DETAILED ACTION


1.	Notice of Pre-AIA  or AIA  Status:  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	Claims 1-20 are allowed.

3.	This allowance of application 16/368695 is in response to Applicant’s claims filed on March 28, 2019.  

4.	Application 16368695 has benefit from provisional 62/770101.



Claim Interpretation
5.	Claim 1 recites “Access Control Entries (ACEs).”  Specification [0003] states “Access Control policies have been traditionally implemented using IP based Access Control Lists (ACLs).  An IP based ACL is a sequential collection of permit and deny conditions that apply to an IP packet.  A router tests packets against the conditions in the ACL one at a time,” [0022] states “grouping a plurality of canonical Access Control entries (ACEs), each comprising a plurality of data fields, into one or more candidate compression groups (CCGs); identifying, in each of the one or more CCGs, a plurality of equivalent canonical ACEs corresponding to a plurality of mismatching data values across a designated data field and a same data value across a plurality of remaining data fields; and merging together, in each of the one or more CCGs, the plurality of equivalent canonical ACEs in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, in each of the one or more CCGs, into one of more Object-group based or one or more security-group based ACEs,” [0025] states “although an Object-Group based ACL may have multiple Access Control Entries (ACEs), each single ACE in an Object-Group-based ACL may define an access control policy for an entire group of users to access a group of servers or services or to deny them from doing so,” and [0026] states “Object-Group based ACLs may furthermore improve network performance as compared with conventional IP-based ACLs, especially in situations of heavy inbound and outbound packet traffic.  Additionally, Object-Groups based Access Control Entries (OG-ACEs) may obviate the need to define an individual Access Control Entry (ACE) for every address and protocol pairing and therefore reduce the storage needed.”  Based on the specification, the ACL and the ACE are two different features.  This interpretation is applied to all the claims.


Reason for allowance
6.	The present invention is directed towards a plurality of canonical Access Control Entries (ACEs), each comprising a plurality of data fields, are grouped into a Candidate Compressions Group(s) (CCG(s)).  Within each of the CCG(s), a plurality of equivalent canonical ACEs are identified corresponding to a plurality of mismatching data value across a designated data field and a seam data value across a plurality of remaining data fields.  Within each of the CCG(s), the plurality of equivalent canonical ACEs are merged together in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, within each CCG(s), into an Object-group based ACE(s) or a Security-group based ACE(s).  Independent claims 1, 10 and 18 each identify the uniquely distinct combination of features:
grouping a plurality of canonical Access Control entries (ACEs), each comprising a plurality of data fields, into one or more candidate compression groups (CCGs);
identifying, in each of the one or more CCGs, a plurality of equivalent canonical ACEs corresponding to a plurality of mismatching data values across a designated data field and a same data value across a plurality of remaining data fields; and
merging together, in each of the one or more CCGs, the plurality of equivalent canonical ACEs in an iterative manner by varying the designated data field, to thereby convert the plurality of canonical ACEs, in each of the one or more CCGs, into at least one of one or more Object-group based ACEs or one or more Security-group based ACEs.

