DETAILED ACTION
This office action is in response to the application filed on 03/20/20. Claims 1-20 are pending and are examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-19 are rejected under 35 U.S.C. 101 because they claim “at least one computer-readable storage medium having stored therein instructions” without excluding a signal.

Regarding claim 15, it claims “at least one computer-readable storage medium having stored therein instructions”. The claims are transitory signals per se, since there is no record showing the term "at least one computer-readable storage medium having stored therein instructions" is limited to only a non-transitory storage medium either in the claims or in the specification.

Claims 16-19 depend on claim 15 and are therefore rejected under 35 U.S.C. 101.
The broadest reasonable interpretation of a claim drawn to a computer readable medium (also called machine readable medium and other such variations) typically covers forms of non-transitory tangible media and transitory propagating signals per se in view of the ordinary and customary meaning of computer readable media, particularly when the specification is silent. See MPEP 2111.01. When the broadest reasonable interpretation of a claim covers a signal per se, the claim must be rejected under 35 U.S.C. § 101 as covering non-statutory subject matter. See In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter) and Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, Aug. 24, 2009; p. 2.

To narrow the claim to cover only statutory embodiments to avoid a rejection under 35 U.S.C. § 101, add the limitation "non-transitory" to the claim. Such an amendment would typically not raise the issue of new matter, even when the specification is silent, because the broadest reasonable interpretation relies on the ordinary and customary meaning that includes signals per se. The limited situations in which such an amendment could raise issues of new matter occur, for example, when the specification does not support a non-transitory embodiment because a signal per se is the only viable embodiment such that the amended claim is impermissibly broadened beyond the supporting disclosure. See, e.g., Gentry Gallery, Inc. v. Berkline Corp., 134 F.3d 1473 (Fed. Cir. 1998).


Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-6, 8, 15-17 and 20 are rejected under AIA 35 U.S.C. 102(a)(1) as being unpatentable over Zeitlin et al. (U.S. Pub. No. 2016/0164894 A1, referred to as Zeitlin).
Regarding claims 1, 15 and 20, Zeitlin teaches:
monitoring data traffic passing into a virtualized network environment including a plurality of virtual machines running on a switch fabric (Fig. 1, Items 36, 40, 44, 60; ¶ 0018- ¶ 0024; Fig. 2; ¶ 0032- ¶ 0064);
identifying, at the switch fabric, a network threat introduced into the virtualized network environment through at least a portion of the data traffic passing into the virtualized network environment (Fig. 2, Step 116; ¶ 0054- ¶ 0062); and 
performing one or more remedial measures in the virtualized network environment based on the identification of the network threat in the virtualized network environment (Fig. 2, Step 120; ¶ 0063- ¶ 0064).

Regarding claim 15, Zeitlin further teaches:
A system comprising: one or more processors; and at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations (Fig. 1, Item 20; ¶ 0018- ¶ 0022).

Regarding claim 20, Zeitlin further teaches:
A non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations (¶ 0029- ¶ 0030).

Regarding claim 2, Zeitlin teaches all the features of claim 1, as outlined above.
Zeitlin further teaches:
wherein the switch fabric is a virtualized switch fabric (Fig. 1, Item 44; ¶ 0021; ¶ 0059).

Regarding claim 3, Zeitlin teaches all the features of claim 1, as outlined above.
Zeitlin further teaches:
intercepting the at least a portion of the data traffic introducing the network threat into the virtualized network environment at the switch fabric; and performing the one or more remedial measures while the at least a portion of the data traffic remains in the switch fabric (Fig. 2, Step 120; ¶ 0063- ¶ 0064).

Regarding claim 4, Zeitlin teaches all the features of claim 3, as outlined above.
Zeitlin further teaches:
wherein performing the one or more remedial measures includes quarantining, in the switch fabric, the at least a portion of the data traffic introducing the network threat in the virtualized network environment (Fig. 2, Step 120; ¶ 0063- ¶ 0064).

Regarding claims 5 and 16, Zeitlin teaches all the features of claims 1 and 15, as outlined above.
Zeitlin further teaches:
wherein performing the one or more remedial measures comprises preventing transmission of the at least a portion of the data traffic introducing the network threat to either or both the virtual machines and one or more hypervisors hosting the virtual machines in the virtualized network environment (Fig. 2, Step 120; ¶ 0063- ¶ 0064).

