DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is a reply to the amendment filed on 01/04/2021, in which, claim(s) 1-30 are pending. Claim(s) 1, 11 and 21 are amended. No claim(s) are cancelled or newly added.

Examiner’s Note
A message was left on January 25th, 2021 to the attorney Abhijit P. Adisesh (Reg. 75,261) for the purpose of compact prosecution. No response was received.

Response to Arguments
Specification Objection: 
Applicant’s arguments with respect to the specification objection have been considered. The specification objection has been withdrawn in view of the amendment to the specification (Abstract and [0011]).

Double Patenting Rejection:
Applicant submitted 3 terminal disclaimers on 01/04/2021 to overcome DP rejection issued in the previous office action. All 3 terminal disclaimers have been approved. The DP rejection issued in the previous Office action has been withdrawn.

Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments, see pages 11-13 of the Remarks, filed 01/04/2021, with respect to claim(s) 1-30 have been fully considered but they are not persuasive.  
Applicants argue that “claim 1 is directed to a method for confirming… and thus improves the technological operation of computing systems related to network connection management and security” (see page 11 of 18 of the Remarks).
Examiner respectfully disagrees as to how the claimed features of detecting one or more differences by comparing two files, which could be performed mentally, will improve the technological operation, especially security.
Applicants further argue that “additional features of claim 1 serve to integrate the recited judicial exception into a practical application of the exception” (see page 12 of 18 of the Remarks).
Examiner respectfully disagrees; additional elements such as “storing a list of expected connections…” are considered as data gathering which do not integrate the abstract idea into a practical application because it does not impose a meaningful limit on practicing the abstract idea.
Examiner has also consulted a QAS for the 101 rejection on 01/25/2021 based on the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG). Therefore, the rejection of 35 USC §101 regarding claim(s) 1-30 is maintained. 

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 14-17, filed 01/04/2021, regarding the U.S.C.  1-30 have been fully considered and are not persuasive.
Applicants argue that Dudfield does not disclose "a list of expected connections among…” as recited in claim 1, but instead discloses…. and Dudfield is silent on "detecting, by one or more processors, one or more differences…” as recited in claim 1. Berenberg does not cure and is not cited to cure the critical deficiencies of Dudfield (see pages 14 & 16 of the Remarks).
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Besides, a prior art reference must be considered in its entirety, i.e., as a whole, including portions that would lead away from the claimed invention. W.L. Gore & Assoc., Inc. v. Garlock, Inc., 721 F.2d 1540, 220 USPQ 303 (Fed. Cir. 1983), cert. denied, 469 U.S. 851 (1984). See MPEP § 2141.02.
Applicants also argue that Dudfield is also silent on… defining "a protocol and a service associated with communication between the first endpoint and a second endpoint…” as recited in claim 1 (see page 15 of the Remarks).
Applicant’s interpretation of the reference has been noted; however, examiner respectfully disagrees.  Dudfield teaches a protocol and a service associated with each connection is stored in the list of expected connections ([0067] and Fig. 5).
Therefore, the rejection is maintained.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-30 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e. an abstract idea) without significantly more.
Analyzing under Step 2A Prong One:
Claims 1, 11 and 21 recite the limitation “detecting one or more differences between the list of expected connections and actual connections among the plurality of endpoints by comparing”, which is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic processors. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. The human mind can observe and note specific events. Accordingly, the claims recite an abstract idea.
Analyzing under Step 2A Prong Two:
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because processors and storage media 
Analyzing under Step 2B:
The recited claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to the integration of the abstract idea into a practical application, the additional element(s) of processors and storage media to carry-out the storing, and detecting by comparing as they apply to the exception cannot provide an inventive concept. Therefore, the claims are not patent eligible.
Claims 2-10, 12-20 and 22-30 don't cure the deficiency of claims 1, 11 and 21 and are rejected under 35 U.S.C. 101 for their dependency upon claims 1, 11 and 21.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
Claims 1-7, 10-17, and 20-27, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield et al. (US 2004/0215975 A1) in view of Berenberg et al. (US 2014/0313975 A1, cited by the applicant in the 07/24/2020 IDS).
Regarding Claims 1, 11, and 21, Dudfield teaches
storing a list of expected connections among a plurality of endpoints, wherein each expected connection in the list defines a first endpoint and a second endpoint between which the expected connection exists ([0010], “connection pairs (i.e. a first endpoint and a second endpoint) from a connection table (i.e. a list of expected connections among a plurality of endpoints)”, [0058], “Referring to FIG. 4, the connection table 40 is a data structure that maps each host (e.g., identified by IP address) to a "host object" that stores information about all traffic to or from that host”), as well as a protocol and a service associated with communication between the first endpoint and a second endpoint between which the expected connection exists ([0067], “Referring to FIG. 5… the contents of the host object 40a in the connection table 40 include a measure… Data is broken down per-protocol for every well-known transport protocol”, also see Fig. 5, “Services provided by A (Web Server) to B (Desktop)”, i.e. a protocol and a service associated with each connection is stored in the list of expected connections); and 
detecting, by one or more processors, one or more differences between the list of expected connections and actual connections among the plurality of endpoints by comparing each expected connection in the list of expected connections with one or more of the actual connections ([0010], “detecting unauthorized access in a computer network”, “determine whether that one host attempting to gain access has accessed the other host accessed previously”, [0050], “compares these to historical data”, [0099], “the scan detect process 70 accesses 73 the time slice connection table 41 to determine 74 new host pairs (i.e. actual connections between two endpoints) that the process had not determined before in the profile”, i.e. determined differences by comparing the actual connection with the expected connection).
Dudfield does not explicitly teach but Berenberg teaches 
the one or more actual connections indicated by configuration files of a first endpoint and a second endpoint between which the expected connection exists ([0020], “a node may be configured to receive and/or store a configuration data (file) … that identifies preferred connections between the node and other nodes” therefore indicating the actual connections).
Dudfield and Berenberg are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect the differences between the list of expected connections and actual connections (as disclosed by Dudfield) indicated by endpoint configuration data (as taught by Berenberg). The motivation/suggestion would have been to improve the reliability and/or performance of the network (Berenberg, [0017]).

