Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
2. 	Claims 21-43 are pending.
Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The USPTO internet Web site contains terminal disclaimer forms which may be used. Please visit http://www.uspto.gov/forms/. The filing date of the application will determine what form should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.
For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp



A side-by-side comparison of claims 21, 24, 33, 36 of the pending application and the 10469536 patent is given in the following table to show their similarities and differences:

Pending Application
Claims 21, 24, 33-36:

A computer-implemented method, comprising: provisioning a plurality of virtual machine instances in a virtual network hosted by a computing resource service provider, wherein the plurality of virtual machine instances are associated with a customer of the computing resource service provider;
identifying, based at least in part on an
filtering, by a firewall, based at least in part on a security policy associated with the subnet,
obtaining, based at least in part on the logging of the outgoing network traffic and the filtering of the incoming network traffic, network log information associated with the virtual machine instance of the subnet, wherein the network log information includes at least a timestamp, a source IP address, and a destination IP address;
and exporting the network log information to a destination accessible to the customer.

US Patent # 10469536
Claims 21

A computer-implemented method, comprising: receiving, at a computing resource service provider, a request to collect network log information related to a virtual computer system instance of a customer, the computing resource service provider managing a plurality of virtual computer system instances for different customers;
obtaining the network log information by filtering the network traffic directed to the virtual computer system instance during the sampling period; retrieving, from the network log information, network information associated with the virtual computer system instance, the network information including at least a source internet protocol (IP) address, a destination IP address, and information identifying a protocol used;
and providing the network log information to a destination associated with the customer.


Although the 10469536 patent does not disclose the following limitation(s), U.S. Patent # 9319272 discloses the following limitation(s): application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet service provider network that the appliance service provider provisions on behalf of the client 120 that requests the instance 110 of the appliance service (Brandwine, column 4, [lines 9-15]), via an API to a load balancer service provided by the service provider or some other entity, and also launches the resource instance(s) 214 for the backend node(s) in the customer's subnet 202 (column 6, [lines usage metric traffic from the appliance service instance 210 (column 5, [lines 16-17]), and further appliance service provider collect metrics to monitoring and management backend traffic flow over (column 10, [lines 39-45]).
The Supreme Court in KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007) identified a number of rationales to support a conclusion of obviousness which are consistent with the proper “functional approach” to the determination of obviousness as laid down in Graham. One such rationale given by the Supreme Court that may be relied upon to support a conclusion of obviousness included: “combining prior art elements according to known methods to yield predictable results”.
The 10469536 patent discloses all the structural elements of the claimed portable device and corresponding elements except application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet, which is disclosed in Brandwine.
Thus, one of ordinary skill in the art of portable devices would have been motivated, before the effective filing date of the claimed invention, to update the system of the 10469536 patent with application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet as disclosed in Brandwine in order to provide virtualized computing resources to multiple customers. 

5.	Claims 21, 24, 33, 36 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 21, 34 of copending US Patent # 10157427 in view of Eric Brandwine (US 9319272).

A side-by-side comparison of claims 21, 24, 33, 36 of the pending application and the 10157427 patent is given in the following table to show their similarities and differences:

Pending Application
Claims 21, 24, 33-36:

A computer-implemented method, comprising: provisioning a plurality of virtual machine instances in a virtual network hosted by a computing resource service provider, wherein the plurality of virtual machine instances are associated with a customer of the computing resource service provider;
identifying, based at least in part on an
filtering, by a firewall, based at least in part on a security policy associated with the subnet, incoming network traffic to the virtual machine instance the subnet;
obtaining, based at least in part on the logging of the outgoing network traffic and the filtering of the incoming network traffic, network log information associated with the virtual machine
and exporting the network log information to a destination accessible to the customer.

US Patent # 10157427
Claims 21

A computer-implemented method, comprising: receiving a request from a customer of a computing resource service provider to enable logging for a virtual computer system instance of the customer, the virtual computer system instance from one of a plurality of virtual computer system instances managed by the computing resource service provider for different customers;
filtering, by a firewall, network traffic directed to the virtual computer system instance
obtaining a set of network traffic logs generated by filtering network traffic directed to the virtual computer system instance; retrieving, from the set of network traffic logs, network information
and providing the network log information to a destination associated with the customer.



