Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . This Office Action is in responsive to application filed on 9/30/20. Claims 1-20 are pending.  

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/30/20, 3/11/21 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.

Under STEP 1 of the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG), independent Claims 1, 10 and 19 recite a “method”, “CRM”, “system”.  
Under STEP 2A Prong One, Claims 1-20, recite steps of “…[c] associating an object related to the network policy with the network fault, wherein the object defines a logical component that impacts how network traffic is treated by at least one network device of the plurality of network devices...  However these steps fall within the “Mental Processes” 2019 PEG grouping as concepts performed in the human mind.  For example, steps of "[c] associating an object related to the network policy with the network fault, wherein the object defines a logical component that impacts how network traffic is treated by at least one network device of the plurality of network devices.. the associating under its broadest reasonable interpretation covers performing via observation where human can visually or with use of pen and paper can point out which object is associated/link where the network fault occurred. Nothing in the claim element precludes the step from practically being performed in the human mind. Thus the claim recites a mental process.

Under STEP 2A Prong Two, This judicial exception is not integrated into a practical application. 
Claims 1-20 recite additional elements of “one or more processors …”, “[a] obtaining change log information corresponding to a network policy deployed into a network comprising a plurality of network devices; [b] obtaining fault log information corresponding to at least one network device of the plurality of network devices based on the change log information, the fault log information defining a network fault in response to deployment of the network policy into the network and [d] generating output indicating the association of the object to the network fault” , Certain methods of organizing” 2019 PEG grouping as Mental Processes” 2019 PEG grouping as concepts performed in the human mind. Accordingly, the claims recite an abstract idea.  

claims 1-20  is using generic computing device for monitoring networks faults rather than a technological solution is evidenced by the claim's failure to recite anything other than generic hardware outside of the abstract idea. See Specification ¶ [0186, 0191], which is operational with numerous other general purpose ... computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with computer system include, but are not limited to ... any of the above systems or devices, and the like"); Specification ¶ [0186, 0191] ("flowchart illustrations .. . can be implemented by computer readable program instructions ...instructions may be provided to a processor of a general purpose computer ... or other programmable data processing apparatus"). Spec, ¶ 0041, 0145.In Intellectual Ventures I LLC v. Erie Indem. Co., 850 F.3d 1315,1329 (Fed. Cir. 2017), the Federal Circuit concluded that claims directed to the use of an index to search for and Mental Processes” 2019 PEG grouping as concepts performed in the human mind.

Similarly, the Supreme Court in Alice (573 U.S. 208, at 226) reviewed a method claim requiring "the use of a computer to create electronic records, track multiple transactions, and issue simultaneous instructions." Id. at 224 ( citations omitted). The petitioner in Alice emphasized that the method claims "recite specific hardware configured to perform specific computerized functions." Id. at 226 ( citation and quotations omitted). The Alice court found But what petitioner characterizes as specific hardware-a "data processing system" with a "communications controller" and "data storage unit," ... is purely functional and generic. Nearly every computer will include a "communications controller" and "data storage unit" capable of performing the basic calculation, storage, and transmission functions required by the method
claims. Id. ( citations omitted).
Here, claims 1-20 does not recite additional details, functionality or specialized processes to the recited generic components noted supra to distinguish itself from the analysis in Alice.

Under Step 2B, Claims 1-20 do not include additional elements that are sufficient to amount to significantly more than the judicial exception.  As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of using a “processor…” no more than mere instructions to apply the exception using a generic computer component.  Mere instructions to apply an exception using generic computer components cannot provide an inventive concept. These additional elements comprise well-understood, routine, conventional computing elements (see BASCOM Global Internet Services v. AT&T Mobility LLC, 827 F .3d 1341 (Fed. Cir. 2016) holding recites generic computer, network and Internet components, none of which is inventive by itself) see also Two-Way Media Ltd. V. Comcast Cable Communications, LLC, 2017 U.S. App. LEXIS 21706 at 14 (Fed. Cir. Nov. 1, 2017) finding “Nothing in the claims or their constructions, including the use of “intermediate computers,” requires anything other than conventional computer and network components operating according to their ordinary functions”, see also “simply implementing an abstract concept on a computer, without meaningful limitations to that concept, does not transform a patent-ineligible claim into a patent-eligible one.” Accenture Global Service v. Guidewire Software, Inc., 728 F.3d 1336 (Fed. Cir. 2013) at 1345; see also the prohibition against patenting an abstract principle by attempting to limit the use of the [principle] to a particular technological environment (see Diehr, 450 U.S. at 191; “attempts to limit the abstract concept to a computer implementation and to a specific industry thus do not provide additional substantive limitations to avoid preempting the abstract idea of [the] system” Accenture Global Service v. Guidewire Software, Inc., 728 F.3d 1336 (Fed. Cir. 2013)); Classen as an example case identifying a mental process. Specifically, "[c]oncepts relating to data comparisons that can be performed mentally or are analogous to human mental work." See MPEP § 2106.04(a)(2), sections III and III A.  Therefore, the additionally recited limitations individually or in combination as a whole in Claims 1-20 fail to amount to significantly more than the abstract idea.  Therefore, Claims 1-20 are not directed to patent-eligible subject matter.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of non-statutory obviousness-type double patenting rejection based on anticipation analysis as the claims of 1-20 of co-pending U.S. Patent 10812318 anticipates the claims 1-19 of instant application.  Although the claims at issue are not identical, they are not patentably distinct from each other because U.S. Patent 10812318 anticipates the instant claims. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Doppke et al. (US 2018/0077189 A1), hereinafter “Doppke”, in view of Mahajan et al. (US 20150358200 A1), hereinafter “Mahajan”.

