DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In communications filed on 02/14/2022, claims 1-20 and 26 are cancelled. Claims 21, 32, and 43 are amended. Claims 21-25 and 27-53 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 16/542,670.

Examiner note

Applicant is encouraged to schedule an interview with the examiner prior to the next communication to compact prosecution of the case.
Response to Argument
Applicant’s arguments with respect to independent claims for newly added limitation have been considered but are moot because the arguments do not apply to any of the references being used in the current rejection.
Double Patenting
With regard to the rejection of Claims 21-25, and 27-56 on the basis of non-statutory Double Patenting over Application No. 9,560,078, and 10,397,280, the Examiner maintains the Double Patenting rejection, which is held in abeyance.

Claim Rejections - 35 USC § 103

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



Claims 21-26, 28-30, 32-37, 39-40, 42-48, and 50-52 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2015/0180730 issued to Felstaine et al (“Felstaine”) cited .
Regarding claim 21, Felstaine discloses receive a security monitoring policy [¶73, the NFV management system 411 may also include a policy management module 437 that enables a user to define and configure offline and/or real-time policy for controlling VNF and service related rules. The policy management module 437 may contain the preconfigured policies and activities as well as selection rules for the NFV-O process to determine the preferred policy or activity to be performed for a particular process event]; and

 form a part of secure channel using a configuration from a Security Controller [¶130, it is appreciated that the communication mechanisms described above are interlinked.  In that regard, the each part of the process memory carried by the communication is secured, encrypted, and authenticated];
 and provide at least a portion of the monitored telemetry data based on the security monitoring policy to a Security Monitoring Analytics System via communications in the secure channel for analysis [¶71, the NFV management system 411 may also include an assurance module 436 and a service management module 452 capable of gathering real time data on network elements' status and creating a consolidated view of services and network health], and [¶130, it is appreciated that the communication mechanisms described above are interlinked.  In that regard, the each part of the process memory carried by the communication is secured, encrypted, and authenticated]; and [¶81, the NFV management system 411 may also include a security management module 444 that provides the authentication authorization and accounting The security management module 444 may include, for example, an authentication module and function.  In one embodiment, the authentication module and function (e.g. including identity management, etc.) may authenticate the identity of each user defined in the system.  Each user may have a unique user identity and password.  The system may support password based authentication with flexible password policy. Integration with external authentication providers may be done via additional system enhancements.  The authorization module and function may support a role-based access control (RBAC) mechanism, where each user is assigned with one or more roles according to the business needs based on the least privileges concept (e.g. standard or administrator roles).  In one embodiment, the accounting and licensing module 442 may provide an audit of security events such as authentication or login events], and [¶130, it is appreciated that the communication mechanisms described above are interlinked.  In that regard, the each part of the process memory carried by the communication is secured, encrypted, and authenticated], and [¶¶72, 76].
 	