Although the 10157427 patent does not disclose the following limitation(s), U.S. Patent # 9319272 discloses the following limitation(s): application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet service provider network that the appliance service provider provisions on behalf of the client 120 that requests the instance 110 of the appliance service (Brandwine, column 4, [lines 9-15]), via an API to a load balancer service provided by the service provider or some other entity, and also launches the resource instance(s) 214 for the backend node(s) in the customer's subnet 202 (column 6, [lines 1-5]); and usage metric traffic from the appliance service instance 210 (column 5, [lines 16-17]), and appliance service provider collect metrics to monitoring and management backend traffic flow over (column 10, [lines 39-45]).
The Supreme Court in KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007) identified a number of rationales to support a conclusion of obviousness which are consistent with the proper “functional approach” to the determination of obviousness as laid down in Graham. One such rationale given by the Supreme Court that may be relied upon to support a conclusion of obviousness included: “combining prior art elements according to known methods to yield predictable results”.
The 10157427 patent discloses all the structural elements of the claimed portable device and corresponding elements except application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet, which is disclosed in Brandwine.
Thus, one of ordinary skill in the art of portable devices would have been motivated, before the effective filing date of the claimed invention, to update the system of the 10157427 patent with application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet as disclosed in Brandwine in order to provide virtualized computing resources to multiple customers.

6.	Claims 21, 24, 33, 36 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1, 13 of copending US Patent # 9667656 in view of Eric Brandwine (US 9319272).

A side-by-side comparison of claims 21, 24, 33, 36 of the pending application and the 9667656 patent is given in the following table to show their similarities and differences:


Pending Application
Claims 21, 24, 33-36:

A computer-implemented method, comprising: provisioning a plurality of virtual machine instances in a virtual network hosted by a computing resource service provider, wherein the plurality of virtual machine instances are associated with a customer of the computing resource service provider;
identifying, based at least in part on an
filtering, by a firewall, based at least in part on a security policy associated with the subnet, incoming network traffic to the virtual machine instance the subnet;
obtaining, based at least in part on the logging of the outgoing network traffic and the filtering of the incoming network traffic, network log information associated with the virtual machine
and exporting the network log information to a destination accessible to the customer.

US Patent # 9667656
Claim 1

receiving a request from a customer of a computing resource service provider to enable logging for a virtual computer system instance, the virtual computer system instance hosted by the computing resources service provider;
filtering, by a firewall, at least a portion of network traffic directed to the virtual computer system instance based at least in part on one or more security policies maintained by the customer
obtaining network traffic log information and firewall decisions from the firewall associated with the virtual computer system instance; retrieving network log information corresponding to the
and providing the network log information to a destination associated with the customer.


Although the 9667656 patent does not disclose the following limitation(s), U.S. Patent # 9319272 discloses the following limitation(s): application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet service provider network that the appliance service provider provisions on behalf of the client 120 that requests the instance 110 of the appliance service (Brandwine, column 4, [lines 9-15]), via an API to a load balancer service provided by the service provider or some other entity, and also launches the resource instance(s) 214 for the backend node(s) in the customer's subnet 202 (column 6, [lines 1-5]); and usage metric traffic from the appliance service instance 210 (column 5, [lines 16-17]), and further appliance service provider collect metrics to monitoring and management backend traffic flow over (column 10, [lines 39-45]).
The Supreme Court in KSR Int’l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007) identified a number of rationales to support a conclusion of obviousness which are consistent with the proper “functional approach” to the determination of obviousness as laid down in Graham. One such rationale given by the Supreme Court that may be relied upon to support a conclusion of obviousness included: “combining prior art elements according to known methods to yield predictable results”.

Thus, one of ordinary skill in the art of portable devices would have been motivated, before the effective filing date of the claimed invention, to update the system of the 9667656 patent with application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances; logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet as disclosed in Brandwine in order to provide virtualized computing resources to multiple customers. 

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

5.	Claims 24, 36, 37-43 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled 
	Claims 24 and 36 recite that the virtual network is assigned an identifier; however, there is no evidence that the specification contemplated or supported the claimed subject matter. For example, paragraph 64 recites that the on-demand data storage service 914 may operate as a key value store that associates data objects with identifiers of the data objects which may be used by the customer 904 to retrieve or perform other operations in connection with the data objects stored by the on-demand data storage service 914, but it does not address the virtual network itself being assigned an identifier. Therefore, the recited claims are not adequately supported by the specification. See MPEP § 2161.01.
	Examiner interprets the virtual network identifier as a network IP address.
Claims 37-43 depend on claims 24 and 36 and are rejected for the same reasons as applied to the aforementioned claims 24 and 36.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 21-30, 32-43 are rejected under 35 U.S.C. 103 as being unpatentable over Eric Brandwine (US 9319272), in view of Eric Bloch (US 20110078309), hereinafter Bloch.