As to claim 1, Doppke discloses a method (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-4A), comprising: 
obtaining change log information corresponding to a network policy deployed into a network comprising a plurality of network devices (The network monitor 152 can include physical and/or virtual components that perform passive or active network monitoring. Passive network monitoring can be performed, for example by a sniffer, a netflow capable device, or a component built into a network device, such as a router, switch, or end node host that use techniques, such as remote monitoring (RMON) and simple network monitoring protocol (SNMP), one or more portions of the network monitor 152 can be integrated with the protection system 150; The network monitor 152 further includes one or more physical and/or virtual alert components that detect alert conditions associated with the traffic measurements that indicate an attack has begun, or that a new stage of an attack has been detected, and output corresponding alert data to the protection system 150; The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data ) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-4A);  
obtaining fault log information corresponding to at least one network device of the plurality of network devices based on the change log information, the fault log information defining a network fault in response to deployment of the network policy into the network (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5);  
associating an object related to the network policy with the network fault (the network threats detected are categorized and the information about the categorization is output as violation data.  In embodiments, the traffic metric data, copied intercepted network traffic and/or associated alert data are analyzed to determine the network threat, such as to detect a signature.  The categorization can include determining which network policies were violated, such as by applying one or more filters.  Thus, a determination can be made as to which network threat was detected, e.g., which network policy was violated based on the detected signature.  The categorization of the network threats is output as violation data; The pop-up window 420 includes a time stamp 422 that indicates the time at which the associated network threat was first detected (e.g., by the network monitor 152 or by the protection system 150), the name of a network policy that was violated 424, a severity level 426, and a number of events 428, which refers to the number of times the corresponding policy has been violated based on criteria designed to aggregate similar violations.  For example, each consecutive violation occurring within a close time period and with similar features may be aggregated under a single policy alert ) (Doppke, ¶ [0030, 0035, 0047, 0052, 0076], figs. 3-5);  and 
generating output indicating the association of the object to the network fault ((Figs 3-5 display screen provides for generating for display, using protection system 150, screen 400, wherein the screen indicates additional information 442 which disclose the user selected elements that were determined by the protection system 150 to have violated a network policy)) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047]).

However, Doppke doesn’t explicitly disclose wherein the object defines a logical component that impacts how network traffic is treated by at least one network device of the plurality of network devices.
In an analogous art, Mahajan discloses wherein the object defines a logical component that impacts how network traffic is treated by at least one network device of the plurality of network devices (The predetermined maximum number of faults may be set by an entity operating the fault handling service 102 or an entity that manages the network 104 or a particular function of the network 104 such as packet forwarding (e.g., a traffic engineering application or controller).  As discussed above, the fault handling service 102 implements a proactive approach to handling faults in a network 104.  For instance, the fault handling service 102 may compute an amount of traffic to be communicated via one or more paths associated with a flow such that freedom from congestion is realized for up to a predetermined maximum number of faults.  Stated another way, the fault handling service 102 spreads traffic in the network such that no congestion occurs, e.g., a link does not exceed a bandwidth capacity, as long as a total number of faults that occur is less than or equal to the predetermined maximum number of allowed faults) (Mahajan, ¶ [0015-0016], figs. 2-3).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention was made to implement Mahajan’s teachings into Doppke’s teaching of wherein the object defines a logical component that impacts how network traffic is treated by at least one network device of the plurality of network devices. This combination allows enables to reduce network congestion by reducing the number of faults.

