DETAILED ACTION
This non-final action is in response to application filed on August 26, 2020. Claims 1-20 are pending, with claims 1, 8 and 15 being independent. 

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 08/26/2020 and 12/08/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 4, 6-8, 11, 13-15 and 18-20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Kumar et al. (US 10,771,506, filed Jul. 31, 2017).
As per claim 1, Kumar discloses a method comprising: 

detecting a compromised element in communication with one or more of the network elements (Kumar, 13:59-62, security platform 230 may analyze the threat information to identify which device 215, 217 in monitored network 210 may be affected by the threat (e.g., devices 215, 217 that are infected with malware)), the compromised element being associated with at least one network threat (Kumar, 13:59-62, security platform 230 may analyze the threat information to identify which device 215, 217 in monitored network 210 may be affected by the threat (e.g., devices 215, 217 that are infected with malware)); and 
based on a defined network policy, applying one of a number of different access prevention schemes to the compromised element to prevent access to the network by the compromised element (Kumar, 11:45-51, enforcement device may be one or more devices (e.g., devices 215, 217) of a network (e.g., monitored network 210) capable of enforcing or implementing a security policy. For example, the enforcement device may be network device 217, such as a switch to quarantine an affected device and/or a firewall to prevent traffic to/from an affected client device 215).  

blocking the compromised element from accessing at least one network element of the network elements (Kumar, 11:45-51, enforcement device may be one or more devices (e.g., devices 215, 217) of a network (e.g., monitored network 210) capable of enforcing or implementing a security policy. For example, the enforcement device may be network device 217, such as a switch to quarantine an affected device and/or a firewall to prevent traffic to/from an affected client device 215); or 
quarantining the compromised element for a period of time, wherein the quarantining prevents any communication to and from the compromised element (Kumar, 11:45-51, enforcement device may be one or more devices (e.g., devices 215, 217) of a network (e.g., monitored network 210) capable of enforcing or implementing a security policy. For example, the enforcement device may be network device 217, such as a switch to quarantine an affected device and/or a firewall to prevent traffic to/from an affected client device 215).  

As per claim 6, Kumar discloses the method of claim 1. Kumar also discloses wherein the network threat is one of a known network IP address (Kumar, 10:4-11, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses) or a malware category.  

Claims 8, 11 and 13-14 are network element claims reciting similar subject matters to those recited in the method claims 1, 4 and 6-7 respectively, and are similarly rejected. Kumar also discloses a network element comprising: one or more memories having computer-readable instructions stored therein; and one or more processors configured to execute the computer-readable instructions to (Kumar Fig. 3, device 300 with memory 330 and processor 320).

Claims 15 and 18-20 are computer-readable media claims reciting similar subject matters to those recited in the method claims 1, 4 and 6-7 respectively, and are similarly rejected. Kumar also discloses one or more non-transitory computer-readable media comprising computer-readable instructions, which when executed by one or more processors, cause the one or more processors to (Kumar 1:29-33, a non-transitory computer-readable medium storing instructions, the instructions comprising one or more .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 9 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US 10,771,506, filed Jul. 31, 2017) and Ganame et al. (US 2017/0099312, published Apr. 6, 2017).
As per claim 2, Kumar discloses the method of claim 1. Kumar does not explicitly disclose wherein detecting the compromised element comprises: 
identifying the at least one network threat in corresponding network traffic monitored with respect to at least one network element of the network elements; and 
marking the at least one network element as the compromised element.  
Ganame teaches:
identifying the at least one network threat in corresponding network traffic monitored with respect to at least one network element of the network elements (Ganame par. 97, The IP Matcher: Using the rules of the KBox, the IP Matcher of the ABox is able to do pattern matching only in IPs to detect in-out communication related 
marking the at least one network element as the compromised element (Ganame par. 108, IPMatcherAlert: It generates an alert when the ABox detects that an IP on the network traffic that matches an IP included on the Rules part of the KBox).  
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Kumar with the teaching of Ganame so that detecting the compromised element comprises: identifying the at least one network threat in corresponding network traffic monitored with respect to at least one network element of the network elements; and marking the at least one network element as the compromised element. One of ordinary skill in the art would have been motivated because it offers the advantage of detecting cyber threats, data breaches, and infected or compromised devices on a computer network.

Claim 9 is a network element claim reciting similar subject matter to that recited in method claim 2, and is similarly rejected. 

Claim 16 is a computer-readable media claim reciting similar subject matter to that recited in method claim 2, and is similarly rejected.

Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US 10,771,506, filed Jul. 31, 2017), Ganame et al. (US 2017/0099312, published Apr. 6, 2017) and Rostami-Hesarsorkh et al. (US 2017/0251003, published Aug. 31, 2017, hereinafter “Rostami”).
As per claim 3, Kumar-Ganame discloses the method of claim 2. Kumar also discloses wherein identifying the at least one network threat comprises: 
receiving a list of known network threats (Kumar 10:4-19, security platform 230 may receive threat notifications from a Command and Control (CnC) feed indicating a list of identified malicious entities, a Geographical Internet Protocol (Geo IP) feed indicating a list of locations and/or internet protocol (IP) addresses associated with locations (e.g., countries, regions, etc.) that may include malicious entities, a Malware feed indicating a list of identified malicious files (or hashes of files), an Infected Host feed indicating a list of entities (e.g., internal entities, such as client devices 215 of monitored network 210) that have been identified as infected with malware, a Distributed Denial of Service (DDoS) feed indicating a list of malicious entities (e.g., external entities) that may be attacking or attempting to attack a device 215, 217 of monitored network 210, or the like). 
Kumar-Ganame does not explicitly disclose: 
generating tags for identifying the known network threats; and 
identifying the at least one network threat using the tags.  
Rostami teaches:
generating tags for identifying the known network threats (Rostami par. 169, a tag can be defined based on a collection of search criteria that together indicate a known or possible threat; Rostami par. 364, a new tag can be generated based on the features determined to be associated with the new malware family); and 

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to further modify the method of Kumar with the teaching of Rostami for generating tags for identifying the known network threats; and identifying the at least one network threat using the tags. One of ordinary skill in the art would have been motivated because it offers the advantage of allowing a user to search and create alerts based on tags.

Claim 10 is a network element claim reciting similar subject matter to that recited in method claim 3, and is similarly rejected. 

Claim 17 is a computer-readable media claim reciting similar subject matter to that recited in method claim 3, and is similarly rejected.

Claims 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kumar et al. (US 10,771,506, filed Jul. 31, 2017) and Tobin (US 2019/0166095, published May 30, 2019).
As per claim 5, Kumar discloses the method of claim 1. Kumar also discloses accessing workloads on one or more of the network elements (Kumar 4:39-42, Network device 217 includes one or more devices (e.g., one or more traffic transfer devices) capable of processing and/or transferring traffic between client devices 215 and/or cloud computing environment 220).
Kumar does not explicitly disclose:
wherein the one of the number of different access prevention schemes includes blocking the compromised element from accessing a first workload on one or more of the network elements while allowing the compromised element to access a second workload on the one or more of the network elements.  
Tobin teaches:
the one of the number of different access prevention schemes includes blocking the compromised element from accessing a first workload on one or more of network elements while allowing the compromised element to access a second workload on the one or more of the network elements (Tobin par. 25, These security measures include, but are not limited to, quarantining the compromised node, restricting the compromised node's access to certain or all resources in the system).  
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to modify the method of Kumar with the teaching of Tobin for the one of the number of different access prevention schemes includes blocking the 

Claim 12 is a network element claim reciting similar subject matter to that recited in method claim 5, and is similarly rejected. 
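The following is an added illustration, not text or code from this office action, from the applicant's specification, or from Kumar, Ganame, Rostami or Tobin. It models, in Python, the elements the rejections above map for claims 1, 3 and 5: a tagged list of known threats, identification of a threat in monitored traffic by tag, marking the internal endpoint as the compromised element, and a defined policy that selects one of three access prevention schemes (block access to named elements, time-bounded quarantine of all traffic, or restriction to some workloads while others remain reachable). All names (THREAT_FEED, POLICY, Enforcer, Flow), the addresses, tags and flows are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import ipaddress


class Scheme(Enum):
    """Access prevention schemes a policy may select (constructed for this example)."""
    BLOCK = "block"            # deny access to specific network elements
    QUARANTINE = "quarantine"  # deny all traffic to/from the element for a period
    RESTRICT = "restrict"      # deny some workloads, allow others


@dataclass
class Flow:
    """One observed connection; sample data only, not a real capture."""
    src: str
    dst: str
    ts: int = 0                          # seconds on the demo clock
    dst_workload: Optional[str] = None   # workload on dst that src is reaching for


# Constructed threat list: indicator -> tags (the "tags" generated for known threats).
THREAT_FEED = {
    "198.51.100.7": {"cnc"},
    "203.0.113.9": {"malware", "geoip"},
    "192.0.2.3": {"geoip"},
}

# Defined network policy: the first rule whose tag matches wins, so order sets precedence.
POLICY = [
    ("cnc", Scheme.QUARANTINE, {"seconds": 3600}),
    ("malware", Scheme.RESTRICT, {"denied_workloads": {"payroll-db"}}),
    ("geoip", Scheme.BLOCK, {"blocked_elements": {"10.0.0.5"}}),
]


def tag_flow(flow: Flow, feed: dict) -> set:
    """Identify a threat in traffic by matching either endpoint against the tagged list."""
    return feed.get(flow.src, set()) | feed.get(flow.dst, set())


@dataclass
class Enforcer:
    policy: list
    feed: dict
    internal: ipaddress.IPv4Network
    state: dict = field(default_factory=dict)  # host -> (scheme, params, applied_at)

    def observe(self, flow: Flow):
        """Mark the internal endpoint of a threat-tagged flow as compromised; pick a scheme."""
        tags = tag_flow(flow, self.feed)
        if not tags:
            return None
        host = flow.src if ipaddress.ip_address(flow.src) in self.internal else flow.dst
        for tag, scheme, params in self.policy:
            if tag in tags:
                self.state[host] = (scheme, params, flow.ts)
                return host, scheme
        return None

    def permit(self, flow: Flow) -> bool:
        """Decide whether a later flow is allowed under the scheme applied to either endpoint."""
        for host in (flow.src, flow.dst):
            entry = self.state.get(host)
            if entry is None:
                continue
            scheme, params, applied_at = entry
            other = flow.dst if host == flow.src else flow.src
            if scheme is Scheme.QUARANTINE:
                if flow.ts - applied_at < params["seconds"]:
                    return False          # nothing to or from the element during the period
                del self.state[host]      # period elapsed: quarantine lifts lazily
            elif scheme is Scheme.BLOCK and other in params["blocked_elements"]:
                return False
            elif scheme is Scheme.RESTRICT and host == flow.src \
                    and flow.dst_workload in params["denied_workloads"]:
                return False
        return True


def run_demo() -> dict:
    """Run constructed traffic through detection and enforcement; return the decisions."""
    enf = Enforcer(POLICY, THREAT_FEED, ipaddress.ip_network("10.0.0.0/8"))
    out = {}
    for f in (Flow("10.0.0.20", "198.51.100.7", ts=100),  # contact with a CnC indicator
              Flow("10.0.0.30", "203.0.113.9", ts=100),   # contact with a malware-tagged IP
              Flow("10.0.0.50", "192.0.2.3", ts=100)):    # contact with a geo-tagged IP
        host, scheme = enf.observe(f)
        out["detect " + host] = scheme.value
    checks = {
        "quarantined -> server, in period": Flow("10.0.0.20", "10.0.0.5", ts=200),
        "server -> quarantined, in period": Flow("10.0.0.5", "10.0.0.20", ts=200),
        "quarantined -> server, after period": Flow("10.0.0.20", "10.0.0.5", ts=4000),
        "restricted -> denied workload": Flow("10.0.0.30", "10.0.0.5", ts=200, dst_workload="payroll-db"),
        "restricted -> allowed workload": Flow("10.0.0.30", "10.0.0.5", ts=200, dst_workload="web"),
        "blocked -> blocked element": Flow("10.0.0.50", "10.0.0.5", ts=200),
        "blocked -> other element": Flow("10.0.0.50", "10.0.0.6", ts=200),
        "clean -> server": Flow("10.0.0.40", "10.0.0.5", ts=200),
    }
    for name, f in checks.items():
        out[name] = enf.permit(f)
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The policy list, not the detector, decides which scheme applies, which is the "based on a defined network policy" element; quarantine is checked against the flow timestamp so it expires after the configured period rather than staying in force indefinitely, and the restrict scheme denies only the named workload while other workloads on the same element stay reachable.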

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20190312887 A1; Secure Endpoint In A Heterogenous Enterprise Network
An endpoint in an enterprise network is configured to respond to internal and external detections of compromise in a manner that permits the endpoint to cooperate with other endpoints to secure the enterprise network.
US 20210344690 A1; Distributed Threat Sensor Analysis And Correlation
A distributed threat sensor analysis and correlation service obtains significance scores for different sources of the interactions with the plurality of threat sensors. The service determines which of the sources are malicious actors based on the significance scores.
US 20210051162 A1; Network Threat Detection And Information Security Using Machine Learning

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KHANG DO whose telephone number is (571)270-7837. The examiner can normally be reached Monday-Friday 8:00 - 5:00 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571)272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/KHANG DO/Primary Examiner, Art Unit 2492