DETAILED ACTION
Response to Amendment
This action is in response to amendment filed April 20, 2022 for the application # # 16/713,025 filed on December 13, 2019. Claims 1-13 are pending and are directed toward PROCESSES AND SYSTEMS THAT TRANSLATE POLICIES IN A DISTRIBUTED COMPUTING SYSTEM USING A DISTRIBUTED INDEXING ENGINE.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Objections
Claims 2, 7 and 11 are objected to because of the following informalities:  “;” is expected after “by the users”.  Appropriate correction is required.
Claims 12 and 13 are objected to because of the following informalities:  plural “means” are modified by a singular verb. Appropriate correction is required.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 6-8 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claims 6-8 are directed to a system that include one or more processors; one or more data-storage devices; and machine-readable instructions stored in the one or more data-storage devices.  Each of these elements could be implemented as software, and therefore the claims encompass embodiments that are entirely software per se.  Computer software does not fall within any of the statutory classes of invention.  See Gottschalk v. Benson, 409 U.S. 63, 72, 175 USPQ 673, 676-77 (1972).  Software does not constitute a statutory process because the software itself is not a series of steps that are performed.  Software is also not a machine, article of manufacture, or composition of matter.  When a claim encompasses statutory and non-statutory embodiments, the claim as a whole is considered to be directed to non-statutory subject matter.  See MPEP § 2106. Additionally claims 6-8 claim one or more data-storage devices. The broadest reasonable interpretation of a claim drawn to a computer-readable medium typically covers both forms of non-transitory media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media (for example, as defined by usage in issued patents and published patent applications).  See Ex parte Mewherter, 107 USPQ2d 1857, 1859 (P.T.A.B. 2013).  A signal does not constitute statutory subject matter, because it is neither a process, a machine, an article of manufacture, nor a composition of matter, and therefore does not fall within any of the statutory classes of invention.  See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007).  When a claim encompasses both statutory and non-statutory subject matter, the claim as a whole is considered to be directed to non-statutory subject matter.  See MPEP § 2106 I.  See also “Subject Matter Eligibility of Computer Readable Media”, 1351 Off. Gaz. Pat. Office.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 6 and 10 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over  Kazemian (HEADER SPACE ANALYSIS, thesis, 152 pages, June 2013 ), hereinafter referred to as Kazemian.
As per claim 1, Kazemian teaches in a process stored in one or more data-storage devices and executed using one or more processors of a computer system to translate policies (We have written a translator that converts such high-level policy specifications written in Prolog into 1) the placement of source nodes, 2) the placement of probe nodes, and 3) the  filter and test expressions for each probe node. In the example above, the translator generates two source nodes at Sam and Michael's ports and one probe node at the web server's port. The waypoint keyword is implemented by flowexp: .*(t=firewall). Kazemian, page 78) for virtual objects of a distributed computing system (Slicing a network is a way to share network resources among multiple entities. For example, two different banks may have branches in a  financial center and share the network equipments in the building. In order to make network slicing secure and practical, the slices should be isolated from one another. This is like virtualization of computer hardware, where different virtual machines are isolated from one another and are given the illusion of full control over the hardware resources. Also, network operators often limit the communication between different groups of hosts (or users) by putting them in different isolated slices. A common requirement for isolated slices is that traffic stay within its slice and not leak to another slice. Kazemian, page 40), the specific improvement comprising:
in response to a request to translate a policy to allow access to services of the virtual objects by computing devices located outside the distributed computing system (Unlike the Google WAN, there are a number of reachability restrictions enforced in the Stanford network by different ACLs. Examples of such policies include isolating machines belonging to a particular research group from the rest of the network, or limiting the type of traffic that can be sent to a server IP address. For example, all TCP traffic to the computer science department is blocked except for those destined to specific IP addresses or TCP port numbers. In addition, there is a global reachability goal that every edge router be able to communicate with the outside world via the uplink of a specified router called bbra_rtr. Finally, due to the topology of the network, the network administrators desired that all paths between any two edge ports be no longer than 3 hops long to minimize network latency. Kazemian, page 87), traversing an object graph that represents relationships between users of the computing devices and identity information of the computing devices and represents relationships between the virtual objects and identity information of the virtual objects to determine the identity information of the computing devices and the virtual objects (In this experiment, we test all of these policies. To do so, we connect 16 source nodes, one to each router in the rule dependency graph. To test the maximum-three-hop constraint, we connected 14 probe nodes, one to each operational zone (OZ) router. We also placed a probe node at a router called yoza_rtr to check reachability policies at the computer science department. NetPlumber took 0.5 second to create the initial rule dependency graph and 36 seconds to generate the initial check results. Kazemian, page 87);
presenting the identify information of the computing devices and the virtual objects in an application programming interface that enables creation of rules that control access to services provided the virtual objects by the computing devices (The NetPlumber management layer is the object that manages and controls different nodes and the rule dependency graph. It provides the following API for updating the NetPlumber state and checking policies, Kazemian, pages 81-82); and
distributing the rules to hosts of the distributed computing system that execute the rules, thereby allowing the computing devices located outside the distributed computing system to access the services and processes provided by the virtual objects (Our distributed implementation of NetPlumber is based on this observation. Each instance of NetPlumber is responsible for checking a subset of rules that belong to one cluster (i.e., a FEC). Rules that belong to more than one cluster will be replicated on all of the instances with which they interact (see Figure 5.5). Probe nodes are replicated on all instances to ensure global verification. The  final probe result is the aggregate of results generated by all the probes - that is, all probe nodes should meet their constraints in order for the constraint to be verified. The instances do not depend on each other and can run in parallel. The  final result will be ready after the last instance completes its job. Kazemian, page 80).
