DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 1/28/2021.
Claims 21-100 have been canceled.
Claims 1 and 5 have been amended.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 1/6/2021 and 3/4/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.




Terminal Disclaimer
The terminal disclaimer filed on 1/26/2021 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
The double patent rejection of claims 1-20 has been withdrawn as the terminal disclaimer filed on 1/26/2021 has been accepted and recorded.
Applicant's arguments with respect to 112 6th paragraph have been fully considered but they are not persuasive. 
Use of the word “means” (or “step for”) in a claim with functional language creates a rebuttable presumption that the claim element is to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph). The presumption that 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph) is invoked is rebutted when the function is recited with sufficient structure, material, or acts within the claim itself to entirely perform the recited function.
Absence of the word “means” (or “step for”) in a claim creates a rebuttable presumption that the claim element is not to be treated in accordance with 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph). The presumption that 35 U.S.C. 112(f) (pre-AIA 35 U.S.C. 112, sixth paragraph) is not invoked is rebutted when the claim element recites function but fails to recite sufficiently definite structure, material or acts to perform that function.
Claim elements in this application that use the word “means” (or “step for”) are presumed to invoke 35 U.S.C. 112(f) except as otherwise indicated in an Office action.  
The limitations of claims 1, 2, 5 and 13-14 that recite “each of the endpoints configured to self-isolate …and to shun one of the other endpoints in the subnet; network address translation device configured to manage communications between the subnet; threat management facility configured to monitor the plurality of endpoints and to create the notification; each of the endpoints configured by a local security agent to self-isolate in response to a local detection of compromise, and to shun one of the other endpoints; the network device configured to manage communications between the subnet and the internetwork, and the network device configured to forward the notification; threat management facility configured to coordinate a remediation of the one or more; and the threat management facility configured to monitor the plurality of endpoints and create the notification of compromise” are being treated in accordance with 112(f) because the associated function is modified by a word (unit) that serves as a generic placeholder (i.e., the claim uses a term that is a substitute for “means”).
In conclusion, since the claim recites a generic placeholder coupled with functional language but fails to recite sufficiently definite structure, material or acts to perform that function, the claim limitations are being interpreted as invoking 112 6th.
Applicant’s arguments (i.e., “network address translation device configured to forward the notification of compromise from the gateway to a local security agent of one of the one or more of the plurality of endpoints in the subnet identifying one or more other ones of the plurality of endpoints in the subnet for which a compromise is detected”) with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-11, 13-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gukal et al. (US 2017/0353491, hereinafter Gukal) in view of Johnsen et al. (US 2017/0324616, hereinafter Johnsen), and further in view of Nataraj et al. (US 20190034254) (hereinafter Nataraj).
Regarding claim 1, Gukal discloses a system comprising: an enterprise network including a gateway to an external network, the enterprise network separated by routers into a number of logical subnets (Gukal: see figure 2; and paragraphs 0068, 0121, 0132 and 0135, “The customer network's site networks may be located in one geographic location, may be behind a common firewall, and/or may be multiple subnets within one network”… “the network 600 may include a sub-network that uses the electrical wiring in the house as a communication channel”… “a router or switch may be integrated into the gateway device”); a plurality of endpoints interconnected in a subnet of the enterprise network, each of the endpoints configured by a local security agent to self-isolate in response to a local detection of compromise, and to shun one of the other endpoints in the subnet in response to a notification of compromise of the one of the other endpoints (Gukal: paragraphs 0136, 0142, 0144 and 147-0148, “the security device 660, instead of being implemented as a standalone device, may be integrated into one or more of the appliances, home electronics, or computing devices (in this example network 600), or in some other device not illustrated here.” … “The security device 660 may also dynamically adjust the security mechanisms it has deployed in response to suspicious activity it has detected on the network”…“when an intrusion appears to have originated outside the network 600, the security device 660 may block the network's 600 access to the Internet 650, thus possibly cutting off the intrusion. 
As another example, when the intrusion appears to have originated from within the network 600, the security device 660 may isolate any apparently compromised devices, for example by disconnecting them from the network”; {The endpoints recited in the claims are broadly interpreted as one or more of the appliances, home electronics, or computing devices (in this example network 600), or in some other device not illustrated here}); and a network address translation device coupled in a communicating relationship with the subnet and the gateway, the network address translation device configured to manage communications between the subnet and the enterprise network (Gukal: see figure 6, items 648 and 660; and paragraphs 0136 and 0147-0149, “when an intrusion appears to have originated outside the network 600, the security device 660 may block the network's 600 access to the Internet 650, thus possibly cutting off the intrusion. As another example, when the intrusion appears to have originated from within the network 600, the security device 660 may isolate any apparently compromised devices, for example by disconnecting them from the network 600. When only its own security mechanisms are compromised, the security device 660 may isolate itself from the rest of the network”).