 Even though Felstaine discloses an NFV-based network in FIG. 2 with many components, it does not explicitly disclose a computer-readable medium comprising instructions stored thereon, that if executed by at least one processor, cause the at least one processor to perform a network functions virtualization (NFV) Security Services Agent (NFV SSA). However, Barak discloses [¶59, referring to FIG. 3, an exemplary system includes two virtualization environments 210A, 210B in which a plurality of virtual machines 104 are deployed.  In the example illustrated in FIG. 3, virtual machines VM1, VM2 and VM3 are deployed in a first virtualization environment 210A, while virtual machines VM4 and VM5 are deployed in a second virtualization environment 210B. Each of the virtual machines includes a security agent 170 that stores, monitors and controls a security policy of the virtual machine], and [¶90, security agent 170 in each virtual machine 104 computes a virtual machine sensitivity and security level (as a codified policy, for example), and sends this information to the monitor component 182 of a security controller 180 so that the information may be considered by the security controller 180 when it forms and/or updates security clusters.  Accordingly, the monitor component 182 monitors the virtualization environment in which the virtual machines are contained, collects security and sensitivity levels from the virtual machines, and provides this information to the controller component 184, which forms security clusters based on the information].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine with the teaching of Barak in order for operating a virtual computing system includes receiving at a security controller security data corresponding to a candidate virtual machine that is proposed to be included in a virtualization environment managed by a virtualization environment manager and maintaining the security of computing systems in virtual operating environments[ Barak, Abstract, ¶1].
	Monitor telemetry data of a platform and telemetry data of a virtualized network function (VNF) executed on the platform based on the security monitoring policy, wherein the security monitoring policy comprises monitoring rules used by the NFV SSA to monitor telemetry data of the platform and the telemetry data of the VNF 
	Even though Felstaine discloses this limitation as: [¶71, The NFV management system 411 may also include an assurance module 436 and a service management module 452 capable of gathering real time data on network elements' status and creating a consolidated view of services and network health…], and [¶72, The assurance module 436 and the service management module 452 provide the ability to monitor services' status and performance computing, storage, and networking, etc.) to receive the required information, analyze the information, and act upon each incident according to the defined policy.  The assurance module 436 and the service management module 452 are able to interact with analytics to enrich a policy assurance module. ], and [¶73, the NFV management system 411 may also include a policy management module 437 that enables a user to define and configure offline and/or real-time policy for controlling VNF and service related rules….], and [¶64, each of the NFV-O modules 412 may include orchestration and workflow management 432 that is responsible for managing (i.e. orchestrating) and executing all NFV-O processes, including inbound and/or outbound communication and interfaces] and [¶82, the security management module 444 may use rules to protect sensitive information. For example, such rules may be used to ensure the data accessed is used for the specific purposes for which it was collected, sensitive information is encrypted when in storage/transit and masked/truncated on display and logs, and that the entire security system is deployed in the customer's intranet network (i.e. behind network/infrastructure measures), in an independent domain, etc], and [¶130, it is appreciated that the communication mechanisms described above are interlinked.  In that regard, the each part of the process memory carried by the communication is secured, encrypted, and authenticated], and [¶150, According to the orchestration support information relevant to the particular VNF instance, the VNF instance may report to the respective NFV-O module information relating to load, change of load, anticipated change of load, change or anticipated change of requirements such as requirements for resources, etc. The orchestration support information may therefore include orchestration support rules and orchestration support data… Orchestration support rules may be 
	Barak in his application discloses virtualized network function (VNF)  executed on the platform as: [¶3, A single hardware and/or software platform may host a number of virtual machines, each of which may have access to some portion of the platform's resources, such as processing resources, storage resources, etc.], and [¶59, Each of the virtual machines includes a security agent 170 that stores, monitors and controls a security policy of the virtual machine], and  [¶90, Referring still to FIG. 3, the security agent 170 in each virtual machine 104 computes a virtual machine sensitivity and security level (as a codified policy, for example), and sends this information to the monitor component 182 of a security controller 180 so that the information may be considered by the security controller 180 when it forms and/or updates security clusters].
