DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
1.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 04/27/2022 has been entered.
	Claims 1, 3, 9, 11, 17, and 19 have been amended, and claims 2, 4, 10, 12, and 18 have been cancelled.
	Claims 1, 3, 5-9, 11, 13-17, 19 and 20 remain pending.
 

Response to Arguments
2.	Applicant's arguments regarding the previously applied Fainberg and Cheng references failing to disclose or rendering obvious: “receiving, at the service and via a user interface, an indication of one or more scalable group tags associated with the endpoint device,” and “determining, by the service an intent of the endpoint device indicative of an expected behavior of the endpoint device, using the one or more component tags, the one or more activity tags, and the one or more scalable group tags,” as recited in claim 1, and similarly recited in claims 9 and 17,  have been fully considered but they are not persuasive. During the interview on 04/19/2022, the amended limitations which were previously included in now cancelled claims 2 and 4 were presented. It was suggested that additional language describing how the information obtained from the tags is applied to determine an intention indicative of expected behavior of each endpoint device could help to overcome the Fainberg-Cheng combination of references. The current amendments do not include such language.
Applicant first submits that the Fainberg-Cheng combination fails to teach that an indication of one or more scalable group tags is received via a user interface, as presently claimed, because Applicant asserts that the clustering factors inputted through an interface in Cheng are distinguishable from scalable group tags.
Regarding the scalable group tags it is first noted that, as acknowledged by Applicant, in Fainberg, it is a tag such as the “third floor tag” which is construed as being equivalent to the claimed scalable group tag. Within the scope of the scalable group tags in the claims, the exemplary third floor tag in Fainberg is designated for a particular, adaptable group of entities located on the third floor. Although Fainberg does not explicitly disclose receiving these scalable group tags via a user interface, paragraph [0040] of Fainberg does disclose that, when categorization functionalities are updated, a user may be presented with a GUI indicating the categorization of one or more entities is changing in order for the user to confirm such a change. In other words, similarly to both the claimed invention and the Cheng reference, Fainberg teaches the use of a user interface for a user or administrator to manage the tags and categorization of device entities. However, it is the Cheng reference which expressly teaches an administrator using such a user interface for inputting cluster group factors. 
Applicant acknowledges that Cheng teaches an interface through which “new cluster factors” can be inputted, but argues that the clustering factors of Cheng are distinguishable from the claimed scalable group tags. There are no additional remarks regarding why or how the scalable group tags are believed to be distinct from the cluster factors in Cheng. Contrary to this assertion, Cheng expressly discloses in paragraph [0102] clustering IoT devices into groups using clustering factors including, for example, a group of IoT devices at an enterprise location into a single cluster. It is therefore submitted that these clustering factors, used to group IoT devices based on characteristics, are unambiguously within the scope of scalable group tags as described by the claimed invention and, like the claimed invention, Cheng teaches that an interface is provided to an administrator to manually input these clustering factors, or scalable group tags.
Applicant additionally argues that neither Fainberg nor Cheng teach that an intent of an endpoint device, which indicates an expected behavior of the endpoint device, is determined using each of 1) one or more component tags, 2) one or more activity tags, and 3) the aforementioned one or more scalable group tags, as presently claimed, because Applicant asserts that, even assuming that the “third floor tag” of Fainberg can be construed as a scalable group tag, there is no indication in the respective disclosures that such a tag, in conjunction with one or more component tags and one or more activity tags assigned to an endpoint device is used to determine an intent of the endpoint device.
Fainberg is directed to a system which dynamically tags entities with various tags based on a variety of properties or characteristics, which is disclosed in several instances through the specification. Paragraphs [0067]-[0069] recite that characteristics of an entity used to determine tags include classification, identification, categorization, or a combination thereof which may be based on fingerprints, entity behavior, etc. For example, paragraph [0021] describes a printer device tag or an IP camera device tag assigned based on device type, correlating with the claimed component tags. Paragraphs [0061] and [0062] describe determining that a device is a server or a client running a collaboration application based on analysis of packets and behavior of the device, and assigning a server tag or client tag and collaboration application tag accordingly, correlating with the claimed activity tags. Paragraph [0073] provides for a third floor tag for grouping devices on the third floor, correlating with the claimed scalable group tags. The combination of all of these assigned tags, in conjunction, based on a fingerprint, entity behavior, compliance, location, operating system, application, user department, patch status, manufacturer, vender, etc. are used to define zones, groups, or categories for respective entities as described in paragraph [0024] and, synonymous to the claimed invention, Fainberg utilizes these tags to implement a policy enforcing communication access on a network. Additional support for this is in paragraphs [0057] and [0058] which disclose determining one or more tags such as a compliance tag, a firewall tag, a location tag, an access control list tag, a department tag, a user tag, or an account tag, and then, based on these tags, a zone for each device is determined.
Although it is the Cheng reference which is relied upon for explicitly disclosing that an intent of an endpoint device determined by the tags is indictive of an expected behavior of the endpoint device, it is noted that there is a correspondence between the segmentations, or “zones”, dictated by the tags in Fainberg indicating which other devices a particular endpoint device is enabled, or predicted, to communicate with. For example, paragraph [0027] describes segmentation policies allowing an MRI machine to communicate with an MRI server, which could be interpreted as predicted behavior.
It is therefore submitted that the Fainberg and Cheng references are an obvious combination teaching each and every limitation of the amended claims, and the rejection is therefore maintained.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