Regarding claims 6 and 17, Zeitlin teaches all the features of claims 1 and 15, as outlined above.
Zeitlin further teaches:
wherein the network threat is identified at a first node in the switch fabric, the method further comprising: generating threat information regarding the network threat introduced into the virtualized network environment; and propagating the threat information to one or more additional nodes in the switch fabric distinct from the first node in the switch fabric (Fig. 2, Step 112; ¶ 0050, “At an investigation-instructions distribution step 112, processor 68 sends over network 26 investigation instructions 92 to each agent 46 having at least one VM that appears on suspect list 88 (EN: a first node in the switch fabric and one or more additional nodes in the switch fabric distinct from the first node in the switch fabric). In an embodiment, processor 68 refrains from sending the investigation instructions to agents 46 having no VMs on suspect list 88. The investigation instructions are also referred to as investigation directives.”; ¶ 0051- ¶ 0053), wherein the one or more additional nodes in the switch fabric are configured to identify one or more additional network threats introduced into the virtualized network environment based on the threat information (Fig. 2, Step 116; ¶ 0054, “At an investigation step 116, each agent 46 that receives directives 92 investigates one or more of the VMs on its respective node 24 for possible infection. Typically, each agent 46 looks for a match between the attack characteristics in the attack footprint and events of data items found on its associated VMs.” (EN: identify one or more additional network threats introduced into the virtualized network environment based on the threat information); ¶ 0055- ¶ 0062).

Regarding claim 8, Zeitlin teaches all the features of claim 6, as outlined above.
Zeitlin further teaches:
wherein the threat information includes one or a combination of an identification of a type of threat of the network threat, an identification of a source of the at least a portion of the data traffic introducing the network threat into the virtualized network environment, a signature of the at least a portion of the data traffic, and an identification of characteristics of the at least a portion of the data traffic (¶ 0051- ¶ 0055, “Typically, processor 68 derives the investigation directives from attack footprint 80 received from honeypot 48. In some embodiments, processor 68 sends the raw attack footprint (EN: a signature of the at least a portion of the data traffic) as the investigation directives, without further processing. In other embodiments, processor 68 processes the footprint so as to produce the investigation directives.”).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was.


Claims 9-12 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zeitlin, in view of Lukas et al. (U.S. Pub. No. 2013/0219497 A1, referred to as Lukas).

Regarding claims 9 and 18, Zeitlin teaches all the features of claims 1 and 15, as outlined above.
Zeitlin does not explicitly disclose, however Lukas teaches:
matching the at least a portion of the data traffic introducing the network threat to a known network threat based on a signature of the at least a portion of the data traffic and a signature of the known network threat; and identifying the network threat in the at least a portion of the data traffic based on a matching of the at least a portion of the data traffic to the known network threat (Lukas: Fig. 1, Item 193; ¶ 0028, “NIDS 190 also includes attack signatures 193. These attack signatures 193 could be the same as prior art attack signatures, or could have additional or different information.” (EN: signature of the known network threat); Fig. 2, Steps 220- 260; ¶ 0029).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Zeitlin by Lukas and have a network intrusion detection system (NIDS) which works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems (Lukas: ¶ 0006).

Regarding claim 10, Zeitlin teaches all the features of claim 9, as outlined above.
Zeitlin does not explicitly disclose, however Lukas teaches:
wherein the known network threat and the signature of the known network threat are identified previously in one or more network environments (Lukas: Fig. 1, Item 193; ¶ 0028; Fig. 3; ¶ 0030).
Same motivation as claim 9.