	Regarding claim 21:
 provisioned in a subnet of a customer's private network on a service provider network without provisioning the backend nodes in the customer's subnet (Abstract, [lines 2-3]), wherein the plurality of virtual machine instances are associated with a customer of the computing resource service provider a service provider may provide resource virtualization to the customers via one or more virtualization services that allow the customers to purchase, rent, or otherwise obtain instances of virtualized resources (column 3, [lines 15-20])
 identifying, based at least in part on an application programming interface (API) request by the customer, a subnet of the virtual network comprising a virtual machine instance of the plurality of virtual machine instances an appliance service instance 110 may be composed of one or more virtualized resources on the service provider network that the appliance service provider provisions on behalf of the client 120 that requests the instance 110 of the appliance service (column 4, [lines 9-15]), via an API to a load balancer service provided by the service provider or some other entity, and also launches the resource instance(s) 214 for the backend node(s) in the customer's subnet 202 (column 6, [lines 1-5])
logging outgoing network traffic for the subnet by capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet customer disallow outgoing usage metric traffic from the appliance service instance 210 (column 5, [lines 16-17]), and further appliance service provider collect metrics to monitoring and management backend traffic flow over (column 10, [lines 39-45]). Examiner interprets collecting metrics as capturing information about outgoing Internet Protocol (IP) traffic going from the virtual machine instance of the subnet.
However, Brandwine fails to disclose filtering, by a firewall, based at least in part on a security policy associated with the subnet, incoming network traffic to the virtual machine instance the subnet; and 
obtaining, based at least in part on the logging of the outgoing network traffic and the filtering of the incoming network traffic, network log information associated with the virtual machine instance of the subnet, wherein the network log information includes at least a timestamp, a source IP address, and a destination IP address; and exporting the network log information to a destination accessible to the customer.
the traffic monitor 508 to consider all domains on the incoming list, and watches all traffic coming in or out of the client network (Bloch, para 164), and proxy appliance 506 comprises a core proxy 712 that can proxy client requests for network resources, to intercept the requests and responses to enable inspection of traffic (para 95), and further blocked by identifying the corresponding IP address from the list, and then providing input to a firewall, such as in the form of a rule or policy, to take an action for that IP address (e.g., to block access to the IP address, etc.) (Bloch, para 85).
Obtaining, based at least in part on the logging of the outgoing network traffic and the filtering of the incoming network traffic, network log information associated with the virtual machine instance of the subnet, wherein the network log information includes at least a timestamp verdict logging (including Timeout and Error verdicts) include: Timestamp; URL of request; SSE invoked; Verdict (comprising one of the Spyware categories above); Scan Duration in milliseconds; Threat ID; Vendor Threat Name; Vendor Category; Vendor Threat Level; Vendor Recommended Action. In an embodiment, some of the preceding values are determined according to TABLE 12 (para 351); a source IP address client IP address is checked against an administrator blacklist (para 71), and a destination IP address destination public IP address 914 (para 53). 
 and exporting the network log information to a destination accessible to the customer the traffic monitor 508 can be exposed to users using a Web interface and/or a command line interface (CLI) (Bloch, para 218), and packets can be examined for content and sessions reconstructed to facilitate tracking information and creating reports based on the specific protocols being used over which ports (Bloch, para 219). 
It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain, and to generate policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request, wherein the particular request specifies a particular IP address that is within the particular domain.


Bloch discloses exporting the network log information to the destination accessible to the customer comprises exporting copies of log entries from the network log information, wherein the API request submitted by the customer indicates which log entries from the network log information to select and the destination to export traffic monitor 508 logs events that enable generating reports about outbound traffic directed to the list of known destinations (Bloch, para 197), and the traffic monitor 508 can be exposed to users using a Web interface and/or a command line interface (CLI) (Bloch, para 218), and packets can be examined for content and sessions reconstructed to facilitate tracking information and creating reports based on the specific protocols being used over which ports (Bloch, para 219). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain, and to generate policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request, wherein the particular request specifies a particular IP address that is within the particular domain.

