DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/248828. Although the claims at issue are not identical, they are not patentably distinct from each other because they are each drawn toward a system/method comprising creating and updating security templates based on workload data and creating and deploying a security policy based on the template.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.

Claim Objections
Claims 1, 11, and 20 are objected to because of the following informalities:
Claim 1 recites “intend-based security” which should read “intent-based security”.  
Claims 1, 11, and 20 recite “the security rules at least one of” which should read “the security rules including at least one of”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-6, 10-16, and 20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claims recite a series of steps which can be performed mentally or by hand.
For example, claims 1, 11, and 20 recite (in summary):
receiving a target… (can be performed by reading a screen for example)
identifying nodes and edges in a graph database… (can be performed by mentally identifying by looking at the database)
getting a security intent… (can be performed by looking at a screen or someone telling you the intent)
obtaining a security template (can look at screen)
applying the security template to the identified nodes and edges to produce security rules for the security policy (can look at information and tell someone the rules)
This judicial exception is not integrated into a practical application because it is only producing rules.  It is not applying those rules to deploy the security policy in any way or using them to protect any devices, communications etc. The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception because there are no other limitations outside of the abstract ideas.  Regarding claims 11 and 20, merely implementing the method using a processor, memory, or system is not significantly more than the abstract idea because these are routine and conventional in the computing field.
The examiner notes that claims 7 and 17 (and claims 8, 9, 18, and 19 which are assumed to depend from claims 7 and 17, see 112 rejection) integrate the abstract idea into a practical application by deploying the security policy in the cloud computing environment, which is known to protect the computing environment, which is a practical application.  

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim limitations “means for receiving”, “means for identifying”, “means for getting”, “means for obtaining”, and “means for applying” in claim 20 invoke 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. The specification is silent as to what these structures are. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(c)        Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).
If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claims 1, 11, and 20 recite “the security policy”, “the cloud computing environment” and “the graph database” which lack antecedent basis.
Claims 3 and 13 recite that the attribute can be “Internet”.  It is unclear how an attribute can be Internet.  
Claims 8, 9, 18, and 19 recite “the data” and “the deploying” which lack antecedent basis.  It appears that these should be dependent on claims 7 and 17 instead of claims 1 and 11 and will be interpreted in that manner.
Claims 2 and 12 recite “the identifying nodes and edges in the graph database finds nodes…”  It is unclear how “identifying” can “find” something.  It appears applicant may mean “the identifying nodes and edges in the graph database includes finding nodes…”
Claims 4, 6, 14, and 16 contain the trademark/trade names “Jinja, Jinja2, JavaScript Object Notation, YAML Ain’t Markup Language, Open Policy Agent”.  Where a trademark or trade name is used in a claim as a limitation to identify or describe a particular material or product, the claim does not comply with the requirements of 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph.  See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982).  The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product.  A trademark or trade name is used to identify a source of goods, and not the goods themselves.  Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name.  In the present case, the trademark/trade name is used to identify/describe a computing language and, accordingly, the identification/description is indefinite.
Claims 18 and 19 recite “The computer implemented method of claim 11”.  However, claim 11 is a system claim.  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 9-16, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley et al. (US 2016/0234250), in view of Lang et al. (US 2015/0269383), and further in view of Kumar et al. (US 2016/0350105).
Regarding claims 1, 11, and 20, Ashley teaches a computer implemented method (and corresponding systems) for template driven, intent based security, the method comprising:	
Receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment (Workload definition document (i.e., target) for cloud environment defines configurations for appliances and shows relation to security policy) – see abstract.
Getting a security intent, the security intent including a high level security objective in a natural language (Workload definition is parsed to extract attributes of each network appliance, including security policy to be applied to each appliance.  Security templates have been prepared by an expert familiar with different security requirements of different types of possible workloads.  A Heat template describes the infrastructure for a cloud application in a text file that is readable and writable by humans) – see abstract, [0034], and [0040].
Obtaining a security template associated with the security intent (Access or building of workload specific security templates based on the workload type, requirements, and other attributes (i.e., based on the security intent).  Security templates have been prepared by an expert familiar with different security requirements of different types of possible workloads) – see [0038] and [0040].
Applying the security template to produce security rules for the security policy, the security rules including at least one of allowing and denying communications between the target and other workloads of the plurality of workloads (Create a security policy protecting a specific type of workload.  Security policy instantiated, and then instantiates filtering rules such as virtual machines to which certain traffic filtering rules apply) – see [0041] and [0042].
Ashley does not teach identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges, or applying the security templates to the identified nodes and edges.
Kumar teaches a communications mapping system to generate a relational communications graph.  The graph includes nodes and edges which connects two nodes and shows relationships between the nodes – see [0078] – [0080].  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ashley by identifying the policies by using nodes and edges in a graph database that shows relationships between the nodes, for the purpose of defining and identifying relationships in the network properly, based upon the beneficial teachings provided by Kumar.  These modifications would result in increased accuracy for the specifying of the workloads.  

Regarding claims 2 and 12, Ashley teaches that the target includes an attribute (Workload definition (i.e., target) is parsed to extract attributes of each network appliance).  Further, Kumar teaches identifying nodes and edges in a graph database, as discussed above.  Therefore, the combination suggests identifying the nodes and edges in the graph database by finding nodes that match the attribute.

Regarding claims 3 and 13, Ashley teaches that the attribute can be at least one of an application name, application function, business organization, realm, location, and Internet (IP address) – see [0024] – [0028].

Regarding claims 4, 6, 14, and 16, Ashley teaches that the security template/policy is in JavaScript Object Notation (JSON) – see [0038].

Regarding claims 5 and 15, Ashley teaches that the security intent can be at least one of whitelist isolation, whitelist separation, best practices for an application type, regulatory requirement, and user-specified template (Security templates have been prepared by an expert familiar with different security requirements of different types of possible workloads (i.e., best practices for application type)) – see [0040].

Regarding claims 9 and 19, Ashley teaches that the deploying is performed by a cloud driver using a topology and inventory of the cloud computing environment, the cloud driver communicating with the cloud computing environment using an API of the cloud computing environment – see [0032] – [0034].

Regarding claim 10, Ashley teaches that the cloud computing environment is hosted by a plurality of different cloud services – see figure 8 and [0076].

Claims 7, 8, 17, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Ashley et al. (US 2016/0234250), in view of Kumar et al. (US 2016/0350105), and further in view of Barkol et al. (US 2013/0097138).
The teachings of Ashley and Kumar are relied upon for the reasons set forth above.
Regarding claims 7 and 17, Ashley further teaches deploying the security policy in the cloud computing environment.
Regarding claims 7, 8, 17, and 18, Ashley and Kumar do not teach gathering data about the cloud computing environment or updating the graph database using the data, or that the data includes at least one of streaming telemetry from network logs, events from a cloud control plane, and inventory from a configuration management database.
Barkol teaches a system wherein configuration information for a network is collected pertaining to different graph parts such as nodes and edges in order to update configuration information pertaining to graph parts that have changed since a previous update.  This is used for managing policies – see [0013].  The data is from a configuration management database – see [0013].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Ashley and Kumar by gathering data (inventory from CMDB) about the environment and updating the graph database using the data, for the purpose of keeping an up to date database, based upon the beneficial teachings provided by Barkol.  




Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LISA C LEWIS whose telephone number is (571)270-7724.  The examiner can normally be reached on Monday - Thursday 7am-2pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/LISA C LEWIS/Primary Examiner, Art Unit 2495