DETAILED ACTION


1.	Notice of Pre-AIA  or AIA  Status:  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	Claims 1-20 presented for examination. 
3.	This Office Action is in response to application 16/782769 filed on February 5, 2020.
4.	Claims 7, 8, 10, 12-14, 17 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim (claims 1, 15 and 20) and any intervening claims (claim 17).  Also, Applicant to include necessary features for a smooth transition from feature to feature to prevent gaps/disconnects/relationship issues (i.e. potential 35 U.S.C. 112(b), 2nd paragraph rejection) between features.

Paper Submitted

5.	It is hereby acknowledged that the following papers have been received and placed of record in the file:
a.	Information Disclosure Statement as received on July 31, 2020 and February 5, 2020 were considered.


Claim Interpretations
6.	Claim 1 recites “to inject a [] policy metadata into [] data traffic.”  Instant specification [00089] states “as used herein the term ‘metadata,’ ‘policy metadata,’ or ‘metadata of an endpoint,’ shall be used to refer to any data related to the local operation and local policy enforcement of the endpoint in the network environment with respect to the data traffic both to and from that endpoint,” “such metadata can include current location of the endpoint, the battery level of the endpoint, the radio access of the endpoint, application that is generating traffic at the endpoint, unusual change in data traffic volume, and the security status of the endpoint, etc.,” [0096] states “endpoint 612 is configured to inject the first policy metadata by an external entity regarding which policy metadata to extract and how to encode it into data packets” and “or by the network operator,” and [0098] states “receive the first policy metadata injected into the data packets of the data traffic from the endpoint.”  The specification explanations provide the interpretation (“any data related to”) applied to all the claims.


7	Claim 7 recites “policy-agnostic metadata.”  Instant specification [0089] states “metadata can be either policy-specific metadata or policy-agnostic metadata” and “policy-agnostic metadata can include metadata that is generated without respect to a specific policy.  For example, the policy-agnostic metadata can include constanly tagging the traffic with the location of the endpoint.”  To further explain the recited “policy-agnostic metadata,” a brief search reveals prior arts Shelton (US Pub 20180046753), Szabo et al. (US Pub 20100058433), and Yang et al. (“End-to-End Policy-Agnostic Security for Database-Backed Application”, 2015) to further provide explanation to the recited “policy-agnostic.”

Prior art Shelton (US Pub 20180046753) [0061] states “process of associating the appropriate metadata and privacy directives associated therewith and indexing said information” and “privacy policy-agnostic (meaning that it takes no position on whether data that its systems and services help to regulate should be shared widely or maintained as being strictly confidential) so that consumers and data holders have less reason to doubt.”

Prior art Szabo et al. (US Pub 20100058433) [0004] states “sources, which contain knowledge about files and metadata, can pass events to policies when changes in data are detected.  The policies may then manage the data synchronization with other sources.  The sources are agnostic as to how the data is synchronized between sources.  Also, the policies are agnostic of the data that is being managed by sources.”

Prior art Yang et al. (“End-to-End Policy-Agnostic Security for Database-Backed Application”, 2015) (section 1. Introduction) states “we propose a policy-agnostic programming paradigm that allows the programmer to specify information flow policies separately from the rest of the applications.”

The instant specification and the prior arts provide the interpretation of “policy-agnostic metadata” applied to all the claims.

Claim Rejections - 35 USC § 103
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	Claims 1-6, 9, 11, 15, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Yanovsky et al., US Pub 20160323323, hereinafter Yanovksy, and in view of Li et al., US 10367744, hereinafter Li.

