DETAILED ACTION
A Request for Continued Examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on October 08, 2021 has been entered.  
Claims 1-20 are pending and are directed toward MACHINE LEARNING-BASED APPLICATION POSTURE FOR ZERO TRUST NETWORKING.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable over NELLEN (US 2019/0141015, Filed: Nov. 2, 2018), hereinafter referred to as NELLEN.
As per claim 1, NELLEN teaches a method comprising:
applying, by a gateway to a zero trust network, an access control policy to an endpoint device attempting to access a cloud-based application hosted by the zero trust network (Accordingly, cloud-based multi-function firewalls 112A-D and 154A-B can be network components (within cloud server 110) that not only can control a passage of network traffic by applying network-security functions, but also can control a routing path of allowed network traffic to provide a Zero Trust network, NELLEN, [0067]);
in response to the access control policy indicating that the endpoint device is allowed to access the cloud-based application (In some embodiments, configuration engine 138 can be configured to receive device information ( e.g., an IP address of user device 102A, a unique identifier associated with user device 102A, or a MAC address of user device 102A) and/or user information ( e.g., a user account identifier associated with a user operating user device 102A) from user device 102A. Based on the device information or user information, configuration engine 138 can verify that user device 102A is permitted to access the network-security functions provided by one or more cloud servers 112A-D. NELLEN, [0076]): acting, by the gateway, as a reverse proxy (Therefore, cloud-based multi-function firewalls 112A-D and 154A-B, as discussed herein, may provide various network and network-security functions that are typically associated with a secure web gateway (SWG) or a web proxy. NELLEN, [0068]) between the endpoint device and the cloud-based application (In some embodiments, individual policy 136 can include a plurality of rules or preferences specific to a user device, an edge device, or a user account. In some embodiments, these rules can include network-security function rules (as described above) and private virtual network (VN) rules. In some embodiments, network-security function rules can specify allowable and banned interactions ( e.g., inbound or outbound network requests) between devices on local network 104 and data sources 120 in an external network such as communication network 106. NELLEN, [0068]),
acting, by the gateway, as a reverse proxy between the endpoint device and the cloud-based application (Therefore, cloud-based multi-function firewalls 112A-D and 154A-B, as discussed herein, may provide various network and network-security functions that are typically associated with a secure web gateway (SWG) or a web proxy. NELLEN, [0068]), 
capturing, by the gateway, telemetry data regarding application traffic reverse proxied by the gateway between the endpoint device and the cloud-based application (In some embodiments, the cloud-based multi-function firewalls in secure cloud 110 can be configured to apply the network-security functions to ingress and egress network traffic of a protected device such that the device remains secure from potential threats carried in external network requests originating outside of an internal network (with respect to the protected device) as well as potential threats carried in internal network requests originating from the internal network. NELLEN, [0067]);
detecting, by the gateway, an anomalous behavior of the application traffic by comparing the captured telemetry data to a machine learning-based behavioral model for the application (In some embodiments, policy engine 132 can be configured to receive and process alerts generated by cloud-based multi-function firewalls 114A-D on one or more cloud servers 112A-D or generated by cloud-based multi-function firewall 154A-B from VPN nodes 150A-B. As will be further described with respect to FIG. 5B, an alert can indicate specific network traffic is associated with a detected threat or that the network traffic is suspicious or anomalous and may potentially be associated with a threat. NELLEN, [0089]); and
In some embodiments and in contrast to on-premise firewall implementations, the cloud-based multi-function firewall system has high availability, is highly configurable in the cloud, and provides the functionality to detect and mitigate many types of threats including malware as well as the functionality to enforce security policies regardless of what network the user device is connected to and without requiring a company to implement and maintain disparate, complex security solutions on premise and potentially across many segmented networks within the company's internal network. NELLEN, [0009]); and
in response to the access control policy indicating that the endpoint device is not allowed to access the cloud-based application (In some embodiments, configuration engine 138 can be configured to receive device information ( e.g., an IP address of user device 102A, a unique identifier associated with user device 102A, or a MAC address of user device 102A) and/or user information ( e.g., a user account identifier associated with a user operating user device 102A) from user device 102A. Based on the device information or user information, configuration engine 138 can verify that user device 102A is permitted to access the network-security functions provided by one or more cloud servers 112A-D. NELLEN, [0076]), blocking, by the gateway, the endpoint device from accessing the cloud-based application (For example, these rules may be associated with identifying and responding to the plurality of known threats stored in threat database 137. In another example, the rules may be associated with identifying and responding to certain network traffic. In some embodiments, a rule can include an associated action such as permit, block, flag, or log network traffic, or a combination thereof. NELLEN, [0081], see also: In some embodiments, these rules can be user configurable and allow one or more security policies to be applied to ingress and egress network requests on the internal network of local network 104. For example, a security policy may be to block social media sites such as "Facebook.com", which may or may not be associated with a malicious threat. NELLEN, [0083]).
As per claim 2, NELLEN teaches the method as in claim 1, wherein the mitigation action comprises blocking the application traffic or sending an alert to a user interface regarding the detected anomalous behavior (In step 207, the security client blocks one more network connections provided by user device 202. In some embodiments, a connection component (e.g., connection component 144 of FIG. 1) of security client detects one or more available network connections and blocks any detected network connections. In some embodiments, the connection component blocks all detected network connections to prevent user device 202 from accessing an external, insecure network (e.g., the Internet) before security client establishes a  secure connection to secure cloud 204, as will be described below. NELLEN, [0109]).
