Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to the Amendment filed on 01/24/2022. Claims 1-9 and 12-20 have been amended. Claims 1-20 are pending in the case. Claims 1 and 13 are independent claims.

Response to Arguments
Applicant's arguments filed 01/24/2022 have been fully considered but they are not persuasive. 
Applicant argues that Bansal in view of Zhao do not disclose the amended subject matter.
Examiner respectfully disagrees.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Bansal discloses a method for defining security groups in a network, (summary of Bansal, method of micro-segment security groups based on firewall rules) the method comprising:
	in a user interface, displaying (i) a set of existing security groups ([0045]-[0050] of Bansal, receiving data regarding network flows between the filtered micro-segmentation of VMs which belong to different security groups and [0105]-[0109] of Bansal, based on the existing firewall rules, a set of existing security groups with existing configuration with one or more VM objects) that are used in security rules defined and implemented in the network to enforce network policies ([0054] of Bansal, the implemented policy is related to micro-segmentation policies for network traffic flows) and (ii) a set of recommended security groups that are recommended based on monitoring of network flows in the network and are not yet eligible for use in the security rules, (The current Specification does not give “eligible” a special meaning; under BRI, the Examiner will interpret the term as the updated rules will change the formation of the security group due to the updated rules and add in more due to the updated rules. [0105]-[0109] of Bansal, firewall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change. [0188] of Bansal, “Analytics engine 2415 retrieves data from the topology discovery component 2405 and the database 2445 populated by flow collector 2410 and determines the relationships between the VMs and groups the VMs. The GUI 2420 queries inventory from the compute manager 2435 and the flow data from analytics engine 2415 to provide a visual topology to the user for making rule recommendations and creating security groups. The GUI uses the interface 2430 (e.g., a plugin or an API) to interact with firewall configuration manager 2450 to configure distributed firewall rules. In some embodiments, the interface 2430 uses a set of representational state transfer (REST or RESTful) APIs with firewall configuration manager 2450 to perform DFW rules configuration and security group management. Firewall configuration manager 2450 in some embodiments is a component of the network virtualization manager (if a network virtualization manager is deployed in the datacenter)” hence the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules) each existing security group and recommended security group comprising at least one data compute node (DCN); ([0009] of Bansal, monitoring network flow of different groups based on firewall rules, and [0045] of Bansal, the groups of the micro-segmentation are formed by virtual machines/data compute nodes)
providing a user interface tool for (i) accepting recommended security groups to be part of the set of existing security groups ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change) and therefore eligible for use in the security rules and wherein security rules are defined and implemented in the network for DCNs belonging to existing security groups and not for recommended security groups that have not been accepted as existing security groups.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change) 
Even though Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security group are not going to be used in the updated rules (as explained above), but Bansal does not specifically disclose “(ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user.”
However, Zhao discloses (ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user ([0026]-[0030] of Zhao, adding virtual machines (VMs)/DCNs from an updated firewall rule to the security group. In addition, [0188] of Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules (as explained above)).
Therefore, the cited references disclose the claimed subject matter.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being obvious over Bansal et al (US 20180176261 A1) in view of Zhao et al (US 20180332006 A1).
	Referring to claim 1, Bansal discloses a method for defining security groups in a network, (summary of Bansal, method of micro-segment security groups based on firewall rules) the method comprising:
	in a user interface, displaying (i) a set of existing security groups ([0045]-[0050] of Bansal, receiving data regarding network flows between the filtered micro-segmentation of VMs which belong to different security groups and [0105]-[0109] of Bansal, based on the existing firewall rules, a set of existing security groups with existing configuration with one or more VM objects) that are used in security rules defined and implemented in the network to enforce network policies ([0054] of Bansal, the implemented policy is related to micro-segmentation policies for network traffic flows) and (ii) a set of recommended security groups that are recommended based on monitoring of network flows in the network and are not yet eligible for use in the security rules, (The current Specification does not give “eligible” a special meaning; under BRI, the Examiner will interpret the term as the updated rules will change the formation of the security group due to the updated rules and add in more due to the updated rules. [0105]-[0109] of Bansal, firewall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change. [0188] of Bansal, “Analytics engine 2415 retrieves data from the topology discovery component 2405 and the database 2445 populated by flow collector 2410 and determines the relationships between the VMs and groups the VMs. The GUI 2420 queries inventory from the compute manager 2435 and the flow data from analytics engine 2415 to provide a visual topology to the user for making rule recommendations and creating security groups. The GUI uses the interface 2430 (e.g., a plugin or an API) to interact with firewall configuration manager 2450 to configure distributed firewall rules. In some embodiments, the interface 2430 uses a set of representational state transfer (REST or RESTful) APIs with firewall configuration manager 2450 to perform DFW rules configuration and security group management. Firewall configuration manager 2450 in some embodiments is a component of the network virtualization manager (if a network virtualization manager is deployed in the datacenter)” hence the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules) each existing security group and recommended security group comprising at least one data compute node (DCN); ([0009] of Bansal, monitoring network flow of different groups based on firewall rules, and [0045] of Bansal, the groups of the micro-segmentation are formed by virtual machines/data compute nodes)
providing a user interface tool for (i) accepting recommended security groups to be part of the set of existing security groups ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change) and therefore eligible for use in the security rules and wherein security rules are defined and implemented in the network for DCNs belonging to existing security groups and not for recommended security groups that have not been accepted as existing security groups.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change) 
Even though Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security group are not going to be used in the updated rules (as explained above), but Bansal does not specifically disclose “(ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user.”
However, Zhao discloses (ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user ([0026]-[0030] of Zhao, adding virtual machines (VMs)/DCNs from an updated firewall rule to the security group. In addition, [0188] of Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules (as explained above)).
Bansal and Zhao are analogous art because both references concern security group management system associated with computer resources.  Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bansal’s modify security groups with updated firewall policy with the ability to add more VMs/DCNs to the security group with the updated firewall policy as taught by Zhao.  The motivation for doing so would have been to enhance network traffic management associated with firewall rules with security groups and allow better DCNs/VMs communication with a destination network address (summary and [0042] of Zhao).