	And furthermore RAO in his application discloses monitor telemetry data of a platform and telemetry data of a virtualized network function (VNF) executed on the platform [see FIG. 5A , ¶¶64-65, Firewall X service request, configuration information associated with the VNF, VNF sizing information, the service management module may determine( by monitoring) (e.g., based on information stored by the telemetry and analytics module) that cloud resource 260 has sufficient computing resources available to host the Firewall X VNF ( equated to VNF executed on a server /platform) on a server device, associated with cloud resource 260, identified as server 2( equated to executed on the platform)… the infrastructure controller may instruct a hypervisor, associated with cloud resource 260, to create the Firewall X VNF (e.g., VNF FX) on server 2.  As shown by reference two VNFs (e.g., VNF A and VNF B) on a first server device (e.g., server 1 with a capacity of 1 gigabit per second (Gbps)), and that cloud resource 260 hosts one VNF (e.g., VNF C) on a second server device (e.g., server 2 with a capacity of 10 Gbps).  Further, assume that VNF A, VNF B, server 1, VNF C, server 2, a hypervisor associated with cloud resource 260, and a virtual network associated with cloud resource 260 are configured to provide performance information( telemetry data), associated with VNF A, VNF B, and VNF C, to a telemetry and analytics module of cloud resource 260], and [¶84, As shown in FIG. 7A, and by reference number 705, the network controller may provide, to the telemetry and analytics module and a service assurance module of cloud resource 260, an indication that that the telemetry and analytics module and the service assurance module should begin to monitor VNF C (e.g., since VNF C was recently created and inserted into service provider network 270).  As shown by reference number 710, the telemetry and analytics module may begin to determine performance information associated with VNF C, along with performance information associated with VNF A, VNF B, server 1, server 2, the hypervisor, and the virtual network (e.g., as previously configured)], and [¶17,  The process described in FIG. 1B may be repeated such that the performance of VNFs hosted by the cloud resource are continuously monitored and modified to assure that network services are adequately provided], and [¶18], and [¶35, service provider network 270 may include network devices (e.g., base stations, gateways, routers, modems, 
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine and Barak with the teaching of RAO in order to have the VNFs (e.g., VNF 1 through VNF N+1), the virtual network, the hypervisor, and the computing device provide performance information to the telemetry and analytics module, so that the telemetry and analytics module may collect the performance information and provide it (e.g., in the form of a correlated data set) to a service assurance module of the cloud resource, and the service assurance module may perform, based on the performance information, local analytics to assure that network services are being adequately provided by the cloud resource (e.g., in accordance with a service level agreement (SLA) associated with the network services) [RAO, ¶¶15, 17-17, 84].
Felstaine and Barak disclose configure the NFV SSA with set name, security policy groups, and per-tenant policies as:
	Felstaine discloses [¶66, the NFV management system 411 may also include a chain optimization module 434.  The chain optimization module 434 may be a part of deployment optimization module 433 and may enable a user to devise automatic mechanisms for optimizing the deployment of chains or groups of VNFs 450 and VNF instances.  A service provided by an NFV-based network is typically made of a particular chain or group of particular VNFs 450 and their respective VNF instances.  The chain optimization module 434 optimizes the deployment of chains or groups of services between hardware units according to the requirements and specifications associated with and/or adapted to the particular service, or chain, or a group], and [0072] The assurance module 436 and the service management module 452 provide the ability to The policy management may be multi-layered, including vendor policy, service policy, and operator policy, etc (set names policies). The policy mechanism may trigger the suitable policy layer (vendor/service/operator), and [ see FIG 5, ¶¶97-100, group or chain of the VNFs with list of requirements and specifications], and [¶181,For example, if several modules (and/or VNFs and/or VNF instances) have to use or share the same data stored within the communication 78, such as within procedure history 102, procedure memory 103, data/content 105, etc., then these modules should use the same encryption mechanism and keys.  This means that encryption keys should be generated and properly communicated between modules sharing particular data (equated to setting a security group policy)].
 And Barak discloses: [¶59, Each of the virtual machines includes a security agent 170 that stores, monitors and controls a security policy of the virtual machine], and [¶90, Referring security agent 170 in each virtual machine 104( per-tenant) computes a virtual machine sensitivity and security level (as a codified policy, for example), and sends this information to the monitor component 182 of a security controller 180 so that the information may be considered by the security controller 180 when it forms and/or updates security clusters( group policy)].
Felstaine and Barak do not explicitly disclose and SIF discloses the limitation as: [¶61, a variety of templates may be used for virtual network functions.  Policies are enforced by the tenant, and are specific to the group of users.  Some example templates include Template_MVNO(Tenant, SP), Template_EPC(Tenanat, ITDelegate, Capacity, Delay, MME, PGW, SGW), Template_Service(ServiceName, Tenanat, SP, ServiceID, EpcID, PolicyID, ApnID), Template_APN(ApnName, ApnID, Tenanat, SP), Template_Policy(PolicyName, PolicyID, Tenant, SP), Template_Subscriber(SubscriberProfileID, Tenant, SP)].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine, Barak and RAO with the teaching of SIF in order to implement Operation functions which include APN, subscriber, policy, security, reports scheduling, maintenance service level agreements (SLAs) and use variety of templates to enforce policies for virtual network functions [SIF, ¶¶58, 61].
	Felstaine, Barak, RAO, and SIF do not explicitly disclose, however, Firth discloses wherein the communications in the secure channel are protected using pairwise keys [¶64, In some embodiments, after authenticating of one or both of controller 420 and worker VM 442, a session key can be exchanged, and any data communicated between controller 420 and worker VM 442 can be encrypted based on the session key. As a result, the communication between controller 420 and worker VM 442 can be secured].

