DETAILED ACTION

Claims 1-18 are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 07/06/2021 has been entered.
 

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For

Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,356,124 (in view of fig 3-4). Although the claims at issue are not identical, they are not patentably distinct from each other because: please see the table below:

Instant Application
U.S. Patent No. 10,356,124
1. A method comprising: inserting, by a device in a network, a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of the services the endpoint node is expected to communicate with; receiving, by the device, an address response sent from the lookup service to 

2. The method as in claim 1, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and 

3. The method as in claim 1, further comprising: profiling, by the device, traffic associated with the endpoint node; and requesting, by the device, the profile tag from an access policy server. 

4. The method as in claim 3, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy. 

5. The method as in claim 1, further comprising: intercepting, by the device, the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy. 

6. The method as in claim 1, wherein the lookup service identifies the one or more 

7. A method comprising: receiving, at a lookup service device in a network, an address request from an endpoint node in the network, wherein the address request includes profile tag for the endpoint node inserted into the address request by a networking device in the network; retrieving, by the lookup service device, a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of services the endpoint node is expected to communicate with; identifying, by the lookup service device, one or more addresses with which the endpoint node is authorized to communicate based on the profile for the endpoint node, wherein the one or more addresses are 

8. The method as in claim 7, wherein the lookup service device comprises a Domain Name System (DNS) lookup service device, and wherein the address request comprises a DNS lookup request. 



10. The method as in claim 9, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy. 

11. The method as in claim 7, wherein the one or more addresses with which the endpoint node is authorized to communicate is associated with a manufacturer of the endpoint node. 

12. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a 

13. The apparatus as in claim 12, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request. 

14. The apparatus as in claim 12, wherein the process when executed is further operable to: profile traffic associated with the endpoint node; and request the profile tag from an access policy server. 



16. The apparatus as in claim 12, wherein the process when executed is further operable to: intercept the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy. 

17. The apparatus as in claim 12, wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by: retrieving a profile for the endpoint node associated with the inserted profile tag from an access policy server. 

18. The apparatus as in claim 13, wherein the apparatus comprises at least one of: 

U.S. Patent No. 10,356,124
inserting, by a device in a network, a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of one or more services the endpoint node is expected to communicate with; receiving, by the device, an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate, wherein the one or more addresses are associated with the one or more services; determining, by the device, whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate; blocking, by the device, the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate; determining, by the device, whether a second communication between the endpoint node and a second particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to 

    2. The method as in claim 1, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request. 

    3. The method as in claim 1, further comprising: profiling, by the device, traffic associated with the endpoint node; and requesting, by the device, the profile tag from an access policy server. 

    4. The method as in claim 3, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy. 

    5. The method as in claim 1, further comprising: intercepting, by the device, the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy. 

    6. The method as in claim 1, wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by: retrieving a profile for the endpoint node associated with the inserted profile tag. 

    7. A method comprising: receiving, at a lookup service device in a network, an address request from an endpoint node in the network, wherein the address request includes profile tag for the endpoint node inserted into the address request by a 

    8. The method as in claim 7, wherein the lookup service device comprises a Domain Name System (DNS) lookup service device, and wherein the address request comprises a DNS lookup request. 

    9. The method as in claim 7, wherein retrieving the profile for the endpoint node associated with the inserted profile tag comprises: requesting, by the device, the profile from an access policy server using the profile tag. 

    10. The method as in claim 9, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy. 



    12. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: insert a profile tag into an address request sent by an endpoint node in the network to a lookup service, wherein the lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag, wherein the profile is indicative of one or 

    13. The apparatus as in claim 12, wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request. 

    14. The apparatus as in claim 12, wherein the process when executed is further operable to: profile traffic associated with the endpoint node; and request the profile tag from an access policy server. 

    15. The apparatus as in claim 14, wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy. 

    16. The apparatus as in claim 12, wherein the process when executed is further operable to: intercept the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy. 

    17. The apparatus as in claim 12, wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by: retrieving a profile for the endpoint node associated with the inserted profile tag from an access policy server. 