As per claim 3, NELLEN teaches the method as in claim 1, wherein the gateway applies the access control policy to the endpoint device (In some embodiments, a secure cloud 404 provides a cloud-based multi-function firewall to user device 402 to protect user device 402 from threats in an insecure network 406 as well as to enforce security policies on network traffic between user device 402 and insecure network 406. In some embodiments, method 400 may be performed by various components of system 100 as described with respect to FIG. 1. For example, user device 402, secure cloud 404, and insecure network 406 may correspond to user device 102A, secure cloud 110, and communication network 106, respectively, as shown in FIG. 1. NELLEN, [0157]) based on a user profile associated with the endpoint device, a device profile of the endpoint device, and the cloud-based application (In some embodiments, profile database 139 can store profile information 135 specific to a user device (e.g., user device 102A or 107) or a user account (e.g., a user account may be associated with one or both of user devices 102A and 107, or the user account may be associated with edge device 105). Profile information 135 associated with the user device, such as user device 102A, can include telemetry data transmitted from the user device to policy engine 132. In some embodiments, the telemetry data of, for example, user device 102A can include file information at user device 102A, process information at user device 102A, and network traffic information at user device 102A. NELLEN, [0087]).
As per claim 4, NELLEN teaches the method as in claim 1, wherein the telemetry data is indicative of a flow data rate of the application traffic (In some embodiments, telemetry data includes information gathered at user device 102A including one or more of the following: file information at user device 102A, process information at user device 102A, and network traffic information at user device 102A. NELLEN, [0126]).
As per claim 5, NELLEN teaches the method as in claim 1, further comprising: obtaining a training dataset that includes application traffic between the cloud-based application and a plurality of endpoint devices; and using the training dataset to train the machine learning-based behavioral model for the application (In some embodiments, the policy engine inputs the plurality of attributes associated with the alert and an input indicating the alert is not associated with a threat into the one or more machine learning algorithm described with respect to steps 604 or 610. By doing so, the one or more machine learning algorithm of steps 604 or 610 can be continuously trained to increase accuracy the more alerts that are processed, according to some embodiments. In some embodiments, the policy engine can update the global policy to include a rule indicating that the one or more attributes (in the alert) does not indicate a true threat. NELLEN, [0206]).
claim 6, NELLEN teaches the method as in claim 1, wherein the machine learning-based model comprises a supervised learning-based classifier (To perform threat detection using an anomaly-based technique, the IPS can be configured classify the network traffic as including a potential threat based on heuristics or rules. In some embodiments, the IPS implement one or more machine learning algorithms (e.g., neural networks, learning classifier systems, association rule learning, artificial immune systems, etc.), strict mathematical models, data mining methods, or a combination thereof to detect anomalous attributes associated with the network traffic. NELLEN, [0189]).
As per claim 7, NELLEN teaches the method as in claim 1, wherein detecting the anomalous behavior of the application traffic by comparing the captured telemetry data to the machine learning-based behavioral model for the application further comprises: using the captured telemetry data and user profile information associated with the endpoint device as input to the classifier (In step 514, the cloud-based multi-function firewall routes the network traffic to a data file analyzer for processing. For example, as shown in method 500B, the network traffic may be routed from the IPS described in step 508 to the data file analyzer. As discussed above, however, other routing sequences may be possible. The data file  analyzer can be configured to scan the data file to determine whether an actual or potential threat exists. In some embodiments, the data file analyzer compares the data file against a plurality of signatures known to be associated with threats (e.g., malware, keyloggers, botnets, etc.) to determine whether the network traffic is associated with a known threat. In some embodiments, the data file analyzer implements heuristic-based detection or behavior-based detection to determine whether the data file is associated with a potential threat. NELLEN, [0191]).
Claims 8-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above. 
Response to Arguments
Applicant’s arguments with regards to claims 1-20 have been fully considered, but they are not persuasive.
“fails to teach” argument – Applicant argues that even assuming, arguendo, Nellen's cloud-based multi-function firewalls 112AD and 154A-B may be reasonably construed as "acting as a reverse proxy," Nellen fails to teach that the cloud-based multi-function firewalls 112A-D and 154A-B acts as a reverse proxy in response to an access control policy indicating that the endpoint device is allowed to access a cloud-based application, as presently claimed. Furthermore, Nellen fails to teach that an endpoint device is blocked from accessing a cloud-based application in response to an access control policy indicating that the endpoint device is not allowed to access the cloud-based application, as presently claimed. While Nellen teaches in paragraph [0067] that the cloud-based multi-function firewalls 112A-D and 154A-B may apply "network-security functions," the disclosure of Nellen is entirely silent with respect to specific actions taken in response to the "network-security functions" indicating that an endpoint device is either allowed or not allowed to access a cloud-based application (REMARKS, page 9).
Response: NELLEN teaches new limitations of currently amended claims at least at [0068], [0076], [0081], and [0083] as was mapped in rejecting Claim 1 above.
Conclusion -Therefore, in view of the above reasons, Examiner maintains rejections.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492