Claims 6 and 10 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
 Allowable Subject Matter
Claims 2-5, 7-9 and 11-13 are indicated as allowable over prior art.
The following is a statement of reasons for the indication of allowable subject matter:  
Examiner considers the cited NPL by Kazemian, as well as Bedi et al. (US 2018/0144004, Pub. Date: May 24, 2018), and Pabla et al. (US 2004/0064693, Pub. Date: Apr. 1, 2004) to be closest prior art references to the claimed invention.
None of the cited references teaches limitation “constructing the object graph that represents relationships between users of the computing devices and the identity information of the computing devices and represents relationships between the virtual objects and the identity information of the virtual objects” of Claim 2 and similar of other dependent claims. As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).
Examiner suggestion to Applicant is to include constructing step of claim 2 indicated as allowable as limitation in claim 1, and similar for other independent claims.
Response to Arguments
Applicant’s arguments with regards to claims 1-13 have been fully considered, but they are not persuasive.
“plain language” argument – Applicant argues that first the preamble of claim 6 clearly explains that claims 6-8 are directed to a computer system, which is a machine under the plain language of35 U.S.C. §101. Second. processors, data-storage devices, and machine-readable instructions stored in the data-storage devices are not software. There is no evidence anywhere in the Application itself to support such an interpretation of claims 6-8. Processors, data-storage devices, and machine-readable instructions are physical (REMARKS, page 7).
RESPONSE: Examiner points Applicant’s attention to his own disclosure. For example virtual switches, routers, load balancers and NICs are all separate from hardware layer as clearly shown at FIG. 13. Further Applicant uses plain language such as “Like a VM or a container, a virtual network is a software-defined approach that presents logical network services, such as switching, routing, firewalls, load balancing, and private networks to connected workloads. The network and security services are created in software that uses IP packet forwarding from the underlying physical network. The workloads may be connected via a logical network, implemented by an overlay network, which allows for virtual networks to be created in software. Network virtualization decouples network services from the underlying hardware by replicating network components and functions in software.” (Specification, [0060]). Thus the deficiency of claims 6-8 are because of lack of claiming the underlying hardware.
“page 87” argument – Applicant argues that the elements of the first step are "a response," "a request to translate a policy to allow access to services of the virtual objects,'' "virtual objects of computing devices," and "an object graph.'' In rejecting claim 1. the Examiner cited page 87 of Kazemian as evidence that Kazemian anticipates the firs step. First, the Examiner did not provide an analysis that maps the elements of the first step to terms in the paragraphs on page 87 of Kazemian. As a result, Applicants are left guessing as to how the Examiner reads the first step onto the description on page 87. Second, Kazemian mentions virtual machines and virtual networks on pages 40 and 62 but does not mention virtual machines or any virtual objects on page 87. In other ,vords, there is no connection in the description of page 87 to the virtual machines mentioned on pages 40 and 62. Third, there is no mention of performing an action in response to a request to translate a policy in the description on page 87. Fourth, the header on page 87 mentions ··4.5.3 checking policy in Stanford network." Kazemian mentions "we test all of these policies.'' But page 87 does no describe translating the policies in the Stanford network to allow access to services of the virtual machines mentioned on pages 40 and 62. There is also no mention of an object graph, or the equivalent of object graph, with the limitations described in the first step of claim 1. For instance, Kazemian mentions a "dependency graph.'' But Kazemian does not state that the dependency graph "represents relationships between users of the computing devices and identity information of the computing devices and represents relationships between the virtual objects and identity information of the virtual objects to determine the identity information of the computing devices and the virtual objects.'' Therefore, there is no evidence that Kazemian de.scribes the identical invention in as complete detail as is contained in the first step of claim 1 (REMARKS, page 10).
