DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 4/16/2020.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 4/16/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: The following parent application number, 15/833,763, has been patented.  Applicant is required to update the parent application’s status (see paragraph 0001 of the Applicant’s specification, CROSS-REFERENCE TO RELATED APPLICATIONS).
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-20 are rejected under 35 U.S.C. 101 as being directed to no more than software per se.  Claims 11-20 do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention is not directed to any concrete thing consisting of parts or devices.  The specification as originally filed fails to set forth the metes and bounds of what is meant to be encompassed by the term “electronic device”.  As such, it is reasonable to interpret the term “electronic device” as software per se (see paragraph 0014 of Applicant’s specification, “The users may access the provider network using one or more electronic devices 128 connected to the intermediate networks 126. The one or more electronic devices may include computing devices such as desktop, laptop, or mobile computing devices, servers, virtual machines, or other devices”).  Therefore, claim 11 is not patent-eligible subject matter.
Dependent claims 12-20 depend on the rejected base claim 11, and are rejected for the same rationale.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,652,283.  Although the claims at issue are not identical, they are not patentably distinct from each other because both inventions are directed to the following: one or more security group rules can be obtained for an application, the one or more security group rules controlling communication of one or more security groups. The one or more security group rules can be analyzed to determine placement data for the one or more security groups. The placement data can be provided to a placement service, and the placement service can be caused to deploy at least one virtual machine using the placement data.
Furthermore, Examiner notes that each and every limitation of the instant claims appears to be substantially anticipated by the corresponding claims of the patent application.
Therefore, Examiner respectfully submits that the instant claims and the claims of the patent application are not directed to patentably distinct inventions; thus, properly rejected on the grounds of nonstatutory double patenting, as further outlined below.
The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.
Instant Application 16/850,410, Claim 1:
A computer-implemented method comprising: obtaining at least one security group rule for at least one security group, the at least one security group rule controlling communication of the at least one security group; analyzing the at least one security group rule to determine placement data for the at least one security group; providing the placement data to a placement service; and causing the placement service to deploy at least one virtual machine using the placement data.

Patent Application 10,652,283, Claim 1:
A computer-implemented method comprising: monitoring a security group rules data store, the security group rules data store including a plurality of security group rules corresponding to at least one security group; identifying a first set of security group rules defined for a first security group, the first security group corresponding to a tier of a customer application; comparing the first set of security group rules to a plurality of security group model rules; for each security group model rule, determining a score for each security group rule from the first set of security group rules; determining at least one matching security group model rule corresponding to at least one security group model rule having a highest score, the security group model rules corresponding to best practices rules for at least one type of tier; labeling the tier of the customer application with a type of tier corresponding to the at least one matching security group model rule; and sending a request to a placement service to place at least one virtual machine belonging to the tier of the customer application, the request including the type of tier corresponding to the at least one matching security group model rule and spread requirements associated with the type of tier; wherein the placement service identifies at least one candidate virtualization guest location based on the type of tier and the spread requirements and deploys the at least one virtual machine to the candidate virtualization guest location.

Instant Application 16/850,410, Claim 11:
A system comprising: a first one or more electronic devices to implement a placement service in a multi-tenant provider network; and a second one or more electronic devices to implement security group monitor in the multi-tenant provider network, the security group monitor including instructions that upon execution cause the security group monitor to: obtain at least one security group rule for at least one security group, the at least one security group rule controlling communication of the at least one security group; analyze the at least one security group rule to determine placement data for the at least one security group; provide the placement data to the placement service; and cause the placement service to deploy at least one virtual machine using the placement data.

Patent Application 10,652,283, Claim 8:
A system comprising: a placement service implemented by a first one or more electronic devices; and security group monitor implemented by a second one or more electronic devices, the security group monitor including instructions that upon execution cause the security group monitor to: monitor a security group rules data store, the security group rules data store including a plurality of security group rules corresponding to at least one security group; identify a first set of security group rules defined for a first security group, the first security group corresponding to a tier of a customer application; compare the first set of security group rules to a plurality of security group model rules; for each security group model rule, determine a score for each security group rule from the first set of security group rules; determine at least one matching security group model rule corresponding to at least one security group model rule having a highest score, the security group model rules corresponding to best practices rules for at least one type of tier; label the tier of the customer application with a type of tier corresponding to the at least one matching security group model rule; and send a request to the placement service to place at least one virtual machine belonging to the tier of the customer application, the request including the type of tier corresponding to the at least one matching security group model rule and spread requirements associated with the type of tier; wherein the placement service identifies at least one candidate virtualization guest location based on the type of tier and the spread requirements and deploys the at least one virtual machine to the candidate virtualization guest location.



Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1 and 11 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by SNIDER et al. (US 20160316003) (hereinafter SNIDER).
Regarding claim 1, SNIDER teaches a computer-implemented method comprising: obtaining at least one security group rule for at least one security group, the at least one security group rule controlling communication of the at least one security group (SNIDER: paragraphs 0019-0020, 0030, 0035, 0039, 0051, 0070 and 0085, “application placement component 210 may select a target placement using a selection strategy. The selected target placement may be analyzed with respect to the placement rules.”); analyzing the at least one security group rule to determine placement data for the at least one security group (SNIDER: paragraphs 0072-0078, “a target placement may be analyzed with respect to resource balance. For example, target placements that sufficiently comply with placement rules may be analyzed. A target placement may be rejected and a new target placement may subsequently be selected based on the analysis, or the analysis may result in acceptance of the target placement”); providing the placement data to a placement service (SNIDER: paragraphs 0051 and 0078-0079, “A candidate placement plan may be selected and executed based on application placement component 210 determining that the candidate placement plan would improve the state of the platform with respect to the score”); and causing the placement service to deploy at least one virtual machine using the placement data (SNIDER: paragraph 0051, “A placement or movement may comply with a placement rule where the one or more conditions are met. As with resource metrics, placement rules can be system and/or client defined. For example, placement rules 230 includes system defined placement rules 230a and client defined placement rules 230b. As with resource metrics, placement rules can be designated for a particular job instance(s), for a particular service application instance (i.e., for all job instances of the application), and/or for all instances of a service application (or for all primary or secondary instances). Furthermore, placement rules can change and be updated, added to, or replaced over time by the system and/or clients”).
Regarding claim 11, claim 11 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 11 and rejected for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 6, 12 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of Jacob et al. (US 20160043968) (hereinafter Jacob).
Regarding claims 2 and 12, SNIDER does not explicitly teach the following limitation which is taught by Jacob, wherein the placement data includes a tier type for each of the at least one security group (Jacob: paragraphs 0010, 0016 and 0168, “the placement configuration indicates a plurality of groups, wherein the placement configuration identifies a set of virtual machines allocated to a first group of the plurality of groups, and wherein a first computing resource of the plurality of computing resources is allocated to the first group based on the placement configuration”).  
SNIDER and Jacob are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER and Jacob before him or her, to modify the system of SNIDER to include the placement data includes a tier type for each of the at least one security group of Jacob. The suggestion/motivation for doing so would have been for enabling convenient, on-demand network access to a shared pool of computing resources (e.g. networks, network bandwidth, servers, PODs, processing, memory, storage, applications, virtual machines, services, etc.) (Jacob: paragraph 0029).
Regarding claims 6 and 16, SNIDER as modified teaches wherein analyzing the at least one security group rule to determine placement data for the at least one security group, further comprises: identifying a spread requirement for virtual machines belonging to the at least one security group from the at least one security group rule (Jacob: paragraphs 0016 and 0048, “a placement configuration identifies a set of virtual machines allocated to a first group of the plurality of groups. A first computing resource of the plurality of computing resources is allocated to the first group based on the placement configuration. In some embodiments, a placement configuration may include a security configuration to prevent access to the plurality of computing resources by other computing resources. For example, a security configuration may indicate one or more hypervisors allocated to manage the plurality of computing resources”).  The same motivation to modify SNIDER in view of Jacob, as applied in claim 2 above, applies here.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of Jacob et al. (US 20160043968) (hereinafter Jacob), and further in view of KOUZNETSOV et al. (US 20170097845) (hereinafter KOUZNETSOV).
Regarding claims 3 and 13, SNIDER in view of Jacob does not explicitly teach the following limitations which are taught by KOUZNETSOV, wherein analyzing the at least one security group rule to determine placement data for the at least one security group, further comprises: comparing the at least one security group rule to one or more security group model rules (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”); determining a score for the at least one security group rule for each of the one or more security group model rules (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”); and labelling the at least one security group with a tier type corresponding to at least one security group model rule having a highest score (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”).
SNIDER in view of Jacob and KOUZNETSOV are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER in view of Jacob and KOUZNETSOV before him or her, to modify the system of SNIDER in view of Jacob to include the analyzing step of the at least one security group rule to determine placement data for the at least one security group of KOUZNETSOV.  The suggestion/motivation for doing so would have been to determine optimal number of hosts required per VM sub-group, determine optimal set of hosts for each VM sub-group, and deploy placement rules to enforce VM-host affinity placements (KOUZNETSOV: paragraph 0030).

