DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09/08/2021 has been entered.
 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/08/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
This office action is in response to the amendment filed on 09/08/2021.
Claims 1-20 are pending for examination. Applicant amends claims 1-2, 8-12, 14-15, and 19. The amendments have been fully considered and entered.

Response to Arguments
For convenience, the newly introduced limitations, as made by amendments, are marked as underlined.
Applicant’s arguments with respect to the rejection of claims 1 and 14 under 35 U.S.C. § 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Pai et al. (US 20170353496 A1; hereinafter “Pai”) in view of Petry et al. (US 20170180413 A1; hereinafter “Petry”) and further in view of Pratt (US 9386021 B1) as cited on the IDS filed on 09/08/2021.
As per claim 1, Pai discloses: a service provider network comprising one or more network devices, wherein the service provider network is configured to:
determine network isolation configuration information for a client device on a local area network (LAN), the client device associated with a client account, wherein the network isolation configuration information comprises an identification of a trusted network destination for the client device (Pai, [0015], policy is identified (i.e., network isolation configuration information is determined) for a user of a host device (i.e., client device), wherein the policy comprises known trusted network resources, [0073], wherein the host device is associated with a user account, [0022], wherein host device is on a LAN); 
send the network isolation configuration information to the client device (Pai, [0024], policy is provided/pushed to the host operating system 102); 
receive, from a first application or process operating in a segregated untrusted memory space of the client device, a first request to communicate with an untrusted network destination (Pai, [0123]-[0124], detecting an application (i.e., first application) that is attempting to access an untrusted network resource, [0121] and Fig. 6, because the set of acts in Fig. 6 are not limited to the specific order shown in Fig. 6, launching the application in the container (step 610) may come before detecting the application is attempting to access an untrusted network resource (steps 604 and 606), therefore, the application attempting to access the network resource is operating in the container (i.e., segregated untrusted memory space), [0014], wherein the container is “untrusted” because it contains untrusted network resources while providing full kernel isolation 
allow, based on the network isolation configuration information, the first application or process operating in the segregated untrusted memory space to communicate with the first untrusted network destination (Pai, [0124], [0121], and [0127], the application operating in the isolated container (i.e., segregated untrusted memory space) is allowed to communicate with the untrusted network resource after detecting an attempt to access an untrusted network resource which is based on looking up the network resource against one or more policies (i.e., based on the network isolation configuration information)).  
While Pai discloses network isolation configuration information comprising identification of trusted network destinations, Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information comprising an untrusted network destination for the client device (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
untrusted memory space operating on the client device, wherein the segregated untrusted memory space is isolated from a trusted memory space operating on a workspace of the client device (Pratt, col. 15 lines 30-36 and Fig. 6, authenticating a guest OS 620/626 (i.e., segregated untrusted memory space) operating on a client device 610, col. 5 lines 17-62, wherein the guest operating system runs in a virtual machine and is isolated from host OS (i.e., trusted memory space) operating on its own resources of the client device, Abstract, wherein the host OS is “trusted” because the host OS does not have access to untrusted network destinations. Note: Pratt’s guest OS is analogous to Pai’s container because each run on the client device in a virtual machine and each have access to untrusted network destinations while isolating the host OS); and
allowing communications with the untrusted network destination based on the authentication of the segregated untrusted memory space (Pratt, col. 15 lines 30-36 and Fig. 6, allowing guest OS 620/626 (i.e., segregated untrusted memory space) access to any resources on an untrusted network upon being authenticated).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include allowing communications with the untrusted network destination based on the authentication of the segregated untrusted memory space as taught or suggested by Pratt for the benefit of ensuring the privacy and integrity of the host operating system (Pratt, col. 14 lines 66).

As per claim 2, claim 1 is incorporated and the modified Pai discloses: wherein the untrusted network destination is a first untrusted network destination (Pai, [0124]) and the service provider network is further configured to: 
receive, from a second application or process operating on the workspace of the client device, a second request to communicate with a second untrusted network destination, wherein the workspace is isolated from the authenticated segregated untrusted memory space (Pai, [0031], network filter 116 ensures that the host operating system 102 is prevented from accessing any untrusted network resources, that is, when a request to communicate with an untrusted network destination (i.e., first or second untrusted network destination) occurs from the host operating system (i.e., workspace), then network filter 116 prevents/blocks the communication from occurring, Abstract, wherein the host operating system 102 is isolated from the container); and 
prevent the second application or process operating on the workspace of the client device from communicating with the second untrusted network destination based on the second request being from outside the authenticated segregated untrusted memory space (Pai, [0031] and [0028], network filter 116 ensures that the host operating system 102 is prevented from accessing any untrusted network resources, that is, when a request to communicate with an untrusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 prevents/blocks the communication from occurring because the request is not coming from the container).  
The modified Pai does not disclose, however, Petry teaches or suggests: a blacklist of untrusted network destinations and a whitelist of trusted network destinations 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).