7.	While the summary is on page 18, the closest prior art (Anantharamiah et al., US Pub 20070209058; Paramaguru, US Pub 20080037539; Herbach et al., US 7707642; Kirby et al., US 9369431; Lin et al., US Pub 20140029845; Belamaric et al., US 9736185 (3) (13) (19) (21) (24) (32); Chari et al., US Pub 20060072456 [0006] [0030] [0055] [0058] [0061] [0064] [0065]; Naldurg et al., US Pub 20080104665 [0038] [0040] [0048]; King et al., US Pub 20130305354 [0022]; Lin et al., US Pub 20150089052 [0029]; Zhang et al., “A Firewall Rules Optimized Model Based on Service-Grouping”, p 142 col 2, p 143 col 2, p 144 col 1, 2015; Liu et al., “Firewall Compressor:  An Algorithm for Minimizing Firewall Policies,” p 692 col 2; and Nimmagaddda et al., US Pub 20180176252) disclose a technique that simplifies managing and configuring firewalls by provisioning a Vendor-Neutral Firewall (VNF) in an Multi-Protocol Label Switching-Virtual Private Network (MPLS-VPN) service network.  In an embodiment, a VNF policy is created using a Service Activation Tool (SAT) residing in a host server.  One of the VPN(s) requiring the provisioning of the VNF in the MPLS-VPN service network is then selected.  The created VNF policy is then transformed to form a vendor-specific firewall policy associated with the selected one of the VPN(s).  With the growing popularity of the Internet and networks in general, there is a trend towards centralized network services, and centralized network service providers.  To be profitable, however, network service providers need to constantly maintain and if possible enlarge their customer base and their profits.  Network providers are offering NPVs to interconnect various customer sites that are geographically dispersed.  VPNs are of great interest to both provider and to their customers because they offer privacy and cost efficiency through network infrastructure sharing.  Today, a VPN virtually implementing, e.g., a company network on an Internet Protocol (IP) network is attracting increasing attention.  Existing firewall provisioning systems allow an operator of a service provider to configure the sites so that one site can talk to a second site and not to a third site.  In order to operate properly, it is desirable that the provisioning system be aware of the rules governing the communication between different sites of the VPN and allow configuration of the VPN based on those rules.  In an embodiment, a method is provided for provisioning firewalls in an MPLS-VPN service network by creating a VNF policy, selecting one of the VPN(s) that requires provisioning a VNF, and transforming the created VNF policy to a vendor-specific firewall policy as a function of the selected one of VPN(s).  The term “MPLS-VPN service network” refers to a private network that enables private communications between two or more private networks over a shared MPLS network.  In some embodiments, a VNF policy is created using an SAT.  The SAT is a workflow based mechanism that configures a service on a network/equipment.  In these embodiments, creation of VNF policy includes first forming an Access Control Lists (ACLs) in a vendor-neutral format using the SAT for each firewall.  A fix-up rule(s) associated with the formed ACL(s) in a vendor-neutral format are then configured using the SAT for each firewall.  In these embodiments, the SAT is a generic Graphical User Interface (GUI) tool that facilitates in configuring the VNF policy.  The GUI is used to create an Access Control Entries (ACEs), for each ACL, is generic and is designed to configure firewalls of various vendors by using the drop down menu provided for each ACE.  The drop down menus can be used to create the ACEs in a sequential order as a firewall module operate on packets when entering a network.  The sequence of processing each of the formed ACE(s) associated with an ACL is rearranged based on a customer specified order of firewall processing using a simple user friendly GUI.  In some embodiments, the customer specified order includes a hierarch of processing of the ACEs formed within an ACL.  It can be envisioned that such hierarchy can be changed easily using the GUI anytime as and when the needs of a customer changes.  A GUI that is used in re-sequencing an ACE within an ACL to prioritize ACEs.  The Up and Down buttons provided are used to sequence the ACEs where the user chooses and re-prioritizes the ACEs.  In an embodiment, each ACL comprises an ACE(s).  The SAT can be used to re-arrange sequence of processing of each formed ACE as a function of a customer specified order of firewall processing.  The above process provides a common policy to configure firewalls for router equipment from different vendors.  Further, the process provides a standardized approach for defining firewalls.  Furthermore, the process simplifies the creation and modification of software policies by keeping policy and actual configuration commands separate.  Further, a user can easily and quickly modify an existing firewall policy to meet any changes in vendor router equipment and customer needs.