Referring to claim 2, Bansal in view of Zhao disclose the method of claim 1, further comprising: via the user interface tool, receiving acceptance of a particular recommended security group; and based on the acceptance, adding the particular recommended security group to the set of existing security groups such that the particular recommended security group is eligible for use in the security rules. ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete  firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

Referring to claim 3, Bansal in view of Zhao disclose the method of claim 1, further comprising receiving, via the user interface tool, addition of a particular DCN to a particular existing security group.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 4, Bansal in view of Zhao disclose the method of claim 3, wherein the particular DCN was part of a recommended security group.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 5, Bansal in view of Zhao disclose the method of claim 3, wherein the particular DCN was not previously organized into a security group.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules and there will be some changes in what VMs are included that has already existed in the existing group and some VMs will not be included in the already existed group.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 6, Bansal in view of Zhao disclose the method of claim 1, further comprising: receiving, via the user interface tool, instructions to remove a particular existing security group; and removing the particular existing security group from the set of existing security groups. ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules and there will be some changes in what VMs are included that has already existed in the existing group and some VMs will not be included in the already existed group)

 	Referring to claim 7, Bansal in view of Zhao disclose the method of claim 1, further comprising receiving, via the user interface tool, a merger of a particular recommended security group with a particular existing security group; and adding the DCNs of the particular recommended security group to the particular existing security group.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules and there will be some changes in what VMs are included that has already existed in the existing group and some VMs will not be included in the already existed group.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 8, Bansal in view of Zhao disclose the method of claim 1, wherein a subset of the security groups comprises sets of IP addresses.  ([0057] of Bansal, security group comprises of IP addresses)

 	Referring to claim 9, Bansal in view of Zhao disclose the method of claim 1, further comprising receiving, through the user interface, data designating a subset of the DCNs as seed nodes, ([0060] of Bansal, chose certain groups as seed VMs) wherein each seed node acts as a source node for micro-segmentation.  ([0045] of Bansal, the groups of the micro-segmentation is formed by virtual machines/data computer nodes and Fig. 14 and [0052] and [0088] of Bansal, providing a filtering tool for the network flows, where the user can use different filtering criteria, such as source, destination for different sets of flows through different set of VMs.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 10, Bansal in view of Zhao disclose the method of claim 1, further comprising displaying a set of recommended security rules.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules and there will be some changes in what VMs are included that has already existed in the existing group and some VMs will not be included in the already existed group)