Gukal discloses the enterprise network, routers and subnets.  Gukal does not explicitly disclose each subnet having a different routing prefix.  However, Johnsen discloses each subnet having a different routing prefix (Johnsen: paragraphs 0135 and 0145, “The embodiment supports both fabric local/internal subnet numbers as well 
Gukal and Johnsen are analogous art because they are from the same field of endeavor, data processing.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Gukal and Johnsen before him or her, to modify the system of Gukal to include a different subnet prefix value for each subnet of Johnsen for routing communications from one subnet to another subnet.  The suggestion/motivation for doing so would have been to maintain load-balancing and QOS constraints for different flows and workloads throughout the multi-subnet fabric (Johnsen: paragraph 0008).
Gukal and Johnsen do not explicitly disclose the following limitation, which is disclosed by Nataraj: the network address translation device configured to forward the notification of compromise from the gateway to the local security agent of one of the one or more of the plurality of endpoints in the subnet identifying one or more other ones of the plurality of endpoints in the subnet for which a compromise is detected (Nataraj: paragraphs 0076 and 0111, “Controller 490 may be implemented as a remote server that communicates with agents located on one or more servers or machines”… “data from an IPS (external or internal) may be correlated with the application monitoring agents described above to monitor the impact of security vulnerabilities on business transactions. For instance, in one embodiment, the Application Intelligence Platform coordinates with or otherwise incorporates an external IPS (for example, the "Snort" application available from Cisco Systems, Inc.), which 
Regarding claim 5, claim 5 discloses a system claim that is substantially equivalent to the system of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 5 and rejected for the same reasons.
Regarding claim 2, Gukal as modified by Johnsen and Nataraj discloses the system of claim 1.  Gukal further discloses a threat management facility coupled in a communicating relationship with the gateway, the threat management facility configured to monitor the plurality of endpoints and to create the notification of compromise when a compromised endpoint is detected
Regarding claim 3, Gukal as modified by Johnsen and Nataraj discloses the system of claim 2.  Gukal further discloses wherein the threat management facility is a remote threat management facility accessible to the gateway through the external network (Gukal: paragraphs 0048, 0054 and 0119 and 0120, “the deception center 108 and the sensors 110 interact with a security services provider 106 located outside of the site network 104. The deception center 108 may also obtain or exchange data with sources located on the Internet”).
Regarding claim 4, Gukal as modified by Johnsen and Nataraj discloses the system of claim 4.  Gukal further discloses wherein the threat management facility is a local threat management facility executing within the enterprise network (Gukal: see figure 2A; and paragraphs 0070-0071, “where a deception center 208 is located within the customer network 202. In this example, being located within the customer network 202 means that the deception center 208 is connected to the customer network 202, and is able to function as a node in the customer network”).
Regarding claim 6, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device receives the notification of compromise from a firewall for the enterprise network (Nataraj: paragraphs 0076 and 0111, “data from an IPS (external or internal) may be correlated with the application monitoring agents described above to monitor the impact of security vulnerabilities on business transactions. For instance, in one embodiment, the Application Intelligence Platform coordinates with or otherwise incorporates an external IPS (for example, the "Snort" application available from Cisco Systems, Inc.), which 
Regarding claim 7, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device receives the notification of compromise from one of the plurality of endpoints (Gukal: paragraphs 0127 and 0145, “Once the security device 660 has detected an access to a security mechanism, the security device 660 may next attempt to confirm that an intrusion into the network 600 has taken place. An intrusion can be confirmed, for example, by monitoring activity at the security mechanism”, the security mechanism deployed at one of the devices inherently sends notification regarding a detected event to the security device).
Regarding claim 8, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device includes a switch (Gukal: paragraph 0134, “the security device 660 is a standalone device that can be added to the network 600 by connecting it to a router or switch”).
Regarding claim 9, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device includes a router (Gukal: paragraph 0134, “the security device 660 is a standalone device that can be added to the network 600 by connecting it to a router or switch”).
Regarding claim 10, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device includes a firewall (Gukal: paragraphs 0134-0135, “the security device 660 may be configured to connect between the gateway device 648 and the network's 600 primary router, and/or 
Regarding claim 11, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the network device includes a wireless access point (Gukal: paragraphs 0099 and 0102, “The wireless access point 428 provides wireless access to the enterprise network 400 for wireless-enabled network or client devices. Examples of wireless-enabled network and client devices include laptops 430, tablet computers 432, and smart phones 434, among others. In some implementations, the wireless access point 428 may also provide switching and/or routing functionality”).