This is a provisional nonstatutory double patenting rejection.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Reddy et al. (US Patent Application No. 20160080395) (hereinafter Reddy) in view of “Data Formats for In-band OAM,” draft-brockners-inband-oam-data-00, F. Brockners, S. Bhandari, C. Pignataro, Cisco, H. Gredler, July 8, 2016, pages 1-21 (hereinafter Draft), in further view of Gupta et al. (US 2016/0359673) (hereinafter Gupta).

As per claim 1, Reddy discloses a method comprising: inserting, by a device in a network, a profile tag into an address request sent by an endpoint node in the network to a lookup service (para 21, inserting metadata), wherein the lookup service is 
receiving, by the device, an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate, wherein the one or more addresses are associated with the services (fig 3, para 36); 
determining, by the device, whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate (fig 3, para 36, 40, suspicion level is low interpreted as authorizing); and
automatically blocking, by the device, the communication based on a determination that the particular network address is not in the one or more addresses with which the endpoint node is authorized to communicate by dropping the communication (para 22, data packets are blocked based on the policy). 
Reddy does not disclose endpoint profile. However, Draft discloses endpoint profile (page 12. All nodes maintain POT profile). 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Reddy and Ren. The motivation would have been to build a network that provides endpoint security solutions (both hardware and software based). Reddy in view of Ren does not explicitly disclose 

As per claim 2, claim is rejected for the same reasons as claim 1, above. In addition, Reddy discloses wherein the lookup service comprises a Domain Name System (DNS) lookup service, and wherein the address request comprises a DNS lookup request (fig 3, para 18). 

As per claim 3, claim is rejected for the same reasons as claim 1, above. In addition, Reddy discloses profiling, by the device, traffic associated with the endpoint node; and requesting, by the device, the profile tag from an access policy server (para 18, 21, requiring metadata).

As per claim 4, claim is rejected for the same reasons as claim 1, above. In addition, Draft discloses wherein the access policy server comprises a Manufacturer Usage Description (MUD) proxy (Introduction, page 3, 6; Manufacturer Usage Descriptions). 

As per claim 5, claim is rejected for the same reasons as claim 1, above. In addition, Draft discloses further comprising: intercepting, by the device, the profile tag from a communication between the endpoint node and a Manufacturer Usage Description (MUD) proxy (Introduction, page 3, 6; Manufacturer Usage Descriptions). 
 
As per claim 6, claim is rejected for the same reasons as claim 1, above. In addition, Draft discloses wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by: retrieving a profile for the endpoint node associated with the inserted profile tag (pages 5, 8). 

As per claims 7 and 12, claims are rejected for the same reasons as claim 1, above. 

As per claims 8 and 13, claims are rejected for the same reasons as claim 2, above. 

As per claims 9 and 14, claims are rejected for the same reasons as claim 3, above. 

As per claims 10 and 15, claims are rejected for the same reasons as claim 4, above. 

As per claim 11, the claim is rejected for the same reasons as claim 1, above. In addition, Draft discloses wherein the one or more addresses with which the endpoint node is authorized to communicate is associated with a manufacturer of the endpoint node (page 11, mapping between IP address and domain name). 

As per claim 16, the claim is rejected for the same reasons as claim 5, above. 

As per claim 17, claim is rejected for the same reasons as claim 1, above. In addition, Reddy discloses wherein the lookup service identifies the one or more addresses with which the endpoint node is authorized to communicate by: retrieving a profile for the endpoint node associated with the inserted profile tag from an access policy server (para 18, 21, 36, requiring metadata). 

As per claim 18, claim is rejected for the same reasons as claim 1, above. In addition, Draft discloses wherein the apparatus comprises at least one of: a network switch, a network router, or a network access point (page 6, para 2, Service Delivery Model).

Response to Arguments

Applicant’s arguments with respect to claim(s) 1-18 have been considered but are moot because of the new ground of rejection; see above. 



Conclusion

Please see the attached PTO-892 for the prior art made of record and not relied upon that is considered pertinent to applicant's disclosure. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD A SIDDIQI whose telephone number is (571)272-3976.  The examiner can normally be reached on Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private 






/MOHAMMAD A SIDDIQI/Primary Examiner, Art Unit 2493