RESPONSE: 
1 Kazemian teaches a computer system to translate policies (a translator that converts such high-level policy specifications, page 78);
2 Kazemian teaches virtual machines and virtual networks (Slicing a network is a way to share network resources among multiple entities… In order to make network slicing secure and practical the slices should be isolated from one another. This is like virtualization of computer hardware, where different virtual machines are isolated from one another and are given the illusion of full control over the hardware resources. Also, network operators often limit the communication between different groups of hosts ( or users) by putting them in different isolated slices. Page 40);
3 Kazemian teaches the connection in the description of page 87 to the virtual machines mentioned on pages 40. Compare “Examples of such policies include isolating machines belonging to a particular research group from the rest of the network,”(page 87) with “In order to make network slicing secure and practical the slices should be isolated from one another. This is like virtualization of computer hardware, where different virtual machines are isolated from one another” (page 40);
4 As was cited Kazemian teaches a policy translator. Further, examples of such translations were provided on page 87, specifically  “all TCP traffic to the computer science department is blocked except for those destined to specific IP addresses or TCP port numbers.” -> “We also placed a probe node at a router called yoza rtr to check reachability policies at the computer science department.”; “that every edge router be able to communicate with the outside world via the uplink of a specified router called bbra rtr.”->” We found no violation of the computer science department's reachability policies.”; “all paths between any two edge ports be no longer than 3 hops long to minimize network latency.”->” However, NetPlumber did detect a dozen un-optimized routes, whose paths take 4 hops instead of 3. We also found 10 loops similar to those reported in Section 3.5.1.”;
5 Kazemian teaches “reachability restrictions enforced in the Stanford network by different ACLs” (page 87), and also “we connect 16 source nodes, one to each router in the rule dependency graph.” (page 87). The simplified object graph is precented at Figure 3.16: Topology of the backbone network of Stanford university (page 50). Network space was defined by Kazemian as “We model the network as a set of boxes called switches with external interfaces called ports, each of which is modeled as having a unique identifier. We use “switches" to denote routers, bridges and any other middleboxes.” (page 10). The disclosure of Kazemian “Also, network operators often limit the communication between different groups of hosts (or users) by putting them in different isolated slices. A common requirement for isolated slices is that traffic stay within its slice and not leak to another slice. Traditionally, network slicing is done by VLANs, where each slice is defined by a unique VLAN ID. However, for software defined networks (SDNs), FlowVisor [48] can create dynamic slices based on any set of header  fields” (page 40).
“are left guessing” argument – Applicant argues that Applicants are left guessing as to how the Examiner reads the first step onto the description on pages 81-82 (REMARKS, page 11).
RESPONSE: Examiner reads the second, not the first step onto the description on pages 81-82;
“no mention” argument – Applicant argues that there is no mention on pages 81-82 of the NetPlumber management layer displaying the equivalent of "identify information of the computing devices and the virtual objects.'' For instance, there is no mention of the NetPlumber management layer presenting the virtual machines mentioned on pages 40 and 62. (REMARKS, page 11).
RESPONSE: Kazemian teaches “we evaluate the performance and functionality of our C++ based implementation of NetPlumber on three real world networks: the Google inter-datacenter WAN, Stanford's backbone network, and the Internet 2 nationwide network” (page 82), and “Stanford University Backbone Network. This is the same data set used in Section 3.5.1.” (page 84);
“does not mention” argument – Applicant argues that Kazemian does not mention that the NetPlumber management layer that "enables creation of rules that control access to services provided the virtual objects by the computing devices.'' Kazemian does describe the same rule creation (REMARKS, page 11).
RESPONSE: Applicant admitted that “Kazemian does describe the same rule creation” (REMARKS, page 11);
“Fourth” argument – Applicant argues that the description on pages 81-82 does not follow the description on page 87. (REMARKS, page 11).
RESPONSE: Pages 81-82 describe implementation of NetPlumber, and page 87 describes the evaluation based on checking policy in Stanford network. Thus they are closely related.
“Finally” argument – Applicant argues that The description on page 80 says nothing about distributing rules to hosts of a distributed computing system. In fact, there is no mention of distributing anything hosts of a distributed computing system on page 80. There is no evidence that the rules on page 80 allow computing devices located outside a distributed computing system to access the services and processes provided by virtual objects. Therefore, Kazemian does not anticipate the third step of claim 1. (REMARKS, page 11).
RESPONSE: Kazemian teaches “Our distributed implementation of NetPlumber is based on this observation. Each instance of NetPlumber is responsible for checking a subset of rules that belong to one cluster (i.e., a FEC). Rules that belong to more than one cluster will be replicated on all of the instances with which they interact (see Figure 5.5). Probe nodes are replicated on all instances to ensure global verification. The final probe result is the aggregate of results generated by all the probes - that is, all probe nodes should meet their constraints in order for the constraint to be verified.” (page 80). 
Conclusion -Therefore, in view of the above reasons, Examiner maintains rejections.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/OLEG KORSAK/Primary Examiner, Art Unit 2492