DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 17-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 17 recites “…A computer-readable storage medium…”. The broadest reasonable interpretation of a claim drawn to a storage medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is absent an explicit definition or is silent. See MPEP 2111.01. When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. The Examiner suggests amending the claim to include non-transitory computer-readable storage medium.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Tahan (Pub. No. US 2002/075877) in view of Fainberg et al (Pub. No. US 2020/0007395).

As per claims 1, 9, 17, Tahan discloses a method, comprising:
for each of a plurality of compute resources: analyzing network data packets received by the compute resource from a plurality of network addresses based on a classification model to determine a subset of the plurality of network addresses that are non-malicious (…a trusted administrator configures two sets of addresses for each interface: (1) the Attached Address Set (AAS), which are the addresses on the attached network or networks, and (2) the Peer Address Set (PAS), which are the addresses on other networks or within the MCN with which the nodes on the attached network or networks may communicate…MCN includes a Multi-Community Application process which is assumed to be trusted not to leak data between communities…see par. 34, 63); grouping the plurality of compute resources into clusters based on a first measure of similarity between the network addresses associated with their respective subsets; associating with each cluster a first set of network addresses that is obtained by combining the subsets associated with its compute resources (…see fig. 5, two association are maintained in the community information base…the Network Interface-Community Association that specifies, for each of Multi-Community Application’s network interfaces, the associated user community or community set, and the Network Address-Community Association that specifies for each network address used by MCN, the associated user community or community set…see par. 93-95). Tahan does not explicitly disclose outputting a tag that represents at least one of the first sets of network addresses, the tag being suitable for use in configuring a firewall application to allow access by the at least one of the first sets of network addresses to the plurality of compute resources. 
However, Fainberg discloses outputting a tag that represents at least one of the first sets of network addresses, the tag being suitable for use in configuring a firewall application to allow access by the at least one of the first sets of network addresses to the plurality of compute resources (…network monitor device is configured to determine one or more tags based on the characteristics of devices…the tags can include…a firewall tag…based on the tags, network monitor device is operable to determine a zone…based on the zone, the network monitor device is operable to determine enforcement points associated with the determined zone…network monitor device may configure enforcement actions on firewalls…to allow device to access the internet using HTTP ports only…see par. 57-60). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Fainberg in Tahan for including the above limitations because one of ordinary skill in the art would recognize it would further improve the security of network communication, see Fainberg, par. 9.





As per claims 2, 10, 18, the combination of Tahan and Fainberg discloses wherein the first measure of similarity is based on a number of network addresses in the subsets that are the same or within a distance metric, wherein said grouping comprises:
grouping the plurality of compute resources into clusters based on whether the number of network addresses in the subsets that are the same or within the distance metric exceeds a threshold (Tahan: see par. 95).


As per claims 3, 11, 19, the combination of Tahan and Fainberg discloses wherein said grouping the plurality of compute resources into clusters based on the first measure of similarity between the network addresses associated with their respective subsets comprises: determining one or more network addresses of the first set of network addresses for a particular cluster that are not in all the subsets that are combined to form the first set of network addresses; determining whether a number of the determined one or more network addresses exceeds a threshold; in response to determining that the number of the determined one or more network addresses exceeds the threshold, deallocating the particular cluster group by ungrouping its compute resources; and
in response to determining that the number of the determined one or more network addresses does not exceed the threshold, maintaining the particular cluster (Tahan: see par. 146-148).


As per claims 4, 12, 20, the combination of Tahan and Fainberg discloses grouping the clusters into cluster groups based on a second measure of similarity between the first sets of network addresses associated with their respective clusters; and associating with each cluster group a second set of network addresses that is obtained by combining the first sets of network addresses associated with its clusters, wherein the tag represents the second set of network addresses, the tag being suitable for use in configuring the firewall application to allow access by the second set of network addresses to the plurality of compute resources (Tahan: see par. 93-95).