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine, Barak, RAO, and SIF with the teaching of Firth in order to establish a secured connection for each worker VM between the individual worker VM and controller [Firth ¶¶60, 64].

Regarding claim 22, Felstaine, RAO, SIF, and Firth do not explicitly disclose, however, Barak discloses wherein the NFV SSA is to execute in an independent security engine [¶59, referring to FIG. 3, an exemplary system includes two virtualization environments 210A, 210B in which a plurality of virtual machines 104 are deployed.  In the example illustrated in FIG. 3, virtual machines VM1, VM2 and VM3 are deployed in a first virtualization environment 210A, while virtual machines VM4 and VM5 are deployed in a second virtualization environment 210B. Each of the virtual machines includes a security agent 170 that stores, monitors and controls a security policy of the virtual machine], and [¶90, Referring still to FIG. 3, the security agent 170 in each virtual machine 104 computes a virtual machine sensitivity and security level (as a codified policy, for example), and sends this information to the monitor component 182 of a security controller 180 so that the information may be considered by the security controller 180 when it forms and/or updates security clusters.  Accordingly, the monitor component 182 monitors the virtualization environment in which the virtual machines are contained, collects security and sensitivity levels from the virtual machines, and provides this information to the controller component 184, which forms security clusters based on the information].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine ,RAO, SIF, and Firth with the teaching of Barak in order for operating a virtual computing system includes receiving at a 
Regarding claim 23, Felstaine discloses, wherein telemetry data of the platform comprises telemetry data of one or more: an I/O subsystem, network interface card (NIC), or switch [¶71, the NFV management system 411 may also include an assurance module 436 and a service management module 452 capable of gathering real time data on network elements' status and creating a consolidated view of services and network health], and [¶64, each of the NFV-O modules 412 may include orchestration and workflow management 432 that is responsible for managing (i.e. orchestrating) and executing all NFV-O processes, including inbound and/or outbound communication and interfaces], and [¶¶72, 232, switch].
Barak discloses this limitation as [¶37, output devices such as printers].
Rao discloses this limitation as: [¶35, network devices (e.g., base stations, gateways, routers, modems, switches, network interface cards ("NIC"), hubs, bridges, servers, etc.)].
Regarding claim 24, Felstaine discloses, wherein the telemetry data of a VNF comprises one or more of information related to a virtual router, a virtual switch, a firewall, network address translation (NAT), an evolved packet core (EPC), a mobility management entity (MME), a packet data network gateway (PGW), a serving gateway (SGW), or a billing function
Regarding claim 25, Felstaine, RAO, SIF, and Firth do not explicitly disclose, however, Barak discloses comprising instructions stored thereon, that if executed by at least one processor, cause the at least one processor to perform a VNF that is to perform one or more of firewall services, network address translation (NAT) services, load-balancing services, deep packet inspection (DPI) services, transmission control protocol (TCP) optimization services, intrusion detection services [¶46, virtual machines may be grouped into clusters in order to provide load balancing across multiple servers].
Regarding claim 26, Felstaine discloses, comprising instructions stored thereon, that if executed by at least one processor, cause the at least one processor to perform an NFV SSA that is to receive personalization data and one or more of set name, security policy groups, or per-tenant policies [¶66, the NFV management system 411 may also include a chain optimization module 434.  The chain optimization module 434 may be a part of deployment optimization module 433 and may enable a user to devise automatic mechanisms for optimizing the deployment of chains or groups of VNFs 450 and VNF instances.  A service provided by an NFV-based network is typically made of a particular chain or group of particular VNFs 450 and their respective VNF instances.  The chain optimization module 434 optimizes the deployment of chains or groups of services between hardware units according to the requirements and specifications associated with and/or adapted to the particular service, or chain, or a group].
Regarding claim 28, Felstaine discloses, wherein the VNF comprises a service function chain [¶41, the term service usually applies to a group of VNFs (or the functionality provided by the group of VNFs) but may also apply to a single VNF (or the functionality provided by the VNF).  The term "continuity" indicates that the session or the service is not interrupted], and [¶66, The chain optimization module 434 may be a part of deployment optimization module 433 
Regarding claim 29, Felstaine discloses, wherein the telemetry data of the platform and the telemetry data of VNF comprises one or more of: security statistics, configuration and health data from hardware or virtual resources, header portion, payload portion, portion of a flow associated with a virtual local area network (VLAN), layer two (L-2), or layer three (L-3) tags [¶71, the NFV management system 411 may also include an assurance module 436 and a service management module 452 capable of gathering real time data on network elements' status and creating a consolidated view of services and network health…  The assurance module 436 and the service management module 452 may monitor the health of the network and may execute fault recovery activities]; and [see FIG. 2 and 4 and corresponding text for detail], and [¶81-82, security management module].
