DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 6/3/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows: 
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 19-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 

Claim 19 recites the limitation “a non-transient computer-readable storage memory…”  After close inspection, the Examiner respectfully notes that the specification states: “Accordingly, various storage media, such as magnetic computer disks, optical disks, electronic memories or any other form of non-transient computer-readable storage memory, can be prepared that can contain information and instructions that can direct a device, such as a computer, to implement the above-described systems and/or methods. Such storage devices can be referred to as “computer program products” for practical purposes. Once an appropriate device has access to the information and programs contained on the storage media/computer program product, the storage media can provide the information and programs to the device, thus enabling the device to perform the above-described systems and/or methods. Unless otherwise expressly stated, “storage medium” is not an electromagnetic wave per se.”  The quoted paragraph fails to disclose that the non-transient computer-readable storage memory is not a signal per se.
The USPTO is obliged to give claims their broadest reasonable interpretation consistent with the specification during examination. The broadest reasonable interpretation of a claim drawn to a computer-readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is silent. See MPEP 2111.01. When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. 
Therefore, given the silence of the disclosure and the broadest reasonable interpretation, the machine readable medium of the claim may include transitory propagating signals. As a result, the claim pertains to non-statutory subject matter. 
However, the Examiner respectfully submits that a claim drawn to such a machine readable medium that covers both transitory and non-transitory embodiments may be amended to narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101 by adding the limitation "non-transitory" to the claim (or replacing “non-transient” with “non-transitory,” which is a standard term). Such an amendment would typically not raise the issue of new matter, even when the specification is silent, because the broadest reasonable interpretation relies on the ordinary and customary meaning that includes signals per se. 

Claim 20 depends from claim 19 and fails to cure the deficiency of claim 19; therefore, claim 20 is rejected for the same reasons given for claim 19.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having 


Claims 1-7, 10-16 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 2017/0149792), hereinafter Smith, in view of Bush et al. (US 2017/0214717), hereinafter Bush.

As for claim 1, Smith teaches a method for configuring a network that includes a plurality of heterogeneous network access devices (paragraphs [0015]-[0016] describe a method of using enhanced privacy identification (EPID) to manage IoT devices on a network), the method comprising:
creating a network enforcement profile based on at least one network enforcement policy (paragraphs [0010]-[0011] describe that each device is issued with a unique individual Enhanced Privacy ID (EPID) key (i.e. construed as a network enforcement profile), an EPID group is defined by the type of device employed, and keys are issued to create a group of credentials; paragraphs [0020]-[0021] describe the creation of an access control list (i.e. construed as a network enforcement policy) and an assignment of access rights to a group rather than to the individual devices; when a device sends a request for data exchange with a data partner device, the data exchange is enabled based on the access control list and an association between the device group and a set of permissions, e.g. verifying that the group certificate is valid, and upon verifying the permissions contained in the access control list and that the certificate is valid, the data exchange is approved);
determining a network access device group of the plurality of heterogeneous network access devices that are capable of managing the network enforcement profile 
Smith fails to teach
providing vendor-specific configuration parameters for at least one network access device of a network access device group so as to cause a network to manage a network enforcement profile; and
applying the vendor-specific configuration parameters to the at least one network access device.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
providing vendor-specific configuration parameters for at least one network access device of a network access device group so as to cause a network to manage a network enforcement profile (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is generated which, when implemented on respective industrial and networking devices, enforce a plant-wide security strategy defined by the user-provided device, zone and conduit information, the instructions are generated based on a stored model which includes vendor and model information from the devices; paragraph [0053] describes industrial devices are assigned to various 
applying the vendor-specific configuration parameters to the at least one network access device (paragraph [0054] describes a suitable set of security configuration instructions is generated for deployment to the user’s industrial assets).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when implemented in the Smith system, will allow one of ordinary skill in the art to provide configuration instructions to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Bush in the Smith system in order to implement a system-wide security policy based on the zone and conduit information associated with various devices defined by a user (Bush: paragraph [0046]).

As for claim 2, the combined system of Smith and Bush teaches the method further comprising:
creating a plurality of network enforcement profiles that together form a network enforcement profile set (Smith: paragraph [0010] describes each device is issued with its own individual EPID key and an EPID group is defined by the type of device employed), wherein the plurality of network enforcement profiles together manage the at least one network enforcement policy (Smith: paragraphs [0037]-[0038] describe the access control list defines a set of permissions for the device group and includes the group certificate).

As for claim 3, the combined system of Smith and Bush teaches the method further comprising:
determining a respective network access device group of the plurality of heterogeneous network access devices that is capable of managing each network enforcement profile (Smith: paragraphs [0029]-[0030] describe devices may be commissioned into the network and each redundant device of similar device type is joined using EPID to create a unique private key for each device, the private key is used to authenticate with an upstream device of a workflow).