 	Referring to claim 11, Bansal in view of Zhao disclose the method of claim 10, wherein the security rules that are defined and implemented in the network for DCNs belonging to existing security groups comprise at least one recommended security rule from the set of recommended security rules.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules and there will be some changes in what VMs are included that has already existed in the existing group and some VMs will not be included in the already existed group)

	Referring to claim 12, Bansal in view of Zhao disclose the method of claim 1, wherein a subset of DCNs comprise unresolved DCNs (i) that have not been organized into any one of the plurality of existing or recommended security groups and (ii) that have not been assigned security rules. ([0089] of Bansal, “FIG. 15 conceptually illustrates a reduced set of flows that are generated from the flows shown in FIG. 7. As shown in FIG. 15, the number of flows are reduced. For instance, in the example of FIG. 15, some flows from table 700 and 1500 that are originated from outside of the datacenter and are received at the "web server of application 1" 1505 are grouped together and the source is identified as "any" 1510. Other flows may be eliminated or hidden” hence, these VMs that do not belong to “any” of the sources, and are being hidden, are unresolved and do not belong to any group)

Referring to claim 13, Bansal discloses a non-transitory machine readable medium storing a program which when executed by at least one processing unit defines security groups in a network, the program comprising sets of instructions for: in a user interface, displaying (i) a set of existing security groups ([0045]-[0050] of Bansal, receiving data regarding network flows between the filtered micro-segmentation of VMs which belong to different security groups and [0105]-[0109] of Bansal, based on the existing firewall rules, a set of existing security groups with existing configuration with one or more VM objects) that are used in security rules defined and implemented in the network to enforce network policies ([0054] of Bansal, the implemented policy is related to micro-segmentation policies for network traffic flows) and (ii) a set of recommended security groups that are recommended based on monitoring of network flows in the network and are not yet eligible for use in the security rules; and (The current Specification does not give “eligible” a special meaning; under BRI, the Examiner will interpret the term as the updated rules will change the formation of the security group due to the updated rules and add in more due to the updated rules. [0105]-[0109] of Bansal, firewall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change. [0188] of Bansal, “Analytics engine 2415 retrieves data from the topology discovery component 2405 and the database 2445 populated by flow collector 2410 and determines the relationships between the VMs and groups the VMs. The GUI 2420 queries inventory from the compute manager 2435 and the flow data from analytics engine 2415 to provide a visual topology to the user for making rule recommendations and creating security groups. The GUI uses the interface 2430 (e.g., a plugin or an API) to interact with firewall configuration manager 2450 to configure distributed firewall rules. In some embodiments, the interface 2430 uses a set of representational state transfer (REST or RESTful) APIs with firewall configuration manager 2450 to perform DFW rules configuration and security group management. Firewall configuration manager 2450 in some embodiments is a component of the network virtualization manager (if a network virtualization manager is deployed in the datacenter)” hence the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules) each existing security group and recommended security group comprising at least one data compute node (DCN); ([0009] of Bansal, monitoring network flow of different groups based on firewall rules, and [0045] of Bansal, the groups of the micro-segmentation are formed by virtual machines/data compute nodes)
providing a user interface tool for (i) accepting recommended security groups to be part of the set of existing security groups ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change) and therefore eligible for use in the security rules and wherein security rules are defined and implemented in the network for DCNs belonging to existing  security groups and not for recommended security groups that have not been accepted as existing security groups.   ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change)
Even though Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security group are not going to be used in the updated rules (as explained above), but Bansal does not specifically disclose “(ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user.”
However, Zhao discloses (ii) adding a DCN from a recommended security group to which the DCN is assigned based on the monitoring of network flows in the network to an existing security group based on input from a user ([0026]-[0030] of Zhao, adding virtual machines (VMs)/DCNs from an updated firewall rule to the security group. In addition, [0188] of Bansal discloses the recommended security group is based on recommendation of rules and the rules can be modified by the user and updated to reflect with updated security group that fits the updated rules, and therefore some security groups are not going to be used in the updated rules (as explained above)).
Bansal and Zhao are analogous art because both references concern security group management system associated with computer resources.  Accordingly, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bansal’s modify security groups with updated firewall policy with the ability to add more VMs/DCNs to the security group with the updated firewall policy as taught by Zhao.  The motivation for doing so would have been to enhance network traffic management associated with firewall rules with security groups and allow better DCNs/VMs communication with a destination network address (summary and [0042] of Zhao).