As to claim 2, Doppke-Mahajan discloses the method of claim 1, wherein the object is part of a plurality of objects that localize faults within the network policy (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 3, Doppke-Mahajan discloses the method of claim 1, wherein the network fault is associated with an update failure from switch to rule memory in the network in response to deployment of the network policy (Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network) (Doppke, ¶ [0035, 0047, 0076, 0089], figs. 3-5). 

As to claim 4, Doppke-Mahajan discloses the method of claim 1, wherein the network fault is associated with an update failure from controller to switch in the network in response to deployment of the network policy (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 5, Doppke-Mahajan discloses the method of claim 1, wherein the change log information includes information describing policy changes at one or more of the plurality of network devices in response to deployment of the network policy into the network (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 6, Doppke-Mahajan discloses the method of claim 1, further comprising identifying the fault log information as a subset of fault log information from a set of fault log information based on a relevance of the fault log information to deployment of the network policy (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 7, Doppke-Mahajan discloses the method of claim 6, further comprising identifying the fault log information from the set of fault log information based on timestamps associated with fault logs in the set of fault log information ((Figs 3-5 display screen provides for generating for display, using protection system 150, screen 400, wherein the screen indicates additional information 442 which disclose the user selected elements that were determined by the protection system 150 to have violated a network policy)) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 8, Doppke-Mahajan discloses the method of claim 1, wherein the fault log information includes information related to network policy changes occurring in the network in response to deployment of the network policy (For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network; (Figs 3-5 display screen provides for generating for display, using protection system 150, screen 400, wherein the screen indicates additional information 442 which disclose the user selected elements that were determined by the protection system 150 to have violated a network policy)) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

As to claim 9, Doppke-Mahajan discloses the method of claim 1, wherein the object is a policy object of a plurality of policy objects that describe communication relationships among either or both physical and logical entities in the network (The policy violation can be detected, for example based on signature information determined by the violation analysis module 154 from the copy of intercepted traffic and/or the alert data.  Signature information may refer to one or more patterns of text or bytes within a packet or flow that match a predetermined pattern.  Signature information can also refer to a checksum computed from content in one or more packets or flows.  For example, policy violations can be determined by comparing the signature information to rules associated with the one or more network policies for network communication.  As previously stated, the rules of these network policies can be stored in one or more storage areas, such as the storage medium of the protection system 150.  Categorization of the particular network threat, e.g., the network policy that was violated, can be output by the violation analysis module 154 as violation data; protection system 150 may be standalone and may receive data from log files (e.g., security logs) associated with nodes in a computer network (e.g., computers, routers, switches etc.), auditing events collected via nodes associated with the computer network, stored traffic uploaded from files and sniffing real-time network traffic that flows in the computer network) (Doppke, ¶ [0026, 0028, 0030, 0035, 0047], figs. 3-5). 

Claims 10-18 list all the same elements of claims 1-9, but in a system comprising: one or more processors (Doppke, ¶ [0022-0023, figs. 1-2);  and a computer-readable medium comprising instructions stored therein, which when executed by the one or more processors (Doppke, ¶ [0022-0023, figs. 1-2), cause the one or more processors (Doppke, ¶ [0022-0023, figs. 1-2) to carry out the steps of rather than method form.  Therefore, the supporting rationale of the rejection to claims 1-9 applies equally as well to 10-18.

Claims 19-20 list all the same elements of claims 1, 3-4 but in a non-transitory computer-readable storage medium comprising instructions stored therein, which when executed by one or more processors, cause the one or more processors (Doppke, ¶ [0022-0023, figs. 1-2) to carry out the steps of rather than method form.  Therefore, the supporting rationale of the rejection to claims 1, 3-4 applies equally as well to 19-20.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892.

Hilton et al. (US Patent 8,934,495 B1) – Systems and methods are disclosed that allow for improved management and control of packet forwarding in network systems.  Network devices and tool optimizers and a related systems and methods are disclosed for improved packet forwarding between network sources and destination tools in a network monitoring environment.  The network devices and tool optimizers disclosed can include a graphical user interfaces (GUIs) through which a user can create and modify filters and select associated filter criteria for forwarding packets from input ports to output ports.  The network devices and tool optimizers can also automatically generate filter rules and apply them to the appropriate filter engines so that packets are forwarded as desired by the user.  The GUI can be configured to provide other features as well.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HITESH R PATEL whose telephone number is (571)270-5442.  The examiner can normally be reached on Monday-Friday 7am-3pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche can be reached on 571-270-3618.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.







/Hitesh Patel/Primary Examiner, Art Unit 2419                                                                                                                                                                                                        
7/12/21