Regarding claims 11 and 19, Zeitlin teaches all the features of claims 9 and 18, as outlined above.
Zeitlin does not explicitly disclose, however Lukas teaches:
wherein the at least a portion of the data traffic introducing the network threat is matched to the known network threat locally within the switch fabric based on one or more policies distributed to nodes within the switch fabric (Lukas: Fig. 1; Fig. 8; Fig. 9; ¶ 0028, “A NIDS 190 is also provided that has significantly enhanced features and capabilities when compared to the prior art NIDS 710 and 720 shown in FIGS. 7-9. NIDS 190 includes a DVE switch fabric interface 191 that allows the NIDS to communicate with the DVE switch fabric 1360 via the DVE information bridge 1370 to access the virtual view 1362 of the networked computer system, thereby providing to the NIDS 190 all details of all system in the network. NIDS 190 also includes a network topology/configuration 192, which is preferably derived from the virtual view 1362 provided by the DVE switch fabric 1360. NIDS 190 also includes attack signatures 193. These attack signatures 193 could be the same as prior art attack signatures, or could have additional or different information. Notification rules 194 are provided so a system administrator may be notified of a network intrusion.”; Fig. 2, Step 200; ¶ 0029, “The NIDS monitors network traffic (step 210). When the network traffic does not satisfy any attack signature (step 220=NO), method 200 loops back to step 210 and continues. When the network traffic satisfies one or more attack signatures (step 220=YES), the NIDS determines whether to notify the system administrator or whether to take automatic action.” (EN: matching is based at least on a policy)).
Same motivation as claim 9.

Regarding claim 12, Zeitlin teaches all the features of claim 11, as outlined above.
Zeitlin does not explicitly disclose, however Lukas teaches:
wherein the one or more policies include the signature of the known network threat (Lukas: Fig. 3, steps 310, 320; ¶ 0030, “Referring to FIG. 3, a method 300 shows the steps for configuring and maintaining the NIDS 190 shown in FIG. 1. The NIDS accesses the DVE information bridge to determine network topology and configuration for all networks in the fabric (step 310). This is done by accessing the virtual view 1362. The network administrator defines attack signatures for all networks in the fabric (step 320)”).
Same motivation as claim 9.

Allowable Subject Matter
Claims 7 and 13-14 would be allowable if they were rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The following is an examiner’s statement of reasons for identifying allowable subject matter.

The closest prior art made of record is Zeitlin et al. (U.S. Pub. No. 2016/0164894 A1, referred to as Zeitlin) and Lukas et al. (U.S. Pub. No. 2013/0219497 A1, referred to as Lukas).

Zeitlin discloses a method for securing a computer system which includes detecting a malware attack on a honeypot node, and, based on the detected malware attack, automatically generating investigation directives for verifying whether an endpoint of the computer system is subject to the malware attack. The investigation directives are distributed to one or more software agents that are each associated with one or more endpoints of the computer system. At least one infected endpoint in the computer system, which is subject to the malware attack, is identified by the software agents using the investigation directives.

Lukas discloses a network intrusion detection system (NIDS) that works in conjunction with a distributed virtual switch fabric to provide enhanced network intrusion detection in a way that does not require as much human intervention, autonomically adjusts to hardware changes in the network, and responds much more quickly than known network intrusion detection systems. The NIDS accesses network information from the distributed virtual switch fabric, which gives the NIDS access to a virtual view that includes hardware information for all networking devices in the network. This allows the NIDS to automatically determine network topology, update itself as hardware in the network is added or changed, and promptly take automated service actions in response to detected network intrusions.

However, regarding claim 7, the prior art of Zeitlin and Lukas, when taken in the context of the claim as a whole, does not disclose or suggest “wherein the first node in the switch fabric receives the at least a portion of the data traffic introducing the network threat as an ingress point for the switch fabric and locally identifies the network threat introduced through the at least a portion of the data traffic received at the first node.”

Regarding claim 13, the prior art of Zeitlin and Lukas, when taken in the context of the claim as a whole, does not disclose or suggest “identifying the network threat in the at least a portion of the data traffic based on inclusion of one or more characteristics of the at least a portion of the data traffic in a traffic exclusion list associated with the virtualized network environment, wherein the traffic exclusion list specifies one or more characteristics of traffic to refrain from transmitting through the virtualized network environment.”

Claim 14 depends on claim 13 and is consequently identified as allowable.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: See PTO-892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HASSAN SAADOUN whose telephone number is (571)272-8408. The examiner can normally be reached Mon-Fri 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HASSAN SAADOUN/Examiner, Art Unit 2435  

/JOSEPH P HIRL/Supervisory Patent Examiner, Art Unit 2435