Regarding claim 23:
Bloch discloses comprising obtaining network log information from the virtual machine instance of the subnet regardless of whether obtaining outgoing network traffic from the virtual machine instance the subnet violates the security policy identifying the corresponding IP address from the list, and then providing input to a firewall, such as in the form of a rule or policy, to take an action for that IP address (e.g., to block access to the IP address, etc.) (Bloch, para 85). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain, and to generate policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request, wherein the particular request specifies a particular IP address that is within the particular domain.

Regarding claim 24:
 an appliance service instance 110 may be composed of one or more virtualized resources on the service provider network that the appliance service provider provisions on behalf of the client 120 that requests the instance 110 of the appliance service (column 4, [lines 9-15]), via an API to a load balancer service provided by the service provider or some other entity, and also launches the resource instance(s) 214 for the backend node(s) in the customer's subnet 202 (column 6, [lines 1-5]), wherein the virtual network is assigned an identifier each VM 1024 may be provided with one or more private IP addresses (para 60).
enabling, based at least in part on the API request from the customer, flow logging for a subnet of the virtual network, wherein the subnet comprises a virtual machine instance customer disallow outgoing usage metric traffic from the appliance service instance 210 (column 5, [lines 16-17]), and further appliance service provider collect metrics to monitoring and management backend traffic flow over (column 10, [lines 39-45]).
However, Brandwine fails to disclose applying a plurality of firewall policies to allow or deny traffic to or from the plurality of virtual machine instances of the virtual network; obtaining network log information, based at least in part on a firewall policy of the plurality of firewall policies applicable to the virtual machine instance, corresponding to traffic to or from the subnet and exporting the network log information to the customer, wherein exporting the network log information comprises selecting a subset of the network log information to export to a destination accessible by the customer.
Bloch discloses applying a plurality of firewall policies to allow or deny traffic to or from  the plurality of virtual machine instances of the virtual network using the internal list of IP addresses to domains, additional information about the domains, such as a list of domains considered to be undesirable (e.g., they are known to be sources of spyware, phishing attacks, or other web-based malware), those domains can be blocked by identifying the corresponding IP address from the list, and then providing input to a firewall, such as in the form of a rule or policy, to take an action for that IP address (e.g., to block access to the IP address, etc.) (Bloch, para 85).
proxy appliance 506 comprises a core proxy 712 that can proxy client requests for network resources, to intercept the requests and responses to enable inspection of traffic (para 95), and further  traffic monitor 508 logs events that enable generating reports about outbound traffic directed to the list of known destinations (Bloch, para 197). Examiner interprets network resources are virtual machine instances.
and exporting the network log information to the customer, wherein exporting the network log information comprises selecting a subset of the network log information to export to a destination accessible by the customer the traffic monitor 508 can be exposed to users using a Web interface and/or a command line interface (CLI) (Bloch, para 218), and packets can be examined for content and sessions reconstructed to facilitate tracking information and creating reports based on the specific protocols being used over which ports (Bloch, para 219). 
It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain, and to generate policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request, wherein the particular request specifies a particular IP address that is within the particular domain.

	Regarding claim 25:
 Bloch discloses wherein the network log information provides the customer with information to determine traffic changes and to perform network analysis as tested at step 906, then a notification of blocking is sent to the client. For example, the proxy appliance 506 can return an HTML document to the client indicating that the request cannot be transmitted and optionally providing other information (Bloch, para 70). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain; generating policy 

	Regarding claim 26:
	Brandwine discloses wherein the flow logging is enabled for all interfaces on a virtual machine instance with multiple interfaces at least the front-end node instance may be provided with multiple interfaces at least two of the interfaces face different subnets, with one facing the customer subnet and the other facing the backend subnet operated by the appliance service provider in which the backend node instances are implemented (Brandwine, abstract, [lines 7-11]).

	Regarding claim 27:
	Brandwine discloses the plurality of virtual machine instances (please see claim 1), and further Bloch discloses wherein the network log information is aggregated with other network log information obtained from filtering network traffic associated the proxy appliance can employ other techniques as well, such as web reputations filters that analyze different web traffic and network-related parameters to evaluate the trustworthiness of a given URL (Bloch, para 59). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain, and to generate policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request, wherein the particular request specifies a particular IP address that is within the particular domain.