Regarding Claims 2, 12, and 22, the combined teaching of Dudfield and Berenberg teaches providing a notification indicating the detected one or more differences between the list of expected connections and the actual connections among the plurality of endpoints (Dudfield, [0131], “The process notifies the operator of a new host in the network”, i.e. the detected difference).  

Regarding Claims 3, 13, and 23, the combined teaching of Dudfield and Berenberg teaches obtaining, for each of one or more of the plurality of endpoints, a configuration file indicating one or more actual connections maintained by the endpoint (Berenberg, [0020], “a node may be configured to receive and/or store a configuration data (file) … that identifies preferred connections between the node and other nodes” therefore indicating the actual connections).

Regarding Claims 4, 14, and 24, the combined teaching of Dudfield and Berenberg teaches wherein the one or more differences comprise: 
a number of the actual connections among the plurality of endpoints that are missing from the list of expected connections (Dudfield, [0099], “the scan detect process 70 accesses 73 the time slice connection table 41 to determine 74 new host pairs that the process had not determined before in the profile”, i.e. actual connections missing from the list of expected connections); and
a number of the expected connections from the list of expected connections that are missing a corresponding actual connection (Dudfield, [0099], “The process 70 checks if the number of historical host pairs in the profile is smaller 77 

Regarding Claims 5, 15, and 25, the combined teaching of Dudfield and Berenberg teaches wherein each of the one or more detected differences indicates an unauthorized connection or an inaccuracy of the list of expected connections (Dudfield, [0010], “detecting unauthorized access in a computer network”, “determine whether that one host attempting to gain access has accessed the other host accessed previously”).  

Regarding Claims 6, 16, and 26, Dudfield teaches
wherein comparing an expected connection in the list of expected connections comprises determining whether the expected connection has a matching connection among the one or more actual connections ([0099], “the scan detect process 70 accesses 73 the time slice connection table 41 to determine 74 new host pairs (i.e. actual connections between two endpoints) that the process had not determined before in the profile”, i.e. the actual connection has no match among the expected connections).
Dudfield does not explicitly teach but Berenberg teaches 
the one or more actual connections indicated by configuration files of the first endpoint and the second endpoint between which the expected connection exists ([0020], “a node may be configured to receive and/or store a configuration data (file) … that identifies preferred connections between the node and other nodes” therefore indicating the actual connections).
Dudfield and Berenberg are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect the differences between the list of expected connections and actual connections (as disclosed by Dudfield) indicated by endpoint configuration data (as taught by Berenberg). The motivation/suggestion would have been to improve the reliability and/or performance of the network (Berenberg, [0017]).

Regarding Claims 7, 17, and 27, the combined teaching of Dudfield and Berenberg teaches wherein each of the actual connections among the plurality of endpoints comprises a protocol, a port number, a port number range, or a security group (Dudfield, [0047], “The collector devices 12 collect information such as source and destination addresses, transport protocol, source and destination ports”, [0048], “efficiently partitions hosts on a network into groups”).  

Regarding Claims 10, 20, and 30, the combined teaching of Dudfield and Berenberg teaches wherein the notification is provided to one or more of a notification area of a user interface (Dudfield, [0195], “Referring to FIG. 29, an overview graphical user interface 302 (GUI), provides an operator with an aggregated view of network status”, “for issuing an event notification”).

Claims 8, 18, and 28 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield et al. (US 2004/0215975 A1) in view of Berenberg et al. (US 2014/0313975 A1, cited by the applicant in the 07/24/2020 IDS) further in view of MacNeil et al. (US 2017/0163502 A1, cited by the applicant in the 07/24/2020 IDS).
Regarding Claims 8, 18, and 28, the combined teaching of Dudfield and Berenberg does not explicitly teach but MacNeil teaches wherein the list of expected connections is stored in human readable data-serialization language format ([0031], “A list of identified network nodes and connections between the nodes may be generated and stored…The data may also be stored in an electronic file and formatted as an ASCII-based structured data object defined using a standard or custom markup or data definition language, such as but not limited to, XML, JSON, or YANG”, as JSON is a well-known human readable data-serialization language format).
Dudfield, Berenberg and MacNeil are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect the differences between the list of expected connections and actual connections indicated by endpoint configuration data (as taught by the combined teaching of Dudfield and Berenberg) and the list is stored in human readable data-serialization language format (as taught by MacNeil). The motivation/suggestion would have been for providing graphical visualization of a telecommunications network topology (MacNeil, Abstract).

Claims 9, 19, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Dudfield et al. (US 2004/0215975 A1) in view of Berenberg et al. (US .
Regarding Claims 9, 19, and 29, the combined teaching of Dudfield and Berenberg does not explicitly teach but Zuk teaches providing version tracking and control of the list of expected connections ([0054], “updated versions of the policy” therefore tracking the version and control of the list of network connections).
Dudfield, Berenberg and Zuk are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to detect the differences between the list of expected connections and actual connections indicated by endpoint configuration data (as taught by the combined teaching of Dudfield and Berenberg) and provide version tracking and control of the list of expected connections (as taught by Zuk). The motivation/suggestion would have been to help detect and prevent security breaches on a network (Zuk, [0001]).

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is .
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Examiner, Art Unit 2497