As for claim 4, Smith teaches all the limitations set forth above except providing vendor-specific configuration parameters for at least one network access device of each respective network access device group so as to cause a network to manage a network enforcement profile set.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
providing vendor-specific configuration parameters for at least one network access device of each respective network access device group so as to cause a network to manage a network enforcement profile set (paragraphs [0051]-[0054] describe a security model (i.e. construed as a network enforcement profile) is created for a user’s collection of networked industrial assets which is used by the system to generate device-specific security configuration instructions and a set device security 
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when implemented in the Smith system, will allow one of ordinary skill in the art to provide configuration instructions to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Bush in the Smith system in order to implement a system-wide security policy based on the zone and conduit information associated with various devices defined by a user (Bush: paragraph [0046]).

As for claim 5, Smith teaches all the limitations set forth above except providing vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
providing vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is generated which, when implemented on 
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when implemented in the Smith system, will allow one of ordinary skill in the art to provide configuration instructions to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Bush in the Smith system in order to implement a system-wide security policy based on the zone and conduit information associated with various devices defined by a user (Bush: paragraph [0046]).

As for claim 6, the combined system of Smith and Bush teaches wherein at least a first network access device group is different from a second network access device group (Smith: paragraphs [0053]-[0054] describe a first device group and a second device group).

As for claim 7, the combined system of Smith and Bush teaches wherein each network access device group is different from any other network access device group (Smith: paragraphs [0055]-[0056] describe a device belongs to a second device group is 

As for claim 10, the combined system of Smith and Bush teaches the method further comprising placing the at least one network enforcement policy into a service list of network enforcement policies (Smith: paragraph [0055] describes an access control list which defines a relationship between the first device group and create, read, update, delete, or notify permissions of the first device group with respect to the second device group, the ACL defines a set of permissions i.e. network enforcement policies).

As for claim 11, the combined system of Smith and Bush teaches wherein the network enforcement policy is a network access control policy that includes at least one restriction on network access (Smith: paragraph [0055] describes the ACL includes permissions such as create, read, update, delete granted to a group of devices).

As for claim 12, Smith teaches a system for configuring a network that includes a plurality of heterogeneous network access devices (Fig. 6; paragraph [0069] describes a computing apparatus using enhanced privacy identification (EPID) to manage IoT devices on a network), the system comprising a processor and a memory communicatively coupled to the processor, the memory containing instructions that cause the processor to (Fig. 6, processor 602 and instructions 624; paragraphs 
create a network enforcement profile based on at least one network enforcement policy (paragraphs [0010]-[0011] describe that each device is issued with a unique individual enhanced privacy ID (EPID) key (i.e. construed as a network enforcement profile), an EPID group is defined by the type of device employed, and keys are issued to create a group of credentials; paragraphs [0020]-[0021] describe the creation of an access control list (i.e. construed as a network enforcement policy) and an assignment of access rights to a group rather than to the individual devices; when a device sends a request for data exchange with a data partner device, the data exchange is enabled based on the access control list and an association between the device group and a set of permissions, e.g. verifying that the group certificate is valid, and upon verifying the permissions contained in the access control list and that the certificate is valid, the data exchange is approved);
determine a network access device group of the plurality of heterogeneous network access devices that are capable of managing the network enforcement profile (paragraphs [0011] and [0017]-[0018] describe a key issuer joins each IoT device by issuing the device a unique private EPID key which is used by the device to be authenticated, the grouping is based on a shared attribute of the devices, and a group certificate is generated for the device group, the devices’ EPID key is authenticated using the group key).
Smith fails to teach

apply the vendor-specific configuration parameters to the at least one network access device.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
provide vendor-specific configuration parameters for at least one network access device of a network access device group so as to cause a network to manage a network enforcement profile (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is generated which, when implemented on respective industrial and networking devices, enforce a plant-wide security strategy defined by the user-provided device, zone and conduit information, the instructions are generated based on a stored model which includes vendor and model information from the devices; paragraph [0053] describes industrial devices are assigned to various security zones, each zone is a grouping of logical or physical assets that share common security requirements); and
apply the vendor-specific configuration parameters to the at least one network access device (paragraph [0054] describes a suitable set of security configuration instructions is generated for deployment to the user’s industrial assets).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing 

As for claim 13, the combined system of Smith and Bush teaches wherein the instructions further cause the processor to (Smith: paragraph [0069] describes the processor executes instructions to perform operations): create a plurality of network enforcement profiles that together form a network enforcement profile set (Smith: paragraph [0010] describes each device is issued with its own individual EPID key and an EPID group is defined by the type of device employed), wherein the plurality of network enforcement profiles together manage the at least one network enforcement policy (Smith: paragraphs [0037]-[0038] describe the access control list defines a set of permissions for the device group and includes the group certificate).