Regarding claim 30, Felstaine, RAO, SIF, and Firth do not explicitly disclose, however, Barak discloses comprising instructions stored thereon, that if executed by at least one processor, cause the at least one processor to perform an NFV SSA that is to: update an applicable security monitoring policy [¶59, referring to FIG. 3, an exemplary system includes two virtualization environments 210A, 210B in which a plurality of virtual machines 104 are deployed.  In the example illustrated in FIG. 3, virtual machines VM1, VM2 and VM3 are deployed in a first virtualization environment 210A, while virtual machines VM4 and VM5 are deployed in a second virtualization environment 210B. Each of the virtual machines includes a security agent 170 that stores, monitors and controls a security policy of the virtual machine], and [¶90, Referring still to FIG. 3, the security agent 170 in each virtual machine 104 computes a virtual machine sensitivity and security level (as a codified policy, for example), and sends this monitor component 182 of a security controller 180 so that the information may be considered by the security controller 180 when it forms and/or updates security clusters.  Accordingly, the monitor component 182 monitors the virtualization environment in which the virtual machines are contained, collects security and sensitivity levels from the virtual machines, and provides this information to the controller component 184, which forms security clusters based on the information].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine, RAO, SIF, and Firth with the teaching of Barak in order for operating a virtual computing system includes receiving at a security controller security data corresponding to a candidate virtual machine that is proposed to be included in a virtualization environment managed by a virtualization environment manager and maintaining the security of computing systems in virtual operating environments[ Barak, Abstract, ¶1].
Regarding claims 32 and 43, these claims are interpreted and rejected for the same rationale set forth in claim 21.
Regarding claims 34 and 44, these claims are interpreted and rejected for the same rationale set forth in claim 22.
Regarding claims 35 and 45, these claims are interpreted and rejected for the same rationale set forth in claim 23.
Regarding claims 36 and 46, these claims are interpreted and rejected for the same rationale set forth in claim 24.
Regarding claims 33 and 47, these claims are interpreted and rejected for the same rationale set forth in claim 25.
Regarding claims 37 and 48, these claims are interpreted and rejected for the same rationale set forth in claim 26.
Regarding claims 39 and 50, these claims are interpreted and rejected for the same rationale set forth in claim 28.
Regarding claims 40 and 51, these claims are interpreted and rejected for the same rationale set forth in claim 29.
Regarding claim 41, this claim is interpreted and rejected for the same rationale set forth in claim 31.
Regarding claim 42, Felstaine discloses further comprising: the Security Controller in communication with the network interface controller; and the Security Monitoring Analytics System in communication with the network interface controller [see FIG.2 and corresponding text for more detail].
Regarding claim 52, Felstaine discloses wherein the security monitoring policy is received from the Security Controller via a network [see FIG 4, security management (444), ¶81, the system may support password-based authentication with flexible password policy.  Integration with external authentication providers may be done via additional system enhancements].
Claims 27, 38, 49, and 53 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2015/0180730 issued to Felstaine et al (“Felstaine”) cited in IDS filed on 10/09/2019 in view of US Patent No. US2014/0026231 to Barak et al. (“Barak”) cited in IDS filed on 10/09/2019 and further in view of US Patent No. US2015/0326535 to RAO et al. (“RAO”) and  further in view of US Patent No. US2015/0063166 to SIF et al. (“SIF”) and .
Regarding claim 27, Felstaine, Barak, RAO, SIF, and Firth do not explicitly disclose, however, Prasad discloses comprising instructions stored thereon, that if executed by at least one processor, cause the at least one processor to run a bootstrap to deploy the NFV SSA [¶42, Bootstrapping--for virtualization, the NF Group has its own boot loader that understands the needs of the VNF VMs to automatically come up and be attached to networks]; and [¶86, at 1202, orchestration manager 1200 sends the appropriate OVA image and bootloader parameters to the targeted VIM 1210 requesting the VM be started correctly].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine, Barak, RAO, SIF, and Firth with the teaching of Prasad in order to provide the required management and deployment support to allow arrangements of different types of related network functions/elements [Prasad, ¶6].
Regarding claim 38, this claim is interpreted and rejected for the same rationale set forth in claim 27.
Regarding claim 49, this claim is interpreted and rejected for the same rationale set forth in claim 27.
Regarding claim 53, this claim is interpreted and rejected for the same rationale set forth in claim 27.

