Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner’s Note
Examiner called Applicant and discussed the case with the Applicant. Examiner pointed out some clarity issues in the independent claims 25, 36 & 44 and discussed how to fix them. He then proposed incorporating features of claims 30 & 31 into all the proposed revised independent claims and filing an eTD to obviate a potential double patenting issue with the parent case, which has been allowed. Examiner further stated that if the Applicant agreed to the recommendations proposed by the Examiner, the case would be placed in allowable condition. The Applicant agreed to consider the suggestions and get back with a definite response shortly. Subsequently, the Applicant emailed the proposed amendment as suggested by Examiner (please see the attached “Email from the Applicant” for details). Later on, the Applicant also filed an eTD on 6/18/2021. The eTD has been approved. The case has been placed in allowable condition.
EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given via email from Dimitry Kagan (Reg. No. 74,806) on 06/18/2021.
AMENDMENTS TO THE CLAIMS:
  THIS LISTING OF CLAIMS WILL REPLACE ALL PRIOR VERSIONS AND LISTINGS OF CLAIMS IN THE APPLICATION.

1-24. (Canceled).

25. (Currently Amended) A  for secure data communications, comprising:
one or more memory devices;
one or more private network partitioned communication devices arranged in cloud environment; and
one or more processors executing instructions stored in the one or more memory devices to perform operations comprising:
assigning a range of network addresses to a first set of partitioned communication devices, wherein devices in the first set of partitioned communication devices are prevented from directly communicating with other communication devices outside of the first set of partitioned communication devices by rejecting direct inbound data communication from the other communication devices;
receiving, at the first set of partitioned communication devices, communication traffic containing (i) in-bound data for the first set of partitioned communication devices and (ii) out-bound data for a second set of partitioned communication devices;
routing out-bound data communication from the first set of partitioned communication devices to an external detection device;
causing, the external detection device to selectively forward 
26. (Previously Presented) The system of claim 25, wherein routing the out-bound data communication further comprises adding a destination network address to the out-bound data communication.
27. (Currently Amended) The system of claim 26, wherein the 
28. (Currently Amended) The system of claim 25, wherein causing to selectively forward  received by the first set of partitioned communication devices is further associated with the originating communication device.
29. (Currently Amended) The system of claim 28, wherein only a first data communication from the originating communication device contains [[an]] the address.
30-31. (Cancelled)
set of partitioned communication devices and the second set communication devices. 
33. (Currently Amended) The system of claim 25, wherein causing to analyze  causing to review 
34. (Currently Amended) The system of claim 25, wherein analyzing a portion of the out-bound data communication having signs of network intrusion.
35. (Currently Amended) The system of claim 25, wherein selectively forwarding 
36. (Currently Amended) A method 
assigning a range of private network addresses to a first set of partitioned communication devices arranged in a cloud environment, wherein devices in the first set of partitioned communication devices are prevented from directly communicating with other communication devices outside of the first set of partitioned communication devices by rejecting direct inbound data communication from the other communication devices;
receiving, at the first set of partitioned communication devices, communication traffic containing (i) in-bound data for the first set of partitioned communication devices and (ii) out-bound data for a second set of partitioned communication devices;
reviewing, at the first set of partitioned communication devices, the in-bound data;
routing out-bound data communication from the first set of partitioned communication devices to an external detection device; 

causing the external detection device[[,]] to analyze the 
causing the external detection device to selectively forward  communication devices based on [[the]] external detection device analysis.
37. (Previously Presented) The method of claim 36, wherein routing the out-bound data communication further comprises adding a destination network address to the out-bound data communication.
38. (Currently Amended) The method of claim 36, wherein causing to selectively forward received by the first set of partitioned communication devices is further associated with the originating communication device.
39-40. (Cancelled)
41. (Currently Amended) The method of claim 36, wherein the external detection device is in a geographically different location from the first set of partitioned communication devices and the second set communication devices.
42. (Currently Amended) The method of claim 36, wherein causing to analyze causing to review 
43. (Currently Amended) The method of claim 36, wherein causing to selectively forward causing to transmit the out-bound data communication to a communication device in a third set of partitioned communication devices.
44. (Currently Amended) A non-transitory computer-readable storage medium storing instructions that are executable by one or more processors to perform a method comprising:
assigning a range of private network addresses to a first set of partitioned communication devices arranged in a cloud environment, wherein devices in the first set of partitioned communication devices are prevented from directly communicating with other communication devices outside of the first set of partitioned communication devices by rejecting direct inbound data communication from the other communication devices;
receiving, at the first set of partitioned communication devices, communication traffic containing (i) in-bound data for the first set of partitioned communication devices and (ii) out-bound data for a second set of partitioned communication devices;
reviewing, at the first set of partitioned communication devices, the in-bound data;
routing out-bound data communication from the first set of partitioned communication devices to an external detection device; 

causing to analyze the 
causing the external detection device to selectively forward communication devices based on [[the]] external detection device analysis.

