DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

1.	This communication is in response to amendments filed on 12/20/2021.
	Claims 1, 3, 9, 11, 17, and 19 have been amended.
	Claims 1-20 remain pending.

Claim Objections
2.	Applicant’s amendments to claims 3, 11 and 19 in response to the previously raised claim objection have been considered and obviate previous objection, as such the objection is hereby withdrawn.

Response to Arguments

3.	Applicant’s arguments regarding the Fainberg1 and Singh references failing to disclose or render obvious: “determining, by the server, an intent of the endpoint device indicative of an expected behavior of the endpoint device, using the one or more component tags and the one or more activity tags that were assigned to the endpoint” as recited in independent claims 1, 9, and 17 have been considered but are moot because the new ground of rejection does not rely on these references teaching the limitation specifically challenged in the argument.

	The rejection of these claims is therefore maintained.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

4.	Claims 1-4, 9-12, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg et al. (US 2020/0007395, referred to herein as Fainberg1) in view of Cheng et al. (US 2016/0301707).

Regarding claim 1, Fainberg1 teaches a method comprising:  
2obtaining, by a service, one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity tags (assign tags based on a fingerprint, entity behavior, [0024]) 3that were assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on inspection of 4traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by 
5determining, by the service, an intent of the endpoint device, using the one or 6more component tags and the one or more activity tags that were assigned to the endpoint 7device (Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second floor tag, a wireless tag, a lab environment tag, the zone may be a wireless California office lab zone, [0058]; For example, an accounting server may be determined to be in a non-Internet zone meaning that it cannot access the Internet because of the sensitive data stored on the accounting server, [0070]);  
8translating, by the service, the intent of the endpoint device into a network 9segmentation policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and 

However, Fainberg1 does not explicitly disclose deep packet inspection or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model behavior of an IoT device and create a normal behavior device profile for the IoT device, [0046]; an event log, a system log, and an access log can be created from transaction data identified from deep packet inspection of data packets transmitted to and from the IoT device, [0160]); and 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to a device using thorough inspection of packets communicated to and from the device. 

Regarding claim 12, Fainberg1 teaches the method as in claim 1, wherein determining the intent of the endpoint device 2comprises: 
determining3determining , at the service, an indication of one or more scalable group tags for the 4endpoint device (if an entity is a WindowsTM device on a third floor, [0073]); and 
sassociating, by the service, the one or more scalable group tags with the endpoint 6device (the device will be tagged with a third floor tag, [0073]).  
However, Fainberg1 does not explicitly disclose receiving the indication at the service.
Cheng teaches receiving, at a service, an indication of one or more scalable group tags for an endpoint (the IoT device clustering engine 606 functions to receive 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize an interface allowing an administrator to provide and configure device clusters in the system/method of Fainberg1 as suggested by Cheng in order to manage the features defining how IoT devices are grouped. One would be motivated to combine these teachings to enable the administrator to easily and intuitively control and manage the profiles applied to particular groups of the devices.

Regarding claim 13, Fainberg1 teaches the method as in claim 2, wherein translating the intent of the endpoint device into the network segmentation policy comprises:  27PATENT 0141458.U CPOL 1028072-US.01
3generating a security group access control list, based on the one or more scalable 4group tags associated with the endpoint device (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]); and wherein configuring the network 5overlay in the network comprises:  
6sending the security group access control list to networking equipment in the 7network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 

Regarding claim 14, Fainberg1 does not explicitly disclose the method as in claim 2, wherein indication of the one or more scalable group tags is 2received via a user interface.  
	Cheng teaches wherein indication of the one or more scalable group tags is received via a user interface (the IoT device clustering engine 606 can provide an interface through which an applicable entity, e.g. an administrator, can manually input new clustering factors, [0103]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize an interface allowing an administrator to provide and configure device clusters in the system/method of Fainberg1 as suggested by Cheng in order to manage the features defining how IoT devices are grouped. One would be motivated to combine these teachings to enable the administrator to easily and intuitively control and manage the profiles applied to particular groups of the devices.