3.	Claims 1, 3, 9, 11, 17, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg et al. (US 2020/0007395, referred to herein as Fainberg1) in view of Cheng et al. (US 2016/0301707).

Regarding claim 1, Fainberg1 teaches a method comprising:  
2obtaining, by a service, one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity tags (assign tags based on a fingerprint, entity behavior, [0024]) 3that were assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on inspection of 4traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by the entity and the entity receiving the communications, [0025]; The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, [0043]; Traffic analyzer 408 is configured to perform analysis of network traffic (e.g., in real-time, with machine learning, etc.) to and from an entity thereby provide analysis of end to end communications of an entity, [0080]);  
receiving, at the service, an indication of one or more scalable group tags associated with the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]); 
5determining, by the service, an intent of the endpoint device, using the one or 6more component tags, the one or more activity tags7, and the one or more scalable group tags (Embodiments can assign tags based on a fingerprint, entity behavior, compliance location, operating system, application (e.g., billing application), user, user department, patch status (e.g., whether or not a device is patched), manufacturer, vendor, etc. Each property or characteristic of an entity may define a tag and thus a zone, group, or category of the entity, [0024]; Network monitor device 280 is configured to determine one or more tags based the characteristics of devices 220-230. The tags can include a compliance tag (e.g., whether the entity is in compliance with a policy), a firewall tag (e.g., which resources or areas the entity is permitted to communicate with based on a firewall), a location tag (e.g., the location, for instance fifth floor, or the department, for instance, accounting department, an access control list (ACL) tag (e.g., which resources or areas the entity is permitted to communicate with), a department tag, a user tag (e.g., which user is logged into the entity), or an account tag (e.g., which account(s) are associated with the entity), [0057]; Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second floor tag, a wireless tag, a lab environment tag, the zone may be a wireless California office lab zone, [0058]);  
8translating, by the service, the intent of the endpoint device into a network 9segmentation policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and 
10configuring, by the service, a network overlay in the network that implements the 11network segmentation policy (Network monitor device 280, based on the enforcement points, can assign enforcement actions to enforcement points, [0060]; enforcement actions are assigned to the enforcement points based on the tags assigned to the entity, [0072]; if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, and the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]).  
However, Fainberg1 does not explicitly disclose deep packet inspection, the indication of the one or more scalable group tags is received via a user interface or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model behavior of an IoT device and create a normal behavior device profile for the IoT device, [0046]; an event log, a system log, and an access log can be created from transaction data identified from deep packet inspection of data packets transmitted to and from the IoT device, [0160]); 
receiving, at a service and via a user interface, an indication of one or more scalable group tags associated with the endpoint device (the IoT device clustering engine 606 functions to receive regarding new clustering factors and subsequently cluster the devices according to new clustering factors, [0103]; the IoT device clustering engine 606 can provide an interface through which an applicable entity, e.g. an administrator, can manually input new clustering factors, [0103]); and 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model baseline behavior of IoT devices based on historical records of IoT devices. Baseline behavior includes ways an IoT device typical acts, users a device interacts with, and applications and/or operating system that are typically executed at the IoT device, [0107]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection and administrator defined groups for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to allow an administrator to specify device clusters and to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to devices in various clusters using thorough inspection of packets communicated to and from the device. 

Regarding claim 13, Fainberg1 teaches the method as in claim 1, wherein translating the intent of the endpoint device into the network segmentation policy comprises:  27PATENT 0141458.U CPOL 1028072-US.01
3generating a security group access control list, based on the one or more scalable 4group tags associated with the endpoint device (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]); and wherein configuring the network 5overlay in the network comprises:  
6sending the security group access control list to networking equipment in the 7network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 may be assigned enforcement actions (e.g., ACLs) to allow device 230 to access other accounting resources, [0060]).  

