Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.	This action is responsive to the communication filed on 1/25/2021.
Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 1/25/2021 was filed after the mailing date of the instant application. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s).  See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
4.	Claims 1-4, 8-12, 14, and 16-19 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-5, 10-11, 13-14, and 19, respectively, of U.S. Patent No. 10,911,495. Although the conflicting claims are not identical, they are not patentably distinct from each other because all limitations recited in claims 1-4, 8-12, 14, and 16-19 of the instant application are encompassed by limitations recited in claims 1-5, 10-11, 13-14, and 19 of the patent US 10,911,495, respectively (see table below).


Instant Application 17/157,957


Patent No. US 10,911,495


Claim 1:  

A system comprising:
one or more processors; and at least one non-transitory computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to: 

create a security compliance requirement for a network, the security compliance requirement comprising group selectors, a traffic selector, and a communication operator, wherein the group selectors represent sets of groups, wherein the traffic selector identifies traffic associated with one or more traffic parameters, and wherein the communication operator defines a condition for traffic associated with the group selectors and the traffic selector; determine that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts; for each pair of groups, 














create a first respective data structure representing the pair of groups, the communication operator, and the traffic selector; 






create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the one of the different network contexts; determine whether the first respective data structure is contained in the second respective data structure to yield a containment check; 


Claim 2:
determine that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups; and based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, create a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with one of the different network contexts

Claim 3:
wherein determining whether the first respective data structure is contained in the second respective data structure comprises determining whether the first respective data structure is contained in both the second respective data structure and the third respective data structure.




determine, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement.



Claim 4:
 

The system of claim 3, wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.





Claim 11:


A method comprising: 

creating a security compliance requirement for a network, the security compliance requirement comprising group selectors, a traffic selector, and a communication operator, wherein the group selectors represent sets of groups, wherein the traffic selector identifies traffic associated with one or more traffic parameters, and wherein the communication operator defines a condition for traffic associated with the group selectors and the traffic selector; 

determining that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts; for each pair of groups, 


creating a first respective data structure representing the pair of groups, the communication operator, and the traffic selector;

Claim 12:
determining that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups; and based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, 



the first portion of the logical model containing policies associated with the one of the different network contexts; and 
















determining whether the first respective data structure is contained in the second respective data structure to yield a containment check;










Creating a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with one of the different network contexts


determining, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement.







Claim 14:
 

The method of claim 13, wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.









Claim 17:


The method of claim 13, wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: compare one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determine whether a state of the network complies with the security compliance requirement.


Claim 9:



wherein determining whether a state of the network complies with the security compliance requirement comprises determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.


Claim 10:

The system of claim 1, wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: 

generate one or more compliance assurance events indicating that one or more of the policies satisfy, violate, or do not apply the security compliance requirement; and present at least one of: a first indication that the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated, or not applied; 






and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category, and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected, and a policy object affected.



Claim 11:

A method comprising: 

creating a security compliance requirement for a network, the security compliance requirement comprising group selectors, a traffic selector, and a communication operator, wherein the group selectors represent sets of groups, wherein the traffic selector identifies traffic associated with one or more traffic parameters, and wherein the communication operator defines a condition for traffic associated with the group selectors and the traffic selector; 







determining that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts; for each pair of groups, 









creating a first respective data structure representing the pair of groups, the communication operator, and the traffic selector; 







the first portion of the logical model containing policies associated with the one of the different network contexts; determining whether the first respective data structure is contained in the second respective data structure to yield a containment check; and 






creating a second respective data structure representing a first portion of a logical model of the network, 

12. The method of claim 11, further comprising: determining that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups; and based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, 

creating a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with one of the different network contexts.







determining, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement.


14. The method of claim 13, wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.


17. The method of claim 11, further comprising: comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.

18. The method of claim 11, further comprising: generating one or more compliance assurance events indicating that one or more of the policies satisfy, violate, or do not apply the security compliance requirement; and presenting at least one of: a first indication that the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated, or not applied; 




and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category, and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected, and a policy object affected.




16. The method of claim 11, wherein the first respective data structure and the second respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.


17. The method of claim 11, further comprising: comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.


Claim 19:

At least one non-transitory computer-readable storage medium having stored therein instructions which, when executed by one or more processors, cause the one or more processors to: 

create a security compliance requirement for a network, the security compliance requirement comprising group selectors, a traffic selector, and a communication operator, wherein the group selectors represent sets of groups, wherein the traffic selector identifies traffic associated with one or more traffic parameters, and wherein the communication operator defines a condition for traffic associated with the group selectors and the traffic selector; 




determine that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts; for each pair of groups, 









create a first respective data structure representing the pair of groups, the communication operator, and the traffic selector; 





create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the one of the different network contexts; determine whether the first respective data structure is contained in the second respective data structure to yield a containment check; 

















and determine, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement.



Claim 10:  

A system comprising: 
one or more processors; and at least one non-transitory computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the system to: 

create a security compliance requirement for a network, the security compliance requirement comprising endpoint group (EPG) selectors, a traffic selector, and a communication operator, wherein the EPG selectors represent sets of EPGs, wherein the traffic selector comprises traffic parameters identifying traffic corresponding to the traffic selector, and wherein the communication operator defines a communication condition for traffic associated with the EPG selectors and the traffic selector; based on a plurality of distinct pairs of EPGs from the sets of EPGs, determine that respective EPGs in one or more distinct pairs of EPGs are associated with different network contexts in the network, 

each of the plurality of distinct pairs of EPGs comprising respective EPGs from the EPG selectors; 

determine, for each of the one or more distinct pairs of EPGs, which of the different network contexts contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs; for each distinct pair of EPGs, 


create a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; 


when only a first one of the different network contexts is determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: 

create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the first one of the different network contexts; and determine whether the first respective data structure is contained in the second respective data structure to yield a first containment check; 



when both of the different network contexts are determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: create the second respective data structure representing the first portion of the logical model and a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with a second one of the different network contexts; 




and determine whether the first respective data structure is contained in at least one of the second respective data structure and the third respective data structure 




to yield a second containment check; and 

determine whether policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement based on at least one of the first containment check and the second containment check.

Claim 11:

The system of claim 10, wherein the first respective data structure and at least one of the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors, and wherein the different network contexts comprise at least one of virtual routing and forwarding (VRF) instances, private networks, and network domains.

Claim 1:
A method comprising: 

creating a security compliance requirement for a network, the security compliance requirement comprising endpoint group (EPG) selectors, a traffic selector, and a communication operator, wherein the EPG selectors represent sets of EPGs, wherein the traffic selector comprises traffic parameters identifying traffic corresponding to the traffic selector, and wherein the communication operator defines a communication condition for traffic associated with the EPG selectors and the traffic selector; 

based on a plurality of distinct pairs of EPGs from the sets of EPGs, 

determining that respective EPGs in one or more distinct pairs of EPGs are associated with different network contexts in the network, each of the plurality of distinct pairs of EPGs comprising respective EPGs from the first EPG selectors; 


.determining, for each of the one or more distinct pairs of EPGs, which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs; for each distinct pair of EPGs, 


creating a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; 




when only a first one of the different network contexts is determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: 




creating a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the first one of the different network contexts; and 

determining whether the first respective data structure is contained in the second respective data structure to yield a first containment check; 

when both of the different network contexts are determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: 

creating the second respective data structure representing the first portion of the logical model and 

a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with a second one of the different network contexts; and 

determining whether the first respective data structure is contained in at least one of the second respective data structure and the third respective data structure to yield a second containment check; and determining whether policies for traffic between respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement based on at least one of the first containment check and the second containment check.
Claim 2:

The mehod of claim 1, wherein the first respective data structure and at least one of the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors, 

and wherein the different network contexts comprise at least one of virtual routing and forwarding (VRF) instances, private networks, and network domains.

Claim 2:

The method of claim 1, wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to determine whether a state of the network complies with the security compliance requirement by: comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, 



Claim 14 (cont):



determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.

Claim 13:

The system of claim 12, wherein the generating of the one or more compliance assurance events comprises presenting a compliance result comprising at least one of: 


a first indication indicating whether the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated, or not applied, wherein the second indication identifies at least one of a set of policy objects and one or more policies, 



the set of policy objects comprising at least one of a consumer EPG, a provider EPG, a contract, a filter, a tenant, a virtual routing and forwarding (VRF) object, a network context, and an application profile; 

and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category, and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected, and a policy object affected.


Claim 1:

A method comprising: 

creating a security compliance requirement for a network, the security compliance requirement comprising endpoint group (EPG) selectors, a traffic selector, and a communication operator, wherein the EPG selectors represent sets of EPGs, wherein the traffic selector comprises traffic parameters identifying traffic corresponding to the traffic selector, and 



wherein the communication operator defines a communication condition for traffic associated with the EPG selectors and the traffic selector; based on a plurality of distinct pairs of EPGs from the sets of EPGs, 

determining that respective EPGs in one or more distinct pairs of EPGs are associated with different network contexts in the network, each of the plurality of distinct pairs of EPGs comprising respective EPGs from the first EPG selectors; 

determining, for each of the one or more distinct pairs of EPGs, which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs; for each distinct pair of EPGs, 

creating a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector; 

when only a first one of the different network contexts is determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: creating a second respective data structure representing a first portion of a logical model of the network, 

the first portion of the logical model containing policies associated with the first one of the different network contexts; and determining whether the first respective data structure is contained in the second respective data structure to yield a first containment check; 

when both of the different network contexts are determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: 

creating the second respective data structure representing the first portion of the logical model and 










a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with a second one of the different network contexts; 

and determining whether the first respective data structure is contained in at least one of the second respective data structure and the third respective data structure to yield a second containment check; and 

determining whether policies for traffic between respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement based on at least one of the first containment check and the second containment check.

2. The method of claim 1, wherein the first respective data structure and at least one of the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors, and wherein the different network contexts comprise at least one of virtual routing and forwarding (VRF) instances, private networks, and network domains.


3. The method of claim 1, wherein determining whether policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement comprises determining whether one or more of the policies satisfy, violate, or apply the security compliance requirement, the method further comprising: generating one or more compliance assurance events indicating whether the policies comply with the security compliance requirement.


4.The method of claim 3, wherein generating the one or more compliance assurance events comprises presenting a compliance result comprising at least one of: a first indication indicating whether the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated, or not applied, wherein the second indication identifies at least one of a set of policy objects and one or more policies, 


the set of policy objects comprising at least one of a consumer EPG, a provider EPG, a contract, a filter, a tenant, a virtual routing and forwarding (VRF) object, a network context, and an application profile; 

and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category, and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected, and a policy object affected.

5. The method of claim 1, further comprising determining whether a state of the network complies with the security compliance requirement by: comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; 







and based on the comparing, determining whether the hardware policy entries configured on the network devices in the network satisfy, violate, or apply the security compliance requirement.

Claim 19:


A non-transitory computer-readable storage medium comprising: instructions stored therein which, when executed by one or more processors, cause the one or more processors to: 

create a security compliance requirement for a network, the security compliance requirement comprising endpoint group (EPG) selectors, a traffic selector, and a communication operator, wherein the EPG selectors represent sets of EPGs, wherein the traffic selector comprises traffic parameters identifying traffic corresponding to the traffic selector, and wherein the communication operator defines a communication condition for traffic associated with the EPG selectors and the traffic selector;
based on a plurality of distinct pairs of EPGs from the sets of EPGs, determine that respective EPGs in one or more distinct pairs of EPGs are associated with different network contexts in the network, each of the plurality of distinct pairs of EPGs comprising respective EPGs from the EPG selectors;
determine, for each of the one or more distinct pairs of EPGs, which of the different network contexts contains policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs;
for each distinct pair of EPGs, create a first respective data structure representing the distinct pair of EPGs, the communication operator, and the traffic selector;
when only a first one of the different network contexts is determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the first one of the different network contexts; and determine whether the first respective data structure is contained in the second respective data structure to yield a first containment check; and
when both of the different network contexts are determined to contain policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs: create the second respective data structure representing the first portion of the logical model and a third respective data structure representing a second portion of the logical model, the second portion of the logical model containing policies associated with a second one of the different network contexts; and determine whether the first respective data structure is contained in at least one of the second respective data structure and the third respective data structure to yield a second containment check; and
determine whether policies for traffic between the respective EPGs in the one or more distinct pairs of EPGs comply with the security compliance requirement based on at least one of the first containment check and the second containment check.
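The two-context containment procedure recited in the claim above, as an added example that is not code from the office action or from the Nicol or Sen references. Flow spaces are encoded as n-bit vectors (Python ints used as bitmasks over (protocol, port)), one of the representations the claims name; the class names, the default-deny treatment of a pair with no policy, and the sample VRFs and EPGs are all constructed assumptions.

```python
"""Containment checks for the claimed cross-context compliance procedure."""
from dataclasses import dataclass, field
from itertools import product

PROTOS = {"tcp": 0, "udp": 1}
PORTS = 65536
UNIVERSE = (1 << (len(PROTOS) * PORTS)) - 1  # every (proto, port) bit set


def flow_bits(proto: str, ports) -> int:
    """Traffic selector as an n-bit vector: one bit per (proto, port)."""
    base = PROTOS[proto] * PORTS
    bits = 0
    for port in ports:
        bits |= 1 << (base + port)
    return bits


def contained(first: int, second: int) -> bool:
    """Containment check: every flow in `first` is also in `second`."""
    return (first & ~second) == 0


@dataclass
class Requirement:
    """EPG selectors, traffic selector and communication operator (constructed)."""
    src_epgs: frozenset
    dst_epgs: frozenset
    traffic: int          # bit vector from flow_bits()
    operator: str         # "must_allow" or "must_deny"


@dataclass
class Context:
    """A network context (e.g. a VRF) with the EPGs it owns and its allow policies."""
    name: str
    epgs: frozenset
    allow: dict = field(default_factory=dict)  # (src, dst) -> allowed flow bits

    def model(self, pair, operator) -> int:
        """Portion of the logical model for `pair`: the allowed flows for
        must_allow, their complement for must_deny (the requirement's
        traffic must sit inside whichever one applies)."""
        allowed = self.allow.get(pair, 0)  # assumption: default deny
        return allowed if operator == "must_allow" else UNIVERSE & ~allowed


def check_pair(pair, req: Requirement, contexts):
    """Apply the one-context / two-context branches to a single EPG pair."""
    src_ctx = next(c for c in contexts if pair[0] in c.epgs)
    dst_ctx = next(c for c in contexts if pair[1] in c.epgs)
    if src_ctx is dst_ctx:
        return {"pair": pair, "check": "same_context", "compliant": None}
    holders = [c for c in (src_ctx, dst_ctx) if pair in c.allow]
    if len(holders) <= 1:
        # first containment check: one context (or default deny) is the model
        ctx = holders[0] if holders else src_ctx
        ok = contained(req.traffic, ctx.model(pair, req.operator))
        return {"pair": pair, "check": "first",
                "contexts": [ctx.name], "compliant": ok}
    # second containment check: contained in at least one of the two models
    ok = any(contained(req.traffic, c.model(pair, req.operator)) for c in holders)
    return {"pair": pair, "check": "second",
            "contexts": [c.name for c in holders], "compliant": ok}


def evaluate(req: Requirement, contexts):
    """Run the check over every distinct pair drawn from the two EPG selectors."""
    pairs = [(s, d) for s, d in product(sorted(req.src_epgs), sorted(req.dst_epgs))
             if s != d]
    return {pair: check_pair(pair, req, contexts) for pair in pairs}


# Constructed sample: two VRFs, the web EPG in one and db/cache in the other.
VRF_A = Context("vrf-a", frozenset({"web"}),
                {("web", "db"): flow_bits("tcp", [3306, 3307])})
VRF_B = Context("vrf-b", frozenset({"db", "cache"}),
                {("web", "db"): flow_bits("tcp", [3306]),
                 ("web", "cache"): flow_bits("tcp", [6379])})
CONTEXTS = [VRF_A, VRF_B]

# web -> {db, cache} must allow tcp/3306; web -> {db, cache} must deny udp/53
REQ_ALLOW = Requirement(frozenset({"web"}), frozenset({"db", "cache"}),
                        flow_bits("tcp", [3306]), "must_allow")
REQ_DENY = Requirement(frozenset({"web"}), frozenset({"db", "cache"}),
                       flow_bits("udp", [53]), "must_deny")

if __name__ == "__main__":
    for req in (REQ_ALLOW, REQ_DENY):
        for pair, result in evaluate(req, CONTEXTS).items():
            print(req.operator, pair, result["check"], result["compliant"])
```

In the sample, (web, db) has policies in both VRFs and passes the second containment check, while (web, cache) has a policy only in vrf-b and fails the first check because tcp/3306 is not in its allowed flows.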
Claim Rejections – 35 USC 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office Action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. 

6.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Nicol et al (US 2008/0301765) in view of Sen et al (US 8,775,352).
	Regarding claim 1, Nicol et al teaches a system comprising:
one or more processors (fig. 3, ‘142); and 
at least one non-transitory computer-readable storage medium (par [0119], lines 1-5) having stored therein instructions which, when executed by the one or more processors, cause the system to: 
create a security compliance requirement for a network (par [0042], lines 1-5, “policy implemented for compliance”), a traffic selector (par [0064], lines 16-25, which discloses analyzing collected traffic), and a communication operator (par [0048], “communication interface”), wherein the traffic selector identifies traffic associated with one or more traffic parameters (par [0064], lines 16-25, “attributes of the traffic”), and wherein the communication operator defines a condition for traffic associated with the traffic selector (par [0034], lines 11-18, “traffic attribute sets”); 
determine that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts (par [0039], lines 11-13, which discloses the grouped entities being grouped together that may indicate subnetworks and properties being specified for each grouping); 
for each pair of groups, create a first respective data structure representing the pair of groups (fig. 5 & 6B, which disclose topology graph representation of the plurality of grouped nodes), the communication operator (fig. 5 & 6B), and the traffic selector (fig. 5 & 6B); 
create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the one of the different network contexts (par [0081], lines 12-16, which discloses a model representing network status according to rule sets and policy space); 
determine whether the first respective data structure is contained in the second respective data structure to yield a containment check (par [0042], lines 1-7, “check the policy implementation for compliance”); and 
determine, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement (Abstract, lines 1-5 which discloses implementing rule-sets for compliance in accordance with a specified network topology and parameters required to ensure secure elements).
Nicol et al does not explicitly teach the security compliance requirement comprising group selectors; wherein the group selectors represent sets of groups; and a condition for traffic associated with the group selectors.
However, Sen et al further teaches the security compliance requirement comprising group selectors (fig. 14C, col. 18, lines 40-45 & col. 21, lines 16-20, which discloses performing policy related compliance determination on a plurality of paired routers); 
wherein the group selectors represent sets of groups (fig. 14C & col. 21, lines 55-60, “selected pair of routers”); and
 a condition for traffic associated with the group selectors (col. 3, lines 22-30, “grouping traffic”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al in order to provide the predictive result of improving upon ensuring network compliance with pre-established policies and rule sets when implementing a policy detector, class of service modeler, pattern identifier, and model analyzer (disclosed in col. 2, lines 23-31 of Sen et al) because each entity would cause the teachings of Nicol et al to not only view and detect policy compliance using a generated model, but to also get a more in depth compliance determination because the model analyzer (disclosed by Sen et al) performs an additional compliance determination after the class of service compliance-related model is generated.
Regarding claim 2, Nicol et al and Sen et al teach the limitations of claim 1.
	Nicol et al further teaches wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: 
determine that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups (par [0021-0022]); and 
based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, create a third respective data structure representing a second portion of the logical model (fig. 6B & par [0020], which disclose security policy implementation for the various grouped routers displayed via graphical representation), the second portion of the logical model containing policies associated with one of the different network contexts (par [0020], “integrates policy rules”).

Regarding claim 3, Nicol et al and Sen et al teach the limitations of claim 1.
Nicol et al further teaches wherein determining whether the first respective data structure is contained in the second respective data structure comprises determining whether the first respective data structure is contained in both the second respective data structure and the third respective data structure (par [0110], “access decision sequences that include both the rules”).

Regarding claim 4, Nicol et al does not explicitly teach wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
However, Sen et al further teaches wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs) (col. 11, lines 55-60), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 1.
Regarding claim 5, Nicol et al does not explicitly teach wherein the second respective data structure is created in response to a determination that only one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups.
However, Sen et al further teaches wherein the second respective data structure is created in response to a determination that only one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups (col. 3, lines 25-30, “grouping traffic having similar or identical service requirements”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 1.
Regarding claim 6, Nicol et al does not explicitly teach wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: determine, for each of the one or more pairs of groups, that at least one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups.
However, Sen et al further teaches wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: determine, for each of the one or more pairs of groups, that at least one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups (col. 3, lines 25-30, “grouping traffic”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 1.
Regarding claim 7, Nicol et al does not explicitly teach wherein the first respective data structure and the second respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
However, Sen et al further teaches wherein the first respective data structure and the second respective data structure comprise at least one of binary decision diagrams (BDDs) (col. 12, lines 21-25), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 1.
Regarding claim 8, Nicol et al does not explicitly teach wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: compare one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determine whether a state of the network complies with the security compliance requirement.
However, Sen et al further teaches wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: 
compare one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network (col. 11, lines 43-47), the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs) (col. 11, lines 55-60), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and
 based on the comparing, determine whether a state of the network complies with the security compliance requirement (col. 18, lines 37-42, “ensure it is in compliance with the SLA”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 1.
Regarding claim 9, Nicol et al and Sen et al teach the limitations of claim 1.
Nicol et al further teaches wherein determining whether a state of the network complies with the security compliance requirement comprises determining whether the hardware policy entries configured on the network devices in the network satisfy, violate (par [0044], lines 8-13), or apply the security compliance requirement.
Regarding claim 10, Nicol et al and Sen et al teach the limitations of claim 1.
Nicol et al further teaches wherein the at least one non-transitory computer-readable storage medium stores additional instructions which, when executed by the one or more processors, cause the system to: 
generate one or more compliance assurance events indicating that one or more of the policies satisfy, violate (par [0045], lines 1-6), or do not apply the security compliance requirement; and present at least one of: 
a first indication that the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated (par [0064], lines 20-25), or not applied; and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category (par [0072], “number of rules in a violation”), and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected (par [0069], lines 7-8, “resources required”), and a policy object affected.

Regarding claim 11, Nicol et al teaches a method comprising:
creating a security compliance requirement for a network (par [0042], lines 1-5, “policy implemented for compliance”), a traffic selector (par [0064], lines 16-25, which discloses analyzing collected traffic), and a communication operator (par [0048], “communication interface”), wherein the traffic selector identifies traffic associated with one or more traffic parameters (par [0064], lines 16-25, “attributes of the traffic”), and wherein the communication operator defines a condition for traffic associated with the traffic selector (par [0034], lines 11-18, “traffic attribute sets”); 
determining that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts (par [0039], lines 11-13, which discloses the grouped entities being grouped together that may indicate subnetworks and properties being specified for each grouping); 
for each pair of groups, creating a first respective data structure representing the pair of groups (fig. 5 & 6B, which disclose topology graph representation of the plurality of grouped nodes), the communication operator (fig. 5 & 6B), and the traffic selector (fig. 5 & 6B); 
creating a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the one of the different network contexts (par [0081], lines 12-16, which discloses a model representing network status according to rule sets and policy space); 
determining whether the first respective data structure is contained in the second respective data structure to yield a containment check (par [0042], lines 1-7, “check the policy implementation for compliance”); and 
determining, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement (Abstract, lines 1-5 which discloses implementing rule-sets for compliance in accordance with a specified network topology and parameters required to ensure secure elements).
Nicol et al does not explicitly teach the security compliance requirement comprising group selectors; wherein the group selectors represent sets of groups; and a condition for traffic associated with the group selectors.
However, Sen et al further teaches the security compliance requirement comprising group selectors (fig. 14C, col. 18, lines 40-45 & col. 21, lines 16-20, which discloses performing policy related compliance determination on a plurality of paired routers); 
wherein the group selectors represent sets of groups (fig. 14C & col. 21, lines 55-60, “selected pair of routers”); and
 a condition for traffic associated with the group selectors (col. 3, lines 22-30, “grouping traffic”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al in order to provide the predictive result of improving upon ensuring network compliance with pre-established policies and rule sets when implementing a policy detector, class of service modeler, pattern identifier, and model analyzer (disclosed in col. 2, lines 23-31 of Sen et al) because each entity would cause the teachings of Nicol et al to not only view and detect policy compliance using a generated model, but to also get a more in depth compliance determination because the model analyzer (disclosed by Sen et al) performs an additional compliance determination after the class of service compliance-related model is generated.
Regarding claim 12, Nicol et al and Sen et al teach the limitations of claim 11.
	Nicol et al further teaches determining that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups (par [0021-0022]); and 
based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, creating a third respective data structure representing a second portion of the logical model (fig. 6B & par [0020], which disclose security policy implementation for the various grouped routers displayed via graphical representation), the second portion of the logical model containing policies associated with one of the different network contexts (par [0020], “integrates policy rules”).
Regarding claim 13, Nicol et al and Sen et al teach the limitations of claim 11.
Nicol et al further teaches wherein determining whether the first respective data structure is contained in the second respective data structure comprises determining whether the first respective data structure is contained in both the second respective data structure and the third respective data structure (par [0110], “access decision sequences that include both the rules”).

Regarding claim 14, Nicol et al does not explicitly teach wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
However, Sen et al further teaches wherein the first respective data structure, the second respective data structure and the third respective data structure comprise at least one of binary decision diagrams (BDDs) (col. 11, lines 55-60), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 11.
Regarding claim 15, Nicol et al does not explicitly teach wherein the second respective data structure is created in response to a determination that only one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups.
However, Sen et al further teaches wherein the second respective data structure is created in response to a determination that only one of the different network contexts contains policies for traffic between the respective groups in the one or more pairs of groups (col. 3, lines 25-30, “grouping traffic having similar or identical service requirements”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 11.
Regarding claim 16, Nicol et al does not explicitly teach wherein the first respective data structure and the second respective data structure comprise at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
However, Sen et al further teaches wherein the first respective data structure and the second respective data structure comprise at least one of binary decision diagrams (BDDs) (col. 12, lines 21-25), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors.
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 11.
Regarding claim 17, Nicol et al does not explicitly teach comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network, the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and based on the comparing, determine whether a state of the network complies with the security compliance requirement.
However, Sen et al further teaches comparing one or more first data structures representing the security compliance requirement with one or more second data structures representing hardware policy entries configured on network devices in the network (col. 11, lines 43-47), the one or more first data structures and the one or more second data structures comprising at least one of binary decision diagrams (BDDs) (col. 11, lines 55-60), reduced ordered binary decision diagrams (ROBDDs), and n-bit vectors; and
 based on the comparing, determine whether the hardware policy entries configured on the network devices in the network satisfy, violate (par [0044], lines 8-13), or apply the security compliance requirement.
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al according to the motivation disclosed regarding claim 11.
Regarding claim 18, Nicol et al and Sen et al teach the limitations of claim 11.
Nicol et al further teaches generating one or more compliance assurance events indicating that one or more of the policies satisfy, violate (par [0045], lines 1-6), or do not apply the security compliance requirement; and present at least one of: 
a first indication that the security compliance requirement is satisfied, violated, or not applied by one or more of the policies on the network; a second indication of a cause for the security compliance requirement being satisfied, violated (par [0064], lines 20-25), or not applied; and a third indication of at least one of an event severity, a number of security compliance issues, a compliance score, a security compliance issues count by category (par [0072], “number of rules in a violation”), and a compliance score by category, wherein the category comprises at least one of a type of security compliance requirement, a type of resource affected (par [0069], lines 7-8, “resources required”), and a policy object affected.
Regarding claim 19, Nicol et al teaches at least one non-transitory computer-readable storage medium (par [0119], lines 1-5) having stored therein instructions which, when executed by the one or more processors, cause the system to: 
create a security compliance requirement for a network (par [0042], lines 1-5, “policy implemented for compliance”), a traffic selector (par [0064], lines 16-25, which discloses analyzing collected traffic), and a communication operator (par [0048], “communication interface”), wherein the traffic selector identifies traffic associated with one or more traffic parameters (par [0064], lines 16-25, “attributes of the traffic”), and wherein the communication operator defines a condition for traffic associated with the traffic selector (par [0034], lines 11-18, “traffic attribute sets”); 
determine that respective groups in one or more pairs of groups from the sets of groups are associated with different network contexts (par [0039], lines 11-13, which discloses the grouped entities being grouped together that may indicate subnetworks and properties being specified for each grouping); 
for each pair of groups, create a first respective data structure representing the pair of groups (fig. 5 & 6B, which disclose topology graph representation of the plurality of grouped nodes), the communication operator (fig. 5 & 6B), and the traffic selector (fig. 5 & 6B); 
create a second respective data structure representing a first portion of a logical model of the network, the first portion of the logical model containing policies associated with the one of the different network contexts (par [0081], lines 12-16, which discloses a model representing network status according to rule sets and policy space); 
determine whether the first respective data structure is contained in the second respective data structure to yield a containment check (par [0042], lines 1-7, “check the policy implementation for compliance”); and 
determine, based on the containment check, whether policies for traffic between respective groups in the one or more pairs of groups comply with the security compliance requirement (Abstract, lines 1-5 which discloses implementing rule-sets for compliance in accordance with a specified network topology and parameters required to ensure secure elements).
Nicol et al does not explicitly teach the security compliance requirement comprising group selectors; wherein the group selectors represent sets of groups; and a condition for traffic associated with the group selectors.
However, Sen et al further teaches the security compliance requirement comprising group selectors (fig. 14C, col. 18, lines 40-45 & col. 21, lines 16-20, which discloses performing policy related compliance determination on a plurality of paired routers); 
wherein the group selectors represent sets of groups (fig. 14C & col. 21, lines 55-60, “selected pair of routers”); and
 a condition for traffic associated with the group selectors (col. 3, lines 22-30, “grouping traffic”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine embodiment of Sen et al within the system of Nicol et al in order to provide the predictive result of improving upon ensuring network compliance with pre-established policies and rule sets when implementing a policy detector, class of service modeler, pattern identifier, and model analyzer (disclosed in col. 2, lines 23-31 of Sen et al) because each entity would cause the teachings of Nicol et al to not only view and detect policy compliance using a generated model, but to also get a more in depth compliance determination because the model analyzer (disclosed by Sen et al) performs an additional compliance determination after the class of service compliance-related model is generated.

Regarding claim 20, Nicol et al and Sen et al teach the limitations of claim 19.
	Nicol et al further teaches the at least one non-transitory computer-readable storage medium, wherein the instructions, when executed by the one or more processors, cause the processors to: 
determine that both of the different network contexts contain policies for traffic between the respective groups in the one or more pairs of groups (par [0021-0022]); and 
based on both of the different network contexts containing policies for traffic between the respective groups in the one or more pairs of groups, create a third respective data structure representing a second portion of the logical model (fig. 6B & par [0020], which disclose security policy implementation for the various grouped routers displayed via graphical representation), the second portion of the logical model containing policies associated with one of the different network contexts (par [0020], “integrates policy rules”); and
wherein determining whether the first respective data structure is contained in the second respective data structure comprises determining whether the first respective data structure is contained in both the second respective data structure and the third respective data structure (par [0110], “access decision sequences that include both the rules”).
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 272-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/RANDY A SCOTT/Primary Examiner, Art Unit 2439
20220726