Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
2.	Applicant’s arguments filed on 3/8/2021, with respect to the 35 U.S.C. 101 rejection of claims 1, 13 and 18-35, have been fully considered and are persuasive. The 101 rejection of claims 1, 13 and 18-35 has been withdrawn.

3.	Applicant’s arguments filed on 03/08/2021, with respect to the 35 U.S.C. § 102(a)(1) and (2) rejection of claims 1, 13, and 18-35 for allegedly being anticipated by U.S. Pat. App. Publication No. 2017/0019302 to Lapiotis have been fully considered. However, upon further consideration, a new ground(s) of rejection is made in view of the amended claims.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 13, and 18-35 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Publication No. 20170019302, hereinafter Lapiotis, in view of U.S. Publication No. 20160182567, hereinafter Sood.

As per claim 1, Lapiotis discloses:
A method (para 0004 “The present patent disclosure is broadly directed to a scheme for providing analytics-driven dynamic network design and configuration with respect to a network, e.g., including one or more service functions (SFs) or virtual network functions (VNFs) in a service network.”),
comprising:
obtaining security orchestration information for one or more virtualized network functions (para 0004 “In one aspect, an embodiment of a method for network configuration comprises, inter alia, receiving, from a data analytics platform, a dynamic situation profile with respect to a particular situation defined in terms of one or more service user behavior events and/or one or more events pertaining to a state of a network servicing a plurality of service users.”);
determining, in response to the security orchestration information, network interfaces relevant to protection of the one or more virtualized network functions (para 0022 “Preferably, the network node or subsystem 102 may be configured to generate one or more controls signals for effectuating suitable dynamic design change actions with respect to (re)configuring the network 108 under a knowledge-based, user-trainable profile analysis and network ; para 0037 “A similarity index may be determined between the dynamic situation profile and a characteristic situation profile (CSP) corresponding to the particular situation, wherein the characteristic situation profile comprises allowable values (e.g., threshold values) with respect to the service user behavior events and the network state events defining the particular situation (block 606). If the similarity index is within an acceptable window, one or more control signals may be generated to effectuate a dynamic design change action for changing configuration of at least a part of the network operating to service user data flows of the service users (block 608). In one variation, the data analytics platform may be trained via adaptive learning to facilitate generating appropriately parameterized data relative to the situations defined for network (block 603). Similarly, an initial CSP set may be provisioned or otherwise configured in order to facilitate profile matching evaluations in the beginning stages of the process (block 605).”)
based at least in part on network topology information (Fig. 2, para 0020 “Regardless of the specific implementation, one skilled in the art will recognize that one or more embodiments of the present patent disclosure may involve a configurable network or a portion thereof, e.g., such as a service network having a plurality of network nodes (i.e., switches or elements interconnected in a topological arrangement) wherein one or more services or service functions having multiple instances (i.e., "service function replicas") may be placed for traversal by a plurality of subscriber data flows (generated by or Also see para 0024)
issuing a security instruction for the protection of the one or more virtualized network functions, according to the determined network interfaces (Fig. 6, para 0037 “If the similarity index is within an acceptable window, one or more control signals may be generated to effectuate a dynamic design change action for changing configuration of at least a part of the network operating to service user data flows of the service users (block 608).” Para 0061 “In broad terms, design change actions may be classified, but not limited, into the following general groups: (i) dynamic VNF topology design (e.g., placement of SF /VNFs or assignment of service nodes in a chain, (re)instantiation of additional VNFs, etc.); (ii) dynamic service chain network/topology design (e.g., (re)arranging the order or sequence of VNFs in a service chain); (iii) dynamic VNF management and orchestration, which also enables dynamic capacity planning and dynamic resource management (e.g., VM capacity management); and (iv) dynamic service chain management and orchestration (e.g., adding or terminating various end-to-end service chains within the network). In addition to the example design change actions set forth elsewhere in the present patent application, the following example actions may also be implemented in additional exemplary embodiments: (i) Tune Service Chaining-e.g., add a new DPI field based on the analytics-driven new dynamic profiles; (ii) Alter Service Chain VNF Members--e.g., add a new Security Service Function in Service Chain to prevent Distributed Denial-of-Service (DDOS) attacks based on information retrieved from analytics driven new dynamic profiles or set up Service Chain with minimal service functions to cater to Emergency traffic.”).