Regarding claim 9, Fainberg1 teaches an apparatus, comprising: 28PATENT 0141458.U CPOL 1028072-US.01 
2one or more network interfaces to communicate with a network (Network Interface Device 508 of FIG. 5);  
3a processor coupled to the one or more network interfaces and configured to 4execute one or more processes (Processing Device 502 of FIG. 5); and  
5a memory configured to store a process that is executable by the processor (Main Memory 504 of FIG. 5), the 6process when executed configured to:  
7obtain one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity tags (assign tags based on a fingerprint, entity behavior, [0024]) that were 8assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on inspection of 9traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by the entity and the entity receiving the communications, [0025]; The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, [0043]; Traffic analyzer 408 is configured to perform analysis of network traffic (e.g., in real-time, with machine learning, etc.) to and from an entity thereby provide analysis of end to end communications of an entity, [0080]); 
recergg
receive an indication of one or more scalable group tags associated with the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]);  receive recerr
10determine an intent of the endpoint device using the one or more 11component tags, the one or more activity tags, 12and the one or more scalable group tags (Embodiments can assign tags based on a fingerprint, entity behavior, compliance location, operating system, application (e.g., billing application), user, user department, patch status (e.g., whether or not a device is patched), manufacturer, vendor, etc. Each property or characteristic of an entity may define a tag and thus a zone, group, or category of the entity, [0024]; Network monitor device 280 is configured to determine one or more tags based the characteristics of devices 220-230. The tags can include a compliance tag (e.g., whether the entity is in compliance with a policy), a firewall tag (e.g., which resources or areas the entity is permitted to communicate with based on a firewall), a location tag (e.g., the location, for instance fifth floor, or the department, for instance, accounting department, an access control list (ACL) tag (e.g., which resources or areas the entity is permitted to communicate with), a department tag, a user tag (e.g., which user is logged into the entity), or an account tag (e.g., which account(s) are associated with the entity), [0057]; Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second floor tag, a wireless tag, a lab environment tag, the zone may be a wireless California office lab zone, [0058]);  
13translate the intent of the endpoint device into a network segmentation 14policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and  
15configure a network overlay in the network that implements the network 16segmentation policy (Network monitor device 280, based on the enforcement points, can assign enforcement actions to enforcement points, [0060]; enforcement actions are assigned to the enforcement points based on the tags assigned to the entity, [0072]; if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, and the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]).  
However, Fainberg1 does not explicitly disclose deep packet inspection, the indication of one or more scalable group tags is received via a user interface, or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model behavior of an IoT device and create a normal behavior device profile for the IoT device, [0046]; an event log, a system log, and an access log can be created from transaction data identified from deep packet inspection of data packets transmitted to and from the IoT device, [0160]); 
receiving, via a user interface, an indication of one or more scalable group tags associated with the endpoint device (the IoT device clustering engine 606 functions to receive regarding new clustering factors and subsequently cluster the devices according to new clustering factors, [0103]; the IoT device clustering engine 606 can provide an interface through which an applicable entity, e.g. an administrator, can manually input new clustering factors, [0103]); and 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model baseline behavior of IoT devices based on historical records of IoT devices. Baseline behavior includes ways an IoT device typical acts, users a device interacts with, and applications and/or operating system that are typically executed at the IoT device, [0107]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection and administrator defined groups for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to allow an administrator to specify device clusters and to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to devices in various clusters using thorough inspection of packets communicated to and from the device. 

Regarding claim 111, Fainberg1 teaches the apparatus as in claim 9, wherein the apparatus translates the intent of the endpoint device into the network segmentation policy by:  29PATENT 0141458.U CPOL 1028072-US.01 
3generating a security group access control list, based on the one or more scalable 4group tags associated with the endpoint device (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]); and wherein configuring the network 5overlay in the network comprises:  
6sending the security group access control list to networking equipment in the 7network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 may be assigned enforcement actions (e.g., ACLs) to allow device 230 to access other accounting resources, [0060]).  