8.	Another prior art teach in an embodiment, a packet in a network is classified.  A header of the packet includes various fields.  Single-dimensional lookups are performed for each header field, based on a plurality of packet-classification rules.  The results obtained from single-dimensional lookups are merged to obtain a Resultant Bit Vector (RBV).  Thereafter, the RBV is processed using a Finite State Machine (FSM), based on the plurality of packet-classification rules.  In a typical network, packets a classified, in part, to ensure Quality of Service (QoS), and to provide differentiated services to classified flows.  Information relevant for classifying a packet is contained in a plurality of distinct header fields in the packet.  The header fields are the portion of the packet that precedes the body, which contains the data.  The header fields (e.g., header fields include version, traffic class, flow label, payload length, next header, hop limit, source address, destination address, etc.) also contain data, such as source and destination addresses, User Datagram Protocol (UDP), destination port, payload type, sequence number, timestamp, and other such details about the packet as well as control and timing information that are needed for successful transmission across the network.  In one conventional classification method, an Access Control List (ACL) format is used for packet classification.  The ACL format classifies a packet on the basis of the Internet Protocol (IP) header typically relying on a multi-dimensional lookup algorithm.  The ACL format comprises an ordered list of Access Control Entries (ACEs) with the header fields forming an ACE that is bound by logical operator ‘AND’.  The process of using the ACL format is simple, as all the header fields forming the ACE are bound only by the logical operator 'AND’.  In other classification methods, the header fields that define the packet-classification rules are bound by the logical operators AND, OR, and NOT.  In an embodiment, incoming packets are classified by a packet-classification module using a meta-rules algorithm.  The meta-rules algorithm classifies incoming packets using meta-rules.  The meta-rules are flexible rules that use other rules as a variable and contain information for using other rules.  The meta-rules are also used to control the usage of rules in certain situations.  The meta-rules include multiple levels of nested rules where a set of rules reside inside another set of rules.  The innermost rules of the meta-rules are called leaf rules.  These leaf rules are structured rules in an ACL format and fields in the leaf rules are bound to each other by a logical AND operator.  However, other nested meta-rules can have an undefined structure.  Rules with an un-defined structure can take the shape of arbitrary complex logical expressions.  Various embodiments classify a packet, based on packet-classification rules, which are meta-rules.  A network device uses FSM to implement the meta-rules.  FSM is capable of handling arbitrary logical expressions and uses an unknown operator to resolve the arbitrary logical expressions that are not handled well by FSM in a fast and scalable manner.