As for claim 14, the combined system of Smith and Bush teaches wherein the instructions further cause the processor to (Smith: paragraph [0069] describes the processor executes instructions to perform operations): determine a respective network access device group of the plurality of heterogeneous network access devices that is capable of managing each network enforcement profile (Smith: paragraphs [0029]-[0030] describe devices may be commissioned into the network and each redundant 

As for claim 15, Smith teaches wherein the instructions further cause the processor to perform operations (paragraph [0069] describes the processor executes instructions to perform operations).
Smith fails to teach wherein an operation includes provide vendor-specific configuration parameters for at least one network access device of each respective network access device group so as to cause a network to manage a network enforcement profile set.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
wherein an operation includes provide vendor-specific configuration parameters for at least one network access device of each respective network access device group so as to cause a network to manage a network enforcement profile set (paragraphs [0051]-[0054] describe a security model (i.e. construed as a network enforcement profile) is created for a user’s collection of networked industrial assets, which is used by the system to generate device-specific security configuration instructions and a set of device security parameters for individual devices; devices are grouped into respective security zones, each zone being a grouping of logical or physical assets that share common security requirements).


As for claim 16, Smith teaches wherein the instructions further cause the processor to perform operations (paragraph [0069] describes the processor executes instructions to perform operations).
Smith fails to teach wherein an operation includes provide vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
wherein an operation includes provide vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is 
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when implemented in the Smith system, will allow one of ordinary skill in the art to provide configuration instructions to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Bush in the Smith system in order to implement a system-wide security policy based on the zone and conduit information associated with various devices defined by a user (Bush: paragraph [0046]).

As for claim 18, the combined system of Smith and Bush teaches wherein the network enforcement policy is a network access control policy that includes at least one restriction on network access (Smith: paragraph [0055] describes the ACL includes permissions such as create, read, update, delete granted to a group of devices).

As for claim 19, Smith teaches a non-transient computer-readable storage memory containing a plurality of instructions such that, when operated upon by a processing system that includes a processor and a memory communicatively coupled to 
create a plurality of network enforcement profiles that together form a network enforcement profile set (paragraphs [0010]-[0011] describe an EPID key is issued for each device and an EPID group key is also issued), wherein the plurality of network enforcement profiles together manage the at least one network enforcement policy (paragraph [0021] describes devices are authenticated using the EPID group certificate when there is a request for data exchange; an access gate checks an access control list to verify that a device group has permission to exchange data with a device and validates the signature created using the private device certificate of the device using the group certificate);
determine a respective network access device group of the plurality of heterogeneous network access devices that is capable of managing each network enforcement profile (paragraphs [0029]-[0030] describe devices may be commissioned into the network and each redundant device of similar device type is joined using EPID to create a unique private key for each device, the private key is used to authenticate with an upstream device of a workflow).
Smith fails to teach
provide vendor-specific configuration parameters for at least one network access device of a network access device group so as to cause a network to manage each network enforcement profile.

Bush discloses
provide vendor-specific configuration parameters for at least one network access device of a network access device group so as to cause a network to manage a network enforcement profile (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is generated which, when implemented on respective industrial and networking devices, enforce a plant-wide security strategy defined by the user-provided device, zone and conduit information, the instructions are generated based on a stored model which includes vendor and model information from the devices; paragraph [0053] describes industrial devices are assigned to various security zones, each zone is a grouping of logical or physical assets that share common security requirements).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when implemented in the Smith system, will allow one of ordinary skill in the art to provide configuration instructions to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Bush in the Smith system in order to implement a system-wide security policy based on the zone and conduit information associated with various devices defined by a user (Bush: paragraph [0046]).


Smith fails to teach wherein an operation includes provide vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set.
However, it is well known in the art to provide device-level security configuration instructions to devices, as evidenced by Bush.
Bush discloses
wherein an operation includes provide vendor-specific configuration parameters for all network access devices of each respective network access device group so as to cause a network to manage a network enforcement profile set (paragraph [0050] describes a set of vendor-and model-specific security configuration instructions is generated which, when implemented on respective industrial and networking devices, enforce a plant-wide security strategy defined by the user-provided device, zone and conduit information, the instructions are generated based on a stored model which includes vendor and model information from the devices; paragraph [0053] describes industrial devices are assigned to various security zones, each zone is a grouping of logical or physical assets that share common security requirements).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Bush for providing device-level security configuration instructions to devices. The teachings of Bush, when .