Claims 31 and 41 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2015/0180730 issued to Felstaine et al (“Felstaine”) cited in IDS filed on 10/09/2019 in view of US Patent No. US2014/0026231 to Barak et al. (“Barak”) cited in IDS filed on 10/09/2019 .
Regarding claims 31 and 41, Felstaine, Barak, RAO, SIF, and Firth do not explicitly disclose, however, Wood discloses, wherein the at least one processor is provided in the platform and the platform comprise comprising a network interface controller with a PCI Express compatible interface [Abstract, An apparatus and method for supporting PCI Express is disclosed.  A physical layer has a PCI Express interface for receiving data from a PCI Express compatible communication medium], and [¶¶2-3].
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Felstaine, Barak, RAO, SIF, and Firth with the teaching of Wood in order to provide and keep up with the increased I/O bandwidth required by current processors.  PCI Express addresses the high demands placed by current software applications such as video-on-demand and audio re-distribution on the platform hardware and the I/O subsystems [Wood, ¶2].

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

WO2014092534A1 [Abstract, session key virtual machine, secure communication].
Huyuh (US9780965) [see claim 1, network virtualization layer, session keys, encrypted traffic].
Farina (US20140123221) [¶32, virtual machine, session key, communications between the first and the second virtual machine may be cryptographically isolated from other virtual machines, particularly virtual machines owned by other tenants in the network].
Shatzkamer (US2014/0317293) [¶¶ 31, 81, 79]
Young( US2016/0212012) [¶¶ 121, 123, and  [¶133, In some embodiments, embodiment a cloud controller is integrated with a 3.sup.rd party controller via an API such that the cloud controller can provision a virtual service container into a tenant network and that virtual service container instance can then be personalized with service modules during initial configuration and throughout the service lifecycle as a result of a secure 
Kraemer (US7, 516, 476) [Methods and apparatus for automated creation of security                       policy, read whole document].
Kraemer (US2013/0111547) [Security Policy Deployment and Enforcement System for the Detection and Control of Polymorphic and Targeted Malware].

Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0), which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response. If, in the limited amount of non-production time, the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SHAHRIAR ZARRINEH/Examiner, Art Unit 2496