9.	Another prior art teach systems and techniques relating to document access auditing.  Traditional document control systems have included servers that store and manage encryption keys for documents secured by the system, providing persistent protection for documents by requiring the server to be contacted before a secured document can be opened.  Conventional document management systems have included document permissions information associated with documents that allow different groups of individuals to have different permissions, and conventional document viewing software applications have also included software plug-ins designed to translate document permissions information from a document management system format to a format used by the software application (i.e., a separate software plug-in required for each integration with a document management system.).  The eXtensible Rights Markup Language (XrML) allows a document viewing application to understand resources and permissions from any system that complies with the XrML rules (XrML is a trademark of ContentGuard Holdings, Inc.).  Many different encryption schemes have been used to secure documents.  Additionally, both document management systems and document control systems have included document access tracking functionality, where document access information is recorded in a central location and used in auditing document access.  Enabling a user to generate an audit of actions performed on a document that has been tracked by a system can have substantial benefits.  In an embodiment, audit information for documents of interest can be made available even if the document tracking system responsible for generating and maintaining the audit information becomes decommissioned or otherwise unavailable.  In the context of a document control system, a non-secured document can be produced that is identical to the source document but with an appendix that describes audit events and various aspects of the document’s life cycle through the document control system.  The document can be published and/or archived as a free-standing document with audit history that, when signed by a document control server, extends the systems’ auditing guarantees outside the realm of the document control system.  The invention can facilitate use of a document approval workflow, allowing one or more authenticated users to authorize a document or aspect of a document within the document tracking system.  Additionally, consent-based auditing can provide a better guarantee that a user has actually read a document, understands, and/or agrees to it.  In an embodiment, an authentication service provider can be used to authenticate a user.  In the context of computer security, authentication is the procedure by which a programmable machine confirms the identity of another machine, and/or the other machine’s current user, from which a communication has been received.  There are many types of systems in which authentication can be used, and there are many types of events that can trigger an authentication process, depending on the needs of a particular implementation.  The authentication process represents a software program having instructions operable to cause a machine to perform operations effecting an authentication procedure.  The authentication process can use an existing interface provided by the client to communicate authentication information to a server (e.g., a document viewing application can include a security handler component that communicates with the authentication process).  Thus, the client can be transparently updated with a new authentication process as a result of sending a request to the server.  If an administrator changes the authentication procedure to be used for a document, all clients that attempt to perform an action that requires the specified authentication with respect to the document can be automatically and transparently updated to be able to authenticate using the newly specified mechanism.  An authentication procedure can even be changed between sequential actions on a document, and thus a new request can result in a new authentication process being delivered for the same action to be performed on an already delivered document.  In response to the request, an authentication process is sent to the client for use in identifying a current user and controlling the action with respect to the electronic document based on the current user and Document-Permissions Information (DPI) associated with the electronic document.  Thus, the authentication mechanism can be specified on the server and the appropriate code can be downloaded to the client dynamically, as needed, in a manner that is transparent to the client.  An authentication interface can provide either a text-based username-password description or a single authentication library.  The authentication provider can implement its own defense against force attacks, and can have the option to deny authentication even if the correct credentials are presented.  Implementations can also return an authentication reply that specifies whether the user is successfully authenticated (verified).  A token to be used in future authentication attempts can be returned, although the server can ignore this.  The username should also be returned for verified attempts such that the server can understand who has authenticated.  An Access Control List (ACL) service provider should be able to take this username and canonicalize it.  The canonical form of the username corresponds to a defined format that allows consistent use of usernames across workflows; the definition(s) governing canonical form(s) in the system can vary with implementation.  In addition to the authentication systems and techniques described, document control systems and techniques can be provided.  A document source can be a document repository and/or a document handling system (e.g., an email system).  In general, the document source can be considered one of two types:  where document is expected to be retained and accessible, and where a document should not be expected to be retained and accessible.  When the document source is of the first type, DPI can be retained at the document source.  When the document source is of the second type, the DPI can be generated at the document source, or at the client, when the document is secured to create a secured document, and the DPI can be retained at the permissions/broker server.  The DPI can be ACL that defines the types of actions that are authorized for the document.  Moreover, DPI can specify access permissions at a level of granularity smaller than the document itself (e.g., controlling access to specific pages, paragraphs and/or words in the document).  In an embodiment, a securing client can retrieve a document from the repository.  A document identifier can also be retrieved and passed to the server.  The server can communicate with the repository using the document identifier to obtain DPI (e.g., an ACL from a Content Management System (CMS) or file permissions information from a file system).  The obtained DPI can be used by the server to generate an initial ACL for the document.  A set of data that can include the initial ACL, the document identifier, and a key generated by the server, can be sent back to the securing client. The current ACL reflects the current state of the document in the repository.  In an embodiment, an Access Control Infrastructure (ACI) as can be implemented in a document control system.  An access control service provider can be implemented, where access control can be defined in terms of Access Control Lists (ACLs).  ACLs can map permissions (e.g., can print, can view, etc.) to principals (e.g., users and groups), and vice versa.  Access control service providers can be implemented for various systems.  Moreover, the ACI can support shared ACLs (e.g., one ACL to be shared amongst multiple documents; such shared ACLs can be referred to as policies).  In another embodiment, an authentication service provider can be implemented as described elsewhere herein, and an access control service provider can effect the ACI.  ACLs can include a set of Access Control Entries (ACEs) and a send of properties.  ACL properties can apply to the ACL as a whole (e.g., expiration date).  An ACE can map principals to rules and can include a list of principals, a rule, and a validity period for the ACE.  When an ACL is evaluated, only ACEs that are within their validity period need be considered.  Validity periods can allow different users and groups to be granted permissions to view a document at different times.  For example, an ACE can specify that “only members of the public relations staff may view a document before its release data, after which anyone can view the document.”  The server side evaluation of ACLs for a specific user at a specific point in time (e.g., for online viewing, revocation, document audit retrieval, etc.) can be implemented within the server directly.  The server can examine the ACL, looking for ACEs that are currently valid and that also contain either the authenticated user or group in which the user is a member, and then extract the permissions and properties.  The server infrastructure to handle canonicalization within the server can have three tiers.  An access control service provider can include a set of principle modules that provide the canonical form of some set of non-canonical strings.  These principle modules can also specify whether the canonical form corresponds to a canonical group or a canonical user.  For a given user or group, the canonical name of the user or group can be obtained.  A document control system can thus address both issues of document security and version management in one system.  If a different version of a distributed document should be viewed in place of the distributed version, this can be defined and controlled in a document control server that can be defined and controlled in a document control server that also handles document security for distributed documents.  