Regarding claim 13, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses a threat management facility configured to coordinate a remediation of the one or more other ones of the plurality of endpoints for which a compromise is detected
Regarding claim 14, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses a threat management facility coupled in a communicating relationship with the network device, the threat management facility configured to monitor the plurality of endpoints and create the notification of compromise when a compromised endpoint is detected (Gukal: paragraph 0147, “When only its own security mechanisms are compromised, the security device 660 may isolate itself from the rest of the network 600. As another example, when the security device 660 is able to determine that the intrusion very likely included physical intrusion into the house, the security device 660 may alert the authorities”)
Regarding claim 15, Gukal as modified by Johnsen and Nataraj discloses the system of claim 14.  Gukal further discloses wherein the threat management facility is a remote threat management facility accessible to the network device through an external network (Gukal: paragraphs 0048, 0054 and 0119 and 0120, “the deception center 108 and the sensors 110 interact with a security services provider 106 located outside of the site network 104. The deception center 108 may also obtain or exchange data with sources located on the Internet”).
Regarding claim 16, Gukal as modified by Johnsen and Nataraj discloses the system of claim 14.  Gukal further discloses wherein the threat management facility is a local threat management facility executing within the enterprise network 
Regarding claim 18, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5. Johnsen further discloses wherein the subnet is a logical subnet having a different routing prefix than a remaining portion of the enterprise network (Johnsen: paragraphs 0135 and 0145, “The embodiment supports both fabric local/internal subnet numbers as well as "global" subnet numbers so that inter-subnet traffic within a single fabric configuration can use a different subnet prefix value than traffic between different fabrics”). The same motivation to modify Gukal in view of Johnsen, as applied in claim 1 above, applies here.
Regarding claim 19, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5. Johnsen further discloses wherein the subnet is a physical subnet having a different routing prefix than a remaining portion of the enterprise network (Johnsen: paragraphs 0135 and 0145, “The embodiment supports both fabric local/internal subnet numbers as well as "global" subnet numbers so that inter-subnet traffic within a single fabric configuration can use a different subnet prefix value than traffic between different fabrics”). The same motivation to modify Gukal in view of Johnsen, as applied in claim 1 above, applies here.
Regarding claim 20, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  Gukal further discloses wherein the endpoints include at least one of a desktop computer, a laptop computer, a mobile phone, and a tablet (Gukal: paragraph 0053, “The site network 104 may also include computing systems, such as servers, desktop computers, laptop computers, tablet computers, personal digital assistants, and smart phones, among others. The site network 104 may also .

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Gukal in view of Johnsen in view of Nataraj, and further in view of Teng et al. (US 20160308762, hereinafter Teng).
Regarding claim 12, Gukal as modified by Johnsen and Nataraj discloses the system of claim 5.  The combination does not explicitly disclose wherein the network device includes a network address translation device.
However, Teng discloses wherein the network device includes a network address translation device (Teng: paragraphs 0080 and 0081, “A cloud exchange point 303 NAT device(s) that applies NAT service 718 performs NAT (or NAPT), which may also or alternatively include carrier-grade NAT ("CG-NAT" or "CGN"), to translate the cloud exchange point 303 addresses and CSP routes and/or to translate the cloud exchange point 303 addresses and customer routes”).
The combination of Gukal, Johnsen and Nataraj and Teng are analogous art because they are from the same field of endeavor, data processing.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Gukal in view of Johnsen in view of Nataraj and Teng before him or her, to modify the system of Gukal in view of Johnsen in view of Nataraj to include the NAT service of Thomas for routing and translating communications.  The suggestion/motivation for doing so would have been to simplify .

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Gukal in view of Johnsen in view of Nataraj, and further in view of Thomas (US 2015/0312266, hereinafter Thomas).
Regarding claim 17, Gukal in view of Johnsen in view of Nataraj discloses the system of claim 14. The combination does not explicitly disclose wherein the threat management facility monitors a heartbeat from each of the plurality of endpoints, the threat management facility configured to detect the compromise based on at least one of contents of the heartbeat or an absence of the heartbeat.
However, Thomas discloses wherein the threat management facility monitors a heartbeat from each of the plurality of endpoints, the threat management facility configured to detect the compromise based on at least one of contents of the heartbeat or an absence of the heartbeat (Thomas: paragraphs 0058 and 0061-0063, “The endpoint 202 may use a heartbeat 226 to periodically and securely communicate status to the gateway”… “Configured in this manner, the heartbeat 226 can provide secure, tamper-resistant instrumentation for status of the endpoint 202, and in particular an indication that the endpoint 202 is online and uncompromised. A disappearance of the heartbeat 226 from the endpoint 202 may indicate that the endpoint 202 has been compromised; however this may also simply indicate that the endpoint 202 has been powered off or intentionally disconnected from the network”).  

Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed on the enclosed PTO-892 form, e.g., Hiebert (US 20180233021) discloses techniques relating to alert propagation in a virtualized computing environment; Ray (US 20150312268) discloses a method for detection of advanced persistent threat and similar malware; and Liu (US 20090031423) discloses the detection and removal of malicious computer code and, in particular, a signature-free system and method for detecting worm-related scan activity in the form of sustained faster-than-normal connection attempts to distinct destination addresses.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/TRANG T DOAN/Primary Examiner, Art Unit 2431