DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 01/30/2020, in which, claim(s) 1-20 are pending. Claim(s) 1, 8 and 15 are independent.

Drawings
The drawings filed on 01/30/2020 are accepted by the Examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kung et al. (US 2018/0234459 A1) in view of Fainberg et al. (US 2020/0296139 A1).
Regarding Claims 1, 8, and 15, Kung discloses
storing, at a policy management server, a segmentation policy comprising a set of segmentation rules that specify a white list of permissible connections between workloads providing or consuming network-based services ([0069], “A white list communication policy explicitly defines the communication allowed between logical groups, particularly a source logical group and a destination logical group”, “White list communication policies (those including a rule with an “allow” action)”, [0150], “define micro-segmentation policies”, [0229], “infrastructure resources hosted by a cloud service provider by communicating with the cloud (policy) server”); 
storing, at the policy management server, an enforcement policy that specifies at least a first group of services for operating in a test state and at least a second group of services for operating in an enforced state ([0003], “enforce security policies”, “enforce network communication for their virtual machines and container instances”, [0006], “Enforcement mechanisms differ in the degree of isolation from the workload unit”, [0016], “a large enterprise may enforce global network security across multiple lines of business or departments while giving smaller groups within the enterprise the agility to deploy new application or modify security policies of existing applications” as enforcement policy for two different groups each with different state); 
generating, based on the segmentation policy, segmentation policy instructions for causing an enforcement module to configure one or more traffic filters with a first set of filtering rules that allow traffic associated with the first or second group of services meeting the segmentation rules of the segmentation policy ([0104], “Host firewalls” are software firewalls implemented in host operating traffic to the host. These firewalls are configured in the same way as security group using “White list communication policies”, “that filters, monitors, and blocks HTTP traffic to and from a web application”, [0116], “allows finer control of the network policy rules that can separate network traffic for different workload units hosted on the same node”); 
generating, based on the enforcement policy, enforcement policy instructions for causing the enforcement module to configure the one or more traffic filter, and to block traffic associated with the second group of services that fails to meet any of the first set of filtering rules ([0070], “Black list communication policies (those including a rule with a “block” action) define communication that is explicitly not allowed between a source and a destination logical group. This type of policy can be enforced by disabling logical group membership of resources that have “white list communication” policies that violate (fails to meet) the black list communication policy”); and 
distributing the segmentation policy instructions and the enforcement policy instructions to the enforcement module ([0022], “FIG. 5 is a schematic representation of a contextual security platform communicating with security mechanisms native to the computer infrastructure hosting workload units that have been distributed between a data center and a private or public cloud service provider”).  
Kung does not explicitly teach but Fainberg teaches
with a default filtering rule to allow traffic associated with the first group of services that fails to meet any of the first set of filtering rules ([0010-0011], “filtering or dropping packets”, “use of traffic filters”, [0090], “after failing an anti-virus rules to only allow the device to communicate with anti-virus definitions”).
Kung and Fainberg are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Fainberg with the disclosure of Kung. The motivation/suggestion would have been for access control management (Fainberg, Abstract).

Regarding Claims 2, 9, and 16, the combined teaching of Kung and Fainberg teaches 
wherein the enforcement policy further specifies at least a third group of services for operating in a build state (Kung, [0201], “Building of maps that visually identify malicious and non-compliant activity in real-time”), and wherein generating the segmentation policy instructions comprises:  
determining a set of the segmentation rules associated with the first group of services operating in the test state and the second group of services operating in the enforce state; and generating the segmentation policy instructions only for the determined set of segmentation rules (Kung, [0003], “enforce security policies”, “enforce network communication for their virtual machines and container instances”, [0006], “Enforcement mechanisms differ in the degree of isolation from the workload unit”, [0016], “a large enterprise may enforce global network security across multiple smaller groups within the enterprise the agility to deploy new application or modify security policies of existing applications” as enforcement policy for two different groups each with different state).

Regarding Claims 3, 10, and 17, the combined teaching of Kung and Fainberg teaches 
wherein the enforcement policy identifies the first group of services by one or more label sets identifying a group of workloads and service-identifying information associated with traffic relating to the first group of services (Kung, [0075], “Information about the infrastructure resources identified…workloads (labelled “WU”)”, [0171], “each data flow with identifiers for both endpoints or resources that are communicating in that flow”).

Regarding Claims 4, 11, and 18, the combined teaching of Kung and Fainberg teaches 
wherein the service-identifying information comprises at least one of: a port, a protocol, and a service identifier (Kung, [0171], “each data flow with identifiers for both endpoints or resources that are communicating in that flow”).

Regarding Claims 5, 12, and 19, the combined teaching of Kung and Fainberg teaches 
wherein at least one service of the first group of services operating in the test state and at least one service of the second group of services operating in the enforce state are provided by or consumed by a same workload (Kung, [0116], “allows finer control of the network policy rules that can separate network traffic for different workload units hosted on the same node”).

Regarding Claims 6, 13, and 20, the combined teaching of Kung and Fainberg teaches 
receiving from the enforcement modules, traffic data indicative of traffic meeting one of the filtering rules; and generating a traffic flow graph indicative of the traffic data (Kung, [0172], “Data flows with context information can be graphically visualized”, “This visualization exposes the required communication for the applications and services running in the environment”, [0199], “Generating visualizations of the entire hybrid/multi-cloud environment—not just cloud resources, but virtualized and bare metal environments as well”).

Regarding Claims 7 and 14, the combined teaching of Kung and Fainberg teaches 
receiving a state change instruction to change a service from a test state to an enforce state; updating the enforcement policy instructions in response to the state change instruction; and distributing updated enforcement policy instructions to the enforcement module (Kung, [0056], “when a workload is moved from an on premise datacenter to a public cloud provider the system model database can be updated with a new mapping of workload unit to node and compute environment”, [0060], “the corresponding network security enforcement rules are recomputed and updated on the corresponding enforcement points”).
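To make the claimed mechanism concrete for the reader, the following is an added illustration written for this Office action; it is not code from the application, from Kung or from Fainberg. It models the segmentation policy (a white list), the enforcement policy (per-service test, enforce or build state) recited in claims 1, 8 and 15 and claim 2, and the state change of claims 7 and 14; all labels, ports and states are constructed sample values, and the "unfiltered" result for build-state services is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # label set of the consuming workload
    dst: str    # label set of the providing workload
    port: int
    proto: str

def service_of(flow):
    """Service-identifying information: provider label, port, protocol."""
    return (flow.dst, flow.port, flow.proto)

# Segmentation policy: white list of permissible consumer -> service connections (constructed).
SEGMENTATION_RULES = [
    Flow("web", "app", 8080, "tcp"),
    Flow("app", "db", 5432, "tcp"),
    Flow("app", "cache", 6379, "tcp"),
]

# Enforcement policy: operating state per service (constructed sample values).
ENFORCEMENT_POLICY = {
    ("app", 8080, "tcp"): "test",      # first group: unmatched traffic allowed, but logged
    ("db", 5432, "tcp"): "enforce",    # second group: unmatched traffic blocked
    ("cache", 6379, "tcp"): "build",   # third group: no instructions generated yet
}

def generate_instructions(seg_rules, enforcement):
    """Segmentation instructions (explicit allows) and enforcement instructions
    (per-service default action), generated only for services in test or enforce state."""
    active = {svc for svc, st in enforcement.items() if st in ("test", "enforce")}
    filter_rules = {r for r in seg_rules if service_of(r) in active}
    defaults = {svc: ("allow" if enforcement[svc] == "test" else "block") for svc in active}
    return filter_rules, defaults

def decide(flow, filter_rules, defaults):
    """Enforcement module: an explicit allow wins, otherwise the service default applies."""
    if flow in filter_rules:
        return "allow"
    default = defaults.get(service_of(flow))
    if default is None:
        return "unfiltered"   # assumption: build-state services receive no filter yet
    return "allow,log" if default == "allow" else "block"

def change_state(enforcement, svc, new_state):
    """State change instruction: update the enforcement policy and regenerate instructions."""
    updated = {**enforcement, svc: new_state}
    return updated, generate_instructions(SEGMENTATION_RULES, updated)
```

Moving the "app" service from test to enforce via change_state turns its previously logged-but-allowed unmatched traffic into blocked traffic, which is the redistribution step of claims 7 and 14.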

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497