DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Response to Amendment
This office action is in response to the amendment filed on 12/22/2020.
Claims 1-20 are pending for examination. Applicant amends claims 1-3, 8-11, and 14. The amendments have been fully considered and entered.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.
Applicant’s arguments, see Remarks, filed 12/22/2020, with respect to the rejection of claims 1 and 14 under 35 U.S.C. § 103 have been fully considered but are not persuasive. The following is applicant arguments recited in the Remarks followed by Examiner's response:
a.	Applicant argues that Marino does not teach authenticating “a segregated memory space operating on the client device” because Marino does not use or 
Examiner respectfully disagrees. According to claim 1, the claim requires that the segregated memory space 1) operates on the client device and 2) includes a first application or process operating in the authenticated segregated memory space. With this understanding, examiner submits that Marino’s “application container” reads on the claimed “segregated memory space” because Marino’s “application container” 1) operates on the host computing system, i.e., the client device (see Fig. 2 element 218 and 206) and 2) isolates an application operating within the application container (see col. 7 lines 50-55). Furthermore, the application container is authenticated by confirming an identity of the application container (see col. 8 lines 30-33), which reads on “authenticating a segregated memory space”. Therefore, Marino reasonably teaches “authenticating a segregated memory space operating on the client device” as claimed in claim 1 and similarly in claim 14.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pai et al. (US 20170353496 A1; hereinafter “Pai”) in view of Petry et al. (US 20170180413 A1; hereinafter “Petry”) and further in view of Marino et al. (US 9729579 B1; hereinafter “Marino”).
As per claim 1, Pai discloses: a service provider network comprising one or more network devices, wherein the service provider network is configured to:
determine network isolation configuration information for a client device on a local area network (LAN), the client device associated with a client account, wherein the network isolation configuration information comprises an identification of a trusted network destination for the client device (Pai, [0015], policy is identified (i.e., network isolation configuration information is determined) for a user of a host device (i.e., client device), wherein the policy comprises known trusted network resources, [0073], wherein the host device is associated with a user account, [0022], wherein host device is on a LAN); 
send the network isolation configuration information to the client device (Pai, [0024], policy is provided/pushed to the host operating system 102); 
receive, from a first application or process operating in the segregated memory space of the client device, a first request to communicate with a first untrusted network destination (Pai, [0123], detect an application is attempting to access a network resource, [0121] and Fig. 6, because the set of acts in Fig. 6 are not limited to the specific order shown in Fig. 6, launching the application in the container (step 610) may come before detecting the application is attempting to access an untrusted network 
allow, based on the network isolation configuration information, the first application or process operating in the segregated memory space to communicate with the first untrusted network destination (Pai, [0124], [0121], and [0127], the application is allowed to communicate with the untrusted network resource after detecting an attempt to access an untrusted network resource which is based on looking up the network resource against one or more policies (i.e., based on the network isolation configuration information)).  
While Pai discloses network isolation configuration information comprising identification of trusted network destinations, Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information comprising an untrusted network destination for the client device (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
The modified Pai does not explicitly disclose, however, Marino teaches or suggests: authenticating a segregated memory space operating on the client device 
allowing communications with the untrusted network destination based on the authentication of the segregated memory space (Marino, col. 9 lines 1-5, 10-20, and 44-58, a command to perform a deployment action (i.e., communicate with an untrusted network destination), is allowed or prohibited based on a security policy applied to the authenticated application container).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include authenticating the segregated memory space operating on the client device and allowing communications with the untrusted network destination based on the authentication of the segregated memory space as taught or suggested by Marino for the benefit of increasing security on computing systems that launch application containers by ensuring that application containers are authenticated before deployment (Marino, col. 1 lines 42-49).

As per claim 2, claim 1 is incorporated and the modified Pai discloses: wherein the untrusted network destination is a first untrusted network destination and the service provider network is further configured to: 
receive, from a second application or process operating on a workspace of the client device, a second request to communicate with a second untrusted network destination, wherein the workspace is isolated from the authenticated segregated memory space (Pai, [0031], network filter 116 ensures that the host operating system 
prevent the second application or process operating on the workspace of the client device from communicating with the second untrusted network destination based on the second request being from outside the authenticated segregated memory space (Pai, [0031] and [0028], network filter 116 ensures that the host operating system 102 is prevented from accessing any untrusted network resources, that is, when a request to communicate with an untrusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 prevents/blocks the communication from occurring because the request is not coming from the container).  
The modified Pai does not disclose, however, Petry teaches or suggests: a blacklist of untrusted network destinations and a whitelist of trusted network destinations where the system can use to verify trusted and untrusted network destinations that the client device is trying to communicate with (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of 

As per claim 3, claim 1 is incorporated and the modified Pai discloses: a firewall configured to block one or more of ports, protocols, or traffic between unauthenticated devices on the LAN and the untrusted network destination (Pai, [0068], network filter is built into a firewall that blocks network traffic from untrusted network destinations).  