Lapiotis does not disclose:
one or more virtualized network function from a first virtualization orchestration component within a cloud environment at a second virtualization orchestration component within the cloud environment; 
determining network interfaces relevant to protection of the one or more virtualized network functions based at least in part on network topology information accessible to the second virtualization orchestration component; 
and issuing a security instruction for the protection of the one or more virtualized network functions from the second virtualization orchestration component to a third virtualization orchestration component within the cloud environment, wherein the security instruction is issued

Sood discloses:
one or more virtualized network function from a first virtualization orchestration component within a cloud environment at a second virtualization orchestration component within the cloud environment (para 0009 “According to some examples, techniques to deliver security and/or network policies to VNFs are provided. In particular, various examples provide a secure environment to Para 0019 “The cloud infrastructure 100 further includes VNF managers 140-1 to 140-n and an orchestrator intelligent placement broker (IPB) 150. In general, the VNF managers 140-1 to 140-n and the orchestrator IPB 150 can be configured to perform supervisory and management functions for VNFs 124-1 to 124-n. The orchestrator IPB 150 may include a virtual security controller agent (VSCA) 152. The VSCA 152 can comprise computer executable instructions operative to cause the infrastructure 100 to perform the techniques described herein.” Para 0023 “The VNF managers 140-1 to 140-n may include policies 142-1 to 142-n and security group mappings 144-1 to 144-n. In general, the policies 142-1 to 142-n are security and/or network policies to be implemented by one or more of the VNFs 124-1 to 124-n. For example, the policies 142-1 to 142-n can be for any of a variety of network functions.” Para 0033 “The VSCA 152 may be executed by the virtual layer 120 and/or the TEE 119. In particular, the VSCA 152 may provision a VNF and connect the VNF to VMs within a security group corresponding to the VNF. The VSCA may instantiate a VNF and generate a VNF connector to connect the VNF to each of the VMs in the security group.”);
determining network interfaces relevant to protection of the one or more virtualized network functions based at least in part on network topology para 0028 “and may configure the VNF to implement a network function according to the policy. For example, the policy agent may receive the policy 142-1 from the VNF manager 140-1 and may configure the VNF 124-1 to implement the policy 142-1. The policy agent 162 may communicate with the VNF 124-1 to configure the VNF 124-1 through a vSwitch (e.g., the vSwitch 126-1, or the like). In some examples, the vSwitch function may accessed through an embedded management controller, such as IME or IE, or via a host embedded controller interface (HECI), via a virtual network of the cloud-based OS 130, an open virtual switch (oVS), or the like.” Para 0038 “Various components of TEE 119, orchestrator IPB 150, and virtual layer 120 may be communicatively coupled to each other by various types of communications media to coordinate operations. The coordination may involve the uni-directional or bi-directional exchange of information. For instance, the components may communicate information in the form of signals communicated over the communications media. The information can be implemented as signals allocated to various signal lines. In such allocations, each message is a signal. Further embodiments, however, may alternatively employ data messages. Such data messages may be sent across various connections. Example connections include parallel interfaces, serial interfaces, and bus interfaces, virtual interfaces.”); 
and issuing a security instruction for the protection of the one or more virtualized network functions from the second virtualization orchestration component to a third virtualization orchestration component within the cloud para 0024 “The security group mappings 144-1 to 144-n include listings or mappings of VMs 122-1 to 122-n to form security groups for a particular VNF 122-1 to 122-n. For example, the VNF 124-1 may be used to implement an IPS network function and can be configured to implement the IPS function based on the policy 142-1 and to protect ones of the VMs 122-1 to 122-n specified in the security group mapping 144-1.” Para 0036 “Turning more specifically to FIG. 6, the VSCA 152 may be configured to provision a new VNF and corresponding new security group and move a VM from an existing security group to the new security group. For example, the VSCA 152 may receive an indication that the VNF 124-1 prevented an attack originating from the VM 122-6. As such, the VSCA 152 can quarantine the VM 122-6 by provision a new VNF 124-n+1 and security group 144-n+1. The VSCA 152 can move the VM 122-6 to the new security group 144-n+1. In particular, this may be useful to quarantine a particular VM or VMs and provision VNFs to protect the infrastructure 100 from the VM or VMs in quarantine. For example, the VNF 124-n+1 can be configured with a restrictive policy designed for quarantined VMs.”)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify a scheme for providing analytics-driven dynamic network design and configuration with respect to a network of Lapiotis to include the security implementation, as taught by Sood.
The motivation would be to coordinate protection for VNFs in order to properly secure the virtual cloud network.

