Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The present Office Action is responsive to communication received 2/22/2022. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 1/3/2022 and 3/11/2022 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Response to Arguments
Applicant’s arguments received 2/22/2022 are respectfully considered and are addressed as follows:
Applicant argues the limitation "wherein the notification received at the network device from the threat management facility outside the subnet includes an identifier for the compromised one of the plurality of endpoints using a subnet address for the compromised one of the plurality of endpoints within the subnet, the subnet address provided to the threat management facility by one of the plurality of endpoints on the subnet" as recited in the amended claims.
The new limitations change the scope of the claims; a new ground of rejection necessitated by the amendments is presented below.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-9 and 14-20 are rejected under 35 USC 103 as being unpatentable over US 20150312266 to Thomas, hereinafter Thomas, in view of US 20080320116 to Briggs, hereinafter Briggs, and further in view of US 20090031423 to Liu et al., hereinafter Liu.

Regarding claim 1, Thomas discloses:
A computer program product comprising computer executable code embodied on a non-transitory computer readable medium that, when executing on one or more processors of a network device that couples a subnet including a plurality of endpoints to an enterprise network, causes the network translation device to perform the steps of (Fig. 2: gateway couples endpoints in enterprise networks (see Fig. 1)): receiving a notification of a detection of a compromised one of the plurality of endpoints on the subnet from a threat management facility separated from the compromised one of the plurality of endpoints by the network translation device ([0036][0068]: threat facility external to the enterprise network (Fig. 1), separated from the enterprise endpoints by a network device (Fig. 2), sends notification of a violation to the administration facility of the enterprise network (via the gateway or firewall which is the point of entry to the enterprise network ([0046])); the violation can be a determination of malicious code within a file or application in an endpoint ([0030])); in response to the notification, blocking traffic between the compromised one of the plurality of endpoints and the enterprise network outside the subnet ([0036]: terminate the application, place the endpoint in isolation ... [0036]); one or more of the plurality of endpoints on the subnet that are managed by the threat management facility ([0067],[0073]).
Thomas does not teach a network translation device and translating address information between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet ...
Thomas however discloses providing protection to the enterprise against a plurality of threats ([0013]), and “the threat ... may need to be stopped at various points of a networked computing environment” ([0015]).  One way of providing protection to an enterprise network is to hide the private IP addresses within the private network by implementing a border device such as a network translation device, as taught by Briggs.
Briggs teaches a network translation device that couples a subnet including a plurality of endpoints to an enterprise network (Fig. 1, [0005][0014]: NAT router couples endpoints 101, 103, 105 ... in an internal network to an external network 104, the endpoints having internal IP addresses selected from private IP address subnets as known in the art ([0003])), and causes the network translation device to perform the steps of: translating address information between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet (translating each of the endpoint internal IP addresses into a corresponding external IP address from a public address space ([0005]); see Fig. 4: mapping including routing prefixes); Briggs also teaches the threat management facility using a different address space than the plurality of endpoints (Fig. 1, [0003]: DPI device in the external network coupled by the NAT router to endpoints, the endpoints having internal IP address subnets and the external network, including the DPI device, using public address spaces); wherein the notification received at the network translation device from the threat management facility outside the subnet includes an identifier for the compromised one of the plurality of endpoints using a subnet address for the compromised one of the plurality of endpoints within the subnet (Fig. 3: DPI device combined with policy server ([0024]) in the external network detects a malicious endpoint in the internal network ([0028]) and notifies the NAT router to redirect traffic from the identified endpoint ([0029]); the IP address of the malicious endpoint is an external address ([0028]) mapped to an internal address on the NAT and recorded in a flat file (Fig. 2, 205-209) shared with the policy server/DPI device (Fig. 3, 301)), the subnet address provided to the threat management facility by one of the plurality of endpoints on the subnet ([0030][0031]: traffic received from an endpoint is translated into an external address, see Fig. 4, recorded in a file shared with the policy server/DPI (Fig. 3, 301)). It would have been obvious to a skilled artisan before the filing of the present invention to use a NAT device receiving a notification of compromise of an endpoint from an entity outside the internal network as taught by Briggs because it would allow pinpointing the compromised endpoints from the external network and taking action for the particular endpoint, instead of blocking all endpoint devices in the internal network, as performed in current state-of-the-art approaches (Briggs, [0004]).
Thomas in view of Briggs does not teach: directing one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints to stop network communications on the subnet with the compromised one of the plurality of endpoints while maintaining network communications on the subnet with other endpoints. 
In an analogous art, Liu discloses a worm containment method for an enterprise network that can be seamlessly integrated with existing worm scan filtering (Abstract). A PWC manager receives notification of an infected host from an agent running on the infected host and propagates the notification to all other agents running on other hosts except the infected host ([0037][0038]), for the other hosts to possibly implement containment ([0039]), i.e., hold outbound SYN packets and drop incoming SYN/ACK packets ([0073]), i.e., stop all new connection establishment while preserving already established sessions. Liu also teaches that the smoking sign or notification includes the IP address of the compromised node ([0047]); therefore Liu suggests the limitation: directing one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints to stop network communications on the subnet with the compromised one of the plurality of endpoints while maintaining network communications on the subnet with other endpoints. It would have been obvious to a skilled artisan before the filing of the present invention to implement the functionalities of the PWC manager into the threat management facility in Thomas/Briggs and teach the claim because it would allow all nodes in the subnet to be alerted about an infection in the network, and take containment measures to prevent the spread of malware inside the enterprise network and outside the enterprise network, increasing security.
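The flow the examiner reconstructs from Briggs and Liu for claim 1, as an added simulation that is not code from the application or from any of the cited references: a NAT device holds the internal/external address table, receives a compromise notification from a facility outside the subnet, resolves the identifier to the endpoint's subnet address (accepting either the subnet address or the external address the facility observed), cuts that endpoint off from the enterprise network, and directs every other managed endpoint to stop communicating with it while their remaining traffic is still forwarded. The prefixes 10.0.0.0/24 and 203.0.113.0/24, the notification format, and all class and method names are assumptions.

```python
"""Containment at a NAT boundary, as a constructed simulation.

Assumed (not from the cited references): a static one-to-one table between the
subnet prefix 10.0.0.0/24 and the external prefix 203.0.113.0/24, and a dict-shaped
notification sent by the threat management facility.
"""
import ipaddress

INTERNAL_PREFIX = ipaddress.ip_network("10.0.0.0/24")     # constructed subnet routing prefix
EXTERNAL_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # constructed external routing prefix


class NatDevice:
    def __init__(self, internal_prefix, external_prefix):
        self.internal_prefix = internal_prefix
        self.external_prefix = external_prefix
        self.table = {}        # internal address -> external address (the shared "flat file")
        self.isolated = set()  # subnet hosts cut off from the enterprise network outside the subnet
        self.peer_blocks = {}  # host -> set of subnet peers it has been directed to stop talking to

    def register(self, internal, external):
        internal, external = ipaddress.ip_address(internal), ipaddress.ip_address(external)
        if internal not in self.internal_prefix or external not in self.external_prefix:
            raise ValueError("address outside the configured routing prefixes")
        self.table[internal] = external

    def to_external(self, internal):
        return self.table[ipaddress.ip_address(internal)]

    def to_internal(self, external):
        external = ipaddress.ip_address(external)
        for inside, outside in self.table.items():
            if outside == external:
                return inside
        raise KeyError(f"no mapping for {external}")

    def resolve_identifier(self, identifier):
        """Map the identifier carried by a notification to the endpoint's subnet address."""
        addr = ipaddress.ip_address(identifier)
        if addr in self.internal_prefix:
            if addr not in self.table:
                raise KeyError(f"unknown subnet host {addr}")
            return addr
        if addr in self.external_prefix:
            return self.to_internal(addr)   # facility saw the translated address; walk the table back
        raise ValueError(f"{addr} belongs to neither address space")

    def handle_notification(self, notification):
        """Act on a compromise notification received from outside the subnet."""
        if notification.get("type") != "endpoint_compromised":
            raise ValueError("unexpected notification type")
        victim = self.resolve_identifier(notification["endpoint"])
        self.isolated.add(victim)                 # block traffic between victim and enterprise network
        directives = []
        for peer in self.table:                   # tell every other managed endpoint to shun the victim
            if peer != victim:
                self.peer_blocks.setdefault(peer, set()).add(victim)
                directives.append({"to": str(peer), "stop_communicating_with": str(victim)})
        return {"isolated": str(victim), "directives": directives}

    def permit(self, src, dst):
        """Intra-subnet traffic honours peer blocks; boundary-crossing traffic honours isolation."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_in, dst_in = src in self.internal_prefix, dst in self.internal_prefix
        if src_in and dst_in:
            return dst not in self.peer_blocks.get(src, set()) and src not in self.peer_blocks.get(dst, set())
        if not src_in and not dst_in:
            return True   # traffic that never enters the subnet is not this device's concern
        inside = src if src_in else dst
        return inside not in self.isolated

    def translate_packet(self, packet):
        """Forward a packet across the boundary with its subnet-side address rewritten; None if dropped."""
        src, dst = ipaddress.ip_address(packet["src"]), ipaddress.ip_address(packet["dst"])
        if dst in self.external_prefix and src not in self.internal_prefix:
            dst = self.to_internal(dst)   # inbound: restore the subnet address before the policy check
        if not self.permit(src, dst):
            return None
        if src in self.internal_prefix and dst not in self.internal_prefix:
            src = self.to_external(src)   # outbound: hide the subnet address
        return {"src": str(src), "dst": str(dst)}


def build_demo_device():
    """Three managed endpoints with constructed addresses."""
    nat = NatDevice(INTERNAL_PREFIX, EXTERNAL_PREFIX)
    for host in (10, 11, 12):
        nat.register(f"10.0.0.{host}", f"203.0.113.{host}")
    return nat


# Constructed notification from the threat management facility; the identifier is the subnet address.
NOTIFICATION = {"type": "endpoint_compromised", "endpoint": "10.0.0.11", "source": "threat-management-facility"}

if __name__ == "__main__":
    nat = build_demo_device()
    print(nat.handle_notification(NOTIFICATION))
    print(nat.translate_packet({"src": "10.0.0.10", "dst": "198.51.100.5"}))  # forwarded and translated
    print(nat.translate_packet({"src": "10.0.0.11", "dst": "198.51.100.5"}))  # None: the victim is isolated
```

The inbound path translates the external address back to the subnet address before the policy check, so an isolation entry keyed on the subnet address also stops traffic arriving from outside; the directives list is what the device would hand to the other endpoints' local agents.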

Regarding claim 2, Thomas in view of Briggs and Liu discloses the computer program product of claim 1 wherein the detection of the compromised one of the plurality of endpoints is based on an omission of an expected heartbeat from the compromised one of the plurality of endpoints (Thomas teaches the gateway monitoring heartbeat of endpoints (Fig. 4, 404 [0077]) included in the enterprise network (Fig. 2, [0054]), the monitoring detects interruption of a heartbeat ([0078])). 

Regarding claim 3, Thomas in view of Briggs and Liu discloses the computer program product of claim 1 wherein the detection of the compromised one of the plurality of endpoints is based on an error in content of a heartbeat from the compromised one of the plurality of endpoints (Thomas, [0078]: error in the periodic signal, a malformed packet).

Regarding claim 4, the claim recites a subset of limitations in claim 1, all taught by the combined teachings of Thomas, Briggs and Liu, as presented in claim 1.

Regarding claim 5, Thomas in view of Briggs and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes receiving a notification from the compromised one of the plurality of endpoints (Liu, [0037][0038], see claim 1 for motivation).  

Regarding claim 6, Thomas in view of Briggs and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes receiving a notification from one of the plurality of endpoints other than the compromised one of the plurality of endpoints (Thomas [0040] Fig. 1: endpoint communicates through a router).

Regarding claim 7, Thomas in view of Briggs and Liu discloses the method of claim 4 wherein the detection of the compromised one of the plurality of endpoints includes detecting potentially malicious traffic to or from the compromised one of the plurality of endpoints at the network device (Thomas [0032][0036][0006]; see claim 1 for motivation to combine with Thomas).

Regarding claim 8, Thomas in view of Briggs and Liu discloses the method of claim 7 further comprising querying each of the endpoints coupled to the subnet to identify a source of the potentially malicious traffic (Liu, [0037][0039]: send the “smoking sign” to other hosts to determine if they are also infected with the worm, in order to improve security).  

Regarding claim 9, Thomas in view of Briggs and Liu discloses the method of claim 8 further comprising: when the source is identified, preventing communications through the network device by the source (Liu [0039]: when one of the other hosts is also infected, it becomes a source of contagion and implements containment (Liu [0073])); and when the source is not identified, preventing communications by any of the endpoints through the network device (Liu [0039]: when none of the other hosts is infected, the smoking sign is dropped, the first endpoint that forwarded the alert to the PWC manager is the only infected one and blocks traffic ([0073]); it would have been obvious to a skilled artisan before the application was filed to implement the functionalities of the PWC manager into the threat management facility/gateway in order to allow self-inspection by the other nodes in the subnet and apply self-containment or not, increasing security).

Regarding claim 14, Thomas in view of Briggs and Liu discloses the method of claim 4; additionally Thomas discloses determining a security status of each of the one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints and permitting network communications through the network device only from devices meeting one or more security conditions (Thomas [0058][0078]: the gateway periodically receives heartbeat and software compliance status from endpoints located in an enterprise network, and takes action when an endpoint is compromised as indicated by an interruption of the heartbeat, such actions including suspending communications for the compromised endpoint ([0079][0080]); the gateway continues to periodically receive heartbeat status from the other endpoints after a compromised one is blocked ([0058])).

Regarding claim 15, Thomas in view of Briggs and Liu discloses the method of claim 14 wherein the one or more security conditions include a presence of a secure heartbeat (Thomas, [0059]: secure the heartbeat by encryption or signing).  

Regarding claim 16, Thomas in view of Briggs and Liu discloses the method of claim 14 wherein the one or more security conditions include an indication of security compliance from a local security agent (Thomas [0058]: health monitor on endpoint checks on compliance of antivirus or other security software).  
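The heartbeat-based status determination relied on for claims 2, 3 and 14-16, as an added example that is not code from Thomas or from the application: a gateway-side monitor validates signed heartbeats, distinguishes an omitted heartbeat from an error in its content (bad signature, malformed body, wrong identity, stale timestamp), records the compliance flag reported by the endpoint's local agent, and permits communications only from endpoints whose status is "ok". HMAC-SHA256 signing over a JSON body, the shared key, the 30-second interval, and all names are assumptions.

```python
"""Gateway-side security status from signed heartbeats, as a constructed example.

Assumed (not from Thomas): HMAC-SHA256 over a JSON body with a shared key, a 30 s
heartbeat interval, and a "compliant" flag reported by the endpoint's local agent.
"""
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # constructed; a deployment would provision per-endpoint keys
HEARTBEAT_INTERVAL = 30.0              # seconds between expected heartbeats (constructed value)
MISSED_ALLOWED = 2                     # intervals without a valid heartbeat before the endpoint is flagged


def sign_heartbeat(endpoint, compliant, ts, key=SHARED_KEY):
    """What the local agent on an endpoint would send: a body plus an HMAC over it."""
    body = {"endpoint": endpoint, "compliant": compliant, "ts": ts}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


class HeartbeatMonitor:
    def __init__(self, key=SHARED_KEY, interval=HEARTBEAT_INTERVAL, missed_allowed=MISSED_ALLOWED):
        self.key, self.interval, self.missed_allowed = key, interval, missed_allowed
        self.last_ok = {}    # endpoint -> time of the last valid heartbeat
        self.compliant = {}  # endpoint -> compliance flag from the last valid heartbeat
        self.errors = {}     # endpoint -> reason the last heartbeat was rejected

    def _validate(self, endpoint, message, now):
        """Return None if the heartbeat is acceptable, otherwise a short reason."""
        if (not isinstance(message, dict) or not isinstance(message.get("body"), dict)
                or not isinstance(message.get("mac"), str)):
            return "malformed"
        body = message["body"]
        if not isinstance(body.get("compliant"), bool) or not isinstance(body.get("ts"), (int, float)):
            return "malformed"
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return "bad_signature"            # content altered or not produced with the key
        if body.get("endpoint") != endpoint:
            return "identity_mismatch"        # signed for a different endpoint than the sender
        if abs(now - body["ts"]) > self.interval:
            return "stale"                    # replayed or badly delayed heartbeat
        return None

    def receive(self, endpoint, message, now):
        reason = self._validate(endpoint, message, now)
        if reason is None:
            self.last_ok[endpoint] = now
            self.compliant[endpoint] = message["body"]["compliant"]
            self.errors.pop(endpoint, None)
            return "ok"
        self.errors[endpoint] = reason
        return reason

    def status(self, endpoint, now):
        if endpoint in self.errors:
            return self.errors[endpoint]          # error in heartbeat content
        if endpoint not in self.last_ok:
            return "unknown"                       # never checked in
        if now - self.last_ok[endpoint] > self.interval * self.missed_allowed:
            return "missing"                       # omission of an expected heartbeat
        if not self.compliant[endpoint]:
            return "noncompliant"                  # local agent reports security software out of policy
        return "ok"

    def permit(self, endpoint, now):
        """Only endpoints meeting every condition may communicate through the gateway."""
        return self.status(endpoint, now) == "ok"


def run_demo(t0=1_000_000.0):
    """Constructed scenario; returns each endpoint's status shortly after and long after t0."""
    mon = HeartbeatMonitor()
    mon.receive("10.0.0.10", sign_heartbeat("10.0.0.10", True, t0), t0)
    mon.receive("10.0.0.11", sign_heartbeat("10.0.0.11", False, t0), t0)
    tampered = sign_heartbeat("10.0.0.12", False, t0)
    tampered["body"]["compliant"] = True          # content altered after signing
    mon.receive("10.0.0.12", tampered, t0)
    mon.receive("10.0.0.13", {"body": "garbage"}, t0)
    hosts = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13"]
    soon = {h: mon.status(h, t0 + 10) for h in hosts}
    later = {h: mon.status(h, t0 + 100) for h in hosts}   # more than two intervals of silence
    return soon, later


if __name__ == "__main__":
    print(run_demo())
```

A content error is kept until the next valid heartbeat from that endpoint replaces it, so a single tampered or malformed message is enough to drop the endpoint out of the permitted set, while silence is only acted on after the configured number of missed intervals.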

Regarding claim 17, Thomas in view of Briggs and Liu discloses the method of claim 4 further comprising translating network traffic at the network device between a first routing prefix for the subnet and a second routing prefix for a network external to the subnet (Briggs [0003][0005], and Fig. 4: mapping of internal/external addresses including routing prefixes).

Regarding claim 18, Thomas in view of Briggs and Liu discloses the method of claim 4 wherein the network device includes a network address translation device (Briggs Fig. 1, NAT device).

Regarding claim 19, Thomas in view of Briggs and Liu discloses the method of claim 4 wherein the network device includes at least one of a router and a gateway (Briggs, Fig. 1: NAT router).  

Regarding claim 20, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1; additionally, Briggs discloses the NAT router (claimed network device) comprises a first interface to an external network (Fig. 1, interface to aggregation router on left), a second interface to a subnet (Fig. 1, interface to plurality of endpoints, on right), and one or more processors ([0032]).

Claim 10 is rejected under 35 USC 103 as being unpatentable over Thomas, Briggs and Liu in view of US 20150150072 to Doctor et al., hereinafter Doctor.
Regarding claim 10, Thomas in view of Briggs and Liu discloses the method of claim 4, but does not teach: wherein the detection of the compromised one of the plurality of endpoints includes receiving a notification from a firewall in the enterprise network outside the subnet.
In an analogous art, Doctor describes an enterprise network divided into subnets, each subnet including a scanner that scans for vulnerabilities and reports the results of the scans to a scanner manager ([0028], Fig. 1 and 2). Each subnet communicates with devices outside the subnets via a firewall (Fig. 2, [0027]), i.e., each scanner reports from a subnet to the scanner manager through a firewall. Therefore, it would have been obvious to a skilled artisan before the invention was filed to have the guard device receive notifications from a firewall controlling the subnet, teaching the claim. Receiving a notification from a firewall would increase security, as the firewall would filter any malicious packet.

Claims 11-13 are rejected under 35 USC 103 as being unpatentable over Thomas, Briggs and Liu, in view of US 20170034190 to May, hereinafter May.
Regarding claim 11, Thomas in view of Briggs and Liu discloses the method of claim 4 further comprising, in response to receiving notification of the compromised one of the plurality of endpoints, directing communications from the one or more of the plurality of endpoints other than the compromised one of the plurality of endpoints (Liu [0037]-[0039], see claim 1).
Thomas in view of Briggs and Liu discloses the enterprise network is a private network, but does not explicitly teach communications through a virtual private network. However, implementing a VPN in an enterprise network is commonplace, as taught by May. May discloses an enterprise network connected to the internet by a router or gateway, through a network security device that provides VPN ([0034]). Therefore, it would have been obvious to a skilled artisan before the invention was filed to implement the gateway as a security device permitting communications through a VPN because it is a well-established technique known to protect communications from being intercepted.

Regarding claim 12, Thomas in view of Briggs and Liu and May discloses the method of claim 11, wherein the virtual private network physically passes through the network device (May, Fig. 1, network security device is a physical device (see Fig. 2), see claim 11 for motivation).

Regarding claim 13, Thomas in view of Briggs and Liu and May discloses the method of claim 11 wherein the virtual private network physically circumvents the network device (May [0030], Fig. 1: wireless devices 102, 104, 106, 108 communicate within the enterprise network through an access point, i.e., circumvent the network security device, because the access point allows the mobile devices to communicate).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Chen et al. 20120011589 provide a method, an apparatus, and a system for detecting a zombie host, to solve the technical problem that a zombie host on a private network equipped with a NAT device cannot be detected on current communication networks.
Vogt et al. 20110103394 disclose that a first packet is received from a client over an internal network destined for a remote node of an external network. The first packet includes a source IP address having an internal network portion that identifies a location of the client in the internal network and an external network portion that identifies a location of the internal network accessible by the external network. An obfuscation operation is performed on the internal network portion of the source IP address of the first packet to conceal the location of the client in the internal network, and the internal network portion of the source IP address of the first packet is rewritten with the obfuscated internal network portion while maintaining the current external network portion of the source IP address. Thereafter, the first packet is transmitted to the remote node over the external network.
Xie 7716725 discloses a firewall configured to be interfaced between an internal and an external network. The firewall includes a VoIP processor for detecting an outgoing VoIP packet sent from the internal network, for changing data in a header of the VoIP packet and also changing data contents in the VoIP packet corresponding to the data changed in the header, to enable bi-directional VoIP communication.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138. The examiner can normally be reached Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Catherine Thiaw/
Primary Examiner, Art Unit 2493
5/11/2022