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Smith (US 2017/0149792) in view of Bush et al. (US 2017/0214717) further in view of Pusateri et al. (US 2009/0216867), hereinafter Pusateri.

As for claim 8, the combined system of Smith and Bush teaches all the limitations set forth above except wherein a first network access device group includes a network access device from a first vendor, and a second network access device group includes a network access device from a second vendor.
However, it is well known in the art to include devices that belong to different vendors, as evidenced by Pusateri.
Pusateri discloses wherein a first network access device group includes a network access device from a first vendor, and a second network access device group includes a network access device from a second vendor (paragraphs [0043]-[0044] describe at least one of the network devices is from a different vendor than the other devices, and devices belonging to a vendor share similar software and hardware configuration information; each of the network devices includes respective sets of configuration information and a management software interface; paragraph [0059] 
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Pusateri for grouping devices belonging to different vendors. The teachings of Pusateri, when implemented in the Smith and Bush system, will allow one of ordinary skill in the art to provide configuration to different groups of devices. One of ordinary skill in the art would be motivated to utilize the teachings of Pusateri in the Smith and Bush system in order to enable a network configuration tool to interact with devices from disparate vendors, thereby substantially alleviating the burden associated with configuring and troubleshooting a large network comprising a large number of devices from different vendors (Pusateri: paragraph [0068]).

Claims 9 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Smith (US 2017/0149792) in view of Bush (US 2017/0214717) further in view of Sharp-Paul et al. (US 2016/0182296), hereinafter Sharp-Paul.

As for claim 9, the combined system of Smith and Bush teaches all the limitations set forth above except placing a data structure that includes at least one network enforcement policy, a respective network enforcement profile set, and each respective network access device group into a service list accessible to a network administrator.

Sharp-Paul discloses
placing a data structure that includes at least one network enforcement policy, a respective network enforcement profile set, and each respective network access device group into a service list accessible to a network administrator (paragraph [0015] describes a node configuration that includes information representing properties or characteristics of the node, e.g. hardware and software properties, groups to which the node belongs, and access control lists corresponding to the node; paragraph [0021] describes a node configuration and node objects are selected to create a policy; paragraph [0027] describes a network administrator is provided with a list of objects identified by a policy).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Sharp-Paul for providing a node object/configuration to an administrator. The teachings of Sharp-Paul, when implemented in the Smith and Bush system, will allow one of ordinary skill in the art to provide configuration to devices. One of ordinary skill in the art would be motivated to utilize the teachings of Sharp-Paul in the Smith and Bush system in order to enable the administrator to configure a target node (Sharp-Paul: paragraph [0027]).

As for claim 17, the combined system of Smith and Bush teaches all the limitations set forth above except wherein instructions further cause a processor to: place a data structure that includes at least one network enforcement policy, a 
However, it is well known in the art to provide access control policies and attributes associated with entities to an administrator, as evidenced by Sharp-Paul.
Sharp-Paul discloses
place a data structure that includes at least one network enforcement policy, a respective network enforcement profile set, and each respective network access device group into a service list accessible to a network administrator (paragraph [0015] describes a node configuration that includes information representing properties or characteristics of the node, e.g. hardware and software properties, groups to which the node belongs, and access control lists corresponding to the node; paragraph [0021] describes a node configuration and node objects are selected to create a policy; paragraph [0027] describes a network administrator is provided with a list of objects identified by a policy).
One of ordinary skill in the art before the effective filing date of the claimed invention would have recognized the ability to utilize the teachings of Sharp-Paul for providing a node object/configuration to an administrator. The teachings of Sharp-Paul, when implemented in the Smith and Bush system, will allow one of ordinary skill in the art to provide configuration to devices. One of ordinary skill in the art would be motivated to utilize the teachings of Sharp-Paul in the Smith and Bush system in order to enable the administrator to configure a target node (Sharp-Paul: paragraph [0027]).

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Saxena et al. (US 2019/032727) teach automated access control management for computing systems
Odenwald Jr. et al. (US 2010/0115073) teach method for serial attached SCSI (SAS) zoning management of a domain using end device grouping
Crabtree et al. (US 2021/0099490) teach privilege assurance of enterprise computer network environments

Any inquiry concerning this communication or earlier communications from the examiner should be directed to L. T N. whose telephone number is (571)272-1013.  The examiner can normally be reached on M & Th 5:30 am - 2:30 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TONIA DOLLINGER can be reached on 571-272-4170.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/LINH T. NGUYEN/Examiner, Art Unit 2459