As per claim 13, Lapiotis in view of Sood discloses:
The method according to claim 1, wherein the one or more virtualized network functions comprise a virtualized network function aggregate formed by a first group of the one or more virtualized network functions which are interdependent in their functionalities (Lapiotis Fig. 3, para 0029-0031).

As per claim 18, the implementation of the method of claim 1 will execute the apparatus of claim 18. The claim is analyzed with respect to claim 1.

As per claim 19, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the determined network interfaces comprise at least one of: network interfaces at which protector virtualized network functions need to be placed (Lapiotis para 0061).

As per claim 20, Lapiotis in view of Sood discloses:
The apparatus according to claim 18 wherein the security orchestration information further comprises at least a security command for at least one of: activating protection of at least a first virtualized network function of the one or more virtualized network functions (Lapiotis para 0061).

As per claim 21, Lapiotis in view of Sood discloses:
The apparatus according to claim 20, wherein the protection of the first virtualized network function is activated by placing one or  para 0027, 0029, 0061, and 0063).

As per claim 22, Lapiotis in view of Sood discloses:
The apparatus according to claim 20, wherein the protection of the second virtualized network function is deactivated by removing protector virtualized network functions from the determined network interfaces for the second virtualized network function (Lapiotis para 0027, 0032, 0036 and 0061).

As per claim 23, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the one or more virtualized network functions comprise at least a group of topologically contiguous virtualized network functions, and wherein the protection of the group of the topologically contiguous virtualized network functions is performed by wrapping the group of the topologically contiguous virtualized network functions with protector virtualized network functions (Lapiotis Fig. 3, para 0029-0032 and 0036).

As per claim 24, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: verify whether a  Figs. 7 and 6, para 0037 and 0062).

As per claim 25, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the security instruction further indicates at least one of: instantiating at least one protector virtualized network function (Lapiotis para 0061 and 0062).

As per claim 26, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the security instruction comprises at least a network routing related operation information (Lapiotis para 0024, 0061 and 0062).

As per claim 27, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: monitor one or more protector virtualized network functions instantiated for the protection of the one or more virtualized network functions (Lapiotis para 0004, 0023, and 0064).

As per claim 28, Lapiotis in view of Sood discloses:
 para 0004, 0023, and 0064).

As per claim 29, Lapiotis in view of Sood discloses:
The apparatus according to claim 28, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: instruct the one or more protector virtualized network functions to take actions, based at least in part on the received reporting information (Lapiotis Fig. 7, para 0062).

As per claim 30, Lapiotis in view of Sood discloses:
The apparatus according to claim 18, wherein the one or more virtualized network functions comprise at least a virtualized network function aggregate formed by a first group of the one or more virtualized network functions which are interdependent in their functionalities (Lapiotis Fig. 3, para 0029-0031).

As per claim 31, Lapiotis in view of Sood discloses:
The apparatus according to claim 30, wherein the at least one memory and the computer program code are further configured to, with the at least  para 0062 and 0063).

As per claim 32, Lapiotis in view of Sood discloses:
The apparatus according to claim 31, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: instantiate the second group of virtualized network functions, in response to the monitored security violation; and replace the virtualized network function aggregate with the second group of instantiated virtualized network functions (Lapiotis Fig. 7, para 0004, 0023, 0062 and 0063).

As per claim 33, Lapiotis in view of Sood discloses:
The apparatus according to claim 32, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: terminate the virtualized network function aggregate, in response to the second group of  Figs. 6 and 7, para 0061 and 0062).

As per claim 34, Lapiotis in view of Sood discloses:
The apparatus according to claim 33, wherein the at least one memory and the computer program code are further configured to, with the at least one processor, cause the apparatus at least further to: analyze the terminated virtualized network function aggregate for creating preventative measures against the monitored security violation (Lapiotis Figs. 6 and 7, para 0061 and 0062).

As per claim 35, the implementation of claim 1 will execute the non-transitory computer program product (para 0006). The claim is analyzed with respect to claim 1.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to GARY S GRACIA whose telephone number is (571)270-5192.  The examiner can normally be reached on Monday-Friday 9am-6pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/GARY S GRACIA/Primary Examiner, Art Unit 2491