As per claim 4, claim 1 is incorporated and the modified Pai discloses: wherein the LAN comprises a plurality of client devices associated with the client account, and a client portal associated with the client account (Pai, [0025], target set of computing devices associated with a user account, Fig. 7, plurality of client devices (716, 718, 720), [0028], application programming interfaces (i.e., client portal) associated with the user account); and
Docket No.: LCOMENTHOMEUSO 1provide, via the client portal, a client portal interface accessible by at least one of the plurality of client devices associated with the client account (Pai, [0028], application programming interfaces (i.e., client portal) associated with the user account).
The modified Pai does not disclose, however, Petry teaches or suggests: the service provider network further configured to: implement a client portal associated with the client account (Petry, [0064], client interface to instantiate one or more secure web containers).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai 

As per claim 5, claim 4 is incorporated and the modified Pai does not disclose, however, Petry teaches or suggests: wherein the client portal interface is configured to enable modification of the network isolation configuration information by the at least one of the plurality of client devices associated with the client account (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation configuration information as taught or suggested by Petry for the benefit of increased web browsing security using dynamic security policy implementation (Petry, [0003]).

As per claim 6, claim 4 is incorporated and the modified Pai discloses: push, via the client portal to the plurality of client devices, one or more of a patch, an update, or a security control (Pai, [0025], policy updates are pushed/sent to target set of computing devices).  

As per claim 7, claim 1 is incorporated and the modified Pai discloses: implementing, on the client device, a local firewall configured to prevent 

As per claims 8 and 19, claim 1 and claim 14 are incorporated, respectively, and the modified Pai does not explicitly disclose, however, Marino teaches or suggests: wherein the service provider network is further configured to receive client credentials from the segregated memory space of the client device, and wherein the service provider network is configured to authenticate the segregated memory space operating on the client device using the client credentials (Marino, col. 8 lines 30-33, authenticating/verifying an application container (i.e., segregated memory space) by confirming a received identity (i.e., client credentials) of the application container).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include authenticating the segregated memory space operating on the client device and allowing communications with the untrusted network destination based on the authentication of the segregated memory space as taught or suggested by Marino for the benefit of increasing security on computing systems that launch application containers by ensuring that application containers are authenticated before deployment (Marino, col. 1 lines 42-49).

As per claim 9, claim 1 is incorporated and while the modified Pai discloses network isolation configuration information comprising identification of trusted network destinations (i.e., a whitelist), Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information further comprises one or more of a whitelist that comprises a trusted network destinations and a blacklist that comprises the untrusted network destination (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
The modified Pai does not disclose, however, Marino teaches or suggests: wherein the client device is a first client device, wherein the segregated memory space is a first segregated memory space, and wherein the service provider network is further configured to authenticate a second segregated memory space operating on a second client device on the LAN (Marino, col. 8 lines 30-33, authenticating/verifying an application container (i.e., segregated memory space) by confirming a received identity (i.e., client credentials) of the application container, Fig. 4, wherein the authentication can be done for a second application container 218(4) (i.e., second segregated memory space) on a second host computing systems 206(2) (i.e., second client device)).


As per claim 10, claim 1 is incorporated and the modified Pai discloses: wherein the network isolation configuration information further comprises an identification of a trusted network destination, and the service provider network is further configured to: receive, from a second application or process operating on a workspace of the client device, a second request to communicate with a network destination, wherein the workspace is isolated from the authenticated segregated memory space (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a network destination occurs from one or more applications of the host operating system (i.e., workspace), the network filter 116 allows the communication to occur between the host operating system and a trusted destination or prevents the communication from occurring because the request is not coming from the container, Abstract, wherein the host operating system 102 is isolated from the container); 
the trusted network destination (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication to occur between the host operating system and a trusted destination); and 
allowing the second application or process operating on the workspace of the client device to communicate with the trusted network destination (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication between the host operating system and a trusted destination).

As per claim 11, claim 1 is incorporated and the modified Pai discloses: the service provider network further configured to: manage, using a server, the network isolation configuration information (Pai, [0024], management and monitoring service 104 is configured to manage and provide the policy); and 
proxy communications, using a proxy device, between the authenticated segregated memory space and the first untrusted network destination (Pai, [0022], host operating system 102 communicates with network resources via web proxy 106).  

As per claim 12, claim 1 is incorporated and the modified Pai does not disclose, however, Petry teaches or suggests: wherein the segregated memory space comprises a sandboxed computing environment enforced by a sandbox container process that enables an internal isolation firewall (Petry, [0065], web container comprises a sandbox environment, [0153], firewall is enabled).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a sandbox environment as taught or suggested by Petry for the benefit of increased web browsing security (Petry, [0003]).

