DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
 2.	The Office action is in response to the patent application filed on September 7, 2020.  The application contains 11 claims.  Claims 1-11 are directed to a method, and a computer-readable storage media for controlling wi-fi traffic from network applications with centralized firewall rules implemented at the edge of a data communication network.  Claims 1-11 are pending. 

Claim Rejections - 35 USC § 103

3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1-11 are rejected under 35 U.S.C. 103 as being unpatentable over Kaushik et al. (U.S. 2016/0112903 A1), hereinafter “Kaushik”, in view of Lee et al. (U.S. 10,492,211 B2), hereinafter “Lee”, further in view of Mahabir et al. (U.S. 2017/0244740 A1), hereinafter “Mahabir”.
Referring to claims 1, 11:
	 	Kaushik teaches:
                      A computer-implemented method, in a Wi-Fi controller SDN controller on a data communication network, for improving computer network security by implementing security policies of a firewall device at a plurality of access points, the method comprising the steps of (see Kaushik, [0021] ‘The SDN controller 110 steers stations, … from a currently connected access point … using data plane rules’; [0026] ‘the SDN controller 110 and the Wi-Fi controller 120 are integrated into a single physical device.’; [0027] ‘The SDN controller 110 policies, … co-exist, … with policies of the Wi-Fi controller 120 and the access points’):
            receiving application data (intrusion detection system) on the data communication network and concerning applications executing on stations coupled to the plurality of access points (see Kaushik, [0022] ‘… that a traffic flow concerns video streaming for a certain application’);
            receiving firewall rules for applications from a firewall device coupled to the data communication network and providing firewall services to the plurality of access points, including outbound traffic from the plurality of access points (see Kaushik, [0020] ‘Additional network components can also be part of the system 100, such as firewalls, virus scanners, routers, switches, application servers, databases, and the like.’; [0021] ‘The SDN controller 110 steers stations, … from a currently connected access point … using data plane rules’; [0022] ‘policy-violating application’);
            parsing the firewall rules to expose configured actions for applications (see Kaushik, [0022] ‘… a traffic flow concerns a low priority or policy-violating application’);
            preparing a customized application control policy for each particular application for implementation by at least one of the plurality of access points, wherein the customized application policy concerns how the at least one access point prioritizes network traffic for DPI (deep packet inspection) for data packets for a specific application of a station based on the firewall rules and application data for the specific application (see Kaushik, [0022] ‘… a traffic flow concerns a low priority or policy-violating application’); and
             distributing customized application control policies to the plurality access points based on application traffic handled by each access point (see Kaushik, [0042] ‘Data plane rules directed at how packets concerning the station are handled by a preferred access point (or access points) are generated by the SDN and implemented at the currently preferred access point (step 650).’).
	Kaushik discloses or suggests the SDN controller implementing security policies of a firewall device at a plurality of access points (see Kaushik, [0021] ‘The SDN controller 110 steers stations, … from a currently connected access point … using data plane rules’).  However, Kaushik does not disclose a wi-fi controller implementing security policies of a firewall device at a plurality of access points.
	Kaushik further discloses the wi-fi controller (see Kaushik, [0026] ‘In one embodiment, the SDN controller 110 and the Wi-Fi controller 120 are integrated into a single physical device.’; [0027] ‘The SDN controller 110 policies, … co-exist, … with policies of the Wi-Fi controller 120 and the access points’).
	 It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Kaushik into the system of Kaushik to use a wi-fi controller for implementing security policies of a firewall device at a plurality of access points. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Kaushik’s teaching could enhance the system of Kaushik,  because Kaushik teaches “The SDN controller 110 policies, as implemented, can override, co-exist, or compete with policies of the Wi-Fi controller 120 and the access points 130A-N.” (see Kaushik, [0027]).
	Kaushik suggests the firewall rules (see Kaushik, [0020] ‘Additional network components can also be part of the system 100, such as firewalls, virus scanners, routers, switches, application servers, databases, and the like.’; [0021] ‘The SDN controller 110 steers stations, … from a currently connected access point … using data plane rules’).  However, Kaushik does not explicitly disclose the term firewall rules.
	Lee discloses the firewall rules (see Lee, col. 4, line 10, ‘firewall rules’).
	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lee into the system of Kaushik to implement the firewall rules. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Lee’s teaching could enhance the system of Kaushik,  because Lee teaches “Examples of network policies may include controlling the network activity, QoS, rate-limiting, firewall rules or other security policies to be applied during wireless data transmission.” (see Lee, col. 5, line 7).
 	However, Kaushik and Lee do not disclose IDS (intrusion detection system).
	Mahabir discloses the IDS (see Mahabir, [0047] ‘intrusion detection systems’).
	In addition, Mahabir further discloses the customized control policy for an application (see Mahabir, [0128] ‘These rules … can be calculated for each software application … based on its qualities, attributes or properties’).
	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Mahabir into the system of Kaushik to implement an IDS. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Mahabir’s teaching could enhance the system of Kaushik,  because Mahabir discloses “Current cybersecurity practices depend on detailed analysis and deployment of technology at the computer network level, to try and prevent unwanted intrusions.” (see Mahabir, [0044])
Referring to claim 2:
	 	Kaushik, Lee, and Mahabir further disclose:
		wherein the configured actions comprise one or more of monitor, block, and quarantine (see Kaushik, [0015] ‘monitoring data flows’. And, Mahabir, [0047] ‘monitor … block’; [0057] ‘quarantine’).
            It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Mahabir into the system of Kaushik to implement block, and quarantine. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Mahabir’s teaching could enhance the system of Kaushik,  because Mahabir discloses “Current cybersecurity practices depend on detailed analysis and deployment of technology at the computer network level, to try and prevent unwanted intrusions.” (see Mahabir, [0044])
Referring to claim 3:
	 	Kaushik, Lee, and Mahabir further disclose:
	receiving application information from an IPS (intrusion prevention system), the application information comprising at least one of application risk and application popularity (see Mahabir, [0006] ‘determining a software application risk assessment score’; [0044] ‘prevent unwanted intrusions’; [0047] ‘intrusion detection systems’).
            It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Mahabir into the system of Kaushik to implement an IPS, and use application risk. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Mahabir’s teaching could enhance the system of Kaushik,  because Mahabir discloses “Current cybersecurity practices depend on detailed analysis and deployment of technology at the computer network level, to try and prevent unwanted intrusions.” (see Mahabir, [0044])
Referring to claim 4:
	 	Kaushik, Lee, and Mahabir further disclose:
           wherein the access point applies the firewall rules against a data packet, and responsive to the firewall rules, drops the data packet before reaching the firewall device (see Kaushik, [0008] ‘e.g., drop, delay, or change priority of packets from station flow’).
 Referring to claim 5:
	 	Kaushik, Lee, and Mahabir further disclose:
	wherein the network applications is categorized as either high risk or low risk, wherein data packets from high risk applications are prioritized for processing over data packets from low risk applications (Kaushik, [0008] ‘e.g., drop, delay, or change priority of packets from station flow’. And, Mahabir, [0006] ‘determining a software application risk assessment score for the selected software application’; [0089] ‘classifications [i.e., categorizing ]’; [0090] ‘categorize’).
	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Mahabir into the system of Kaushik to categorize applications, and prioritize packets based on the prioritized applications. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Mahabir’s teaching could enhance the system of Kaushik,  because Mahabir discloses “Measurement of risk can be facilitated by understanding the applications that support specific organizational functions.” (see Mahabir, [0059]) 
Referring to claim 6:
	 	Kaushik, Lee, and Mahabir further disclose:
	updating the firewall rules for applications and updating custom application control polices that are affected (see Kaushik, [0020] ‘firewalls’; [0021] ‘rules’; [0035] ‘Periodic updates’).
Referring to claim 7:
	 	Kaushik, Lee, and Mahabir further disclose:
	providing less AirTime in a packet prioritization scheme for high risk applications relative to low risk applications (see Lee, col. 2, line 3 ‘Airtime with the wireless access point can be divided into time windows’. And, Mahabir, [0006] ‘determining a software application risk assessment score for the selected software application’).	
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Lee into the system of Kaushik to provide airtime based on application risk level. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Lee’s teaching could enhance the system of Kaushik,  because Lee discloses “The inputs can be factors used by the network controller 102 to determine how airtime and network policies are allocated.” (see Lee, col. 6, line 21)
Referring to claim 8:
	 	Kaushik, Lee, and Mahabir further disclose:
	dropping one or more packets at the access point based on firewall rules (see Kaushik, [0008] ‘rules’; [0020] ‘… access points … firewalls’; [0027] ‘packets …dropped’)
Referring to claim 9:
	 	Kaushik, Lee, and Mahabir further disclose:
	           dropping one or more packets at the Wi-Fi controller based on firewall rules (see Kaushik, [0008] ‘rules’; [0020] ‘… access points … wi-fi controller 120 … firewalls’; [0027] ‘packets …dropped’).
Referring to claim 10:
	 	Kaushik, Lee, and Mahabir further disclose:
	dropping one or more packets based on an application generating the traffic (see Kaushik, [0008] ‘rules’; [0020] ‘… access points … wi-fi controller 120 … firewalls’; [0027] ‘packets …dropped’. And, Mahabir, [0006] ‘determining a software application risk assessment score for the selected software application’; [0089] ‘classifications [i.e., categorizing ]’; [0090] ‘categorize’).
	It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Mahabir into the system of Kaushik to categorize applications, and drop packets based on the prioritized applications. Kaushik teaches "The invention relates generally to wireless computer networking, and more specifically, to self-provisioning a wireless communication network with a centralized data plane for access points.” (see Kaushik, [0001]).  Therefore, Mahabir’s teaching could enhance the system of Kaushik, because Mahabir discloses “Measurement of risk can be facilitated by understanding the applications that support specific organizational functions.” (see Mahabir, [0059])  

Conclusion

5.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Price; Michael et al. (US 11394722 B2) disclose Social media rule engine;
(b)	Marwah; Manish et al. (US 11244043 B2) disclose Aggregating anomaly scores from anomaly detectors;
(c)	Raghuramu; Arun et al. (US 20200322369 A1) disclose NETWORK PORTION RISK ASSESSMENT;
(d)	Syme; Philip et al. (US 10581883 B1) disclose In-transit visual content analysis for selective message transfer;
(e)	Mermoud; Grégory et al. (US 10320825 B2) disclose Fingerprint merging and risk level evaluation for network anomaly detection;
(f)	Foster; James et al. (US 20190124109 A1) disclose AUTOMATED SOCIAL ACCOUNT REMOVAL;
(g)	Cullison; Christopher B. et al. (US 20190036960 A1) disclose ORGANIZATIONAL SOCIAL THREAT REPORTING.

 	6.       Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
          If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                             



/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492