DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 have been examined.

Information Disclosure Statement
The IDSs received on 01/10/2020 and 05/04/2021 have been entered and the references cited therein carefully considered.
Drawings
The drawings filed on 01/10/2020 are accepted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103(a) are summarized as follows:
1.	Determining the scope and contents of the prior art.
2.	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
4.	Considering objective evidence present in the application indicating obviousness or nonobviousness.

	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bowling (US Pub. No.: 2019/0319950 A1) in view of Clark et al. (US Patent No.: 10,411,951 B2). 
Regarding claim 1, Bowling discloses a system, [Fig. 3, system 300], comprising: one or more processors; and one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, cause one or more switches to perform operations [Fig. 3, Para. 0138, see also Para. 0021], comprising: identifying a first end point using a protocol associated with the first end point (The system(s) may be generic and/or configured for general use. The system(s) may be specialized for enterprise function(s). The system(s) may include one or more than one enterprise system. The network(s) may include one or more than one enterprise network. The network(s) may be secure. The enterprise network(s) may be secure. The network(s) may include one or more than one secure subnetwork. The secure subnetwork(s) may include the enterprise network(s). The network(s) may include the system(s). The network(s) may include one or more than one insecure subnetwork, such as the determining a classification for the identified first end point based on one or more attributes of the first end point (The method may include using one or more than one authentication layer. Functioning of the authentication layer(s) may include locking the enterprise network/system (s) down to one or more than one predetermined type of communication with the IoT device(s), such as identified EioT device(s). Functioning of the authentication layer(s) may include designating type(s) of allowed communication (s) with the IoT device(s). Functioning of the authentication layer(s) may include restricting the network/system(s) to the communication type(s). The restricting may be executed via a gateway that factors EioT device characteristic(s) and/or network segment function(s) [Para. 0034, see also Para. 0040]); segmenting the first end point with the identified one or more related end points (Step 703 may include organizing network data into segments, as a micro-segmented network. Segment-specific security policies may be assigned to connected IoT devices and device applications, based on IoT device functions. IoT devices with functions unrelated to a specific set of network segments, may be prevented from communicating with those segments. Step 705 may include and applying one or more policies to the segmented first end point and the one or more related end points (Step 703 may include organizing network data into segments, as a micro-segmented network. Segment-specific security policies may be assigned to connected IoT devices and device applications, based on IoT device functions. IoT devices with functions unrelated to a specific set of network segments, may be prevented from communicating with those segments [Para. 0162]).
Although Bowling discloses everything as applied above, Bowling does not explicitly disclose identifying one or more related end points having the classification in common with the first end point. However, these concepts are well known in the art as taught by Clark.
In the same field of endeavor, Clark discloses identifying one or more related end points having the classification in common with the first end point (Further, some conditions may exist where the source or destination endpoint identifier may be wholly represented by a packet classification. In such a case, the source or destination endpoint identifier could be changed within the orthogonal network policy to indicate 'all' endpoints and additional criterion could be added to the classifier. This mechanism retains the same policy space, but shifts the matching criterion from one component of the policy space, such as source or destination endpoint identifier, to another such as classifier. One example of this optimization would be to replace the set of all source endpoint identifiers on VLAN X with an additional classifier expression which includes VLAN X as matching criteria. Network policy optimization can reduce the number of protocol-specific messages generated. For instance, if there are 100 destination endpoint identifiers on VLAN 5 and all 100 destinations are specified as match criterion in an orthogonal network policy's destination endpoint identifier, the orthogonal network policy could be modified to have 'all' as the destination endpoint identifier and VLAN=5 as part of the classifier [col. 8, lines 45-65]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include Clark's method in Bowling's invention. One of ordinary skill in the art would have been motivated to allow for detection of conflicts between network policies expressed in an intent format, resolution of the detected conflicts, and then translation of the resolved conflict into a protocol-specific format [Clark, col. 2, lines 37-40].

Regarding claim 2, Bowling/Clark disclose everything as discussed above, Bowling further discloses the operations further comprising: applying a policy to communicatively connect the first end point with the identified one or more related end points (the device identification may also be used for implementing a policy (e.g. security policy) to the device based on the device identification ... For the feature of applying one or more policies to a group of identified devices, [see also Para. 0113]).

Regarding claim 3, Bowling/Clark disclose everything as discussed above, Bowling further discloses wherein the one or more switches comprise a virtual machine, and wherein the virtual machine is operable to perform the operations [Para. 0033, i.e. The translating layer may include one or more than one virtual machine] comprising identifying the first end point using the protocol associated with the first end point (The system(s) may be generic and/or configured for general use. The system(s) may be specialized for enterprise function(s). The system(s) may include one or more than one enterprise system. The network(s) may include one or more than one enterprise network. The network(s) may be secure. The enterprise network(s) may be secure. The network(s) may include one or more than one secure subnetwork. The secure subnetwork(s) may include the enterprise network(s). The network(s) may include the system(s). The network(s) may include one or more than one insecure subnetwork, such as the internet. The method may include utilizing one or more than one layer of data processing. The layer may include one or more steps and/or processes. The steps may be manual and/or automatic. The method may include using one or more than one identification layer. The identification layer may include identifying the device(s). The identification layer may include identifying one 
Although Bowling discloses everything as applied above, Bowling does not explicitly disclose identifying the one or more related end points having the classification in common with the first end point. However, these concepts are well known in the art as taught by Clark.
In the same field of endeavor, Clark discloses identifying the one or more related end points having the classification in common with the first end point (Further, some conditions may exist where the source or destination endpoint identifier may be wholly represented by a packet classification. In such a case, the source or destination endpoint identifier could be changed within the orthogonal network policy to indicate 'all' endpoints and additional criterion could be added to the classifier. This mechanism retains the same policy space, but shifts the matching criterion from one component of the policy space, such as source or destination endpoint identifier, to another such as classifier. One example of this optimization would be to replace the set of all source endpoint identifiers on VLAN X with an additional classifier expression which includes VLAN X as matching criteria. Network policy optimization can reduce the number of protocol-specific messages generated. For instance, if there are 100 destination endpoint identifiers on VLAN 5 and all 100 destinations are specified as match criterion in an orthogonal network policy's destination endpoint identifier, the orthogonal network policy could be modified to have 'all' as the destination endpoint identifier and VLAN=5 as part of the classifier [col. 8, lines 45-65]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include Clark's method in Bowling's invention. One of ordinary skill in the art would have been motivated to allow for detection of conflicts between network policies expressed in an intent format, resolution of the detected conflicts, and then translation of the resolved conflict into a protocol-specific format [Clark, col. 2, lines 37-40].
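The Clark passage relied on for claims 1 and 3 describes one concrete operation: when a policy enumerates every endpoint identifier on a VLAN, the identifier set is replaced by 'all' and VLAN=X is added to the classifier, so the policy space is unchanged while fewer protocol-specific messages are generated. The following is an added example, not code from either Bowling or Clark, showing that operation together with the check a policy engine needs before applying it. The endpoint inventory, the policy record, and the classifier keys `src_vlan`/`dst_vlan` (Clark writes the term simply as VLAN=5) are constructed here; the `message_count` proxy is likewise an assumption.

```python
"""Collapse an enumerated endpoint-identifier set into a VLAN classifier term.
Added example; inventory, policy format and classifier keys are constructed."""

from dataclasses import dataclass, field, replace
from itertools import product

ALL = "all"


@dataclass(frozen=True)
class Endpoint:
    ident: str
    vlan: int


@dataclass(frozen=True)
class Policy:
    src: object                                     # frozenset of identifiers, or ALL
    dst: object
    classifier: dict = field(default_factory=dict)  # packet attribute -> required value
    action: str = "permit"


def endpoints_on_vlan(inventory, vlan):
    return frozenset(e.ident for e in inventory if e.vlan == vlan)


def optimize(policy, inventory):
    """Replace a src/dst identifier set by ALL plus a VLAN classifier term, but only
    when the set is exactly the inventoried population of one VLAN. A subset is
    left alone: collapsing it would widen the policy to endpoints never listed."""
    p = policy
    for side in ("src", "dst"):
        ids = getattr(p, side)
        if ids == ALL or not ids:
            continue
        vlans = {e.vlan for e in inventory if e.ident in ids}
        if len(vlans) != 1:
            continue                      # members span VLANs: no single term covers them
        (vlan,) = vlans
        if ids != endpoints_on_vlan(inventory, vlan):
            continue                      # partial set: collapsing would admit extra hosts
        p = replace(p, **{side: ALL}, classifier={**p.classifier, f"{side}_vlan": vlan})
    return p


def matches(policy, src, dst, proto="tcp"):
    """Does the policy select a packet from src to dst? Classifier terms are
    evaluated against constructed packet attributes."""
    attrs = {"src_vlan": src.vlan, "dst_vlan": dst.vlan, "proto": proto}
    if not all(attrs.get(k) == v for k, v in policy.classifier.items()):
        return False
    return (policy.src == ALL or src.ident in policy.src) and \
           (policy.dst == ALL or dst.ident in policy.dst)


def equivalent(a, b, inventory):
    """Two policies are equivalent over the inventory if they select the same pairs."""
    return all(matches(a, s, d) == matches(b, s, d)
               for s, d in product(inventory, repeat=2))


def message_count(policy):
    """Constructed proxy for protocol-specific messages: one per explicit src/dst pair."""
    n = lambda ids: 1 if ids == ALL else len(ids)
    return n(policy.src) * n(policy.dst)


# Constructed inventory: 100 hosts on VLAN 5 plus three servers on VLAN 10.
INVENTORY = ([Endpoint(f"h{i}", 5) for i in range(100)]
             + [Endpoint(f"s{i}", 10) for i in range(3)])

# Policy naming all 100 VLAN-5 destinations explicitly, as in Clark's example.
FULL = Policy(src=ALL, dst=endpoints_on_vlan(INVENTORY, 5), classifier={"proto": "tcp"})

# Same policy with one host missing: must NOT be collapsed.
PARTIAL = replace(FULL, dst=FULL.dst - {"h0"})


def demo():
    opt = optimize(FULL, INVENTORY)
    assert opt.dst == ALL and opt.classifier["dst_vlan"] == 5
    assert equivalent(FULL, opt, INVENTORY)       # policy space retained
    assert optimize(PARTIAL, INVENTORY) == PARTIAL  # no widening of a partial set
    return message_count(FULL), message_count(opt)


if __name__ == "__main__":
    print(demo())  # (100, 1)
```

The equivalence check holds over the inventory as it stands when the policy is optimized; an endpoint later joined to VLAN 5 will match the collapsed policy without ever having been listed, so a deployment that depends on this optimization should re-validate policies whenever the inventory changes.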

Regarding claim 4, Bowling/Clark disclose everything as discussed above, Bowling further discloses creating a secure network overlay for the first end point and the identified one or more related end points [Para. 0166-0168].

Regarding claim 5, Bowling/Clark disclose everything as discussed above, Bowling further discloses the operations further comprising: enforcing network policies on the first end point and across the secure network overlay (Step 901 may include organizing enterprise network data into segments, as a micro-segmented enterprise network. Segment-specific security policies may be assigned to connected IoT device(s) and device application(s), based on IoT device function(s). IoT devices with function(s) unrelated to a specific set of network segment(s), may be prevented from communicating with those segment(s) [Para. 0174, Para. 0026]).

Regarding claim 6, Bowling/Clark disclose everything as discussed above, Bowling further discloses the operations further comprising: integrating the first end point and the identified one or more related end points in a software-defined wide area network (SD-WAN) (At step 507, auditing of the enterprise system network and/or of connected IoT devices may be performed. The auditing may be manual and/or automated. The auditing may include analyzing IoT device behaviors. The auditing may include determining typical network behavior between and/or within segments of a micro-segmented system network, such as the enterprise system network. The auditing may include and/or involve machine learning. The auditing may include scanning for atypical network requests, such as by an integrated IoT device. The auditing may result in quarantining of an aberrantly behaving device [Para. 0155]. The method may include simulating of network(s). The method may involve software-defined networking (SDN). The method may include using one or more VLAN protocols, such as 4095 VLANs and/or 16M VLANs. The method may include one or more than one encapsulation protocol. The encapsulation protocol may be for running one or more than one overlay network. The method may include Shortest Path Bridging (SPB). The method may involve Virtual Extensible LAN (VXLAN) [Para. 0019]).

Regarding claim 7, Bowling/Clark disclose everything as discussed above, Bowling further discloses the operations further comprising: extending the one or more policies applied to the first end point (Step 901 may include organizing enterprise network data into segments, as a micro-segmented enterprise network. Segment-and the one or more related end points across one or more clouds (Step 703 may include organizing network data into segments, as a micro-segmented network. Segment-specific security policies may be assigned to connected IoT devices and device applications, based on IoT device functions. IoT devices with functions unrelated to a specific set of network segments, may be prevented from communicating with those segments [Para. 0162]).

Regarding claims 8, 9, and 11-14, they are substantially the same as claims 1, 2 and 4-7, except claims 8, 9, and 11-14 are in method claim format.  Because the same reasoning applies, claims 8, 9, and 11-14 are rejected under the same reasoning as claims 1, 2 and 4-7.

Regarding claims 15-20, they are substantially the same as claims 1, 2 and 4-7, except claims 15-20 are in computer-readable non-transitory storage media claim format.  Because the same reasoning applies, claims 15-20 are rejected under the same reasoning as claims 1, 2 and 4-7, wherein one or more computer-readable non-transitory storage media [Fig. 3, memory 315] embodying instructions that, when executed by a processor, cause one or more switches to perform operations comprising: [Fig. 3, Para. 0138-0139].

Regarding claim 10, Bowling/Clark disclose everything as discussed above, Bowling further discloses collecting telemetry data from a plurality of end points, wherein the plurality of end points comprises the first end point, the one or more related end points [col. 4, lines 33-62], and one or more unrelated end points that do not have the classification in common with the first end point (For example, a source endpoint identifier and/or a destination endpoint identifier can specify that the policy pertains to all employees within the network. Similarly, a source endpoint identifier and/or a destination endpoint identifier can specify that the policy pertains to any employees that share a common trait, such as, being in a particular physical location. In another example, a source endpoint identifier and/or a destination endpoint identifier can specify that the network policy pertains to only employees, and/or only non-infected hosts within the network. While examples are provided herein, describing source endpoint and destination endpoint identifiers, examples are not so limited, and other identifiers can be provided that identify the group and/or groups to which a network policy applies [col. 4, lines 49-62]); and grouping a subset of the telemetry data indicating performance of a segment [col. 4, lines 55-67 and col. 5, lines 1-12], wherein the subset of the telemetry data comprises telemetry data associated with the first end point and telemetry data associated with the one or more related end points, and excludes telemetry data associated with the unrelated end points (In some examples, the set of orthogonal policies returned from getOrthogonalPolicies( ) above, may be optimized using an optimization engine and/or an optimization 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure. (1) Du et al. (US Pub. No.: 2019/0387011 A1) teaches techniques for providing Internet of Things (IoT) security. An applicable system includes profiling IoT devices to limit the number of network signatures applicable to the IoT devices and performing pattern matching using a pattern that is appropriate for the profile of a given IoT device. (2) Seed et al. (US Pub. No.: US 2017/0041231 A1) teaches methods, systems, and apparatuses that may support end-to-end (E2E) quality of service (QoS) through the use of service layer (SL) sessions. For example, an application can communicate with a targeted device based on application-specified schedule, latency, jitter, error rate, throughput, level of security, and cost requirements. (3) Wood (US Patent No.: 10,826,996 B2) teaches an improved Internet of Things (IoT) system and method providing a plurality of IoT devices with syndicated vendor-independent IoT data from an IoT syndication data server having informational data that is IoT supplier-independent, formatting the received IoT informational data into syndicated IoT data messages, creating syndicated IoT channels, transmitting by broadcasting over a point-to-multipoint non-addressed transport bearer channel, with the IoT devices monitoring the received point-to-multipoint non-addressed transport bearer channels of the different syndicated IoT channel transport networks, identifying a received IoT channel by comparing to the stored IoT message or channel selection.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DHARMESH J PATEL whose telephone number is (571)272-2690.  The examiner can normally be reached on Monday-Friday 8:00AM-5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha D Banks-Harold can be reached on (571) 272-7905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


DHARMESH J. PATEL
Examiner
Art Unit 2465


/DHARMESH PATEL/
Examiner, Art Unit 2465

	
/MARSHA D BANKS HAROLD/Supervisory Patent Examiner, Art Unit 2465