Regarding claim 9, Fainberg1 teaches an apparatus, comprising: 28PATENT 0141458.U CPOL 1028072-US.01 
2one or more network interfaces to communicate with a network (Network Interface Device 508 of FIG. 5);  
3a processor coupled to the one or more network interfaces and configured to 4execute one or more processes (Processing Device 502 of FIG. 5); and  

7obtain one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity tags (assign tags based on a fingerprint, entity behavior, [0024]) that were 8assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on inspection of 9traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by the entity and the entity receiving the communications, [0025]; The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, [0043]; Traffic analyzer 408 is configured to perform analysis of network traffic (e.g., in real-time, with machine learning, etc.) to and from an entity thereby provide analysis of end to end communications of an entity, [0080]);  
10determine an intent of the endpoint device, using the one or more 11component tags and the one or more activity tags that were assigned to the 12endpoint device (Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second 
13translate the intent of the endpoint device into a network segmentation 14policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and  
15configure a network overlay in the network that implements the network 16segmentation policy (Network monitor device 280, based on the enforcement points, can assign enforcement actions to enforcement points, [0060]; enforcement actions are assigned to the enforcement points based on the tags assigned to the entity, [0072]).  
However, Fainberg1 does not explicitly disclose deep packet inspection or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model baseline behavior of IoT devices based on historical records of IoT devices. Baseline behavior includes ways an IoT device typical acts, users a device interacts with, and applications and/or operating system that are typically executed at the IoT device, [0107]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to a device using thorough inspection of packets communicated to and from the device. 

Regarding claim 110, Fainberg1 teaches the apparatus as in claim 9, wherein the apparatus determines the intent of the 2endpoint device by:  
3deterdetermining an indication of one or more scalable group tags for the endpoint 4device (if an entity is a WindowsTM device on a third floor, [0073]); and  
sassociating the one or more scalable group tags with the endpoint device (the device will be tagged with a third floor tag, [0073]).  
However, Fainberg1 does not explicitly disclose receiving the indication.
Cheng teaches receiving an indication of one or more scalable group tags for an endpoint device (the IoT device clustering engine 606 functions to receive regarding new clustering factors and subsequently cluster the devices according to new clustering factors, [0103]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize an interface allowing an administrator to provide and configure device clusters in the system/method of Fainberg1 as suggested by Cheng in order to manage the features defining how IoT devices are grouped. One would be motivated to combine these teachings to enable the administrator to easily and intuitively control and manage the profiles applied to particular groups of the devices.

Regarding claim 111, Fainberg1 teaches the apparatus as in claim 10, wherein the apparatus translates the intent of the endpoint device into the network segmentation policy by:  29PATENT 0141458.U CPOL 1028072-US.01 

6sending the security group access control list to networking equipment in the 7network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 may be assigned enforcement actions (e.g., ACLs) to allow device 230 to access other accounting resources, [0060]).  

Regarding claim 112, Fainberg1 does not explicitly disclose the apparatus as in claim 11, wherein indication of the one or more scalable group 2tags is received via a user interface.  
	Cheng teaches wherein indication of the one or more scalable group tags is received via a user interface (the IoT device clustering engine 606 can provide an interface through which an applicable entity, e.g. an administrator, can manually input new clustering factors, [0103]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize an interface allowing an administrator to 