Regarding claim 117, Fainberg1 teaches a tangible, non-transitory, computer-readable medium storing program instructions that cause a service to execute a process comprising:  30PATENT 0141458.U 
CPOL 1028072-US.01	3obtaining, by the service, one or more component tags (a printer can be tagged with a printer device tag. Similarly, a device that is classified, identified, or a combination therefore as an IP camera can be tagged an IP camera device tag, [0022]) and one or more activity 4tags (assign tags based on a fingerprint, entity behavior, [0024]) that were assigned to an endpoint device in a network (a policy engine evaluates each of the properties or characteristics associated with an entity to determine one or more tags to be assigned to the entity. The policy may be used to determine one or more tags for an entity continuously and in real time, [0069]) based on 5inspection of traffic associated with the endpoint device (adaptively, continuously, and in real-time categorize and tag entities automatically based on communications sent by the entity and the entity receiving the communications, [0025]; The monitoring of entities by network monitor device 102 may be based on a combination of one or more pieces of information including traffic analysis, [0043]; Traffic analyzer 408 is configured to perform analysis of network traffic (e.g., in real-time, with machine learning, etc.) to and from an entity thereby provide analysis of end to end communications of an entity, [0080]);  
	receiving, at the service, an indication of one or more scalable group tags associated with the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]);
6determining, by the service, an intent of the endpoint device using the one or 7more component tags, the one or more activity tags, 8and the one or more scalable group tags (Embodiments can assign tags based on a fingerprint, entity behavior, compliance location, operating system, application (e.g., billing application), user, user department, patch status (e.g., whether or not a device is patched), manufacturer, vendor, etc. Each property or characteristic of an entity may define a tag and thus a zone, group, or category of the entity, [0024]; Network monitor device 280 is configured to determine one or more tags based the characteristics of devices 220-230. The tags can include a compliance tag (e.g., whether the entity is in compliance with a policy), a firewall tag (e.g., which resources or areas the entity is permitted to communicate with based on a firewall), a location tag (e.g., the location, for instance fifth floor, or the department, for instance, accounting department, an access control list (ACL) tag (e.g., which resources or areas the entity is permitted to communicate with), a department tag, a user tag (e.g., which user is logged into the entity), or an account tag (e.g., which account(s) are associated with the entity), [0057]; Based on the tags, network monitor device 280 is operable to determine a zone based on the tags determined for an entity. For example, if device 230 has an accounting department tag, a California office tag, a second floor tag, a wireless tag, a lab environment tag, the zone may be a wireless California office lab zone, [0058]);  
9translating, by the service, the intent of the endpoint device into a network 10segmentation policy (Based on the zone, network monitor device 280 is operable to determine enforcement points associated with the determined zone. For example, if device 230 is an accounting department device, switch 201 and firewalls 206 and 202 may be determined to be enforcement points associated with the zone determined for device 220, [0059]; one or more enforcement points associated with the entity is determined. The enforcement points may be determined based on the zone associated with the entity, [0071]); and  
11configuring, by the service, a network overlay in the network that implements the 12network segmentation policy (Network monitor device 280, based on the enforcement points, can assign enforcement actions to enforcement points, [0060]; enforcement actions are assigned to the enforcement points based on the tags assigned to the entity, [0072]; if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, and the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]).  
However, Fainberg1 does not explicitly disclose deep packet inspection, the indication of one or more scalable group tags is received via a user interface, or that the intent of the endpoint device is indicative of an expected behavior of the endpoint device.
Cheng teaches tags assigned to an endpoint device in a network based on deep packet inspection of traffic associated with the endpoint device (The packet analysis based IoT device management system 106 can use deep packet inspection to model behavior of an IoT device and create a normal behavior device profile for the IoT device, [0046]; an event log, a system log, and an access log can be created from transaction data identified from deep packet inspection of data packets transmitted to and from the IoT device, [0160]); 
receiving, at a service and via a user interface, an indication of one or more scalable group tags associated with the endpoint device (the IoT device clustering engine 606 functions to receive regarding new clustering factors and subsequently cluster the devices according to new clustering factors, [0103]; the IoT device clustering engine 606 can provide an interface through which an applicable entity, e.g. an administrator, can manually input new clustering factors, [0103]); and 
determining an intent of the endpoint device indicative of an expected behavior of the endpoint device using the tags (Events can include applicable parameters related to operation of an IoT device, such as what data is sent to and from the IoT device, destinations and origins of data sent to and from the IoT device, identifications of the IoT device, geographic information relating to the IoT device, and interaction types corresponding to patterns of events, [0046]; The packet analysis based IoT device management system 106 can analyze an event log to determine historical normal behavior of an IoT device, [0046]; The IoT device profiling engine 608 can model baseline behavior of IoT devices based on historical records of IoT devices. Baseline behavior includes ways an IoT device typical acts, users a device interacts with, and applications and/or operating system that are typically executed at the IoT device, [0107]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to utilize deep packet inspection and administrator defined groups for analyzing and recording device behavior in the system/method of Fainberg1 as suggested by Cheng in order to allow an administrator to specify device clusters and to establish a baseline of normal behavior for a particular device profile. One would be motivated to combine these teachings in order to determine abnormal interactions related to devices in various clusters using thorough inspection of packets communicated to and from the device. 