Allowable Subject Matter
Claims 25-29, 32-38 & 41-44 are allowed.
The following is an examiner’s statement of reasons for allowance:
Regarding claims 25, 36 & 44, although the prior art of record (such as Arregoces, US20170104755, paragraph 0023, as cited in the IDS dated 10/17/2019) teaches assigning a range of network addresses to a first set of communication devices, none of the prior art, alone or in combination, teaches receiving, at the first set of partitioned communication devices, communication traffic containing (i) in-bound data for the first set of partitioned communication devices and (ii) out-bound data for a second set of partitioned communication devices; routing out-bound data communication from the first set of partitioned communication devices to an external detection device; causing the external detection device to analyze the; in view of the other limitations of claims 25, 36 & 44.
The closest prior art (patent publications) made of record is:
Arregoces (US20170104755, as cited in the IDS dated 10/17/2019) teaches that a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, the data can be allowed access to the second cloud network.
Cloud (US20190273720) teaches that a firewall manager periodically accesses a set of servers to identify the various services currently active on each server. The firewall manager also periodically accesses a set of firewalls configured to protect those servers to identify the various firewall rules implemented by those firewalls. The firewall manager then compares the services data with the rules data to identify any obsolete firewall rules that are (i) defined based on an IP address not currently allocated to any of the servers or (ii) defined based on a port of an active server that is not associated with any service running on that server. Such rules are considered obsolete. Upon identifying any obsolete firewall rules, the firewall manager accesses the firewalls associated with those rules and then removes the obsolete rules.
Adams (US9787638) teaches that a device may receive data from a first endpoint device. The device may identify a network protocol. The network protocol may be associated with receiving the data. The device may identify a format. The format may be associated with encoding textual information in the data. The device may determine, based on the format and the network protocol, text in the data. The device may determine whether the text includes a reference from a plurality of references. The plurality of references may identify addresses associated with malicious devices. The device may selectively forward the data to a second endpoint device based on determining whether the text includes the reference.
Aziz (US9306960) teaches that a computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems. 
Mohanty (US20170078314) teaches that the disclosed computer-implemented method for detecting security anomalies in a public cloud environment using network activity monitoring, application profiling, and self-building host mapping may include (1) collecting host information that identifies (A) at least one communication channel that has previously facilitated communication between at least one host computing platform within a cloud computing environment and at least one additional computing platform and/or (B) at least one application that has previously run on the host computing platform, (2) monitoring network traffic involving the host computing platform, (3) detecting, while monitoring the network traffic, network activity that is inconsistent with the collected host information, and then (4) determining that the detected network activity represents a potential security threat within the cloud computing environment due at least in part to the detected network activity being inconsistent with the collected host information. Various other methods, systems, and computer-readable media are also disclosed. 
Hwang (US20160337317) discloses a method, a computer program product, and a computer system for automatically migrating servers into an environment of multiple firewalls. A computer creates a graph representing the servers and connectivity, based on connectivity strengths and resource requirements. The computer groups the servers into multiple groups by using a graph-based partitioning algorithm which considers the connectivity strengths and the resource requirements. The computer creates two adjacency matrices, one for local rules and the other for global rules. The computer adds endpoints to a local adjacency list, in response to determining that the endpoints are in a respective one of the multiple groups. The computer adds endpoints to a global adjacency list, in response to determining that the endpoints are not in a respective one of the multiple groups. The computer converts the adjacency lists to firewall rules for the respective one of the multiple groups.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHER KHAN whose telephone number is (571)272-8574. The examiner can normally be reached Monday-Friday, 8:00am - 5:00pm (EST). If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw, can be reached on 571-272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHER A KHAN/           Primary Examiner, Art Unit 2497