Regarding claim 117, Fainberg1 teaches a tangible, non-transitory, computer-readable medium storing program instructions that cause a service to execute a process comprising:  30PATENT 0141458.U 
CPOL 1028072-US.01	3obtaining, by the service, one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity 4tags (assign tags based on a fingerprint, entity behavior, [0024]) that were assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on 5inspection of traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by the entity and the entity receiving the communications, [0025]; The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, [0043]; Traffic analyzer 408 is configured to perform analysis of network traffic (e.g., in real-time, with machine learning, etc.) to and 
6determining, by the service, an intent of the endpoint device, using the one or 7more component tags and the one or more activity tags that were assigned to the endpoint 8device (Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second floor tag, a wireless tag, a lab environment tag, the zone may be a wireless California office lab zone, [0058]; For example, an accounting server may be determined to be in a non-Internet zone meaning that it cannot access the Internet because of the sensitive data stored on the accounting server, [0070]);  
9translating, by the service, the intent of the endpoint device into a network 10segmentation policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and  
11configuring, by the service, a network overlay in the network that implements the 12network segmentation policy (Network monitor device 280, based on the enforcement points, can assign enforcement actions to enforcement points, [0060]; enforcement 
However, Fainberg1 does not explicitly disclose deep packet inspection or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model behavior of an IoT device and create a normal behavior device profile for the IoT device, [0046]; an event log, a system log, and an access log can be created from transaction data identified from deep packet inspection of data packets transmitted to and from the IoT device, [0160]); and 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model baseline behavior of IoT devices based on historical records of IoT devices. Baseline behavior includes ways an IoT device typical acts, users a device interacts with, and 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to a device using thorough inspection of packets communicated to and from the device. 

Regarding claim 118, Fainberg1 teaches the computer-readable medium as in claim 17, wherein determining the intent of the 2endpoint device comprises:  
3determiningddetermining, at the service, an indication of one or more scalable group tags for the 4endpoint device (if an entity is a WindowsTM device on a third floor, [0073]); and  
sassociating, by the service, the one or more scalable group tags with the endpoint 6device (the device will be tagged with a third floor tag, [0073]).  
However, Fainberg1 does not explicitly disclose receiving the indication at the service.
Cheng teaches receiving, at a service, an indication of one or more scalable group tags for an endpoint (the IoT device clustering engine 606 functions to receive regarding new clustering factors and subsequently cluster the devices according to new clustering factors, [0103]).


Regarding claim 119, Fainberg1 teaches the computer-readable medium as in claim 18, wherein translating the intent of the 2endpoint device into the network segmentation policy comprises:  
3generating a security group access control list, based on the one or more scalable 4group tags associated with the endpoint device (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]); and wherein configuring the network soverlay in the network comprises:  
6sending the security group access control list to networking equipment in the  network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 .  


5.	Claims 5-7, 13-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg1-Cheng in view of Fainberg et al. (US 2020/0007396, referred to herein as Fainberg2).

Regarding claim 15, Fainberg1 teaches the method as in claim 1, wherein the network overlay restricts the endpoint device to 2communicating only with a subset of senders or receivers via the network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, [0027]; Cloud infrastructure (e.g., AWS security groups) can be updated to drop packets from the IP of the entity that have a destination outside the cloud, [0039]; the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).
However, Fainberg1-Cheng do not explicitly disclose wherein 3the network overlay further restricts the endpoint device to sending or receiving only a 4specific type of application traffic via the network.  
Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.

Regarding claim 6, Fainberg1 teaches 1the method as in claim 5, wherein the one or more component tags are indicative of a 2physical location of the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]), and wherein one or more of the senders or 3receivers in the subset are also located in that physical location (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).  


	Fainberg2 teaches wherein an endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD) (For the OT environments, programmable logic controller (PLC), human interface machines (HMI), production floor centers, and other groups relevant to OT environments may be shown, [0043]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a PLC in an IoT environment such as Fainberg1-Cheng as suggested by Fainberg2 to enhance automation in production lines and machine functions in many industries and applications. One would be motivated to combine these teachings because industrial PLCs are durable and easy to program and control.

Regarding claim 113, Fainberg1 teaches the apparatus as in claim 9, wherein the network overlay restricts the endpoint 2device to communicating only with a subset of senders or receivers via the network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, [0027]; Cloud infrastructure (e.g., AWS security groups) can be updated to drop packets from the IP of the entity that have a destination outside the cloud, [0039]; the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).

Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking certain traffic while allowing other traffic between a printers group and a cameras group, [0040]; at the intersection of the groups on the matrix of whether the two groups are able to communicate and the associated communication properties (e.g., whether the groups are able to communicate on certain ports or with certain protocols). Based on the GUI presented by network monitor device 280, a user can then configure one or more rules to limit or block communication between the two groups, [0098]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.