Regarding claim 119, Fainberg1 teaches the computer-readable medium as in claim 17, wherein translating the intent of the 2endpoint device into the network segmentation policy comprises:  
3generating a security group access control list, based on the one or more scalable 4group tags associated with the endpoint device (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor (e.g., servers, printers, peer devices, etc., on the third floor, [0073]); and wherein configuring the network soverlay in the network comprises:  
6sending the security group access control list to networking equipment in the  network (determining enforcement actions (e.g., rules, ACLs, etc.) for enforcement points (firewalls, routers, switches, etc.), and apply those enforcement actions to the enforcement points, [0030]; A next generation firewall can be updated with an ACL like policy regarding an entity accessing the Internet, [0039]; Firewall 202 and switch 210 may be assigned enforcement actions (e.g., ACLs) to allow device 230 to access other accounting resources, [0060]).  


4.	Claims 5-7, 13-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg1-Cheng in view of Fainberg et al. (US 2020/0007396, referred to herein as Fainberg2).

Regarding claim 15, Fainberg1 teaches the method as in claim 1, wherein the network overlay restricts the endpoint device to 2communicating only with a subset of senders or receivers via the network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, [0027]; Cloud infrastructure (e.g., AWS security groups) can be updated to drop packets from the IP of the entity that have a destination outside the cloud, [0039]; the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).
However, Fainberg1-Cheng do not explicitly disclose wherein 3the network overlay further restricts the endpoint device to sending or receiving only a 4specific type of application traffic via the network.  
Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking certain traffic while allowing other traffic between a printers group and a cameras group, [0040]; at the intersection of the groups on the matrix of whether the two groups are able to communicate and the associated communication properties (e.g., whether the groups are able to communicate on certain ports or with certain protocols). Based on the GUI presented by network monitor device 280, a user can then configure one or more rules to limit or block communication between the two groups, [0098]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.

Regarding claim 6, Fainberg1 teaches 1the method as in claim 5, wherein the one or more component tags are indicative of a 2physical location of the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]), and wherein one or more of the senders or 3receivers in the subset are also located in that physical location (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).  

Regarding claim 17, Fainberg1-Cheng do not explicitly disclose the method as in claim 1, wherein the endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD).  
	Fainberg2 teaches wherein an endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD) (For the OT environments, programmable logic controller (PLC), human interface machines (HMI), production floor centers, and other groups relevant to OT environments may be shown, [0043]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a PLC in an IoT environment such as Fainberg1-Cheng as suggested by Fainberg2 to enhance automation in production lines and machine functions in many industries and applications. One would be motivated to combine these teachings because industrial PLCs are durable and easy to program and control.

Regarding claim 113, Fainberg1 teaches the apparatus as in claim 9, wherein the network overlay restricts the endpoint 2device to communicating only with a subset of senders or receivers via the network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, [0027]; Cloud infrastructure (e.g., AWS security groups) can be updated to drop packets from the IP of the entity that have a destination outside the cloud, [0039]; the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).
However, Fainberg1-Cheng do not explicitly disclose 3wherein the network overlay further restricts the endpoint device to sending or receiving 4only a specific type of application traffic via the network.  
Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking certain traffic while allowing other traffic between a printers group and a cameras group, [0040]; at the intersection of the groups on the matrix of whether the two groups are able to communicate and the associated communication properties (e.g., whether the groups are able to communicate on certain ports or with certain protocols). Based on the GUI presented by network monitor device 280, a user can then configure one or more rules to limit or block communication between the two groups, [0098]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.

Regarding claim 114, Fainberg1 teaches the apparatus as in claim 13, wherein the one or more component tags are indicative 2of a physical location of the endpoint device (if an entity is a WindowsTM device on a third floor, the device will be tagged with a third floor tag, [0073]), and wherein one or more of the senders or 3receivers in the subset are also located in that physical location (the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).  