10.	Regarding claims 1, 15 and 20, Yanovsky teach a method comprising:
receiving, by a network device local to one or more endpoints in a network environment from a centralized network controller, one or more network-wide endpoint policies (“a network with a distributive policy enforcement and centralized policy programming”, “a global policy coordinator server” [0023] [0025], “a choke is a point along the path to the external access point of a network or sub-network (e.g., a firewall, a VPN client, a VPN server, an SSL concentrator, modem, bridge, router, switch, etc.)” [0024], “the chock points [] respectively have policy definition enforcement agents (PDEAS)”, ”host devices [] respectively have policy configuration implementation agents (PCIAs)” [0025], “transmits appropriate ones of the generated policy configurations to the appropriate PCIAs” [0028], “also transmits policy configuration identifiers that identify the transmitted policy configurations” [0030], “PDEAs [] enforce the policy definitions for their respective LANs by restricting external access of their LANs host devices that do not comply with their policy definition” [0031], item 11B host device and time 112B PCIA in fig 1);
Yanovsky do not teach inject a first policy metadata into first data traffic feature, but in a similar field of endeavor Li teach:
receiving (“receive traffic routing policy”, “insert hooks into”), by a network device local (“server 206”, “cloud security service [] server 206”) to one or more endpoints (“browsers”, “computing device 202”), one or more network-wide endpoint policies (“one or more modules 102”, “receive traffic routing policy 12 from server 206” col 5 lines 12-21, “insert hooks into browsers and/or operating systems of computing devices” col 7 lines 15-24, “traffic routing policy 122 may change over time”, “an update to a prior traffic routing policy” col 7 lines 49-55, “a cloud security service running on the server 206 may examine a FQDN and a resolved address to decide a destination”, “may examine metadata to determine if of a policy exists”, “computing device 202 [] receives an updated version of traffic routing policy”  col 7 lines 56-67);
configuring a first endpoint (“browsers”, “computing devices”) of the one or more endpoints to inject a first policy metadata (“changing [] address [] of a packet”) into first data traffic (“bypass traffic”) (“receiving [] a traffic routing policy”, “hook inserted [] metadata describing a traffic type” col 1 lines 31-35, “the metadata may identify [] a uniform resource locator, an internet protocol address, a fully-qualified domain name, a destination server name, [] a traffic category, [] an approved traffic category” col 1 lines 50-56, “sending the bypass traffic”, “modifying a routing table, inserting routing entries”, “changing a media access control address of a destination of a packet of the bypass traffic” col 1 lines 57-63, “network traffic routing to reduce service congestion at a server” col 3 lines 20-22, “insert hooks into browsers and/or operating systems of computing devices” col 7 lines 15-24, “directing bypass traffic away from cloud servers” col 3 lines 31-34, “traffic routing policy 122 may include instructions to route transaction 124 in a certain manner, based on metadata” col 7 lines 33-48, “compare metadata 128 with traffic routing policy 122 to determine transaction 124 is bypass traffic” col 8 lines 34-37);
receiving, by the network device from the first endpoint, the first policy metadata injected into the first data traffic (“receive, by the computing device, [] a traffic routing policy” col 1 lines 31-33, “cause computing device [] receive traffic routing policy” col 5 lines 12-20, “metadata identifies destination server names” col 8 lines 21-25);
determining, by the network device, one or more first endpoint-specific policies for the first endpoint by evaluating (“reset requirement”) the first policy metadata (“specific metadata”) with respect to the one or more network wide endpoint policies (“enforcing the prior traffic routing policy”, “a reset requirement in response to specific metadata” col 1 lines 39-45); and
applying (“a reset requirement”), by the network device, the one or more first endpoint-specific policies to control data traffic associated with the first endpoint (“a reset requirement in response to specific metadata” col 1 lines 39-45, “performing at least one security action in response to identifying the metadata” col 2 lines 9-10, col 7 lines 42-48).

Thus, it would have been obvious before the effective filing date of the claimed invention to a person of ordinary skill in the art to readily recognize the advantage of modifying Yanovsky’s system that provides the user a “centralized policy programming and distributive policy enforcement” (Yanovsky [0008]) with the features of Li’s system to provide “network traffic routing to reduce service congestion at a server” (Li col 1 lines 29-30). 

The motivation being a “centralized policy programming improves reliability of policy enforcement since the most current policy configurations are at a central location” (Yanovsky [0034]) which includes “changing a media access control address of a destination of a packet of the bypass traffic” (Li col 1 lines 59-63) and “may improve the functioning of computing devices by automatically reducing network traffic routed to cloud-based security services” (Li col 3 lines 42-46).

11.	Regarding claim 2, Yanovsky do not teach applying endpoint-specific policies received feature, but in a similar field of endeavor Li teach wherein the data traffic associated with the first endpoint includes the first data traffic received at the network device from the first endpoint, the method further comprising applying, by the network device, the one or more first endpoint-specific policies to the first data traffic received from the first endpoint (“a reset requirement in response to specific metadata” col 1 lines 39-45, “performing at least one security action in response to identifying the metadata” col 2 lines 9-10).

12.	Regarding claim 3, Yanovsky do not teach data traffic transmitted to the endpoint feature, but in a similar field of endeavor Li teach wherein the data traffic associated with the first endpoint includes data traffic transmitted to the first endpoint (“network traffic routing to reduce service congestion at a server” col 3 lines 20-25, “a computing device 202 in communication with server 206 via a network 204” col 5 lines 1-10, “may send and/or receive bypass traffic from computing devices to destinations” col 8 lines 38-40).