As per claim 3, claim 1 is incorporated and the modified Pai discloses: a firewall configured to block one or more of ports, protocols, or traffic between unauthenticated devices on the LAN and the untrusted network destination (Pai, [0068], network filter is built into a firewall that blocks network traffic from untrusted network destinations).  

As per claim 4, claim 1 is incorporated and the modified Pai discloses: wherein the LAN comprises a plurality of client devices associated with the client account, and a client portal associated with the client account (Pai, [0025], target set of computing devices associated with a user account, Fig. 7, plurality of client devices (716, 718, 720), [0028], application programming interfaces (i.e., client portal) associated with the user account); and

The modified Pai does not disclose, however, Petry teaches or suggests: the service provider network further configured to: implement a client portal associated with the client account (Petry, [0064], client interface to instantiate one or more secure web containers).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation configuration information as taught or suggested by Petry for the benefit of increased web browsing security using dynamic security policy implementation (Petry, [0003]).

As per claim 5, claim 4 is incorporated and the modified Pai does not disclose, however, Petry teaches or suggests: wherein the client portal interface is configured to enable modification of the network isolation configuration information by the at least one of the plurality of client devices associated with the client account (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation 

As per claim 6, claim 4 is incorporated and the modified Pai discloses: push, via the client portal to the plurality of client devices, one or more of a patch, an update, or a security control (Pai, [0025], policy updates are pushed/sent to target set of computing devices).  

As per claim 7, claim 1 is incorporated and the modified Pai discloses: implementing, on the client device, a local firewall configured to prevent communications between the client device and other devices on the LAN (Pai, [0068], network filter 116 of the host operating system 102 is built into a firewall (i.e., local firewall) that intercepts, inspects, forward, modify, and block network traffic of the LAN).  

As per claims 8 and 19, claim 1 and claim 14 are incorporated, respectively, and the modified Pai does not explicitly disclose, however, Pratt teaches or suggests: wherein the service provider network is further configured to receive client credentials from the segregated memory space of the client device, and wherein the service provider network is configured to authenticate the segregated untrusted memory space operating on the client device using the client credentials (Pratt, col. 15 lines 30-36 and Fig. 6, receiving authentication credentials (i.e., client credential) from guest OS (i.e., 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include allowing communications with the untrusted network destination based on the authentication of the segregated untrusted memory space as taught or suggested by Pratt for the benefit of ensuring the privacy and integrity of the host operating system (Pratt, col. 14 lines 66).

As per claim 9, claim 1 is incorporated and while the modified Pai discloses network isolation configuration information comprising identification of trusted network destinations (i.e., a whitelist), Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information further comprises one or more of a whitelist that comprises a trusted network destinations and a blacklist that comprises the untrusted network destination (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
untrusted memory space is a first segregated untrusted memory space, and wherein the service provider network is further configured to authenticate a second segregated untrusted memory space operating on a second client device on the LAN (Pratt, col. 16 lines 54-59, managing a plurality of computer client devices 610 and their corresponding guest OS to access untrusted network resources, col. 15 lines 30-36 and Fig. 6, wherein the guest OS is authenticated prior to accessing the untrusted network resources).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include allowing communications with the untrusted network destination based on the authentication of the segregated untrusted memory space as taught or suggested by Pratt for the benefit of ensuring the privacy and integrity of the host operating system (Pratt, col. 14 lines 66).

As per claim 10, claim 1 is incorporated and the modified Pai discloses: wherein the network isolation configuration information further comprises an identification of a trusted network destination, and the service provider network is further configured to: receive, from a second application or process operating on the workspace of the client device, a second request to communicate with a network destination, wherein the workspace is isolated from the authenticated segregated untrusted memory space (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a network 
determine, based on the network isolation configuration information, that the network destination is the trusted network destination (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication to occur between the host operating system and a trusted destination); and 
allow the second application or process operating on the workspace of the client device to communicate with the trusted network destination (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication between the host operating system and a trusted destination).

As per claim 11, claim 1 is incorporated and the modified Pai discloses: the service provider network further configured to: manage, using a server, the network isolation configuration information (Pai, [0024], management and monitoring service 104 is configured to manage and provide the policy); and 
untrusted memory space and the first untrusted network destination (Pai, [0022], host operating system 102 communicates with network resources via web proxy 106).  

As per claim 12, claim 1 is incorporated and the modified Pai does not disclose, however, Petry teaches or suggests: wherein the segregated untrusted memory space comprises a sandboxed computing environment enforced by a sandbox container process that enables an internal isolation firewall (Petry, [0065], web container comprises a sandbox environment, [0153], firewall is enabled).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a sandbox environment as taught or suggested by Petry for the benefit of increased web browsing security (Petry, [0003]).

As per claim 13, claim 1 is incorporated and the modified Pai discloses: receive, from the client device, a request for the network isolation configuration information (Pai, [0024], policy is obtained/pulled/requested from the management and monitoring service 104).
  
