Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-20 are pending.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 3 are rejected under 35 U.S.C. 103 as being unpatentable over “Definite Guide to Software-Defined Perimeter” by Cyxtera in view of US 2020/0336484 A1 to Mahajan et al. (Mahajan) and US 2022/0014553 A1 to Dutta.
Regarding claim 1, Cyxtera discloses a computer-implemented method comprising: sending an SPA request to a controller of the deperimeterized access control service (client makes access request to controller using SPA, p. 9, 1), the SPA request including a device credential (client device authenticates to controller, controller evaluates credentials, p. 9, 1); obtaining a session ticket from the deperimeterized access control service (obtain Live Entitlement from controller, p. 9, 2), the session ticket based on a policy associated with the client device (Live Entitlement is based on authorized set of network resources, p. 9, 2); sending a request to a gateway of the deperimeterized access control service to initiate a session with the service (upload Live Entitlement to gateway, p. 9, 3); initiating a session with the service using session parameters (encrypted network tunnel provided through gateway to the server, p. 9, 4); and providing the traffic destined for the service over the session (encrypted network tunnel provided through gateway to the server, p. 9, 4).  Cyxtera lacks intercepting, by a single packet authorization (SPA) agent on a client device, traffic destined for a service of a provider network from an application on the client device and determining that the service is associated with a deperimeterized access control service.  However, Mahajan teaches that it was known to install an agent application on a client device to intercept outgoing traffic and send traffic, such as to a VPN, based on a corporate policy (¶¶115-116; see also ¶86).  
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the client in Cyxtera to include intercepting, by a single packet authorization (SPA) agent on a client device, traffic destined for a service of a provider network from an application on the client device and determining that the service is associated with a deperimeterized access control service.  One of ordinary skill in the art would have been motivated to perform such a modification to route traffic based on a traffic type in accordance with an established policy, as taught by Mahajan.  As modified, Cyxtera lacks receiving session parameters from the gateway.  However, Dutta teaches that it was known to utilize TLS to establish a secure tunnel, where a server provides cryptographic parameters as part of a negotiation (¶47).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, to include receiving session parameters from the gateway.  One of ordinary skill in the art would have been motivated to perform such a modification to establish the tunnel between the gateway and the client, as taught by Dutta.
Regarding claim 3, Cyxtera discloses wherein the session ticket (Live Entitlement) is further based on posture information (p. 17, ¶3), the posture information including one or more of a software version associated with the client device, network security information associated with the client device (type of device, p. 16), device physical location (user location, p. 16), connected wireless devices, or user biometrics.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Cyxtera, Mahajan and Dutta, as applied to claim 1 above, in view of “AppGate SDP – Reference Architectures” by AppGate.
Regarding claim 2, Cyxtera teaches that the session ticket (Live Entitlement, where Cyxtera uses AppGate SDP, p. 15) is cryptographically signed (p. 9, 2), but is silent regarding the gateway validating the session ticket and determining the session ticket is associated with the service.  However, AppGate teaches that, in AppGate SDP, the gateway will receive a token, verify the token’s signature and create a micro private firewall for the specified user session (p. 8, § Gateways).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, such that the gateway validates the session ticket and determines the session ticket is associated with the service.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize AppGate SDP as intended, as taught by AppGate.

Claims 4, 8-9, 13 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Cyxtera, Mahajan, Dutta, AppGate and US 2020/0127994 A1 to Kukreja et al. (Kukreja).
Regarding claim 4, Cyxtera discloses a computer-implemented method comprising: receiving, by a controller of a deperimeterized access control service (AppGate SDP controller, p. 8), a single packet authorization (SPA) request (SPA request sent to controller, p. 9, 1) for a session ticket from an agent on an electronic device (request for Live Entitlement from controller, p. 9, 2); authorizing the SPA request (evaluates credentials, p. 9, 1; note also that the SPA request comprises an HMAC based on a seed that is validated by the recipient, p. 18, § How SPA Works); providing a session ticket to the agent based on the request (client receives Live Entitlement, p. 9, 2); receiving, by a gateway of the deperimeterized access control service, a request to initiate a session with a service, the request including the session ticket (client uploads Live Entitlement to gateway, p. 9, 3); and initiating the session between the electronic device and the service (client tunnels through gateway to server, p. 9, 4).  Cyxtera lacks wherein the agent sends the request for the session ticket in response to intercepting traffic destined for a service associated with the deperimeterized access control service.  However, Mahajan teaches that it was known to install an agent application on a client device to intercept outgoing traffic and send traffic, such as to a VPN, based on a corporate policy (¶¶115-116; see also ¶86).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the client in Cyxtera such that the agent sends the request for the session ticket in response to intercepting traffic destined for a service associated with the deperimeterized access control service.  One of ordinary skill in the art would have been motivated to perform such a modification to route traffic based on a traffic type in accordance with an established policy, as taught by Mahajan.
As modified, Cyxtera lacks providing session parameters to the agent to be used to initiate the session between the electronic device and the service.  However, Dutta teaches that it was known to utilize TLS to establish a secure tunnel, where a server provides cryptographic parameters as part of a negotiation (¶47).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, to include providing session parameters to the agent to be used to initiate the session between the electronic device and the service.  One of ordinary skill in the art would have been motivated to perform such a modification to establish the tunnel between the gateway and the client, as taught by Dutta.  Cyxtera teaches that the session ticket (Live Entitlement, where Cyxtera uses AppGate SDP, p. 15) is cryptographically signed (p. 9, 2), but is silent regarding validating the session ticket.  However, AppGate teaches that, in AppGate SDP, the gateway will receive a token, verify the token’s signature and create a micro private firewall for the specified user session (p. 8, § Gateways).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, such that the gateway validates the session ticket.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize AppGate SDP as intended, as taught by AppGate.  As modified, Cyxtera lacks determining that the agent does not have a session ticket for the service.  However, Kukreja teaches a client application determining that an access token is needed for a particular resource, but not present, prior to submitting an access token request (¶49), enabling the client to enforce rules prior to requesting the token.  
A skilled artisan would have also understood that such a process reduces the overhead of requesting the token when a valid token already exists.  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, to include the client/agent determining that the agent does not have a session ticket (Live Entitlement) for the service.  One of ordinary skill in the art would have been motivated to perform such a modification to enable enforcement of local policies and to prevent requesting the Live Entitlement if one already exists for the requested server, as taught by Kukreja.  
Regarding claim 13, the claim is similar in scope to claim 4 and is therefore rejected using a similar rationale.
Regarding claim 8, Cyxtera discloses wherein the SPA request includes an authorization payload (HMAC-based One Time Password, p. 18) and a credential previously provisioned to the agent (shared secret, p. 18).  Further, note that AppGate teaches that the user authenticates with the controller using an IAM system, such as RADIUS (p. 7, 1), where the client provides credentials such as a password (p. 8, § Clients), where incorporation of the username/password into p. 9, step 1 of Cyxtera would have been obvious for the reasons discussed above.  
Regarding claims 9 and 18, Cyxtera discloses wherein the SPA request is unidirectional (client makes request to controller, p. 9, 1).

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Cyxtera, Mahajan, Dutta, AppGate and Kukreja, as applied to claims 4 and 13 above, in view of US 2021/0081632 A1 to Batchu et al. (Batchu).
Regarding claims 5 and 14, Cyxtera lacks wherein the agent on the electronic device is further configured to: obtain posture information for the electronic device, the posture information including one or more of a software version associated with the client device, network security information associated with the client device, device physical location, connected wireless devices, or user biometrics; and provide the posture information to the controller.  However, AppGate teaches that the controller uses user attributes and context to apply policies and create the Entitlement tokens (p. 7, 2).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, to utilize the user’s context in determining policies.  One of ordinary skill in the art would have been motivated to perform such a modification to maintain compliance with AppGate SDP, as taught by AppGate.  Further, Batchu teaches that it was known to utilize client agent software to report a device’s posture to a server, the posture including application inventory and device location (¶15, ¶22).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, such that the agent on the electronic device is further configured to: obtain posture information for the electronic device, the posture information including one or more of a software version associated with the client device, network security information associated with the client device, device physical location, connected wireless devices, or user biometrics; and provide the posture information to the controller.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize the device’s posture to determine the Entitlements, as taught by Batchu.1

Claims 10 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Cyxtera, Mahajan, Dutta, AppGate and Kukreja, as applied to claims 4 and 13 above, in view of US 8,832,855 B1 to Enderwick et al. (Enderwick).
Regarding claims 10 and 19, Cyxtera, as modified above, lacks receiving by the gateway of the deperimeterized access control service, a second request to initiate a session with a service, the request not including the session ticket; and ignoring the second request.  However, Enderwick teaches a system requiring a token to access a gateway as part of a device-binding policy (col. 4, lines 62-65), where a missing token in the request causes the gateway to drop the connection (col. 5, lines 1-2).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Cyxtera, as modified above, to include receiving by the gateway of the deperimeterized access control service, a second request to initiate a session with a service, the request not including the session ticket; and ignoring the second request.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize a known method of dropping requests that cannot be validated, as taught by Enderwick. 
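As an added illustration that is not part of this Office action or of any cited reference, the following Python sketches the flow the rejections of claims 1, 2, 4 and 10/19 describe: the agent first checks whether it already holds a ticket for the service, sends an HMAC-based SPA request to the controller, receives a signed session ticket scoped by policy, presents it to the gateway, and the gateway verifies the signature and service binding, returns session parameters, and silently ignores any request that carries no ticket. The device secret, ticket signing key, policy table, counter-based one-time value and JSON ticket format are all constructed assumptions, and the shared-key ticket signature stands in for whatever signature scheme a real deployment uses.

```python
import hmac, hashlib, json, secrets

# Constructed sample values for this example, not taken from any real deployment.
DEVICE_SECRET = b"device-shared-secret"        # credential provisioned to the agent (claim 8)
TICKET_KEY = b"controller-gateway-ticket-key"  # ticket signing key shared by controller and gateway (assumption)
POLICY = {"dev-1": {"intranet-app"}}           # device id -> services the policy entitles it to

def _otp(counter, secret=DEVICE_SECRET):
    """HMAC-based one-time value over a counter, standing in for the HMAC OTP in the SPA packet."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()

def _sign(payload):
    return hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def build_spa_request(device_id, counter):
    """Unidirectional SPA packet: device credential plus the one-time authorization payload."""
    return {"device": device_id, "counter": counter, "otp": _otp(counter)}

def controller_authorize(req, service, now, ttl=300):
    """Validate the SPA payload, apply policy, and issue a signed session ticket (or None)."""
    if not hmac.compare_digest(_otp(req["counter"]), req["otp"]):
        return None                 # bad SPA packet: no response, so nothing is revealed to a probe
    if service not in POLICY.get(req["device"], set()):
        return None                 # policy does not entitle this device to the service
    payload = json.dumps({"device": req["device"], "service": service, "exp": now + ttl}, sort_keys=True)
    return {"payload": payload, "sig": _sign(payload)}

def agent_needs_ticket(cache, service, now):
    """Agent-side check before contacting the controller: request only if no valid ticket is cached."""
    t = cache.get(service)
    return t is None or json.loads(t["payload"])["exp"] <= now

def gateway_handle(request, service, now):
    """Ignore ticketless requests, verify the signature and service binding, then return
    session parameters (here a fresh tunnel key) with which the client initiates the session."""
    ticket = request.get("ticket")
    if ticket is None:
        return None                 # claims 10/19: no ticket, the request is ignored
    if not hmac.compare_digest(_sign(ticket["payload"]), ticket["sig"]):
        return None                 # forged or tampered ticket
    claims = json.loads(ticket["payload"])
    if claims["service"] != service or claims["exp"] <= now:
        return None                 # ticket is for another service, or has expired
    return {"service": service, "tunnel_key": secrets.token_hex(16)}

def run_flow(service="intranet-app", device="dev-1", counter=7, now=1_000_000.0):
    """Client sequence: cache check, SPA to controller, ticket to gateway, session parameters back."""
    cache = {}
    if agent_needs_ticket(cache, service, now):
        ticket = controller_authorize(build_spa_request(device, counter), service, now)
        if ticket is None:
            return None
        cache[service] = ticket
    return gateway_handle({"ticket": cache[service]}, service, now)
```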

Allowable Subject Matter
Claims 6-7, 11-12, 15-17 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Regarding claims 6-7 and 15-17, the prior art teaches holding and releasing traffic: US 20190306251 A1 (Talebi Fard; Peyman et al.) (¶¶339-340) teaches buffering intercepted traffic and releasing the traffic when a session is established, and US 10230770 B2 (Xu; Feilong et al.) (col. 1, lines 30-59) teaches a load balancer intercepting and holding traffic.  However, the prior art fails to teach, alone or in a reasonable combination, holding the intercepted traffic and providing the traffic to the server once the session has been initiated, when considered within the existing claims as a whole.
Regarding claims 11-12 and 20, the prior art teaches utilizing a decoy environment to examine the actions of malicious users: US 20220116421 A1 (Yadav; Navindra et al.) (Abstract, claim 1) teaches directing network traffic to a decoy network.  However, the prior art fails to teach, alone or in a reasonable combination, instructions to receive, by the gateway of the deperimeterized access control service, a second request to initiate a session with a service, the request not including the session ticket; and route the second request to a deception environment having a same IP address as the service, when considered within the existing claims as a whole.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841. The examiner can normally be reached Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Michael Simitoski/               Primary Examiner, Art Unit 2493
July 27, 2022

1 Examiner cites US 10992670 B1 (Drooger; Jack A. et al.) (col. 9, line 34 – col. 10, line 2) and US 20170324733 A1 (HOWRY; Dolores F. et al.) (¶24) for teaching additional types of security posture data.