13.	Regarding claims 4 and 16, Yanovsky do not teach on-path in a traffic flow to or from the endpoint feature, but in a similar field of endeavor Li teach wherein the network device is on-path (“route path”, “cloud path”, “ ‘direct-to-net’ paths”) in one or more traffic flows to or from the first endpoint and the network device receives the first policy metadata with the first data traffic through at least one of the one or more traffic flows (“modify route path and/or interface information” col 8 lines 41-42, “allowed genres are identified and should bypass the cloud path” col 9 lines 26-27, “may direct traffic [] through ‘direct-to-net’ paths which bypass cloud servers” col 9 lines 57-60). 

14.	Regarding claim 5, Yanovsky do not teach endpoint-specific policies are derived from network-wide endpoint polices base on policy metadata feature, but in a similar field of endeavor Li teach wherein the one or more first endpoint-specific policies are derived (“mapped”) from the one or more network-wide endpoint policies based on the first policy metadata (“an initial traffic routing policy” col 7 lines 49-52, “in examples, metadata identifies destination server names, [] destination applications” col 8 lines 21-25, “mapping a URL to a route and/or mapping an IP address for an outbound connection”, “to a destination other than” col 8 line 63 –to- col 9 line 5).


15.	Regarding claim 6, Yanovsky do not teach data describing local operation of endpoint with respect to data traffic feature, but in a similar field of endeavor Li teach wherein the first policy metadata includes data describing local operation (“VxLAN”) of the first endpoint in the network environment with respect to the first data traffic (“metadata identifies destination server names, [] destination applications” col 8 lines 21-25, “comparing metadata to ‘white lists’ to designate transactions as bypass traffic” col 8 lines 30-37, “sending the bypass traffic from computing device 202 to a destination other than server 206 may include modifying a routing table, [] and/or changing a media access control (MAC) address of a destination of a packet of bypass traffic”, “may include [] a virtual extensible local area network (VxLAN)”  col 8 lines 49-62 ).

16.	Regarding claim 9, Yanovsky do not teach past policy metadata injected into past data traffic feature, but in a similar field of endeavor Li teach:
identifying, by the network device, past policy metadata injected into past data traffic (“exists”, “prior traffic routing”, “prior version”) and received from the first endpoint (“network traffic routing” col 1 lines 26-28, “traffic routing policy 122”, “prior traffic routing policy”, “may examiner metadata to determine of a policy exists – a lack of applicable policy” and “enforcing a prior version of traffic routing policy” col 7 lines 56-67); and
determining, by the network device, the one or more first endpoint-specific policies for the first endpoint by evaluating the first policy metadata and the past policy metadata (“exists”, “prior traffic routing”, “prior version”) with respect to the one or more network-wide endpoint policies (“network traffic routing” col 1 lines 26-28, “traffic routing policy 122”, “prior traffic routing policy”, “may examiner metadata to determine of a policy exists – a lack of applicable policy” and “enforcing a prior version of traffic routing policy” col 7 lines 56-67).

17.	Regarding claims 11 and 18, Yanovsky do not teach network-wide endpoint policies provided are selected based on the first endpoint feature, but in a similar field of endeavor Li teach  wherein the one or more network-wide endpoint policies are selected (“to decide”) and provided from a centralized network controller to the network device based on the first endpoint (“initial version [] to computing device 202”) (“initial version of traffic routing policy 122 may be based on DNS requests passing thru server 206 prior to sending the initial version of traffic routing policy 122 to computing device 202”, “examiner [] a resolved address to decide a destination” col 7 lines 49-58).



Conclusion
11.	The prior art made of record and not relied upon, but are considered pertinent to applicant's disclosure comprise:
	Aysolia et al., US Pub 20150341285 [0075] [0085-to-[0092]; 
	Buddhikot et al., US Pub 20160219588 [0033]; and 
Yang et al., “End-to-End Policy-Agnostic Security for Database-Backed Applications”, 2015, Abstract and section 1.1.
Applicant is reminded that in amending in response to a rejection of claims, the patentable novelty must be clearly shown in view of the state of the art disclosed by the references cited and the objection made.  Applicant must show how the amendments avoid such references and objections.  See 37 CFR 1.111(c).

13.	 Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992 (via email:  Ondrej.Vostal@uspto.gov  “without a written authorization by applicant in place, the USPTO will not respond via internet e-mail to an Internet correspondence” MPEP 502.02 II and https://www.uspto.gov/sites/default/files/documents/sb0439.pdf ).  The examiner can normally be reached on 8:30am to 5:00pm EST Monday thru Friday.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-270-4992.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the Public PAIR system, see http://portal.uspto.gov/pair/PublicPair.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452                                                                                                                                                                                             
	April 9, 2021