Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 10/21/2020 has been entered.
Claims 1-20 are pending.


Response to Arguments
Applicant’s arguments received 4/27/2020 are addressed as follows:
Regarding claims 1, 4 and 20, Applicant argues the cited prior art fails to teach: "receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility outside the subnet, wherein address information in the subnet for the one of the endpoints is unavailable to the threat management facility" and "directing one or more of the plurality of endpoints on the subnet that are managed by the threat management facility to stop network communications on the subnet with the . 
The aforementioned limitations are being addressed in the present Office Action.


Information Disclosure Statement
The information disclosure statements (IDS) submitted 11/4/2020 and 1/6/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. Claims 1, 4 and 20 and their respective dependent claims recite “address information ... for the one of the endpoints is unavailable ...”; there is no antecedent basis for “the one of the endpoints”, rendering the claim indefinite. For examination purposes, the limitation will be considered to be “the compromised one of the endpoints”. Correction is kindly requested.
Additionally, claim 3 recites “the plurality of heartbeats”, which lacks antecedent basis. For examination purposes, the limitation will be considered to be “a plurality of heartbeats”. Correction is kindly requested.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-9 and 14-20 are rejected under 35 USC 103 as being unpatentable over US 9641434 to Laurence, hereinafter Laurence, in view of US 20150312266 to Thomas, hereinafter Thomas, and further in view of US 20090031423 to Liu et al., hereinafter Liu.

Regarding claim 1, Laurence discloses
A computer program product comprising computer executable code embodied on a non-transitory computer readable medium that (col. 20, lines 30-52), when executing on one or more processors of a network translation device that couples a subnet including a plurality of endpoints to an enterprise network (Fig. 1: border device couples to private network comprising endpoints 110, the private , causes the network translation device to perform the steps of: translating address information between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet (the border device translates outgoing packets from the local network from IPv4 addresses to IPv6 addresses (col. 3, lines 20-42, Fig. 2A, Fig. 3));
Laurence discloses that performing the address translations hides the endpoint addresses in the private network, rendering DoS attacks impractical (col. 5, lines 1-14), but does not explicitly teach receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility outside the subnet; in response to the notification, blocking traffic between the compromised one of the plurality of endpoints and the enterprise network outside the subnet.
In an analogous art, Thomas discloses a firewall or a gateway at the entry point of the enterprise network, communicating with a threat facility (Fig. 1). Thomas teaches receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility outside the subnet ([0036]: the threat facility external to the enterprise network (Fig. 1) sends a notification of violation to the administration facility of the enterprise network (via the gateway or firewall which is the point of entry to the enterprise network ([0046])); the violation can be a determination of malicious code within a file or application in an endpoint ([0030])); in response to the notification, blocking traffic between the compromised one of the plurality of endpoints and the enterprise network outside the subnet ([0036]: terminate the application, place the endpoint in isolation ... [0036]), one or more of the plurality of endpoints on the subnet that are managed by the threat management facility ([0067], [0073]). It would have been obvious to a skilled artisan before the effective filing date of the present application to receive notifications of compromise from an outside facility that manages the enterprise and block traffic as taught by Thomas to achieve the claim, because using a detection/management facility external to the enterprise network would relieve the enterprise network from performing such detection/management and let it focus on enterprise operations, optimizing the computing resources within the enterprise. The combined teachings of Laurence and Thomas teach: wherein address information in the subnet for the one of the endpoints is unavailable to the threat management facility (it would have been obvious to the skilled artisan to include the threat facility of Thomas in the external network of Laurence (Fig. 1), the threat facility/external network not being privy to the private addresses of endpoints in the enterprise network (col. 5, lines 1-14; col. 6, lines 30-43); one would have been motivated to combine the teachings because it would enhance protection of the enterprise network, which uses private addresses only).
Laurence in view of Thomas does not teach directing one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints to stop network communications on the subnet with the compromised one of the plurality of endpoints while maintaining network communications on the subnet with other endpoints. In an analogous art, Liu discloses a worm containment method for an enterprise network that can be seamlessly integrated with existing worm scan filtering (Abstract); a PWC manager receives notification of an infected host from an agent running on the infected host and propagates the notification 
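The guard-device behaviour the examiner maps onto claim 1 (prefix translation at the subnet edge, a compromise notification from outside that carries only the external address because the private address is unavailable to the threat facility, blocking the compromised endpoint's traffic toward the enterprise side, and directing managed peers to stop subnet communication with it) as an added Python model; this is not code from the application or from Laurence, Thomas or Liu, and the IPv4-in-IPv6 /96 embedding, the prefixes and the endpoints are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


@dataclass
class Endpoint:
    """Endpoint on the subnet; 'managed' means the outside threat facility controls it."""
    private: IPv4Address
    managed: bool
    blocked_peers: set = field(default_factory=set)  # subnet peers it was told to ignore

    def accepts_from(self, peer: IPv4Address) -> bool:
        # Subnet-local traffic never crosses the guard, so containment of lateral
        # traffic can only be enforced by the endpoint itself.
        return peer not in self.blocked_peers


class GuardDevice:
    """NAT device between a private IPv4 subnet and an IPv6 enterprise prefix."""

    def __init__(self, inner: IPv4Network, outer: IPv6Network):
        assert outer.prefixlen == 96  # the 32 IPv4 host bits fit below a /96 (assumed scheme)
        self.inner, self.outer = inner, outer
        self.endpoints: dict[IPv4Address, Endpoint] = {}
        self.quarantined: set[IPv4Address] = set()

    def add(self, ep: Endpoint) -> None:
        assert ep.private in self.inner
        self.endpoints[ep.private] = ep

    def translate_out(self, private: IPv4Address) -> IPv6Address:
        return IPv6Address(int(self.outer.network_address) + int(private))

    def translate_in(self, external: IPv6Address) -> IPv4Address:
        assert external in self.outer
        return IPv4Address(int(external) - int(self.outer.network_address))

    def handle_notification(self, external_address: str) -> IPv4Address:
        """The outside facility names only the translated (external) address; the
        guard resolves it, blocks the endpoint's enterprise traffic, and directs
        every managed peer to drop subnet traffic with it."""
        victim = self.translate_in(IPv6Address(external_address))
        self.quarantined.add(victim)
        for ep in self.endpoints.values():
            if ep.managed and ep.private != victim:
                ep.blocked_peers.add(victim)
        return victim

    def forwards(self, private_src: IPv4Address) -> bool:
        """Whether subnet-to-enterprise traffic from private_src is still translated."""
        return private_src in self.endpoints and private_src not in self.quarantined


def demo() -> GuardDevice:
    """Constructed subnet: two managed endpoints (.10, .20) and one unmanaged (.30)."""
    g = GuardDevice(IPv4Network("10.0.1.0/24"), IPv6Network("2001:db8:1::/96"))
    for host, managed in ((10, True), (20, True), (30, False)):
        g.add(Endpoint(IPv4Address(f"10.0.1.{host}"), managed))
    return g
```

Note that the unmanaged endpoint keeps talking to the compromised one: the claim's "directing" step only reaches endpoints the threat facility manages, so coverage of the subnet is the practical limit of this containment.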

Regarding claim 2, Laurence in view of Thomas and Liu discloses the computer program product of claim 1 wherein the detection of the compromised one of the plurality of endpoints is based on an omission of an expected heartbeat from the compromised one of the plurality of endpoints (Thomas teaches the gateway monitoring the heartbeat of endpoints (Fig. 4, 404, [0077]) included in the enterprise network (Fig. 2, [0054]); the monitoring detects interruption of a heartbeat ([0078])). It would have been obvious to a skilled artisan before the effective filing date of the application to associate the compromised endpoint with an omission of the heartbeat as taught by Thomas, because the heartbeat is a reflection of the overall health of an endpoint ([0058], [0063]), and an omission of the heartbeat may need to be remedied by the threat facility ([0079]) managing the enterprise.

Regarding claim 3, Laurence in view of Thomas and Liu discloses the computer program product of claim 1 wherein the detection of the compromised one of the plurality of endpoints is based on an error in content of a heartbeat from the compromised one of the plurality of heartbeats (Thomas,[0078]: error in the periodic signal, a malformed packet; see motivation to combine in claim 3).  

Regarding claim 4, the claim recites a subset of limitations in claim 1, all taught by the combined teachings of Laurence, Thomas and Liu, as presented in claim 1.

Regarding claim 5, Laurence in view of Thomas and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes receiving a notification from the compromised one of the plurality of endpoints (Liu, [0037][0038], see claim 1 for motivation).  

Regarding claim 6, Laurence in view of Thomas and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes receiving a notification from one of the plurality of endpoints other than the compromised one of the plurality of endpoints (Thomas [0040] Fig. 1: endpoint communicates through a router).

Regarding claim 7, Laurence in view of Thomas and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes detecting potentially malicious traffic to or from the compromised one of the 

Regarding claim 8, Laurence in view of Thomas and Liu discloses the method of claim 7 further comprising querying each of the endpoints coupled to the subnet to identify a source of the potentially malicious traffic (Liu, [0037][0039]: send the “smoking sign” to other hosts to determine if they are also infected with the worm, in order to improve security).  

Regarding claim 9, Laurence in view of Thomas and Liu discloses the method of claim 8 further comprising: when the source is identified, preventing communications through the network device by the source (Liu [0039]: when one of the other hosts is also infected, it becomes a source of contagion and implements containment (Liu [0073])); and when the source is not identified, preventing communications by any of the endpoints through the network device (Liu [0039]: when none of the other host is infected, the smoking sign is dropped, the first endpoint that forwarded the alert to the PWC manager is the only infected and block traffic ([0073]); it would have been obvious to a skilled artisan before the application was filed to implement the functionalities of the PWC manager into the guard device in order to allow self-inspection for other nodes in the subnet and apply self-containment or not, increasing security).  

Regarding claim 14, Laurence in view of Thomas and Liu discloses the method of claim 4; additionally Thomas discloses determining a security status of each of the 

Regarding claim 15, Laurence in view of Thomas and Liu discloses the method of claim 14 wherein the one or more security conditions include a presence of a secure heartbeat (Thomas, [0059]: secure the heartbeat by encryption or signing, in order to improve security).  

Regarding claim 16, Laurence in view of Thomas and Liu discloses the method of claim 14 wherein the one or more security conditions include an indication of security compliance from a local security agent (Thomas [0058]: health monitor on endpoint checks on compliance of antivirus or other security software, in order to improve security).  
Regarding claim 17, Laurence in view of Thomas and Liu discloses the method of claim 4 further comprising translating network traffic at the network device between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet (Laurence col. 3, lines 20-42, Fig. 2A, Fig. 3).  
Regarding claim 18, Laurence in view of Thomas and Liu discloses the method of claim 4 wherein the network device includes a network address translation device (Laurence, Fig. 1, col. 2, lines 52-65: the border device translates outgoing packets from the local network from IPv4 addresses to IPv6 addresses (col. 3, lines 20-42, Fig. 2A, Fig. 3) and vice versa (Fig. 2B), using NAT technology (col. 3, lines 56-65)).

Regarding claim 19, Laurence in view of Thomas and Liu discloses the method of claim 4 wherein the network device includes at least one of a router and a gateway (Laurence col. 4, lines 43-44).  

Regarding claim 20, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1; Laurence additionally discloses the border device (claimed network device) comprises a first interface to an external network and a second interface to a subnet (Fig. 1),  one or more processors (Fig. 13).

Claim 10 is rejected under 35 USC 103 as being unpatentable over Laurence, Thomas and Liu in view of US 20150150072 to Doctor et al., hereinafter Doctor.
Regarding claim 10, Laurence in view of Thomas and Liu discloses the method of claim 4, but does not teach:  wherein the detection of the compromised one of the 
In an analogous art, Doctor describes an enterprise network divided into subnets, where each subnet includes a scanner that scans for vulnerabilities and reports the results of the scans to a scanner manager ([0028], Fig. 1 and 2). Each subnet communicates with devices outside the subnets via a firewall (Fig. 2, [0027]), i.e. each scanner reports from a subnet to the scanner manager through a firewall. Therefore, it would have been obvious to a skilled artisan before the invention was filed to have the guard device receive notifications from a firewall controlling the subnet, teaching the claim. Receiving a notification from a firewall would increase security, as the firewall would filter any malicious packet.

Claims 11-13 are rejected under 35 USC 103 as being unpatentable over Laurence, Thomas and Liu, in view of US 20170034190 to May, hereinafter May.
Regarding claim 11, Laurence in view of Thomas and Liu discloses the method of claim 4 further comprising, in response to receiving notification of the compromised one of the plurality of endpoints, directing communications from the one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints (Liu [0037]-[0039], see claim 1) .
Laurence in view of Thomas and Liu discloses that the enterprise network is a private network, but does not explicitly teach communications through a virtual private network. However, implementing a VPN in an enterprise network is common, as taught by May. May discloses an enterprise network connected to the internet by a router or 

Regarding claim 12, Laurence in view of Thomas, Liu and May discloses the method of claim 11, wherein the virtual private network physically passes through the network device (May, Fig. 1, network security device is a physical device (see Fig. 2), see claim 11 for motivation).
   
Regarding claim 13, Laurence in view of Thomas, Liu and May discloses the method of claim 11 wherein the virtual private network physically circumvents the network device (May [0030], Fig. 1: wireless devices 102, 104, 106, 108 communicate within the enterprise network through an access point, i.e., they circumvent the network security device, because the access point allows the mobile devices to communicate).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Natarajan et al 2011027702 disclose an internal network monitored by a monitoring device external to the internal network;
Brandywine et al 9781012 disclose a data plane hosting a NAT device and web services (internal network), in communication with a control plane (external network) including a monitoring component that communicates periodically with the data plane to monitor heartbeats, usage, status ...
Eastlake 20070180511 discloses a firewall protecting an internal network, intercepting pings to hosts in internal network, stores responses or lack of responses to the pings from the hosts, and report to external server.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-

/Catherine Thiaw/ Primary Examiner, Art Unit 2493    1/15/2021