10.	Another prior art teach a Security Device Controller (SDC) that includes receiving a Configuration Policy (CP) in a vendor neutral language; and automatically configuring a plurality of security devices on a heterogeneous network based on the CP.  Security devices (e.g., firewalls, routers, etc.) are typically configured with rules or routing Access Control Lists (ACLs).  Firewall rules and routing ACLs are generally sensitive and complex elements of networked systems.  Their sensitivity derives from the importance of hardened external access to a company’s data center and enterprise network.  Their complexity generally derives from the wide array of firewall infrastructure devices that may be in use in any company along with the rules logic in every security device. Firewall performance often matches effective policies in importance; a poorly defined rule base or configuration mistakes can cause performance and security issues.  Rule lists are frequently thousands of entries in length, which adds to the complexity for network/security administrators who are responsible for managing such rules and tracking change management of such rules and configuration.  In some embodiments, an SDC includes receiving a CP in a vendor neutral language; and automatically configuring a plurality of security devices on a heterogeneous network based on the CP.  In some embodiments, the configuration policy can include a security configuration for a firewall and/or a routing configuration for a router.  For example, a CP can include a rule-list (e.g., including routing ACLs for a router, a security policy for a firewall such as allow/block rules based on various criteria such as port numbers and protocols, etc.).  A rule can include an Access Control Entry (ACE) inside an ACL or a rule inside a security policy (e.g., a firewall policy).  Generally, a rule provides a description of a network flow and/or a filtering access (e.g., allow or deny, such as to allow/deny from <Source> to <Destination> for Service).  In some embodiments, the SDC implements workbooks to specify rule lists (e.g., a set of firewall rules, routing ACLs, zones, interfaces, policies, etc.).  Users can search, add security rules, or create alerts against these devices.  In some embodiments, a filter set is an ordered set of rules (e.g., also referred to as a rule list).  For example, firewall rules can be organized by rule lists, and security/firewall policy can include a set of rule lists.  For router configurations, ACLs can be understood as being equivalent to rule lists.  In some embodiments, the SDC can provide for changing firewall rules and routing ACLs (e.g. for a firewall, security appliance, router, routing switch, or another security network device).

11.	And, another prior art teach an apparatus for processing an image.  A buffer is provided and separated into a series of Storage Units (SUs).  Each SU has a fixed size.  The image is divided into Pixel Groups (PGs), and each PG corresponds to one SU.  Each PG is compressed by one of candidate compression methods to obtain compressed data so that the compressed data of each PG fits the corresponding SU.  In an embodiment, a display apparatus includes a mapping device and a compressor.  The mapping device divides the image into a plurality of PGs, each PG corresponding to one of SUs with a fixed size in a buffer.  The compressor device compresses each PG by one of candidate compression methods to obtain 1st compressed data so that the 1st compressed data of each PG fitting the corresponding SU.

12.	According to Merriam-Webster dictionary, “canonical” is defined as “conforming to a general rule or acceptable procedure” and “reduced to canonical form.”

13.	According to Wikipedia, “canonical” in computing is “canonical name record (CNAME record), a type of Domain Name System record.”

14.	In summary, nowhere do Anantharamiah, Paramaguru, Herbach, Kirby, Lin, Belamaric, Chari, Naldurg, King, Lin, Zhang, Liu, and Nimmagadda explicitly mention or disclose the unique combination of elements listed above.  The definitions provided above provide explanation/clarification to some critical features (e.g., canonical).  The prior art, either singularly or in combination fails to anticipate or render obvious the present invention.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

15.	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992.  The examiner can normally be reached on 8:30am to 5:00pm EST Monday thru Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452                                                                                                                                                                                             
	February 8, 2021