	Regarding claim 28:
	Brandwine discloses receiving an additional API request from the customer the request to the service may specify the number of interfaces (e.g., two, three, or more) (Brandwine, column 11, [lines 4-7]), but fails to disclose to disable flow logging for the virtual machine instance. Bloch teaches the UI provides an option for the administrator to enable or disable response scanning by multiple scan engines (Bloch, para 375). It would have been obvious to someone skilled in the art before the 

	Regarding claim 29:
Brandwine discloses wherein the network log information includes network traffic sent from the virtual machine instance to a second virtual machine instance of the subnet FIG. 10, at least some networks in which embodiments may be implemented may include hardware virtualization technology that enables multiple operating systems to run concurrently on a host computer (e.g., hosts 1020A and 1020B of FIG. 10), i.e. as virtual machines (VMs) 1024 on the hosts 1020. The VMs 1024 may, for example, be rented or leased to customers of a network provider (Brandwine, column 14, [lines 10-20]).

	Regarding claim 30:
	Bloch discloses wherein log entries from the network log information are sampled to reduce the number of log entries determine the verdict for the content by examining a fraction of the overall content, the amount of data transferred to the SSE to obtain a verdict can be significantly reduced (Bloch, para 120). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain; generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request; wherein the particular request specifies a particular IP address that is within the particular domain.

Regarding claim 32:
Bloch discloses wherein a portion of the traffic directed to the virtual machine instance is logged if permitted by the firewall policy of the plurality of firewall policies and remaining traffic is blocked and not logged if not permitted by the firewall policy the proxy appliance converts the reputation score value, based on internally maintained threshold values, into a determination whether the request should be allowed, blocked, or is gray (uncertain), depending on rules or policies established by the administrator, if the result of step 436 is BLOCK, then control transfers to step 412 in which the "access denied" error page is sent (Bloch, para 75 & 76). It would have been obvious to someone skilled in the art before the effective filing date of claimed invention to combine the teaching of Bloch with that of Brandwine in order to determine one or more IP addresses that are associated with the particular domain; generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request; wherein the particular request specifies a particular IP address that is within the particular domain.

	Regarding claim 33:
Claim 33 is rejected under the same reason set forth in rejection of claim 21.

 	Regarding claim 34:
Claim 34 is rejected under the same reason set forth in rejection of claim 22.

Regarding claim 35:
Claim 35 is rejected under the same reason set forth in rejection of claim 23.

Regarding claim 36:
Claim 36 is rejected under the same reason set forth in rejection of claim 24.

Regarding claim 37:
Claim 37 is rejected under the same reason set forth in rejection of claim 25.

Regarding claim 38:
Claim 38 is rejected under the same reason set forth in rejection of claim 26.


Regarding claim 39:
Claim 39 is rejected under the same reason set forth in rejection of claim 27.

Regarding claim 40:
Claim 40 is rejected under the same reason set forth in rejection of claim 28.

Regarding claim 41:
Claim 41 is rejected under the same reason set forth in rejection of claim 29.

Regarding claim 42:
Claim 42 is rejected under the same reason set forth in rejection of claim 30.

Regarding claim 43:
Claim 43 is rejected under the same reason set forth in rejection of claim 32.

7.	Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Eric Brandwine (US 9319272), in view of Eric Bloch (US 20110078309), and further in view of David Doyle (US 20100031156), hereinafter Doyle.

	Regarding claim 31:
Brandwine and Bloch teach wherein the network log information (please see claim 1), but fail to disclose it is provided to the customer as a network flow diagram. However, Doyle teaches FIGS. 16A-16D shows an exemplary user interface 200 for reporting of network events and their impact of various devices within the network. The user interface 200 includes a problem summary portion 202, a traffic comparison portion 220, an impacted infrastructure and applications portion 240, an impact details portion 250, and an action portion 270. The portions 202, 220, 240, 250, and 270 provide a collection of information (Doyle, para 16). It would have been obvious to someone skilled in 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached on Monday-Friday 8:00 a.m. to 5 p.m. EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nickerson Jeffrey L can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/THANH H LE/Examiner, Art Unit 2432

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436