DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/22/2021 has been entered.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

The application has been amended as follows: 

 1. (Currently Amended) A non-transitory computer readable medium comprising instructions that when executed cause at least one processor to:

analyze the traffic flow for at least including at least a security assessment of the device
determine whether to classify the traffic flow, based on the analysis of the traffic flow, as anomalous; and 
in response to the traffic flow being classified as anomalous, restricting the traffic flow to the destination according to the classification of the traffic flow and an application access policy by a change of authorization on the network device, wherein the application access policy includes at least one restriction for the traffic flow.  

2. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein 

3. (Cancelled)  

4. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the traffic flow is analyzed according to an application context, wherein the application context pertains to where the application is located in the network, and the access profile for the application.  

5. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the access policy takes into account whether a user account has access privileges to access [[the application that is a destination of the access flow, and whether the device context are sufficient to access the application. 

6. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the instructions to restrict the traffic flow according to the classification of the traffic flow and [[an]] the application access policy include instructions to provide the [[a]] change of authorization to discontinue authorization to access the application after a session with the application has already been initiated. 

7. (Previously Amended) The non-transitory computer readable medium of claim 1, wherein the instructions to classify the traffic flow include instructions to use a machine learning classifier to classify the traffic flow. 

8. (Currently Amended) The non-transitory computer readable medium of claim [[1]]7, wherein the machine learning classifier is at least one of a random forest classifier or an isolation forest classifier. 

s an untrusted device on an untrusted network, and the classification of the traffic flow is a trusted traffic flow.  

10. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the s an untrusted device on a trusted network.  

11. (Currently Amended) The non-transitory computer readable medium of claim 1, wherein the s a trusted device on an untrusted network.  

12. (Currently Amended) The non-transitory computer readable medium of claim 10, wherein the s an untrusted user.

13.  (Currently Amended) A system comprising: 
an identity service configured to analyze a traffic flow of an application through a network for including at least a security assessment of the device
a threat detection agent configured to receive the traffic flow, and to classify the traffic flow based on the analysis of the traffic flow by the identity service, and in response to the traffic flow being classified as anomalous, the identity service is configured to restrict the traffic flow to a destination in the network according to the classification of by a change of authorization on the network device, wherein the application access policy includes at least one restriction for the traffic flow, and wherein the active threat detection agent is executing on a network device on a route of the traffic flow from the device to the destination.  

14. (Cancelled) 


15. (Cancelled).

16. (Currently Amended) The system of claim 13, wherein the identity service is configured to provide the [[a]] change of authorization to discontinue authorization to access the application after a session with the application has already been initiated.

17.  (Currently Amended) A method comprising:
receiving a traffic flow of an application through a network from a device by an active threat detection agent, wherein the active threat detection agent is executing on a network device on a route of the traffic flow from the device to a destination in the network;
analyzing the traffic flow for including at least a security assessment of the device
determining whether to classifying the traffic flow based on the analysis of the traffic flow, as anomalous; and 
by a change of authorization on the network device, wherein the application access policy includes at least one restriction for the traffic flow.  

18. (Currently Amended) The method of claim 17, wherein is based in part on whether the device is an enterprise issued device, what type of network the device is connected to, where the device is located, and a user account associated with the device.  

19. (Cancelled) 

20. (Currently Amended) The method of claim 17, wherein the instructions to restrict the traffic flow according to the classification of the traffic flow and [[an]] the application access policy include instructions to provide the [[a]] change of authorization to discontinue authorization to access the application after a session with the application has already been initiated.

21. (Cancelled) 

22. (New) The non-transitory computer readable medium of claim 1, wherein the traffic flow is analyzed for at least a user context or application context.   



24. (New) The method of claim 17, wherein the traffic flow is analyzed for at least a user context or application context.

Reasons for Allowance
This communication warrants no examiner's reason for allowance, as applicant's reply makes evident the reason for allowance, satisfying the record as a whole as required by 37 CFR 1.104(e). In this case, the substance of applicant's remarks in the Amendment filed on 12/22/2021 with respect to the amended claim limitations, and the attached interview summary, point out the reason the claims are patentable over the prior art of record. Thus, the reason for allowance is in all probability evident from the record and no statement of examiner's reason for allowance is necessary (see MPEP 1302.14).

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Beam et al., US 2017/0126727 A1, is another of the most pertinent references in the field of the invention and discloses techniques for taking direct actions, such as selectively blocking or allowing traffic and applications, while monitoring events from a graphical representation of threats.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TAUQIR HUSSAIN whose telephone number is (571)270-1247. The examiner can normally be reached M-F 7:00 - 8:00 with IFP.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Brian J Gillis, can be reached at 571-272-7952. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Tauqir Hussain/Primary Examiner, Art Unit 2446