As per claim 14, Pai discloses: a host computer system comprising:
a memory (Pai, Fig. 7, memory/storage 712); and 
a processor (Pai, Fig. 7, processing system 704) configured to: 

communicate with a network destination via an Internet service provider (ISP) (Pai, [0022], host operating system 102 communicates with network resources via web proxy 106, [0023], wherein management and monitoring service 104 and web proxy 106 is implemented on a device (i.e., ISP) separate from the host operating system 102); 
receive, from the ISP, network isolation configuration information comprising an identification of a trusted network destination for the host computer system (Pai, [0024], management and monitoring service 104 is configured to provide policy (i.e., network isolation configuration information) to the host operating system 102, [0015], wherein the policy comprises known trusted network resources); 
implement a segregated untrusted memory space that is configured to enable operation of a set of one or more applications or processes, wherein the segregated untrusted memory space is isolated from a trusted memory space operating on a workspace of the host computer system (Pai, [0101] and [0116], activate a container that enables operation of an application, wherein the container is isolated from the host operating system (i.e., trusted memory space) operating on its own resources of the host device); 
communicate, using the set of one or more applications or processes operating on the segregated untrusted memory space with the untrusted network destinations via the ISP (Pai, [0124], [0121], and [0127], the virtual version of the application in the isolated container is allowed to communicate with the untrusted network resource); and 

While Pai discloses network isolation configuration information comprising identification of trusted network destinations, Pai does not explicitly disclose, however, Petry teaches or suggests: the network isolation configuration information comprising an untrusted network destination for the client device (Petry, [0108], blacklist and whitelist of URLs (i.e., network destination), wherein the blacklist comprises harmful (i.e., untrusted) web content and the whitelist comprises safe (i.e., trusted) content). 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Pai to include a blacklist of untrusted network destinations along with the list of trusted network destinations (i.e., a whitelist) as taught or suggested by Petry for the benefit of increased web browsing security by preventing the client device from accessing untrusted network destinations on the blacklist (Petry, [0003]).
The modified Pai does not explicitly disclose, however, Pratt teaches or suggests: authenticating the segregated untrusted memory space with the ISP (Pratt, col. 15 lines 30-36 and Fig. 6, authenticating a guest OS 620/626 (i.e., segregated untrusted memory space) operating with the network device 650).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai 

As per claim 15, claim 14 is incorporated and the modified Pai discloses: wherein the processor is configured to operate the workspace that is enabled by and executed using the trusted memory space that is isolated from the segregated untrusted memory space (Abstract, wherein the host operating system 102 is isolated from the container). 
The modified Pai does not disclose, however, Petry teaches or suggests: wherein the segregated untrusted memory space comprises a sandboxed computing environment that is enforced by a sandbox container process that enables an internal isolation firewall (Petry, [0065], web container comprises a sandbox environment, [0153], firewall is enabled).  
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a sandbox environment as taught or suggested by Petry for the benefit of increased web browsing security (Petry, [0003]).

As per claim 16, claim 15 is incorporated and the modified Pai discloses: wherein the processor is further configured to: send, from an application or process operating on the workspace to the ISP, a request to communicate with a network 
on a condition that the network destination is identified as a trusted network destination in the network isolation configuration information, communicate with the network destination via the workspace and the ISP (Pai, [0031], network filter 116 ensures that the host operating system 102 only access trusted network resources, that is, when a request to communicate with a trusted network destination occurs from the host operating system (i.e., workspace), then network filter 116 allows the communication from occurring because the request is not coming from the container).  

As per claim 17, claim 14 is incorporated and the modified Pai discloses: wherein the host computer system is associated with a client account (Pai, [0073], user account).
The modified Pai does not disclose, however, Petry teaches or suggests: communicating with a client portal via a client portal interface associated with the client account (Petry, [0064], client interface to instantiate one or more secure web containers); and 
modifying, via the client portal interface, the network isolation configuration information (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application).


As per claim 18, claim 17 is incorporated and the modified Pai discloses: receive[, via the client portal,] one or more of patches, updates, or security controls associated with the client account (Pai, [0025]-[0026], policy update (i.e., modifying) via the application programming interface).  
The modified Pai does not disclose, however, Petry teaches or suggest: receiving updates or security controls via the client portal (Petry, [0079], user 102 set/modifies policies within a policy database associated with the secure analysis application).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of the modified Pai to include a client portal to allow a user of the device to modify the network isolation configuration information as taught or suggested by Petry for the benefit of increased web browsing security using dynamic security policy implementation (Petry, [0003]).

As per claim 20, claim 14 is incorporated and the modified Pai discloses: send, to the ISP, a request for the network isolation configuration information (Pai, [0024], policy is obtained/pulled/requested from the management and monitoring service 104).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.	
Schultz et al. (US 10375111 B2) discloses host operating system running on a host device that prevents an application from accessing personal information (e.g., user information or corporate information) by activating an anonymous container that is isolated from the host operating system (Abstract).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALEXANDER R LAPIAN whose telephone number is (571)272-7552.  The examiner can normally be reached on M-F 9:30-6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 571-272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  


ALEXANDER R. LAPIAN
Examiner
Art Unit 2437



/ALEXANDER R LAPIAN/Examiner, Art Unit 2437   

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437