	Referring to claim 14, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 13, wherein the program further comprises sets of instructions for: via the user interface tool, receiving acceptance of a particular recommended security group; and based on the acceptance, adding the particular recommended security group to the set of existing security groups such that the particular recommended security group is eligible for use in the security rules.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete  firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 15, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 13, wherein the program further comprises a set of instructions for receiving, via the user interface tool, addition of a particular DCN to a particular existing security group.  ([0105]-[0109] of Bansal, fire wall rules can be changed and [0138] of Bansal, user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing fire wall rules will change and therefore adding additional VMs into the new recommended group based on the new recommended fire wall rules.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 16, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 15, wherein the particular DCN was part of a recommended security group.  ([0105]-[0109] of Bansal, firewall rules can be changed, and [0138] of Bansal, the user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change, therefore adding additional VMs into the new recommended group based on the new recommended firewall rules.  [0122] of Bansal, “the traffic pattern defined by a firewall rule includes a group of possible flow records. For example, a firewall rule like "tcp from 192.168.1.1 to 10.0.0.1:80 accept" can match any TCP connections from 192.168.1.1:1 to 10.0.0.1 port 80 because the rule omits the source port attribute in the flow records”)

 	Referring to claim 17, Bansal in view of Zhao disclose the method of claim 1, wherein the program further comprises sets of instructions for: receiving, via the user interface tool, instructions to remove a particular existing security group; and removing the particular existing security group from the set of existing security groups.  ([0105]-[0109] of Bansal, firewall rules can be changed, and [0138] of Bansal, the user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change, therefore adding additional VMs into the new recommended group based on the new recommended firewall rules; there will be some changes in which VMs that already existed in the existing group are included, and some VMs will not be included in the already existing group)

 	Referring to claim 18, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 13, wherein the program further comprises a set of instructions for receiving, via the user interface tool, a merger of a recommended security group with an existing security group.  ([0105]-[0109] of Bansal, firewall rules can be changed, and [0138] of Bansal, the user can select (by using the selection buttons 2550) any of the recommended rules, and the user can also use the GUI to edit, add or delete firewall rules, and then the configuration of the existing groups associated with the existing firewall rules will change, therefore adding additional VMs into the new recommended group based on the new recommended firewall rules; there will be some changes in which VMs that already existed in the existing group are included, and some VMs will not be included in the already existing group)

 	Referring to claim 19, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 13, wherein the program further comprises a set of instructions for receiving, through the user interface, data defining designating a subset of the DCNs as seed nodes, ([0060] of Bansal, choosing certain groups as seed VMs) wherein each seed node acts as a source node for micro-segmentation.  ([0045] of Bansal, the groups of the micro-segmentation are formed by virtual machines/data compute nodes, and Fig. 14, [0052] and [0088] of Bansal, providing a filtering tool for the network flows, where the user can use different filtering criteria, such as source and destination, for different sets of flows through different sets of VMs)

 	Referring to claim 20, Bansal in view of Zhao disclose the non-transitory machine readable medium of claim 13, wherein a subset of DCNs comprise unresolved DCNs (i) that have not been organized into any one of the plurality of security groups and (ii) that have not been assigned firewall rules.  ([0089] of Bansal, “FIG. 15 conceptually illustrates a reduced set of flows that are generated from the flows shown in FIG. 7. As shown in FIG. 15, the number of flows are reduced. For instance, in the example of FIG. 15, some flows from table 700 and 1500 that are originated from outside of the datacenter and are received at the "web server of application 1" 1505 are grouped together and the source is identified as "any" 1510. Other flows may be eliminated or hidden”; hence, these VMs that do not belong to “any” of the sources and are being hidden are unresolved and do not belong to any group)

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
	Choudhury et al (US 20180329958 A1):  A query graph, which includes vertices and edges, represents a query on graph-structured data. The query graph is decomposed into query subgraphs. A network analysis tool performs continuous subgraph matching queries to facilitate analysis of computer network traffic, social media events, or other streams of data represented as a dynamic data graph (graph-structured data). This can help identify emerging trends in the data.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAIMEI JIANG whose telephone number is (571)270-1590. The examiner can normally be reached M-F 9-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Adam Queler can be reached on 571-272-4140. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/YONGJIA PAN/Primary Examiner, Art Unit 2145