As per claim 13, claim 1 is incorporated and the modified Pai discloses: receive, from the client device, a request for the network isolation configuration information (Pai, [0024], policy is obtained/pulled/requested from the management and monitoring service 104).
  
As per claim 14, Pai discloses: a host computer system comprising:
a memory (Pai, Fig. 7, memory/storage 712); and 
a processor (Pai, Fig. 7, processing system 704) configured to: 
connect to a local area network (LAN) (Pai, [0022] and Fig. 1, host operating system 102 is connected to LAN 108); 
communicate with a network destination via an Internet service provider (ISP) (Pai, [0022], host operating system 102 communicates with network resources via web 
receive, from the ISP, network isolation configuration information comprising an identification of a trusted network destination for the host computer system (Pai, [0024], management and monitoring service 104 is configured to provide policy (i.e., network isolation configuration information) to the host operating system 102, [0015], wherein the policy comprises known trusted network resources); 
implement a segregated memory space that is configured to enable operation of a set of one or more applications or processes (Pai, [0101] and [0116], activate a container that enables operation of an application); 
communicate, using the set of one or more applications or processes operating on the segregated memory space with the untrusted network destinations via the ISP (Pai, [0124], [0121], and [0127], the virtual version of the application in the isolated container is allowed to communicate with the untrusted network resource); and 
implement a local firewall that is configured to prevent communications between the host computer system and other computer systems connected to the LAN (Pai, [0068], network filter 116 of the host operating system 102 is built into a firewall (i.e., local firewall) that intercepts, inspects, forward, modify, and block network traffic of the LAN).  
While Pai discloses network isolation configuration information comprising identification of trusted network destinations, Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information comprising an untrusted network destination for the client device (Petry, [0108], blacklist and whitelist 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
The modified Pai does not explicitly disclose, however, Marino teaches or suggests: authenticating the segregated memory space with the ISP (Marino, col. 8 lines 30-33, authentication module 104 of the policy-enforcement proxy authenticates/verifies an application container (i.e., segregated memory space) by confirming an identity of the application container).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include authenticating the segregated memory space operating on the client device and allowing communications with the untrusted network destination based on the authentication of the segregated memory space as taught or suggested by Marino for the benefit of increasing security on computing systems that launch application containers by ensuring that application containers are authenticated before deployment (Marino, col. 1 lines 42-49).

As per claim 15, claim 14 is incorporated and the modified Pai discloses: wherein the processor is configured to operate a workspace that is enabled by and executed using a memory space that is isolated from the segregated memory space (Abstract, wherein the host operating system 102 is isolated from the container). 
The modified Pai does not disclose, however, Petry teaches or suggests: wherein the segregated memory space comprises a sandboxed computing environment that is enforced by a sandbox container process that enables an internal isolation firewall (Petry, [0065], web container comprises a sandbox environment, [0153], firewall is enabled).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a sandbox environment as taught or suggested by Petry for the benefit of increased web browsing security (Petry, [0003]).

As per claim 16, claim 15 is incorporated and the modified Pai discloses: wherein the processor is further configured to: send, from an application or process operating on the workspace to the ISP, a request to communicate with a network destination (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication from occurring because the request is not coming from the container); and 


As per claim 17, claim 14 is incorporated and the modified Pai discloses: wherein the host computer system is associated with a client account (Pai, [0073], user account).
The modified Pai does not disclose, however, Petry teaches or suggests: communicating with a client portal via a client portal interface associated with the client account (Petry, [0064], client interface to instantiate one or more secure web containers); and 
modifying, via the client portal interface, the network isolation configuration information (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation configuration information as taught or suggested by Petry for the benefit of increased web browsing security using dynamic security policy implementation (Petry, [0003]).

As per claim 18, claim 17 is incorporated and the modified Pai discloses: receive[, via the client portal,] one or more of patches, updates, or security controls associated with the client account (Pai, [0025]-[0026], policy update (i.e., modifying) via the application programming interface).  
The modified Pai does not disclose, however, Petry teaches or suggest: receiving updates or security controls via the client portal (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation configuration information as taught or suggested by Petry for the benefit of increased web browsing security using dynamic security policy implementation (Petry, [0003]).

As per claim 20, claim 14 is incorporated and the modified Pai discloses: send, to the ISP, a request for the network isolation configuration information (Pai, [0024], policy is obtained/pulled/requested from the management and monitoring service 104).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.	

Li et al. (US 20140282890 A1) discloses a high trust container that stores content associated with whitelist sites, a low trust container that stores content from sites that are considered potentially untrustworthy, and a trash container that stores content from blacklist sites ([0012]).

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437   

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437