Claims 7-10 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of NEOGI et al. (US 20170257424) (hereinafter NEOGI).
Regarding claims 7 and 17, SNIDER does not explicitly teach the following limitations which are taught by NEOGI, wherein the placement service: receives a request to place a plurality of virtual machines belonging to a first security group (NEOGI: paragraphs 0077-0078, “a search of available hosts can be performed to determine a list of candidate hosts in an associated data center and associated network paths that satisfy the specified and/or enriched requirements (network, security, affinity, availability, etc.) of the container being placed”); determines a rank for each of a plurality of candidate virtualization guest locations based on the placement data (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); and deploys the plurality of virtual machines to the plurality of candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”).
SNIDER and NEOGI are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER and NEOGI before him or her, to modify the system of SNIDER in view of Jacob to include the deployment of the plurality of virtual machines to the plurality of candidate virtualization guest locations based at least on their ranks of NEOGI.  The suggestion/motivation for doing so would have been for implementing flexible and scalable application virtualization mechanisms (NEOGI: paragraph 0002).
Regarding claims 8 and 18, SNIDER as modified teaches wherein the placement service: receives a request to place at least one virtual machine belonging to the first security group (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); determines a rank for each of a second plurality of candidate virtualization guest locations based at least on the placement data and placement of the plurality of virtual machines (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); deploys the at least one virtual machine to at least one candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); and redeploys at least one of the plurality of virtual machines to the second plurality of candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0049, 0078-0080 and 0111, “systems and techniques also provide for automatically mutating and expanding such container ecosystem environments, including network segments within them in response to changes (change events such as scaling changes in a given application or a data center implementing the containerized application), migration of containers and/or redeployment events in the container ecosystem. The described methods, systems and techniques are also independent of: a) networking device specifics; b) internal or external cloud configuration (including the cloud-burst use case; c) compute virtualization/clustering platforms; and d) container virtualization/clustering platforms.”).  The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.
Regarding claims 9 and 19, SNIDER as modified teaches wherein the at least one security group rule includes a protocol, port range, and source or destination identifier (NEOGI: paragraphs 0039 and 0088, “the containers 130, 140 and 150 can be configured to implement an autonomous 3-tier application stack with a web tier (container 130) accepting incoming hypertext transfer protocol secure (HTTPS) connections on port 443, an App tier (container 140) accepting incoming HTTPS connections on port 8443 and a database (DB) tier (container 150) accepting trusted (e.g., from a pre-defined origination Internet Protocol (IP) address) connections to port 1433.”).  The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.
Regarding claims 10 and 20, SNIDER as modified teaches further comprising: generating a first visualization of a tier of an application corresponding to the at least one security group, the first visualization including one or more computing systems with which the tier of the application can communicate based on the at least one security group rule (NEOGI: paragraphs 0039 and 0088, “the containers 130, 140 and 150 can be configured to implement an autonomous 3-tier application stack with a web tier (container 130) accepting incoming hypertext transfer protocol secure (HTTPS) connections on port 443, an App tier (container 140) accepting incoming HTTPS connections on port 8443 and a database (DB) tier (container 150) accepting trusted (e.g., from a pre-defined origination Internet Protocol (IP) address) connections to port 1433.”).  The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.

Allowable Subject Matter
Claims 4-5 and 14-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed below:
Raduchel (US 20190253523) discloses a method for implementing software containers implementing network engines that may be configured to act in a zero-knowledge environment. In such implementations, all information pertaining to the network engine associated with a user that is stored in the container is solely that of a user unless explicitly shared by the user. In some implementations, the containers may be configured to participate in a publish-and-subscribe network in order to share information. In addition, the containers may be provisioned with controls so that global operators may comply with local privacy rules.
Nagpal (US 20180136958) discloses a system for placing virtual machines in a virtualization environment receives instructions to place a virtual machine within the virtualization environment, wherein the virtual environment includes a plurality of host machines that include a hypervisor, at least one user virtual machine, and an input/output (I/O) controller and a virtual disk that includes a plurality of storage devices and is accessible by all of the I/O controllers, wherein the I/O controllers conduct I/O transactions with the virtual disk based on I/O requests received from the UVMs. The system determines a predicted resource usage profile for the virtual machine. The system selects, based on the predicted resource usage profile, one of the host machines for placement of the virtual machine. The system places the virtual machine on the selected one of the host machines.
Fine (US 9965309) discloses an example method that may include determining a shared threat potential for a virtual machine based, at least in part, on a degree of co-location the virtual machine has with a current virtual machine operating on a physical machine, determining a workload threat potential for the virtual machine based, at least in part, on a level of advantage associated with placing the virtual machine on the physical machine, determining a threat potential for the virtual machine based, at least in part, on a combination of the shared threat potential and the workload threat potential, and placing the virtual machine on the physical machine based on the threat potential.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431