Regarding claim 115, Fainberg1-Cheng do not explicitly disclose the apparatus as in claim 9, wherein the endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD).  
Fainberg2 teaches wherein an endpoint device comprises a programmable 2logic controller (PLC) or variable-frequency drive (VFD) (For the OT environments, programmable logic controller (PLC), human interface machines (HMI), production floor centers, and other groups relevant to OT environments may be shown, [0043]).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to recognize a PLC in an IoT environment such as Fainberg1-Cheng as suggested by Fainberg2 to enhance automation in production lines and machine functions in many industries and applications. One would be motivated to combine these teachings because industrial PLCs are durable and easy to program and control.

Regarding claim 120, Fainberg1 teaches the computer-readable medium as in claim 19, wherein the network overlay restricts 2the endpoint device to communicating only with a subset of senders or receivers via the 3network (For example, the IP camera may be restricted from communicating with other entities (e.g., other IoT devices, or the Internet) as part of a segmentation based on the categorization of the IP camera, [0027]; Cloud infrastructure (e.g., AWS security groups) can be updated to drop packets from the IP of the entity that have a destination outside the cloud, [0039]; the enforcement points on the third floor are configured (e.g., via ACLs) to allow the device to communicate with resources available to a device on the third floor, [0073]).
	However, Fainberg1-Cheng do not explicitly disclose wherein the network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via the network.
Fainberg2 teaches wherein a network overlay further restricts the endpoint device to sending or receiving only a specific type of application traffic via a network (the orange indicator helps a user understand that the rule just created is blocking certain traffic while allowing other traffic between a printers group and a cameras group, [0040]; at the intersection of the groups on the matrix of whether the two groups are able to communicate and the associated communication properties (e.g., whether the groups are able to communicate on certain ports or with certain protocols). Based on the GUI presented by network monitor device 280, a user can then configure one or more rules to limit or block communication between the two groups, [0098]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to limit the types of traffic allowed between devices in the system/method of Fainberg1-Cheng as suggested by Fainberg2 during management of network segmentation policies. One would be motivated to combine these teachings because limiting the types of communication between different types of devices can improve the security of the network.


5.	Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Fainberg1-Cheng in view of Nellen (US 2019/0141015).

Regarding claim 18, Fainberg1-Cheng do not explicitly disclose the method as in claim 1, wherein the network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in the network.  
	Nellen teaches wherein a network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in a network (to create and simultaneously manage the plurality of private VNs on secure cloud 110, PVN managers 115A-D and 152A-B can implement Virtual Extensible LAN (VXLAN) protocols to overlay the private VN on top of the network in secure cloud 110, [0096]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement VXLAN in the system/method of Fainberg1-Cheng as suggested by Nellen to enhance scalability. One would be motivated to combine these teachings because utilizing VXLAN would allow for flexibility in managing the segmentation of a large number of endpoint devices on a network.

Regarding claim 116, Fainberg1-Cheng do not explicitly disclose the apparatus as in claim 9, wherein the network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in the network.  
Nellen teaches wherein a network overlay is implemented as a Virtual 2Extensible Local Area Network (VxLAN) overlay in a network (to create and simultaneously manage the plurality of private VNs on secure cloud 110, PVN managers 115A-D and 152A-B can implement Virtual Extensible LAN (VXLAN) protocols to overlay the private VN on top of the network in secure cloud 110, [0096]).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement VXLAN in the system/method of Fainberg1-Cheng as suggested by Nellen to enhance scalability. One would be motivated to combine these teachings because utilizing VXLAN would allow for flexibility in managing the segmentation of a large number of endpoint devices on a network.



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.

Cardente et al		US 9,621,431 – classification models utilized to determine an expected behavior of a given endpoint

Chillappa et al.		US 2016/0381030 – editing profiles and moving devices across zones via a user interface and monitoring expected device behaviors.

Chen et al.			US 2017/0046510 – classifying devices based on application type and using device behavior models.

Ueda				US 2017/0075336 – user setting a device belonging to a group on a user interface screen.

Kim et al.			US 2018/0249521 – grouping and set up of IoT network devices.

Lifshitz et al.			US 2019/0380037 – IoT device classifying and monitoring of device traffic and device behavior profiles to detect suspicious behavior.

Pandian et al.		US 2020/0076853 – grouping devices by category and determining risk scores for anomalous behavior of the devices.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHU WOOLCOCK whose telephone number is (571)270-3629. The examiner can normally be reached Tuesday, Thursday 9-6 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chris Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHU WOOLCOCK
Examiner
Art Unit 2451



/MADHU WOOLCOCK/Primary Examiner, Art Unit 2451