on-premises or cloud-based software that sits between cloud service users and cloud applications and monitors all activity and enforces security policies…”).
Gobena teaches “the SWG handles access to web accessible destinations, and the firewall components provide packet-level and protocol-level traffic inspection and access control” in par. 0029 (“…The SWG 108 service provides, for example, safe internet access to users who do not use a corporate networks or virtual private networks (VPNs) to connect to remote data centers …”), and par. 0049 (“…it may be determined that the destination IP address is a malicious IP address … further inspection on the traffic if it is determined to be communicating on port 80/443…”. Noting that “destination IP address” corresponding packet-level inspection, and further inspection on a specific port corresponding to protocol-level traffic inspection and access control).
Gobena teaches “the policy application device including: a computing processor that runs on the cloud-based hardware” in figure 1 (policy configuration 116, policies 118).
Gobena teaches “a router component, running on the computing processor, configured for routing each packet of streams of received packets to the components including the CASB, the SWG, the firewall components” in figure 1, paragraphs [0060-0061] (router component to route messages to SASE including firewall, CASB and SWG).
It appears Gobena does not explicitly teach “is configured for selectively forwarding the received packets to the CASB and SWG dependent on a type of stream to which the received packets belong”.
However, Reisbick teaches “is configured for selectively forwarding the received packets to the CASB and SWG dependent on a type of stream to which the received packets belong” in par. 0028 (“…The router 125 can pass the input device data streams 113 (or appropriate data parsed from those streams) to mapping subsystem 140 components, such as the customer mapper 145 and the tier processor 150, thereby associating the input device data streams 113 with rule-based routing tiers…”. Noting that the router 125 forwards receiving data streams to proper components according to rule-based routing).
Gobena and Reisbick are analogous art because they are in the same field of endeavor, data streaming applications. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claim invention to route receiving data streams (as disclosed by Gobena) including “is configured for selectively forwarding the received packets to the CASB and SWG dependent on a type of stream to which the received packets belong”, as suggested by Reisbick in order to route data streams to a predefined components based on rules (see Reisbick par. 0028).
It appears Gobena and Reisbick do not explicitly teach “a restrictive state analyzer, running on the computing processor and is configured to be in communication with each of the components, and is configured for determining if and what action should be performed with respect to the each packet, in response to the communication with at least one of the components, in compliance with the unified security policy”.
However, Mushtaq teaches “a restrictive state analyzer, running on the computing processor and is configured to be in communication with each of the components, and is configured for determining if and what action should be performed with respect to the each packet, in response to the communication with at least one of the components, in compliance with the unified security policy” in col. 9: 3-18 (“…The deep packet inspection logic 176 analyses the packet headers of captured packets for anomalies or other evidence indicating the packets may constitute malware. The deep packet inspection 176 may include protocol anomaly matching, as described elsewhere herein. In some embodiments, if the deep packet inspection logic 176 does not detect any anomalies (or, in some embodiments, only de minimus or minor ones), the packet may be dropped from further analysis…”).
Gobena, Reisbick and Mushtaq are analogous art because they are in the same field of endeavor, data streaming applications. It would have been obvious to one of ordinary skill in the art before the effective filling date of the claim invention to route receiving data streams (as disclosed by Gobena) including “a restrictive state analyzer, running on the computing processor and is configured to be in communication with each of the components, and is configured for determining if and what action should be performed with respect to the each packet, in response to the communication with at least one of the components, in compliance with the unified security policy” in order to alert when malware is confirmed (see Mushtaq col. 9).
As to claim 12, it is rejected for similar reason as claim 2.
As to claim 3, Mushtaq teaches “the restrictive state analyzer is configured for determining if and what action should be taken is in dependence on a packet state, a malicious signature state, a threat destination state, and compromise state, respectively as first, second, third, and fourth restrictive states” in col. 9: 43-50 (malicious signature state), col. 4: 55-60 (compromise state), col. 5: 42-67 (threat destination state).
As to claim 13, it is rejected for similar reason as claim 3.
As to claim 4, Mushtaq teaches “wherein at least one of the firewall components is configured to set the first restrictive state in dependence on determining whether the packets are well-formed or malformed and whether the packets are inspectable” in col. 9: 3-18 (packet inspection for anomalies).
As to claim 14, it is rejected for similar reason as claim 4.
As to claim 5, Mushtaq teaches “wherein at least one of the firewall components is configured to set the second restrictive state in dependence on whether the packets contain a malicious signature” in col. 9: 45-50 (the second stage filter logic to set a malicious signature).
As to claim 15, it is rejected for similar reason as claim 5.
As to claim 6, Mushtaq teaches “wherein the SWG component is configured to set the third restrictive state in dependence on whether the packets are part of an HTTP/S stream seeking access to a cloud application and whether the packets are directed to a threat destination” in col. 5: 15-25 (to find suspicious anomalies).
As to claim 16, it is rejected for similar reason as claim 6.
As to claim 7, Gobena teaches “wherein the CASB is configured to set the fourth restrictive state in dependence on the packets are directed to a cloud app and whether content-containing activity is compromising or not” in par. 0050 (“…The policy configurations may then be used to ensure that both performance and security of the client device is not entirely compromised…”).
As to claim 17, it is rejected for similar reason as claim 7.
As to claim 8, Mushtaq teaches “wherein the restrictive state analyzer is further configured to take one or more restrictive steps, in dependence on whether any of the first, second, third, or fourth restrictive states have been set, wherein restrictive steps include of blocking packets, alerting of restrictions, bypassing, encrypting, and coaching” in col. 13: 49-53 (“…the local analyzer 200 may issue an alert to the effect that the correspond communication contains a callback, and may declare the presence of malware (e.g., a bot) in the computer device that initiated the communication (source)…”).
As to claim 18, it is rejected for similar reason as claim 8.
As to claim 9, Mushtaq teaches “wherein the router component is configured to route packets to the SWG when the packets are part of an HTTP/S stream” in col. 6: 10-20 (HTTP protocol for web page interaction corresponding to the SWG (secure web gateway)).
As to claim 19, it is rejected for similar reason as claim 9.
As to claim 10, Mushtaq teaches “wherein the router component is configured to route packets to the CASB when the packets are seeking access to a Software as a Service application” in col. 8: 21-25 (“One embodiment of the invention takes advantage of “software as a service” (“SaaS”) principles of business, in which the central analyzer 110 may be a cloud-based server providing services to one or more service subscribers…”).
As to claim 20, it is rejected for similar reason as claim 10.
Allowable Subject Matter
Claims 11 and 21 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicants’ disclosure:
. Vivekanandan (US 2021/0258348 A1)
. Sarukkai et al (US 11089064 B1)
. HINES et al (US 2021/0120013 A1)
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Loc Tran whose telephone number is 571-272-8485. The examiner can normally be reached on Mon-Fri. 7:30am-5pm; First Fri Off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Amy Ng can be reached on (571)-270-1698. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LOC TRAN/
Primary Examiner, Art Unit 2164