DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The claims 1-20 are pending in this application.  This is a non-final office action in response to Application Number 16/675,678 filed on 6 November 2019.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Independent claims 1, 13, and 19 recite “equivalent networks” in line 2 (claim 1), line 3 (claim 13), and lines 5-6 (claim 19) and “two different networks that are equivalent to each other” in lines 3-4 (claim 1), lines 5-6 (claim 13), and lines 7-8 (claim 19), however it is unclear if “equivalent network” is meant to be a second network of the 
The dependent claims 2-12, 14-18, and 20 do not clarify this issue and are also rejected for the same reasons.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Yadav et al. (U.S. Patent 10,812,315) in view of Janakiraman et al. (U.S. Patent Publication 2020/0235990), hereinafter referred to as Jana.

Regarding claim 1, Yadav disclosed a computer-implemented method for comparing network security specifications for equivalent networks, the method comprising: 
receiving network security specifications (see Yadav Fig. 6 #600: collecting fabric data for two networks | 5:43-50: constructing network models including policies, security, and configurations | 7:63-8:4: configurations info includes security groups, etc. | 12:21-28: policy is a specification controlling behavior) for two different networks (see Yadav Fig. 5 #502, #504: two networks | 23:63-24:16: cross-domain assurance system for traffic between two networks) that are equivalent to each other (see Yadav 27:55-28:8: comparing policies of two networks for the same service to ensure that both networks implement the same policy, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers), each network having one or more services (see Yadav 6:33-36: network includes application services | 11:20-21: consumer consumes a service | 12:36-38: provider provides a service), each service associated with a subnetwork (see Yadav-Jana combination below), each network security specification defining permitted connections between services of the corresponding network (see Yadav 27:4-23: correlating policies for the two networks | 8:48-64: firewall policies are used when classifying 
determining a mapping between corresponding pairs of subnetworks (see Yadav 21:30-32: every contract should specify a provider EPG and consumer EPG | 18:12-15: identifying duplicate subnets) of the two networks (see Yadav 27:4-23: correlating policies for the two networks) based on a mapping of corresponding services between the two networks (see Yadav 27:55-28:8: comparing policies of two networks for the same service, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers | 21:30-32: every contract should specify a provider EPG and consumer EPG); 
comparing the two network security specifications (see Yadav 27:55-28:8: comparing policies of two networks for the same service | see Yadav Fig. 6 #604: correlate fabric data of two networks), comprising: 
for each network security specification (see Yadav 27:55-28:8: comparing policies of two networks), generating a representation (see Yadav 5:43-50: constructing network models that represent the network’s policies, configurations, security, applications, filters, ACLS, etc. | 12:60-13:12: management information tree is a tree of managed objects (resources) on the network and includes the policies) that, for each of a plurality of subnetworks identifies a set of other subnetworks (see Yadav-Jana combination below) that are permitted to connect with that subnetwork according to the network security specification, wherein the representation captures all of the permitted connections defined in the network security specification (see Yadav 5:43-50: constructing network models that represent the access control lists, etc. | 10:35-47: classifying and applying policies to traffic as well as defining relationships, applying filters or access control lists, and defining communication paths between endpoints | 11:45-57: “filter” refers to a parameter or configuration to allow communications, e.g. whitelist model | 28:48-54: identifying whether or not A can talk with B on a different network); 
comparing the representations of the two network security specifications (see Yadav 22:12-31: assurance appliance collects, analyzes, and determines equivalency of network models | 27:55-28:8: comparing policies of two networks for the same service, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers) by matching corresponding pairs of subnetworks in the representations that are permitted to connect according to the representations, the corresponding pairs identified based on the mapping (see Yadav 10:35-47: classifying and applying policies to traffic as well as defining relationships, applying filters or access control lists, and defining communication paths A and B make up a pair); and 
identifying one or more discrepancies based on the matching (see Yadav 28:9-19: identifying mismatches between the policies of different networks), each discrepancy indicating a pair of subnetworks that is permitted to connect in one representation and not permitted to connect in the other representation (see Yadav 28:14-19: a policy of the first network permits student access to the grading service while a policy of the second network does not allow student access to the grading service); and 
generating a report describing the one or more discrepancies (see Yadav Fig. 6 #606-610: providing assurance of correlation as well as solutions to issues | 28:20-45: generating a mismatch event, notifying an administrator of the event, and suggesting specific steps to resolve the conflict).

Yadav did not explicitly disclose “each service associated with a subnetwork” and that the identified permitted connections are “a set of other subnetworks”.
In light of Yadav’s teachings regarding subnets being included within bridge domains (see Yadav 14:43), identifying duplicate subnets (see Yadav 18:12-15), as well as constructing endpoint groups (EPGs) according to applications (see Yadav 14:53-57), it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention that an application’s endpoint group (EPG) can be a subnet, i.e. “each service associated with a subnetwork”.  Furthermore, in light of 
However, in a related art of normalizing policies from multiple networks (see Jana 0038), Jana disclosed describing a cloud EPG as a subnet (see Jana 0095) and that EPGs include applications and service chains (see Jana 0049) and are a logical grouping of specific application servers (see Jana 0051), i.e. “each service associated with a subnetwork”.  Jana also disclosed policies specifying that subnet S1 is allowed to communicate with other networks whereas subnet S2 is not allowed to communicate with other VPCs (see Jana 0120).  Jana also described assigning specific sets of routers to specific subnets (see Jana 0126) and mapping each endpoint’s address, e.g. subnet, in a cloud network 104, 106 with its corresponding endpoint in the on-premises network 102 (see Jana 0135), i.e. that the identified permitted connections are “a set of other subnetworks”.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Yadav and Jana to further describe types of different networks and how to normalize policies across the multiple networks. Doing so would ensure increased policy uniformity across disparate networks (see Jana 0038).

Regarding claim 13, the claim contains the limitations, substantially as claimed, as described in claim 1 above and is rejected under Yadav-Jana according to the rationale provided above.  Yadav-Jana further disclosed a non-transitory computer readable storage medium storing instructions that when executed by a computer processor cause the computer processor to perform the method of claim 1 above.

Regarding claim 19, the claim contains the limitations, substantially as claimed, as described in claim 1 above and is rejected under Yadav-Jana according to the rationale provided above.  Yadav-Jana further disclosed a computer system comprising:
a computer processor (see Yadav Fig. 9 #910 processor); and 
a non-transitory computer readable storage medium (see Yadav Fig. 9 #915 memory, #920 ROM, #925 RAM) storing instructions that when executed by the computer processor cause the computer processor to perform the method of claim 1 above.

Regarding claim 2, Yadav-Jana disclosed the method of claim 1, further wherein one of the networks is implemented in one or more data centers of an enterprise and the other network is implemented using a remote cloud based system (see Yadav 24:16-21: the two networks include an enterprise network and a data center network | Jana Fig. 3 #102 On-Premises network, #104-106: two public clouds).  The motivation to combine the teachings of Yadav and Jana is the same as that presented in claim 1 above.

Regarding claim 14, the claim contains the limitations, substantially as claimed, as described in claim 2 above and is rejected under Yadav-Jana according to the rationale provided above.  

Regarding claim 20, the claim contains the limitations, substantially as claimed, as described in claim 2 above and is rejected under Yadav-Jana according to the rationale provided above.  

Regarding claim 3, Yadav-Jana disclosed the method of claim 1, wherein the two different network security specifications are expressed using different languages (see Yadav 25:23-32: translating policies from one network in order to correlate the policies of two networks | 28:38-45: mismatch events include details regarding differences in semantics for the policies of the two networks | 14:19-25: using XML, JSON).

Regarding claim 4, Yadav-Jana disclosed the method of claim 1, wherein the two different network security specifications are expressed using different models for describing groupings of services (see Yadav 29:42-55: normalizing ACI and DNA network policies).



Regarding claim 5, Yadav-Jana disclosed the method of claim 1, wherein determining the mapping between corresponding pairs of subnetworks of the two networks comprises, repeatedly performing:
selecting a service in one of the two network security specifications (see Yadav 11:20-21: consumer consumes a service | 12:36-38: provider provides a service | 27:55-28:8: comparing policies of two networks for the same service, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers. The service policy of the first network is inherently selected prior to being able to compare it to another network’s policy); 
identifying the service in the other of the two network security specifications (see Yadav 11:20-21: consumer consumes a service | 12:36-38: provider provides a service | 27:55-28:8: comparing policies of two networks for the same service, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers. The same service in a second network is inherently identified in order to be able to compare the two networks’ policies for the same service); and 
creating an association between subnetworks associated with the service as specified by the two network security specifications (see Yadav 11:20-21: consumer consumes a service | 12:36-38: provider provides a service | 27:55-28:8: comparing policies of two networks for the same service, e.g. comparing the policy of the first network regarding allowing teachers to access a grading service with the policy of the second network regarding a grading service granting access to teachers. An association between the two networks’ groups associated with the service is inherently created in order for the two networks to communicate | Jana 0036: adding a new endpoint and mapping it to the applicable policy).
The motivation to combine Yadav and Jana is the same as that provided in claim 1 above.

Regarding claim 15, the claim contains the limitations, substantially as claimed, as described in claim 5 above and is rejected under Yadav-Jana according to the rationale provided above.  

Regarding claim 6, Yadav-Jana disclosed the method of claim 1, wherein each subnetwork is represented as one or more internet protocol (IP) ranges (see Yadav 28:55-29:7: mapping endpoints within each group, subnet range of IP addresses).

Regarding claim 7, Yadav-Jana disclosed the method of claim 1, wherein the representation comprises: for each subnetwork, a tree data structure having a root node representing that subnetwork and a plurality of leaf nodes, each leaf node representing a leaf subnetwork, wherein the leaf subnetwork is permitted to connect to the root subnetwork (see Yadav 12:60-13:12: management information tree is a tree of managed objects (resources) on the network and includes the policies, root, and leaf nodes | Jana 0095: cloud EPG as a subnet).

Regarding claim 16, the claim contains the limitations, substantially as claimed, as described in claim 7 above and is rejected under Yadav-Jana according to the rationale provided above.  

Regarding claim 8, Yadav-Jana disclosed the method of claim 7, wherein each leaf node is associated with a port, wherein the leaf subnetwork is permitted to connect to the root subnetwork at the port (see Yadav 13:57-59: configuring leaf access policy based on ports).

Regarding claim 9, Yadav-Jana disclosed the method of claim 1, wherein the representation comprises: for each subnetwork, a plurality of tree data structures, each tree data structure for a communication protocol (see Yadav 22:12-31: assurance appliance collects, analyzes, and determines equivalency of network models, i.e. a plurality of model trees | 12:60-13:12: management information tree is a tree of managed objects (resources) on the network and includes the policies, root, and leaf nodes | 13:47-59: multiple protocols for the nodes within the management tree), each tree data structure having a root node representing a root subnetwork and a plurality of leaf nodes, each leaf node representing a leaf subnetwork, wherein the leaf subnetwork is permitted to connect to the root subnetwork (see Yadav 12:60-13:12: management information tree is a tree of managed objects (resources) on the network and includes the policies, root, and leaf nodes) using the communication protocol corresponding to the tree data structure (see Yadav 13:47-59: nodes are permitted to communicate via the specified protocol).

Regarding claim 17, the claim contains the limitations, substantially as claimed, as described in claim 9 above and is rejected under Yadav-Jana according to the rationale provided above.

Regarding claim 10, Yadav-Jana disclosed the method of claim 1, wherein generating the representation for a network security specification comprises:
identifying a pair of subnetworks in the network security specification, the pair comprising a consumer subnetwork and a provider subnetwork such that the consumer subnetwork is permitted to connect to the provider subnetwork (see Yadav 21:20-25: provider and consumer pair | 11:20-21: consumer consumes a service | 12:36-38: provider provides a service); and
adding the consumer subnetwork to the set of subnetworks that are permitted to connect to the provider subnetwork (see Jana 0036: adding a new endpoint and mapping it to the applicable policy | Yadav 21:20-25: provider and consumer pair | 11:20-21: consumer consumes a service | 12:36-38: provider provides a service).

Regarding claim 18, the claim contains the limitations, substantially as claimed, as described in claim 10 above and is rejected under Yadav-Jana according to the rationale provided above.  

Regarding claim 11, Yadav-Jana disclosed the method of claim 10, wherein adding the consumer subnetwork to the set of subnetworks that are permitted to connect to the provider subnetwork (see Jana 0036: adding a new endpoint and 
The motivation to combine Yadav and Jana is the same as that presented in claim 1 above.

Regarding claim 12, Yadav-Jana disclosed the method of claim 10, wherein adding the consumer subnetwork to the set of subnetworks that are permitted to connect to the provider subnetwork comprises:
responsive to determining that the consumer subnetwork is a superset of an existing subnetwork of the set, replacing the existing subnetwork by the consumer subnetwork (see Jana 0080: adding additional resources to an existing network | 0081: adding additional endpoints, i.e. replacing the existing group with the new group that includes the existing group).
The motivation to combine Yadav and Jana is the same as that presented in claim 1 above.
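
The comparison recited in claim 1, together with the permitted-set construction of claims 10 and 12, can be illustrated with the following added Python example, which is not taken from the application, Yadav, or Jana. The service names, CIDR ranges, the (consumer, provider, port) rule format, the matching of services by identical name, and the handling of an already-covered consumer are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample specs (not from the office action or the cited patents).
# Rules are (consumer service, provider service, port) allow entries.
ONPREM = {
    "services": {"web": "10.1.1.0/24", "office": "10.1.0.0/16",
                 "db": "10.2.0.0/24", "batch": "10.3.0.0/24"},
    "rules": [("web", "db", 5432), ("office", "db", 5432), ("batch", "db", 5432)],
}
CLOUD = {
    "services": {"web": "172.16.1.0/24", "office": "172.16.0.0/16",
                 "db": "172.20.0.0/24", "batch": "172.21.0.0/24"},
    "rules": [("office", "db", 5432), ("web", "db", 22)],
}

def covers(outer, inner):
    """True if `inner` lies inside `outer` (same IP version only)."""
    return outer.version == inner.version and inner.subnet_of(outer)

def add_consumer(allowed, consumer):
    """Add a consumer subnet to a provider's permitted set, kept minimal."""
    if any(covers(existing, consumer) for existing in allowed):
        return  # assumption: an already-covered consumer adds nothing
    # Superset case: the wider consumer replaces the entries it contains.
    allowed.difference_update([e for e in allowed if covers(consumer, e)])
    allowed.add(consumer)

def build_representation(spec):
    """Map (provider subnet, port) -> set of consumer subnets allowed in."""
    net = {name: ipaddress.ip_network(cidr) for name, cidr in spec["services"].items()}
    rep = defaultdict(set)
    for consumer, provider, port in spec["rules"]:
        add_consumer(rep[(net[provider], port)], net[consumer])
    return rep

def subnet_mapping(spec_a, spec_b):
    """Pair subnets of the two networks via services present in both."""
    shared = spec_a["services"].keys() & spec_b["services"].keys()
    return {ipaddress.ip_network(spec_a["services"][s]):
            ipaddress.ip_network(spec_b["services"][s]) for s in shared}

def edges(rep):
    """Flatten a representation into (consumer, provider, port) triples."""
    return {(c, p, port) for (p, port), consumers in rep.items() for c in consumers}

def compare(spec_a, spec_b):
    """Return permitted connections present in only one specification."""
    mapping = subnet_mapping(spec_a, spec_b)
    translated, unmapped = set(), set()
    for c, p, port in edges(build_representation(spec_a)):
        if c in mapping and p in mapping:
            # Express network A's connection in network B's address space.
            translated.add((mapping[c], mapping[p], port))
        else:
            unmapped.add((c, p, port))
    edges_b = edges(build_representation(spec_b))
    return {"only_in_a": translated - edges_b,
            "only_in_b": edges_b - translated, "unmapped": unmapped}

if __name__ == "__main__":
    for side, found in compare(ONPREM, CLOUD).items():
        for c, p, port in sorted(found, key=str):
            print(f"{side}: {c} -> {p} port {port}")
```

Because the wider "office" range absorbs "web" on port 5432, the redundant on-premises rule is not reported as a discrepancy; only the batch-to-db rule missing from the cloud side and the cloud-only port 22 rule are.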

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Angela Widhalm de Rodriguez whose telephone number is (571)272-1035. The examiner can normally be reached M-F: 6am-2:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on (571) 272-6967. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/A.W.R./Examiner, Art Unit 2452
5 November 2021



/Patrice L Winder/Primary Examiner, Art Unit 2452