DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2.	Applicant's arguments and amendments, filed on 03/10/2022, have been entered and carefully considered. Claims 1, 9, 10, 18 and 19 are amended. Claim 20 is cancelled. Claim 21 is new. Claims 1-19 and 21 have been examined and rejected.
 
Response to Amendment and Arguments
3.	Applicant’s amendments and arguments filed on 03/10/2022 with respect to rejections of claims 1-19 and 21 have been considered but are moot in view of the new ground of rejection necessitated by applicant’s amendment.

Claim Objections
4.	Claim 21 is objected to because of the following informality: claim 21 recites dependency on cancelled claim 20 instead of system claim 19. Appropriate correction is required.


Claim Rejections - 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


6.	Claims 1-19 are rejected under AIA 35 U.S.C. 103 as being unpatentable over Kung et al. (U.S. PGPub 2018/0234459) in view of Ponnuswamy et al. (U.S. PGPub 2019/0173736) in view of Bhatia et al. (PGPub 2020/0272741).
As per claims 1, 10 and 19
Kung teaches a method for managing a segmentation policy (Kung see fig. 5, para 0149, 0150, incoming and outgoing network traffic flows for infrastructure resources are captured and mapped to logical groups or segments to identify and expose the communication requirements needed for the logical objects defined by the logical groups as segments, allowing the system to extract real-time communication requirements to define and manage micro-segmentation policies that restrict communication among applications and generic logical groups to the strict necessary to support the applications), the method comprising: 
obtaining a segmentation policy comprising a set of rules for controlling traffic between workloads (Kung see fig. 3-6, para 0066, 0091 and 0092; as shown in fig. 4, an application level security policy for the computer infrastructure of FIG. 3 is presented in the form of a table, but it can be stored in any number of forms in a database; given a set of users U1 and U2 from the example of fig. 3 and workload units W1.1, W.2, W.1.3 and W2.1, an application level security policy specification defines a set of rules, R1 to R6 as shown in fig. 4, representing rules that are part of the segmentation policy controlling traffic between workloads 1 and 2; as shown in fig. 6, contextual security platform 202 of fig. 5 obtains and maps an application level security policy rule to network level security policy rules);
detecting a plurality of protected workloads that are members of a secure enclave protected by an enclave protection device such that traffic between the protected workloads and external workloads outside the secure enclave pass through the enclave protection device (Kung see para 0172, 0175, 0176, 0181, the contextual security platform continuously discovers all public/private cloud native infrastructure objects, virtualized and bare metal servers, including workloads, services, existing security controls, and data flow, monitors real-time data flows between workloads and compares them to deployed security policies for compliance);
determining, from the segmentation policy, a set of cross-boundary rules pertaining to traffic between at least one of the protected workloads and at least one of the external workloads (Kung see fig. 13, para 0284; at step 1302, the process is triggered by a local organization creating its own communication policy; as indicated by step 1304, the process scans all proposed rules defined within the proposed “self-service” security policy; at steps 1306 and 1308, the process checks each proposed rule in the security policy; at step 1310, the computer network security application performs process 1400 shown in fig. 14, which determines whether or not the rule is allowed based on the constraint policies); 
Kung fails to exclusively teach generating, from the set of cross-boundary rules, a configuration for the enclave protection device that causes the enclave protection device to permit the traffic meeting the set of cross-boundary rules; and distributing the configuration to the enclave protection device to enable enforcement of the cross-boundary rules.  
In a similar field of endeavor Ponnuswamy teaches generating, from the set of cross-boundary rules, a configuration for the enclave protection device that causes the enclave protection device to permit the traffic meeting the set of cross-boundary rules; and distributing the configuration to the enclave protection device to enable enforcement of the cross-boundary rules (Ponnuswamy see para 0067, 0211-0217, “contracts” refer to rules or configurations that specify what and how communications in a network are conducted; contracts configure how communications between endpoints and/or EPGs take place, providing rules and configurations for an Access Control List with a profile including a named entity that contains the configuration details for implementing one or more instances of a policy; the cross-domain assurance system 608 can use received network traffic data and received network events to provide assurance for a combination of both the network infrastructure 604 and the servers 606; the cross-domain assurance system 608 can determine that bond interfaces on the first leaf 602-1 are configured to properly communicate over a bonded connection with bond interfaces on the first server 606-1).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kung with the teaching of Ponnuswamy, as doing so would provide an efficient method for cross-domain assurance between a server cluster and an infrastructure of a network environment using policy modeling for a segmented Application Policy Infrastructure framework (Ponnuswamy see para 0028-0030).
Kung in view of Ponnuswamy fails to exclusively teach wherein generating the configuration for the enclave protection device comprises: identifying, in the cross-boundary rules, a set of duplicate rules; and combining the duplicate rules into a combined rule and replacing the duplicate rules with the combined rule in the cross-boundary rules, the configuration for the enclave protection device being based on the combined rule; and distributing the configuration to the enclave protection device to enable enforcement of the cross-boundary rules.
In a similar field of endeavor Bhatia teaches wherein generating the configuration for the enclave protection device comprises: identifying, in the cross-boundary rules, a set of duplicate rules (Bhatia see para 0068, 0107, rule deduplication and merging engine 108 provides logic for performing automated Security Incident and Event Management rule deduplication and merging based on the similarity scores or measures associated with the pairings of rules in the rule set data structure 134, for rules that have a similarity score above a deduplication threshold similarity score indicating that the SIEM rules are considered to be duplicates of one another; pairings of rules with each other in the rule set data structure are created and similarity measures are generated, based on the key terms extracted from each automated Security Incident and Event Management rule, for each pairing indicating the statistical similarity representing duplicate rules between each rule in the pairing, in step 1230); 
and combining the duplicate rules into a combined rule and replacing the duplicate rules with the combined rule in the cross-boundary rules, the configuration for the enclave protection device being based on the combined rule (Bhatia see para 0048, 0109, identified duplicate rules are flagged for deduplication by reducing the number of duplicate rules to a single rule, merging them into a single “super rule” that combines the features of each of the rules being merged; for those pairings whose similarity measures meet or exceed a merge threshold value but are less than the deduplication threshold value, a merge operation is performed to merge elements of the paired rules using logical operators in step 1280); 
and distributing the configuration to the enclave protection device to enable enforcement of the cross-boundary rules (Bhatia see para 0109, deduplicated/merged Security Incident and Event Management rules are used to modify the original Security Incident and Event Management rule set data structure to generate a modified Security Incident and Event Management rules data structure as rule configuration in step 1290; the new data structure, as rule configuration, is deployed and utilized to enable enforcement in monitoring and managing security incidents and events in step 1295).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kung in view of Ponnuswamy with the teaching of Bhatia, as doing so would provide an efficient method for a cross-domain advanced rule analyzer pairing rules and determining a similarity measure indicating a degree of similarity to identify duplicate rules, merging the duplicate rules to create a super rule, and generating a modified security rule set (Bhatia see para 0008).

As per claims 2, 11 and 21
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 1, wherein determining the set of cross-boundary rules comprises: identifying a source label set and a destination label set specified by a segmentation rule of the segmentation policy; identifying the segmentation rule as a cross-boundary rule responsive to identifying at least one protected workload having the source label set and identifying at least one external workload having the destination label set, or in response to identifying at least one protected workload having the destination label set and identifying at least one external workload having the source label set (Kung see para 0066, 0075; in on-premise data center 502, there are two hardware server computers 506 and 508, which are intended only to be representative of a large number of servers that might otherwise be hosted in the datacenter; information about the infrastructure resources identified in the FIG., such as applications (labelled “A”), servers (labelled “server”), nodes (“node”), security mechanisms (labelled “m”), and workloads (labelled “WU”), is stored in infrastructure resource information database 210; physical or hardware server computer 506, which is labelled server1.1, hosts two logical or virtual computer instances (virtual machines) 510 and 512, labelled nodes 1.1 and 1.2 in the system mode; as shown in fig. 4, rules of the policy contain source and destination labels, of users U1 and U2 from the example of FIG. 3 and workload units W1.1, W.2, W.1.3 and W2.1; an application level security policy specification defines a set of rules, R1 to R6, that specify which workloads and users may communicate with each other and the type of service that can be provided through that communication; these rules enable the communication pattern between a “client” of a given service (S1, S2, S3 and S4 are the examples that are given)).

As per claims 3 and 12
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 1, wherein the set of cross-boundary rules are permissive rules that cause the enclave protection device to allow the traffic between the at least one of the protected workloads and the at least one of the external workloads (Kung see para 0066, 0075, 0168, using rule R6, node3 running service s3 of workload 1 can communicate with node4 of workload 2 running service s4; if a security group is configured to enforce a “white list communication policy,” the IP address of a resource is used to configure the security group with allowed traffic based on which remote resource a given resource is allowed to communicate to and from).

As per claims 4 and 13
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 1, wherein generating the configuration of the enclave protection device comprises: generating an enclave protection rule that permits traffic between a first workload group identified by a first group identifier and a second workload group identified by a second group identifier that meets specified traffic criteria; and generating membership information specifying first workload identifiers for first workloads in the first workload group, and second workload identifiers for second workloads in the second workload group (Kung see para 0065, there are two application workloads, workload W1 and workload W2, and two users, U1 and U2; workload W1 has three workload units, W1.1, W1.2 and W1.3, and workload W2 has one workload unit, W2.1; user U1 can access workload units from device1 using an access application workload unit A1, and user U2 can access workload units from device2 using an access application workload unit A2; dotted arrows show the application communication requirements: workload units W1.1 and W1.3 need to use a service offered by workload unit 1.2, workload unit 2.1 needs to use a service offered by workload unit 1.3, both users U1 and U2 should be allowed to access a service offered by workload W1.1, and user U2 should also be allowed to access a service offered by workload W2.1).

As per claims 5 and 14
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 4, wherein the specified traffic criteria comprises at least one of: a service, a port, and a protocol (Kung see para 0066 and 0067, rules R1 to R6 specify which workloads and users may communicate with each other and the type of service that can be provided through that communication; these rules enable the communication pattern between a “client” of a given service (S1, S2, S3 and S4) and a “provider” of that service required for correct operation of the applications, and also enable users to access the workload units which they are authorized to use).

As per claims 6 and 15
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 4, wherein distributing the configuration to the enclave protection device comprises: detecting a change in the first workloads in the first workload group; and sending updated membership information to the enclave protection device reflecting the change without sending the enclave protection rule (Ponnuswamy see para 0140-0145, Switch Logical Configuration Generator 316 can also perform change analysis and generate lint events or records for problems discovered in L_Model 270A and/or LR_Model 270B; the lint events or records can be used to generate alerts for a user or network operator).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kung with the teaching of Ponnuswamy, and the motivation to combine the teachings is the same as stated above for the motivation with relation to claims 1 and 10.

As per claims 7 and 16
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 4, wherein distributing the configuration to the enclave protection device comprises: detecting a change in the segmentation policy that affects the enclave protection rule; and sending an updated enclave protection rule to the enclave protection device reflecting the change without sending the membership information (Ponnuswamy see para 0131 and 0132, Topology Explorer 312 can detect Leafs 104 and Spines 102 that are part of Fabric 120 and publish their corresponding out-of-band management network addresses (IP addresses) to downstream services; the topological view is published to the downstream services at the conclusion of Topology Explorer's 312 discovery epoch; Unified Collector 314 can receive the topological view from Topology Explorer 312 and use the topology information to collect information for network assurance from Fabric 120, such as L_Model 270A and/or LR_Model 270B from Controllers 116, switch software configurations from Leafs 104 and/or Spines 102, hardware configurations from Leafs 104 and/or Spines 102, etc.; Unified Collector 314 can collect Ci_Model 274 and Hi_Model 276 from individual fabric members).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kung with the teaching of Ponnuswamy, and the motivation to combine the teachings is the same as stated above for the motivation with relation to claims 1 and 10.

As per claims 8 and 17
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 1, wherein generating the configuration of the enclave protection device comprises: identifying, in the cross-boundary rules, a first rule referencing a set of one or more services, a first group of source workloads, and a first group of destination workloads, and a second rule referencing the set of one or more services, a second group of source workloads and a second group of destination workloads; and generating, from the first and second rule, a combined rule that references the set of one or more services, a combined group of source workloads including the first and second groups of source workloads, and a combined group of destination workloads including the first and second groups of destination workloads (Kung see para 0071-0073, constraint policies define combinations of logical group membership that are not allowed; the constraints are defined as logical expressions with “and”, “or” and “not” operators on logical group membership, so the expression “LG1 and (LG2 or LG3)” defines that a resource cannot be a member of logical group LG1 and at the same time be a member of either logical group LG2 or logical group LG3; the contextual security platform configures different types of network security mechanisms for enforcing rules on network traffic at different points of the network infrastructure based on application level security policies; the policy manager provides a multi-layer defense-in-depth system and configures multiple enforcement mechanisms in a coordinated way; by configuring multiple mechanisms, the policy manager combines their different capabilities and features and offers better effective global security than what each individual mechanism can offer in isolation).

As per claims 9 and 18
Kung in view of Ponnuswamy in view of Bhatia teaches the method of claim 1, wherein the set of duplicate rules comprises two or more rules that share a common set of services, ports, and protocols (Bhatia see para 0098, a rule component database specifies the various condition components used to define rules, the various log source components used to define rules, and threshold components; terms from condition statements are matched between rules; log sources and their types are also matched to the log source reference appearing in the rule logic; if rule x has 2 log sources, a Juniper firewall and a Checkpoint firewall, a search for these terms in the rule logic is performed and establishes a match when present; every rule is broken down into components representing log sources, conditions, and thresholds).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Kung in view of Ponnuswamy with the teaching of Bhatia, and the motivation to combine the teachings is the same as stated above for the motivation with relation to claims 1 and 10.
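The following worked example is added here for illustration and is not code from the applicant, the examiner, or any of the cited references. It walks the claimed steps discussed for claims 2, 4, 8 and 9: selecting cross-boundary rules from labelled workloads, treating rules that share a service set as duplicates, unioning their source and destination groups into a combined rule, and emitting a group-based device rule plus membership tables. It also adds a check a reviewer would want: whether the combined rule permits flows that no original rule allowed. All workload names, labels and rules are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Label = Tuple[str, str]            # e.g. ("role", "web")
Service = Tuple[str, int]          # (protocol, port), e.g. ("tcp", 5432)
Triple = Tuple[str, str, Service]  # (source workload, dest workload, service)

@dataclass(frozen=True)
class Rule:
    src: FrozenSet[Label]          # source label set
    dst: FrozenSet[Label]          # destination label set
    services: FrozenSet[Service]   # services / ports / protocols

@dataclass(frozen=True)
class Workload:
    wid: str
    labels: FrozenSet[Label]
    protected: bool                # True when inside the secure enclave

def members(labels: FrozenSet[Label], workloads) -> Set[str]:
    """Workloads carrying every label in the label set."""
    return {w.wid for w in workloads if labels <= w.labels}

def cross_boundary(rules, workloads) -> List[Rule]:
    """A rule is cross-boundary when a protected workload matches one side
    and an external workload matches the other side."""
    prot = {w.wid for w in workloads if w.protected}
    out = []
    for r in rules:
        s, d = members(r.src, workloads), members(r.dst, workloads)
        if (s & prot and d - prot) or (s - prot and d & prot):
            out.append(r)
    return out

def build_config(rules, workloads):
    """Resolve cross-boundary rules to workload groups, union the groups of
    rules that share a service set (the duplicates), and emit group-based
    permit rules plus the membership table the device needs."""
    merged: Dict[FrozenSet[Service], Tuple[Set[str], Set[str]]] = {}
    for r in cross_boundary(rules, workloads):
        s, d = merged.setdefault(r.services, (set(), set()))
        s |= members(r.src, workloads)
        d |= members(r.dst, workloads)
    device_rules, membership = [], {}
    ordered = sorted(merged.items(), key=lambda kv: sorted(kv[0]))
    for i, (svc, (s, d)) in enumerate(ordered):
        sg, dg = f"grp{i}-src", f"grp{i}-dst"
        membership[sg], membership[dg] = sorted(s), sorted(d)
        device_rules.append({"action": "permit", "src_group": sg,
                             "dst_group": dg, "services": sorted(svc)})
    return device_rules, membership

def extra_permissions(rules, workloads) -> Set[Triple]:
    """Flows the combined rules permit that no original cross-boundary rule
    did. Unioning both sides of two rules also permits first-source to
    second-destination, so this is non-empty unless one side is shared."""
    device_rules, membership = build_config(rules, workloads)
    by_device = {(s, d, svc) for dr in device_rules
                 for s in membership[dr["src_group"]]
                 for d in membership[dr["dst_group"]] for svc in dr["services"]}
    original = {(s, d, svc) for r in cross_boundary(rules, workloads)
                for s in members(r.src, workloads)
                for d in members(r.dst, workloads) for svc in r.services}
    return by_device - original

def lbl(*kv: Label) -> FrozenSet[Label]:
    return frozenset(kv)

# Constructed sample: two enclave workloads, two external ones, four rules.
WORKLOADS = [Workload("web1", lbl(("role", "web"), ("env", "prod")), True),
             Workload("app1", lbl(("role", "app"), ("env", "prod")), True),
             Workload("db1", lbl(("role", "db")), False),
             Workload("mon1", lbl(("role", "monitor")), False)]
RULES = [Rule(lbl(("role", "web")), lbl(("role", "db")), frozenset({("tcp", 5432)})),
         Rule(lbl(("role", "app")), lbl(("role", "db")), frozenset({("tcp", 5432)})),
         Rule(lbl(("role", "web")), lbl(("role", "app")), frozenset({("tcp", 8080)})),
         Rule(lbl(("role", "monitor")), lbl(("role", "web")), frozenset({("tcp", 9100)}))]
```

With the sample data the web-to-db and app-to-db rules share the destination group, so combining them widens nothing; adding a fourth cross-boundary rule with a different destination on the same service shows the widening the check reports.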


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANJOY K ROY whose telephone number is (571)270-0675. The examiner can normally be reached on Mon-Fri 8:30am-5:00pm, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Nicholas R. Taylor, can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SANJOY ROY/
Examiner, Art Unit 2443

/NICHOLAS R TAYLOR/Supervisory Patent Examiner, Art Unit 2443