Regarding claim 114, Fainberg1 teaches the apparatus as in claim 13, wherein the one or more component tags are indicative 2of a physical location of the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]), and wherein one or more of the senders or 3receivers in the subset are 

Regarding claim 115, Fainberg1-Cheng do not explicitly disclose the apparatus as in claim 9, wherein the endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD).  
Fainberg2 teaches wherein an endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD) (For the OT environments, programmable logic controller (PLC), human interface machines (HMI), production floor centers, and other groups relevant to OT environments may be shown, [0043]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a PLC in an IoT environment such as Fainberg1-Cheng as suggested by Fainberg2 to enhance automation in production lines and machine functions in many industries and applications. One would be motivated to combine these teachings because industrial PLCs are durable and easy to program and control.

Regarding claim 120, Fainberg1 teaches the computer-readable medium as in claim 19, wherein the network overlay restricts 2the endpoint device to communicating only with a subset of senders or receivers via the 3network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, 
	However, Fainberg1-Cheng do not explicitly disclose wherein the network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via the network.
Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking certain traffic while allowing other traffic between a printers group and a cameras group, [0040]; at the intersection of the groups on the matrix of whether the two groups are able to communicate and the associated communication properties (e.g., whether the groups are able to communicate on certain ports or with certain protocols). Based on the GUI presented by network monitor device 280, a user can then configure one or more rules to limit or block communication between the two groups, [0098]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.


6.	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg1-Cheng in view of Nellen (US 2019/0141015).

Regarding claim 18, Fainberg1-Cheng do not explicitly disclose the method as in claim 1, wherein the network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in the network.  
	Nellen teaches wherein a network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in a network (to create and simultaneously manage the plurality of private VNs on secure cloud 110, PVN managers 115A-D and 152A-B can implement Virtual Extensible LAN (VXLAN) protocols to overlay the private VN on top of the network in secure cloud 110, [0096]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement VXLAN in the system/method of Fainberg1-Cheng as suggested by Nellen to enhance scalability. One would be motivated to combine these teachings because utilizing VXLAN would allow for flexibility in managing the segmentation of a large number of endpoint devices on a network.

Regarding claim 116, Fainberg1-Cheng do not explicitly disclose the apparatus as in claim 9, wherein the network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in the network.  
Nellen teaches wherein a network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in a network (to create and simultaneously 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement VXLAN in the system/method of Fainberg1-Cheng as suggested by Nellen to enhance scalability. One would be motivated to combine these teachings because utilizing VXLAN would allow for flexibility in managing the segmentation of a large number of endpoint devices on a network.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Joffe				US 9,356,942 – packet inspection to establish expected behaviors of individual devices and identify deviations from the expected behaviors.

Bisht et al.			US 10,771,489 – model and profile a baseline behavior expected from one of the client devices.

Desai et al.			US 2003/0188189 – correlating events across a plurality of devices for identifying normal and abnormal behavior patterns.



Crowley			US 2014/0053265 – deep packet inspection for predicting behavior of a network device based on a history of profile matches.

Donnelly et al.		US 2016/0006755 – storing a history based on a device activity over time and device propensity to exhibit suspicious or normal behavior.

Srivastava			US 2016/0063387 – dashboard identifying anomalous user devices, application data associated with user devices, and information identifying predicted future behavior.

Liu et al.			US 2018/0092151 – packet inspection for traffic pattern records for IoT devices and detection of irregular IoT device behavior.

Weis et al.			US 2018/0332053 – deep packet inspection to monitor traffic and determine if a node does not behave in accordance with expected behavior.

Dezent et al.			US 2018/0375887 – deep packet inspection and determining IoT devices that exhibit malicious or defective or abnormal behavior.



Fry et al.			US 2019/0306182 – using deep packet inspection to monitor traffic and determine if monitored traffic constitutes expected behavior for each device.

Ekambaram			US 2020/0045073 – a deep packet inspection engine and analyzer to identify an abnormal behavior of a device from expected behavior.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chris Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHU WOOLCOCK
Examiner
Art Unit 2451



/MADHU WOOLCOCK/Primary Examiner, Art Unit 2451