Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the original filing of November 11, 2020 and the examiner-initiated interview of July 5, 2022.  Claims 1-21 are pending and have been considered below.

Priority
15930412, filed 05/12/2020, is a continuation of 15841542, filed 12/14/2017, now U.S. Patent #10701090; 15841542 is a division of 14474916, filed 09/02/2014, now U.S. Patent #9882919 and having 1 RCE-type filing therein; 14474916 claims priority from Provisional Application 61899468, filed 11/04/2013; 14474916 is a continuation in part of 14249128, filed 04/09/2014, now U.S. Patent #9882783 and having 1 RCE-type filing therein; 14249128 claims priority from Provisional Application 61810480, filed 04/10/2013; 14249128 claims priority from Provisional Application 61899468, filed 11/04/2013; 14474916 is a continuation in part of 14249145, filed 04/09/2014, now U.S. Patent #9942102; 14249145 claims priority from Provisional Application 61810480, filed 04/10/2013; 14249145 claims priority from Provisional Application 61899468, filed 11/04/2013.

Drawings
The drawings filed on 05/12/2020 are accepted.

Specification
The specification filed on 05/12/2020 is accepted.

Status of Claims
The following claims have been amended, cancelled or added via examiner's amendment: claims 2-8, 11-16 and 20 have been amended; claims 1, 9, 10, 18 and 19 have been cancelled; claims 22-25 have been added.  Claims 2-8, 11-17 and 20-25 are pending and have been considered below.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 09/23/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
Claims 2-8, 11-17 and 20-25 are allowed. 

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. John Kind, Reg. No. 70670 on 07/01/2022. An agreement was made on 07/05/2022.   

PLEASE AMEND THE CLAIMS AS FOLLOWS: 
1. 	(Canceled)
2.	(Currently Amended)  A method for enforcing a segmentation policy, the method comprising:
receiving, by a management module, initial management instructions for controlling connections with a managed server, wherein the management instructions include initial function-level instructions and initial actor-sets, wherein the initial function-level instructions whitelist a set of permitted connections identified by a label set for providers or users of the service, the initial function-level instructions each specifying a service of the managed server associated with the permitted connections by a port/protocol pair, and wherein the initial actor-sets each identify actors having the label sets for the providers or the users of the service specified in the initial function-level instructions;
configuring a rule set of a management module to whitelist connections associated with the specified service and block connections with the managed server that are not whitelisted by the management instructions;  and
applying the rule set of the management module to traffic to or from the managed server to block connection requests that are not whitelisted by the management instructions.
3.	(Currently Amended) The method of claim [[1]] 2, further comprising:
responsive to blocking a connection request, sending, by the management module, a notification to a global manager.
4.	(Currently Amended) The method of claim 3, further comprising: 
receiving, from the global manager responsive to the notification, an instruction to quarantine the managed server; and
configuring the management module in a self-quarantine mode in which all outbound traffic from the management module is blocked and only inbound traffic allowed by the management instructions is permitted.  
5.	(Currently Amended) The method of claim 4, further comprising:
receiving, from the global manager, an instruction to unquarantine the managed server; and
configuring the management module to exit the self-quarantine mode and to enable outbound traffic permitted by the management instructions. 
6.	(Currently Amended) The method of claim [[1]] 2, further comprising:
receiving updated actor-sets; and
reconfiguring the rule set of the management module based on the updated actor-sets.  
7.	(Currently Amended) The method of claim [[1]] 2, further comprising:
receiving updated function-level instructions; and
reconfiguring the rule set of the management module based on the updated function-level instructions.
8.	(Currently Amended) The method of claim [[1]] 2, wherein the management module executes on the managed server. 
9.	(Canceled)
10.	(Canceled)
11.	(Currently Amended)  A non-transitory computer-readable storage medium storing instructions for enforcing a segmentation policy, the instructions when executed by a processor causing the processor to perform steps including:
receiving, by a management module, initial management instructions for controlling connections with a managed server, wherein the management instructions include initial function-level instructions and initial actor-sets, wherein the initial function-level instructions whitelist a set of permitted connections identified by a label set for providers or users of the service, the initial function-level instructions each specifying a service of the managed server associated with the permitted connections by a port/protocol pair, and wherein the initial actor-sets each identify actors having the label sets for the providers or the users of the service specified in the initial function-level instructions;
configuring a rule set of a management module to whitelist connections associated with the specified service and block connections with the managed server that are not whitelisted by the management instructions;  and
applying the rule set of the management module to traffic to or from the managed server to block connection requests that are not whitelisted by the management instructions.
12.	(Currently Amended) The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed further cause the processor to perform steps including:
responsive to blocking a connection request, sending, by the management module, a notification to a global manager.
13.	(Currently Amended) The non-transitory computer-readable storage medium of claim 12, wherein the instructions when executed further cause the processor to perform steps including: 
receiving, from the global manager responsive to the notification, an instruction to quarantine the managed server; and
configuring the management module in a self-quarantine mode in which all outbound traffic from the management module is blocked and only inbound traffic allowed by the management instructions is permitted.  
14.	(Currently Amended) The non-transitory computer-readable storage medium of claim 13, wherein the instructions when executed further cause the processor to perform steps including:
receiving, from the global manager, an instruction to unquarantine the managed server; and
configuring the management module to exit the self-quarantine mode and to enable outbound traffic permitted by the management instructions. 
15.	(Currently Amended) The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed further cause the processor to perform steps including:
receiving updated actor-sets; and
reconfiguring the rule set of the management module based on the updated actor-sets.  
16.	(Currently Amended) The non-transitory computer-readable storage medium of claim 11, wherein the instructions when executed further cause the processor to perform steps including:
receiving updated function-level instructions; and
reconfiguring the rule set of the management module based on the updated function-level instructions.
17.	(Previously Presented) The non-transitory computer-readable storage medium of claim 11, wherein the management module executes on the managed server. 
18.	(Canceled)
19.	(Canceled)
20.	(Currently Amended)  A computer system comprising:
a processor; and 
a non-transitory computer-readable storage medium storing instructions for enforcing a segmentation policy, the instructions when executed by the processor causing the processor to perform steps including:
receiving, by a management module, initial management instructions for controlling connections with a managed server, wherein the management instructions include initial function-level instructions and initial actor-sets, wherein the initial function-level instructions whitelist a set of permitted connections identified by a label set for providers or users of the service, the initial function-level instructions each specifying a service of the managed server associated with the permitted connections by a port/protocol pair, and wherein the initial actor-sets each identify actors having the label sets for the providers or the users of the service specified in the initial function-level instructions;
configuring a rule set of a management module to whitelist connections associated with the specified service and block connections with the managed server that are not whitelisted by the management instructions; and
applying the rule set of the management module to traffic to or from the managed server to block connection requests that are not whitelisted by the management instructions.
21.	(Previously Presented) The computer system of claim 20, wherein the instructions when executed further cause the processor to perform steps including:
responsive to blocking a connection request, sending, by the management module, a notification to a global manager.
22.	(New) The computer system of claim 21, wherein the instructions when executed further cause the processor to perform steps including: 
receiving, from the global manager responsive to the notification, an instruction to quarantine the managed server; and
configuring the management module in a self-quarantine mode in which all outbound traffic from the management module is blocked and only inbound traffic allowed by the management instructions is permitted.  
23.	(New) The computer system of claim 22, wherein the instructions when executed further cause the processor to perform steps including:
receiving, from the global manager, an instruction to unquarantine the managed server; and
configuring the management module to exit the self-quarantine mode and to enable outbound traffic permitted by the management instructions. 
24.	(New) The computer system of claim 20, wherein the instructions when executed further cause the processor to perform steps including:
receiving updated actor-sets; and
reconfiguring the rule set of the management module based on the updated actor-sets.  
25.	(New) The computer system of claim 20, wherein the instructions when executed further cause the processor to perform steps including:
receiving updated function-level instructions; and
reconfiguring the rule set of the management module based on the updated function-level instructions.
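The independent claims and their dependents recite a workflow (compile label-based instructions into a whitelist, enforce it, notify, quarantine, recompile on update) rather than any particular code. The model below is added here to make that workflow concrete; it is not the applicant's implementation and nothing in the record describes its internals. The class and method names, the "key=value" label syntax, the sample IP addresses and the service definitions are all constructed assumptions. The management module is placed on the managed server itself (claim 8), so a connection's direction is derived from whether the server is its destination.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

LabelSet = FrozenSet[str]  # e.g. frozenset({"role=db", "env=prod"}); label syntax is assumed


@dataclass(frozen=True)
class FunctionLevelInstruction:
    """Actors with user_labels may reach actors with provider_labels on port/protocol."""
    provider_labels: LabelSet
    user_labels: LabelSet
    port: int
    protocol: str


@dataclass
class ManagementInstructions:
    function_level: List[FunctionLevelInstruction]
    actor_sets: Dict[LabelSet, Set[str]]  # label set -> IPs of the actors carrying it


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    port: int
    protocol: str


class ManagementModule:
    """Hypothetical enforcement point running on the managed server itself (claim 8)."""
    def __init__(self, server_ip: str, server_labels: LabelSet,
                 instructions: ManagementInstructions) -> None:
        self.server_ip, self.server_labels, self.instructions = server_ip, server_labels, instructions
        self.quarantined = False
        self.notifications: List[str] = []  # messages that would go to the global manager
        self.configure()

    def configure(self) -> None:
        """Compile the whitelist; any connection absent from self.rules is blocked."""
        rules: Set[Tuple[str, str, int, str]] = set()  # (direction, peer_ip, port, protocol)
        for fli in self.instructions.function_level:
            if fli.provider_labels <= self.server_labels:  # this server provides the service
                for peer in self.instructions.actor_sets.get(fli.user_labels, set()):
                    rules.add(("inbound", peer, fli.port, fli.protocol))
            if fli.user_labels <= self.server_labels:      # this server uses the service
                for peer in self.instructions.actor_sets.get(fli.provider_labels, set()):
                    rules.add(("outbound", peer, fli.port, fli.protocol))
        self.rules = rules

    def apply(self, conn: Connection) -> bool:
        """Return True if whitelisted; otherwise block and record a notification (claims 2-3)."""
        inbound = conn.dst_ip == self.server_ip
        direction, peer = ("inbound", conn.src_ip) if inbound else ("outbound", conn.dst_ip)
        whitelisted = (direction, peer, conn.port, conn.protocol) in self.rules
        quarantine_hit = self.quarantined and direction == "outbound"  # all outbound dropped
        if whitelisted and not quarantine_hit:
            return True
        reason = "self-quarantine" if quarantine_hit else "not whitelisted"
        self.notifications.append(f"{self.server_ip}: blocked {direction} {peer} "
                                  f"{conn.port}/{conn.protocol} ({reason})")
        return False

    def set_quarantined(self, on: bool) -> None:  # claims 4 and 5: ordered by the global manager
        self.quarantined = on

    def update(self, actor_sets: Optional[Dict[LabelSet, Set[str]]] = None,
               function_level: Optional[List[FunctionLevelInstruction]] = None) -> None:
        """Claims 6 and 7: updated actor-sets or function-level instructions recompile the rules."""
        if actor_sets is not None:
            self.instructions.actor_sets = actor_sets
        if function_level is not None:
            self.instructions.function_level = function_level
        self.configure()


def demo() -> Dict[str, bool]:
    """Walk the claimed steps on constructed sample data and return each verdict."""
    web, db, backup = frozenset({"role=web"}), frozenset({"role=db"}), frozenset({"role=backup"})
    policy = ManagementInstructions(
        [FunctionLevelInstruction(db, web, 5432, "tcp"), FunctionLevelInstruction(backup, db, 873, "tcp")],
        {web: {"10.0.1.10"}, db: {"10.0.2.20"}, backup: {"10.0.3.30"}})
    mm = ManagementModule("10.0.2.20", db, policy)
    inbound = lambda src, port: Connection(src, "10.0.2.20", port, "tcp")
    outbound = lambda dst, port: Connection("10.0.2.20", dst, port, "tcp")
    v = {}
    v["web_to_db"] = mm.apply(inbound("10.0.1.10", 5432))          # whitelisted service
    v["rogue_to_db"] = mm.apply(inbound("10.0.9.99", 5432))        # blocked, notification queued
    v["db_to_backup"] = mm.apply(outbound("10.0.3.30", 873))
    mm.set_quarantined(True)                                       # global manager's response
    v["backup_in_quarantine"] = mm.apply(outbound("10.0.3.30", 873))
    v["web_in_quarantine"] = mm.apply(inbound("10.0.1.10", 5432))  # whitelisted inbound survives
    mm.set_quarantined(False)
    v["backup_after_release"] = mm.apply(outbound("10.0.3.30", 873))
    v["new_web_before_update"] = mm.apply(inbound("10.0.1.11", 5432))
    mm.update(actor_sets={web: {"10.0.1.10", "10.0.1.11"}, db: {"10.0.2.20"}, backup: {"10.0.3.30"}})
    v["new_web_after_update"] = mm.apply(inbound("10.0.1.11", 5432))
    mm.update(function_level=policy.function_level[:1])            # backup service withdrawn
    v["backup_after_fl_update"] = mm.apply(outbound("10.0.3.30", 873))
    return v
```

The point the model makes explicit is the default-deny posture of the claims: `configure` never emits a block rule, because everything not compiled into `rules` is blocked by `apply`, and a self-quarantine overrides even whitelisted outbound entries while leaving whitelisted inbound untouched. Recompiling from the full instruction set on every update, rather than patching individual rules, keeps the rule set a pure function of the current labels and actor-sets.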

Examiner's Statement of Reasons for Allowance
The following is a statement of reasons for the indication of allowable subject matter:  
Regarding Claims 2, 11 and 20:
Jayanthi et al., U.S. 2013/0097708 A1, is directed toward a method that includes receiving a signal to enable a whitelist mode on a host in a network, terminating a process executing on the host if the process is not verified, and blocking execution of software objects on the host if the software objects are not represented on the whitelist. In more particular embodiments, the method also includes identifying the process on a process list that enumerates one or more processes executing on the host. Yet further embodiments include quarantining the host if a second process on the process list is a critical process and is not verified. More specific embodiments include identifying and restarting another process on the process list if process memory was modified.
Morley et al., U.S. 8,095,961 B1, teaches a method for quarantining a node from other nodes in a network. A node is scanned to obtain a health posture of the node by determining whether the node is compliant with one or more requirements. A current policy in accordance with the obtained health posture of the node is obtained, and a previous policy is removed. If the node is determined to be non-compliant, a key that is unique to the non-compliant node is selected. The current policy is applied.
Wong, U.S. 2003/0084101 A1, is directed toward a system for the distribution of electronic documents and information to multiple participants in a project-hosting web site using a multiple-account, multiple-administrator platform, such that each participant can distribute its files and/or data to all other participants or selectively to selected participants. Each participant is provided with an individual platform which is linked to all other platforms on the server, which is self-administered by each participant, and which exists as a component of the project workspace. By maintaining a discrete and secure platform, each participant receives its own individual copy of the electronic files and/or data for document management, archival and internal circulation.
Levy-Yrista et al., U.S. 9,742,773 B2, teaches that signals from an unidentified device at a location related to a communications network are correlated with identification patterns of managed devices to identify whether or not the unidentified device corresponds to a managed or unmanaged device in the communications network. Both managed and unmanaged devices can be tracked, and network interaction can be managed for devices that are identified as managed devices.
Rathor, U.S. 9,124,636, is drawn toward a network device that may store health status information specifying a current security status for each of a plurality of authenticated endpoint devices in accordance with an authorization data model. The network device may update the current security status of each of at least two of the plurality of authenticated endpoint devices connected to an enterprise network to indicate that each of the at least two of the plurality of authenticated endpoint devices has a compromised security status, and identify a characteristic common to both of the authenticated endpoint devices having the compromised security status. The network device may interface with one or more policy enforcement devices to quarantine a set of endpoint devices associated with the identified characteristic. The current security status of at least one of the quarantined endpoint devices may indicate that the quarantined endpoint device does not have a compromised security status.
Phillippe et al., U.S. 2011/0060823 A1, teaches a system and method for generating and tracking health diagnoses of devices connected to a computer network via a statement of health provided by each device. The system monitors the health of devices on the network and attempts to engage the operator of undiagnosed devices in order to provide a diagnosis. Undiagnosed devices are quarantined to restrict their access to network resources. For example, access requests from quarantined devices to certain Web services may be intercepted and the device redirected to a page informing the operator of the need to provide a health diagnosis by installing or activating a compatible system health agent.
Manring et al., U.S. 2009/0217346 A1, teaches improved capabilities for the computer program product steps of serving a limited network connection to an endpoint computing facility via network device access control lists, where the limited network connection may enable the endpoint to communicate with a limited set of network resources; assessing security compliance information relating to the endpoint to determine a security state; and, in response to receiving an indication that the security compliance information is acceptable, serving a managed network connection to the endpoint, where the managed connection may enable the endpoint to communicate with a larger set of network resources than the limited network connection.
The prior art of record, either alone or in combination, does not describe or suggest all elements of independent claims 2, 11 and 20 as amended. In particular, the cited references do not describe or suggest receiving, by a management module, initial management instructions for controlling connections with a managed server, wherein the management instructions include initial function-level instructions and initial actor-sets, wherein the initial function-level instructions whitelist a set of permitted connections identified by a label set for providers or users of the service, the initial function-level instructions each specifying a service of the managed server associated with the permitted connections by a port/protocol pair, and wherein the initial actor-sets each identify actors having the label sets for the providers or the users of the service specified in the initial function-level instructions; and configuring a rule set of a management module to whitelist connections associated with the specified service and block connections with the managed server that are not whitelisted by the management instructions, in combination with all the elements of the independent claims.
The above prior art references of record do not teach or render obvious the limitations recited in independent claims 2, 11 and 20 as presented.
Regarding claims 3-8, 12-17 and 21-25, the claims are allowable based at least on their depending from an allowable claim.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, SHEWAYE GELAGAY, can be reached at 571-272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Friday, July 15, 2022

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436