Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Office Action is in response to the RCE filed by Applicant on 3/30/2021. Claims 1-20 are pending. This Office Action is Non-Final.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/30/2021 has been entered.
 
Information Disclosure Statement
The information disclosure statement (IDS), submitted on 3/30/2021, is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Arguments
	A) Applicant’s arguments with respect to claim(s) 1, 2, 18 and 20 have been considered but are moot because the new ground of rejection does not rely on the same exact references applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

	
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-6, 9-12, 15-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Cheriton (US 7,900,251) in view of Dake (US 2011/0296231).

As per claim 1, Cheriton discloses a computer program product for identifying compromised assets in a local network, the computer program product comprising computer executable code embodied in a non-transitory computer readable medium that, when executed by a network device of an enterprise network that connects to the [[local]] network, performs the steps of (Cheriton, Col. 10 Lines 24-29 recites “The method may be embodied in a machine-readable and/or computer-readable medium for configuring a computer system to execute the method. Thus, the software modules may be stored within and/or transmitted to a computer system memory to configure the computer system to perform the functions of the module”): 
receiving a heartbeat from a [[ local security agent of a ]] first endpoint coupled to the local network (Cheriton, Col. 14 Lines 54-59 recites “In this approach, a logging module sends information on a regular basis, as a "heartbeat" of sorts, to a security monitor. This allows the security monitor to easily ascertain whether a given device (and/or its logging module) has become inoperative or otherwise unable to communicate for some reason”);
determining a health state of the first endpoint based on information encoded in the heartbeat (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.” Encoded simply means that the data is in coded form, and all network communications would be considered to be encoded.). 
This embodiment of Cheriton fails to explicitly disclose a local security agent, and in response to detecting an identification of a compromised state in the heartbeat from the local security agent of the first endpoint with the network device, transmitting a notification with a local network broadcast message from the network device to one or more other devices on the local network to terminate communications with the first endpoint.
However, in an analogous art Dake teaches a local security agent (Dake, Paragraph 0020 recites “A virtual machine, thus, generally refers to a software implementation of a machine that executes programming instructions to perform operations and tasks as if executed by a physical machine, such as a personal computer. In some embodiments, virtual machine healthcheckers 223 and 233 are provided on the virtual machine hosting servers 220 and 230, respectively, which in turn checks the health of each virtual machine provisioned thereon. Healthchecking as used herein generally refers to monitoring a device (which may be physical or virtual) and detecting any abnormal event at the device or malfunctioning of the device. ”)
 in response to detecting an identification of a compromised state in the heartbeat from the local security agent of the first endpoint with the network device (Dake Paragraph 0013 recites “In some embodiments, a distributed healthchecking manager executable on a centralized server in a cluster system can assign nodes of the cluster system to at least some of the nodes for healthchecking. Then the distributed healthchecking manager may monitor the nodes performing healthchecking for reports of one or more failed nodes.” The healthchecking manager on a centralized server is interpreted to be the network device, and each cluster is determined to be a local network.), 
transmitting a notification with a local network broadcast message from the network device to one or more other devices on the local network to terminate communications with the first endpoint (Dake, Paragraph 0028 recites “ In some embodiments, processing logic checks to determine if any report of failed nodes has arrived (processing block 312). If not, processing logic remains in processing block 312. Otherwise, if processing logic receives a report of a failed node, then processing block removes the failed node from the nodes to be monitored (processing block 314). Next, processing logic reassigns the remaining nodes to be monitored in the cluster system to at least some of the nodes (processing block 316). ” Where a failed node would be considered to be compromised, and only the nodes in the cluster are informed of the failed node.).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Dake’s distributed healthchecking mechanism with Cheriton’s Method and apparatus for securing a communications device using a logging module because the means of a centralized service would help manage smaller networks by saving on necessary resources.

Regarding claims 2 and 18, claims 2 and 18 are directed to a method and a computing device associated with the computer program product of claim 1. Claims 2 and 18 are of similar scope to claim 1, and are therefore rejected under similar rationale.

As per claim 3, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein the health state is based on an indicia of potential compromise contained in the heartbeat (Cheriton, Col. 14 Lines 54-59 recites “In this approach, a logging module sends information on a regular basis, as a "heartbeat" of sorts, to a security monitor. This allows the security monitor to easily ascertain whether a given device (and/or its logging module) has become inoperative or otherwise unable to communicate for some reason”).

As per claim 4, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein the network device includes at least one of the first endpoint, a second endpoint coupled to the network, a firewall, a router, a gateway, or a switch (Cheriton, Col. 7 Lines 43-46 recites “In the preferred embodiment, an network device of this invention such as a switch or router handles a well-defined vast majority of the data path activity in hardware carefully separated from software, similar to that provided in the Catalyst 4K Supervisor III.”).

As per claim 5, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein transmitting the notification includes transmitting the notification from at least one of a remote network service, the first endpoint, a router, a firewall, a gateway, or a switch (Cheriton, Col. 7 Lines 43-46 recites “In the preferred embodiment, an network device of this invention such as a switch or router handles a well-defined vast majority of the data path activity in hardware carefully separated from software, similar to that provided in the Catalyst 4K Supervisor III.”).

As per claim 6, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein transmitting the notification includes transmitting the notification to one or more other endpoints coupled to the local network (Cheriton, Col. 8 Lines 44-47 recites “If security monitor 345 determines that a network device is not "trustworthy," security monitor 345 disconnects the device from the network and/or notify a network administrator.”).



As per claim 9, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein determining the health state includes extracting health state information from the heartbeat (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 

As per claim 10, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein determining the health state includes inferring health state information based on a characteristic of the heartbeat (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 

As per claim 11, Cheriton in combination with Dake teaches the method of claim 10, Cheriton further teaches wherein the characteristic includes an omission of a subsequent heartbeat from the first endpoint concurrent with other network traffic from the first endpoint (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 

As per claim 12, Cheriton in combination with Dake teaches the method of claim 10, Cheriton further teaches wherein the characteristic includes a replay of a prior (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 

As per claim 15, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches, when the health state is determined to be a compromised health state based on the heartbeat, querying the first endpoint to verify the health state (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 

As per claim 16, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein transmitting the notification includes transmitting the notification of the compromised state to a threat management facility for the enterprise network (Cheriton, Col. 8 Lines 44-47 recites “If security monitor 345 determines that a network device is not "trustworthy," security monitor 345 disconnects the device from the network and/or notify a network administrator.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use two embodiments of Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of preventing any further communications with a potentially harmful device.

As per claim 17, Cheriton in combination with Dake teaches the method of claim 2, Cheriton further teaches wherein transmitting the notification includes transmitting an instruction to a gateway for the enterprise network to block traffic to and from the first endpoint through the gateway (Cheriton, Col. 8 Lines 44-47 recites “If security monitor 345 determines that a network device is not "trustworthy," security monitor 345 disconnects the device from the network and/or notify a network administrator.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use two embodiments of Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of preventing any further communications with a potentially harmful device.
 
As per claim 20, Cheriton discloses A network device of an enterprise network that connects to a [[local network]] comprising: a first interface configured to couple in a communicating relationship with a first endpoint through the [[local]] network;
a second interface configured to couple in a communication relationship with one or more other network devices through the enterprise network; a memory; (Cheriton, Col. 10 Lines 24-29 recites “The method may be embodied in a machine-readable and/or computer-readable medium for configuring a computer system to execute the method. Thus, the software modules may be stored within and/or transmitted to a computer system memory to configure the computer system to perform the functions of the module”): 
and a processor configured by computer executable code stored in the memory to identify compromised assets in the [[local]] network by performing the steps of receiving a heartbeat from the first endpoint (Cheriton, Col. 14 Lines 54-59 recites “In this approach, a logging module sends information on a regular basis, as a "heartbeat" of sorts, to a security monitor. This allows the security monitor to easily ascertain whether a given device (and/or its logging module) has become inoperative or otherwise unable to communicate for some reason”);
determining a health state of the first endpoint based on the heartbeat (Cheriton, Col. 15 Lines 13-24 recites “This approach also has the added benefit of being able to identify a compromised or failed network device by detecting a lack of heartbeat. In this scenario, a network device's existence is identified by the security monitor's receipt of configuration information. If the periodic transmission of configuration information ceases, the security monitor detects the cessation (e.g., through the use of a timer), and changes the status of the compromised/failed network device to "untrustworthy". Should the network device's heartbeat return, a decision can then be made as to whether to return its status to "trustworthy" or leave the network device's status in the "untrustworthy" state.”). 
 This embodiment of Cheriton fails to explicitly disclose a local network and if the health state is a compromised state, preventing further communications on the enterprise network by the first endpoint through the network device. 
However, in an analogous art Dake teaches a local network and if the health state is a compromised state, preventing further communications on the enterprise network by the first endpoint through the network device (Dake, Paragraph 0020 recites “A virtual machine, thus, generally refers to a software implementation of a machine that executes programming instructions to perform operations and tasks as if executed by a physical machine, such as a personal computer. In some embodiments, virtual machine healthcheckers 223 and 233 are provided on the virtual machine hosting servers 220 and 230, respectively, which in turn checks the health of each virtual machine provisioned thereon. Healthchecking as used herein generally refers to monitoring a device (which may be physical or virtual) and detecting any abnormal event at the device or malfunctioning of the device. ” Paragraph 0013 recites “In some embodiments, a distributed healthchecking manager executable on a centralized server in a cluster system can assign nodes of the cluster system to at least some of the nodes for healthchecking. Then the distributed healthchecking manager may monitor the nodes performing healthchecking for reports of one or more failed nodes.” The healthchecking manager on a centralized server is interpreted to be the network device, and each cluster is determined to be a local network. And Paragraph 0028 recites “ In some embodiments, processing logic checks to determine if any report of failed nodes has arrived (processing block 312). If not, processing logic remains in processing block 312. Otherwise, if processing logic receives a report of a failed node, then processing block removes the failed node from the nodes to be monitored (processing block 314). Next, processing logic reassigns the remaining nodes to be monitored in the cluster system to at least some of the nodes (processing block 316). ” Where a failed node would be considered to be compromised, and only the nodes in the cluster are informed of the failed node.).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Dake’s distributed healthchecking mechanism with Cheriton’s Method and apparatus for securing a communications device using a logging module because the means of a centralized service would help manage smaller networks by saving on necessary resources.


Claims 7, 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cheriton (US 7,900,251) in view of Dake (US 2011/0296231) and in further view of Kennedy (US 2011/0209196).

As per claim 7, Cheriton in combination with Dake teaches the method of claim 2, but fails to teach wherein the local network provides local area networking among the first endpoint and the one or more other devices. 
However, in an analogous art Kennedy teaches wherein the local network provides local area networking among the first endpoint and the one or more other devices (Kennedy, Paragraph 0207 recites “Furthermore, while the exemplary aspects, embodiments, and/or configurations illustrated herein show the various components of the system collocated, certain components of the system can be located remotely, at distant portions of a distributed network, such as a LAN and/or the Internet, or within a dedicated system.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kennedy’s flexible security requirements in an enterprise network with Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of having the ability to work with a smaller number of devices.

As per claim 8, Cheriton in combination with Dake and Kennedy teaches the method of claim 7, but Cheriton and Dake fail to teach wherein transmitting the notification includes broadcasting the notification.
However, in an analogous art Kennedy teaches wherein transmitting the notification includes broadcasting the notification (Kennedy, Paragraph 0177 recites “In a ninth example, the policy enforcement server 136 broadcasts alerts to the members of a defined group when intrusive treats or malware inside or outside the firewall are detected and provides the alerts via the most effective mode and/or media. This can be done by integrating firewall intrusion detection access control systems into the control flow of the communications, such as by incorporating this type of system into a policy agent 190 in a firewall or gateway.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kennedy’s flexible security requirements in an enterprise network with Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of having the ability to work with a smaller number of devices.

As per claim 19, Cheriton in combination with Dake teaches the network device of claim 18, but fails to teach wherein the network device includes at least one of a gateway for the local network to the enterprise network and a router for local area network coupling the first endpoint to the one or more other network devices.  
	However, in an analogous art Kennedy teaches wherein the network device includes at least one of a gateway for the local network to the enterprise network and a router for local area network coupling the first endpoint to the one or more other network devices (Kennedy, Paragraph 0177 recites “In a ninth example, the policy enforcement server 136 broadcasts alerts to the members of a defined group when intrusive treats or malware inside or outside the firewall are detected and provides the alerts via the most effective mode and/or media. This can be done by integrating firewall intrusion detection access control systems into the control flow of the communications, such as by incorporating this type of system into a policy agent 190 in a firewall or gateway.” and Paragraph 0207 recites “Furthermore, while the exemplary aspects, embodiments, and/or configurations illustrated herein show the various components of the system collocated, certain components of the system can be located remotely, at distant portions of a distributed network, such as a LAN and/or the Internet, or within a dedicated system.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Kennedy’s flexible security requirements in an enterprise network with Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of having the ability to work with a smaller number of devices.

Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Cheriton (US 7,900,251) in view of Dake (US 2011/0296231) and in further view of Shanbhogue (US 20120222114).

As per claim 13, Cheriton in combination with Dake teaches the method of claim 10, but fails to teach wherein the characteristic includes a signature defect in the heartbeat.
	However, in an analogous art Shanbhogue teaches wherein the characteristic includes a signature defect in the heartbeat (Shanbhogue, Paragraph 0050 recites “To protect against this type of attack, the UOS EIT driver 210 provides a heartbeat to indicate that it is alive. In an embodiment, the heartbeat is in the form of a message that includes a sequence number and a secure hash of the sequence number--[Sq, H[Sq].sub.k] --where H is a hash function that hashes the sequence number Sq using key `k`.”).


As per claim 14, Cheriton in combination with Dake teaches the method of claim 2, but fails to teach wherein the heartbeat includes a cryptographically secured heartbeat containing signed information about the health state of the first endpoint. 
However, in an analogous art Shanbhogue teaches wherein the heartbeat includes a cryptographically secured heartbeat containing signed information about the health state of the first endpoint (Shanbhogue, Paragraph 0050 recites “To protect against this type of attack, the UOS EIT driver 210 provides a heartbeat to indicate that it is alive. In an embodiment, the heartbeat is in the form of a message that includes a sequence number and a secure hash of the sequence number--[Sq, H[Sq].sub.k] --where H is a hash function that hashes the sequence number Sq using key `k`.”).
It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Shanbhogue’s method and apparatus for network filtering and firewall protection on a secure partition with Cheriton’s Method and apparatus for securing a communications device using a logging module because it offers the advantage of ensuring that the heartbeat signal is authentic.
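To make the heartbeat-based health checking discussed in the rejections of claims 1 and 9 through 15 concrete, the following is an added example in Python. It is not code from this Office Action, the application under examination, or any of the cited references (Cheriton, Dake, Shanbhogue). It assumes HMAC-SHA256 as the keyed hash H of Shanbhogue's [Sq, H[Sq]_k] form, a JSON-encoded heartbeat that places the endpoint identifier, the sequence number Sq and a health field under the keyed hash (so the health state is the "signed information" of claim 14), a constructed shared key, and a constructed heartbeat interval with a missed-heartbeat timeout of twice that interval (the timer of Cheriton). The monitor class, its method names and the notification format are hypothetical. It goes beyond the single mechanism of each reference by showing, in one monitor, the four ways a health state is decided in the claims: a reported compromised state, a replayed prior heartbeat, a signature defect, and an omitted heartbeat, each of which produces the notification a network device would broadcast to other devices to terminate communications with the endpoint.

```python
import hashlib
import hmac
import json

# Constructed values for the example; not from any cited reference.
SHARED_KEY = b"example-shared-key-for-heartbeats"
HEARTBEAT_INTERVAL = 10.0  # seconds between expected heartbeats


def make_heartbeat(endpoint_id: str, seq: int, health: str, key: bytes = SHARED_KEY) -> dict:
    """Endpoint side: build [Sq, H[Sq]_k] with the health state under the keyed hash.
    H is assumed to be HMAC-SHA256 over the canonical JSON of the fields."""
    body = {"endpoint": endpoint_id, "seq": seq, "health": health}
    msg = json.dumps(body, sort_keys=True).encode()
    body["tag"] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return body


class SecurityMonitor:
    """Network-device side: verifies heartbeats, tracks per-endpoint trust status
    ("trustworthy" / "untrustworthy") and records the notifications it would
    broadcast to the other devices on the local network."""

    def __init__(self, key: bytes = SHARED_KEY, interval: float = HEARTBEAT_INTERVAL):
        self.key = key
        self.interval = interval
        self.last_seq = {}      # endpoint -> highest sequence number accepted
        self.last_seen = {}     # endpoint -> time of last valid heartbeat
        self.status = {}        # endpoint -> trust status
        self.notifications = []  # hypothetical broadcast messages

    def _verify_tag(self, hb: dict) -> bool:
        # Recompute H over every field except the tag and compare in constant time.
        body = {k: v for k, v in hb.items() if k != "tag"}
        msg = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, str(hb.get("tag", "")))

    def _flag(self, ep: str, reason: str) -> str:
        # Change status to "untrustworthy" and queue the local-network broadcast.
        self.status[ep] = "untrustworthy"
        self.notifications.append(
            {"action": "terminate_communications", "endpoint": ep, "reason": reason}
        )
        return "untrustworthy"

    def receive(self, hb: dict, now: float) -> str:
        """Determine the health state from one received heartbeat."""
        ep = str(hb.get("endpoint"))
        if not self._verify_tag(hb):
            # Claim 13: the keyed hash does not match (tampered or forged).
            return self._flag(ep, "signature defect")
        if ep in self.last_seq and hb["seq"] <= self.last_seq[ep]:
            # Claim 12: sequence number did not advance, i.e. a replayed prior heartbeat.
            return self._flag(ep, "replayed heartbeat")
        self.last_seq[ep] = hb["seq"]
        self.last_seen[ep] = now
        if hb["health"] != "ok":
            # Claim 1: the heartbeat itself identifies a compromised state.
            return self._flag(ep, "endpoint reported " + str(hb["health"]))
        self.status[ep] = "trustworthy"
        return "trustworthy"

    def tick(self, now: float) -> list:
        """Timer check (Cheriton): an endpoint whose heartbeat has ceased while it
        was trustworthy becomes untrustworthy. Returns the endpoints flagged."""
        flagged = []
        for ep, seen in list(self.last_seen.items()):
            if self.status.get(ep) == "trustworthy" and now - seen > 2 * self.interval:
                self._flag(ep, "heartbeat omitted")
                flagged.append(ep)
        return flagged


if __name__ == "__main__":
    monitor = SecurityMonitor()
    monitor.receive(make_heartbeat("ep1", 1, "ok"), 0.0)
    monitor.receive(make_heartbeat("ep1", 1, "ok"), 10.0)  # replay of seq 1
    monitor.tick(30.0)
    for note in monitor.notifications:
        print(note)
```

The sequence-number check only detects replays if the monitor remembers the highest accepted number per endpoint across restarts; a monitor that forgets its state would accept an old heartbeat again, which is why a real deployment persists `last_seq` or includes a monitor-chosen nonce in the hashed fields.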

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661.  The examiner can normally be reached on Mon- Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


RODERICK . TOLENTINO
Examiner
Art Unit 2439