As per claims 5, 13, the combination of Tahan and Fainberg discloses wherein the second measure of similarity is based on a number of network addresses in the first sets of network addresses that are the same or within a second distance metric, wherein said grouping comprises: grouping the clusters into cluster groups based on whether the number of network addresses in the first sets of network addresses that are the same or within the second distance metric exceeds a threshold (Tahan: see fig.5 par. 93-95).


As per claims 6, 14, the combination of Tahan and Fainberg discloses wherein said grouping the clusters into cluster groups based on the second measure of similarity between the first sets of network addresses associated with their respective clusters comprises: determining one or more network addresses of the second set of network addresses for a particular cluster group that are not in all the first sets of network addresses that are combined to form the second set of network addresses;
determining whether a number of the determined one or more network addresses of the second set of network addresses exceeds a second threshold; in response to determining that the number of the determined one or more network addresses of the second set of network addresses exceeds the second threshold, deallocating the particular cluster group by ungrouping its clusters; and in response to determining that the number of the determined one or more network addresses of the second set of network addresses does not exceed the threshold, maintaining the particular cluster group (Tahan: see par. 143-145).




Claims 7-8, 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Tahan (Pub. No. US 2002/075877) in view of Fainberg et al (Pub. No. US 2020/0007395) as applied to claims 1, 9 above and in further view of Chen et al (Pub. No. US 2018/0131711).


As per claims 7, 15, the combination of Tahan and Fainberg does not explicitly disclose wherein the classification model is determined based on: identifying one or more first patterns associated with second network data packets received by second compute resources from a second plurality of network addresses; identifying one or more second patterns associated with third network data packets that were prevented from being received by the second compute resources from a third plurality of network addresses; and providing the one or more first patterns and the one or more second patterns as inputs to a supervised machine learning algorithm that generates the classification model based on the one or more first patterns and the one or more second patterns, the one or more first patterns being characteristic of non-malicious network data packets and the one or more second patterns being characteristic of malicious network data packets.
However, Chen discloses wherein the classification model is determined based on: identifying one or more first patterns associated with second network data packets received by second compute resources from a second plurality of network addresses; identifying one or more second patterns associated with third network data packets that were prevented from being received by the second compute resources from a third plurality of network addresses; and providing the one or more first patterns and the one or more second patterns as inputs to a supervised machine learning algorithm that generates the classification model based on the one or more first patterns and the one or more second patterns, the one or more first patterns being characteristic of non-malicious network data packets and the one or more second patterns being characteristic of malicious network data packets (…a monitoring computing device configured to provide to the network device information identifying a source application of a network traffic flow from the monitoring computing device…monitoring computing devices may be configured to track applications that are generating network traffic and generate a separate or modified communication that provides that information to a network device…a semi-supervised application on the network device (e.g. learning module) may learn to associate traffic flow characteristics of traffic flows with a characterization or description of a network traffic flow…this association of information from the monitoring computing devices with certain network traffic flow characteristics may be achieved using a machine learning by observing a large number of network traffic flows as well as information about the network traffic flows provided by the monitoring computing devices…see par. 49, 53). Therefore one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to use Chen in the combination of Tahan and Fainberg for including the above limitations because one of ordinary skill in the art would recognize it would further enhance the security of computing devices from vulnerable exploitation…see Chen, par. 3.


As per claims 8, 16, the combination of Tahan, Fainberg, and Chen discloses wherein said analyzing network data packets received by the compute resource from the plurality of network addresses based on the classification model to determine the subset of the plurality of network addresses that are non-malicious comprises: determining one or more features associated with each of the plurality of network addresses based on the analysis of network data packets;
providing the one or more features to the classification model; and receiving an output generated by the classification model that indicates whether each of the plurality of network addresses is non-malicious or malicious based on the one or more features (Chen: see par. 53-54).





Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure (see PTO-form 892).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GHAZAL B SHEHNI whose telephone number is (571)270-7479.  The examiner can normally be reached on Mon-Fri 9am-5pm PCT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 5712724219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished 






/GHAZAL B SHEHNI/Primary Examiner, Art Unit 2436