DETAILED ACTION
	Claims 1-20 are presented on 01/26/2021 for examination on merits.  Claims 1, 9, and 17 are independent base claims.  

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Examiner's Instructions for filing Response to this Office Action
When the Applicant submits amendments regarding the claims in response to the Office Action, the Examiner would prefer that Applicant submit two sets of claims: 
Set #1 that includes indicators for the status of claim and all marked amendments to the claims; and 
Set #2 comprising a clean version of the claims with all the markups removed for entry, as an appendix to the Applicant Arguments/Remarks or a section following the Remarks.

Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted for examination on merits is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner. See the annotated 1449 documents.

Claim Objections
Claims 1, 9, and 17 are objected to because of the following informalities: 
Claims 1, 9, 17 each recite a limitation “wherein the grouped traffic records comprise first and second traffic records comprising corresponding first and second source address identifiers, first and second source port identifiers, first and second destination address identifiers, and first and second destination port identifiers” or similar ones without pointing out the first instance always corresponds to the second, nor is there any indication of one-to-one correspondence between the first and the second instances.  The Examiner suggests adding “respectively” in the limitation.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):

(B)  CONCLUSION—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

The rejection(s) under 35 U.S.C. 112(b) is/are determined by the following reasons:
Claims 1, 9, and 17 each recite the limitation "the first and second records" in the identifying step.  There is insufficient antecedent basis for this limitation in the claims, respectively.
Claims 8 and 16 each also recite the limitation "the first and second records" without sufficient antecedent basis for the same reason as that of claim 1 as indicated above.
Claims 2-8, 10-16, and 18-20 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, because they depend from the rejected base claims 1, 8, and 15, respectively.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1-2, 5-10, 13-18 are rejected under 35 U.S.C. 103 as being unpatentable over Addepalli (US 8848608 B1; hereinafter “Adde”) in view of Bassett (US 20070016937 A1; hereinafter “Bas”).

As per claim 1, Adde teaches a computer-implemented method comprising: 
capturing, by at least one processor, network traffic data, the network traffic data comprising a plurality of traffic records (Adde, col. 22, lines 20-27: [using] periodic packet probes to [capture] data traffic to assess link quality… with transmit/receive buffer size, timer, etc.; col. 22, lines 39-46: OBU30 is activated with …virtual interfaces … that can intercept network traffic data); 
grouping, by the at least one processor, traffic records selected from the plurality of traffic records, wherein the grouped traffic records comprise first and second traffic records comprising corresponding first and second source address identifiers, first and second source port identifiers, first and second destination address identifiers, and first and second destination port identifiers (Adde, col. 19, lines 66-67 and col. 20, lines 1-5: a first interface can be selected for uplink traffic (i.e., from OBU 30 to an external network) and a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30); col. 15, lines 27-41: traffic processing includes: independent interface selection for uplink and downlink traffic, which means that traffic records are grouped as uplink and downlink traffic; each session may be identified by a …port number (SID); see col. 28, lines 6-20); 
identifying, by the at least one processor, first and second network interfaces associated with the first and second records based on the first and second source address identifiers (Adde, col. 28, lines 4-17: Outgoing network traffic flows from OBU 30 can include packets…each has at least one identifier (e.g., Internet Protocol (IP) address), with each identifier corresponding to a different physical interface; Adde discloses bi-directional interface selection for incoming traffic flow of the network session, the second wireless interface being selected for outgoing traffic flow of the network session; see clm. 21 of Adde); 
determining, by the at least one processor, a direction of network traffic comprising identifying an ingress node based on the first and second security rule populations (Adde, col. 20, lines 1-11: selecting uplink or downlink based on usage policies in Adde is determining a direction of network traffic comprising identifying an ingress node; [for example] a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30)).
While Adde discloses determining an interface for downlink or ingress data flow based on the usage policies, Adde is silent about associating first and second security rule populations corresponding to the first and second network interfaces.  This aspect of the claim is identified as a difference.
In a related art, Bas discloses:
associating, by the at least one processor, first and second security rule populations corresponding to the first and second network interfaces (Bas, par. 0034: the security system allows a user to establish security rules, also referred to as authenticated firewall rules; par. 0036: the security system allows an outbound security policy for connection security to be automatically derived from an inbound security policy for the connection security).
Adde and Bas are analogous art, because they are in a similar field of endeavor in improving network policies for controlling traffic flows.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Adde’s system with Bas’ teaching on the association of first and second security rule populations such that an outbound security policy for connection security can be automatically determined or derived from an inbound security policy for the connection security.  For this combination, the motivation would have been to improve the automation of security rules and rule updates.

As per claim 2, the references as combined above teach the method of claim 1, wherein: 
the first and second network interfaces are connected within a private cloud-based computer network (Bas, par. 0005 and 0036: computing devices of an enterprise, which is a private computer network; see par. 0058-0059 for using remote connections which suggests the connection is within a private cloud-based computer network); and 
the first and second security rule populations are selected from one or more firewall exceptions corresponding to the first and second network interfaces (Bas, par. 0005 and 0036: Once the inbound security policy is distributed to the computing devices of an enterprise, the security system can use the security suites of the inbound security policy as the basis of the security suites for the outbound security policy of the computing devices).

As per claim 5, the references as combined above teach the method of claim 1, wherein the grouping traffic records comprises determining that the second traffic record has a relationship to the first traffic record (Bas, par. 0036: automatically augment inbound security policies based on security suites defined for an outbound security policy and augment inbound security policies based on security suites defined for an inbound security policy; par. 0064: establishes the outbound security policy based on the security suites of the inbound security policy).

As per claim 6, the references as combined above teach the method of claim 1, wherein the identifying the first and second network interfaces comprise performing at least one query operation (Adde, col. 2, lines 59-67: selecting the first wireless interface based on one or more criteria in the interface usage policy…such as cost; col. lines : a policy driven wireless interface selection…which includes a plethora of input parameters (e.g., cost of interfaces, delay, power consumption, user preferences and criteria, location, time, application requirements, received signal strength indication (RSSI), signal-to-noise ratio (SNR), bit error rate (BER), etc.).  The interface selection by parameters or criteria requires performing at least one query operation inherently).

As per claim 7, the references as combined above teach the method of claim 1, wherein each traffic record of the plurality of traffic records further comprises a first traffic action selected from a permit traffic action and a reject traffic action (Adde, col. 51, lines 51-54: Access and logging module 704 examines communications (messages) …and applies appropriate policies to permit or deny the messages; see also par. 0054 for [examining] communications (messages) … and [applying] appropriate policies to permit or deny the messages).

As per claim 8, the references as combined above teach the method of claim 7, wherein: 
the first and second records further comprise corresponding first and second record traffic actions to permit traffic (Adde, col. 54, lines 16-21: If it is determined at 2004 that communication is permitted between the source and destination interfaces, then a determination is made at 2006 as to whether communication is permitted between the source address and the destination address); and 
the identifying the ingress node comprises determining that: 
the first security rule population corresponding to the first network interface permitted ingress traffic with the first network interface (Adde, col. 51, lines 57-60: permit certain communication (e.g., communication between specific machine devices, communication between specific machine devices and specific network interfaces 24)); or 
the second security rule population corresponding to the second network interface permitted ingress traffic with the second network interface (Adde, col. 50, lines 59-63: a source from a particular bus subsystem is permitted to send messages to a destination on another bus subsystem (e.g., CAN, MOST, Flexray, LIN) or to another destination (e.g., WiFi interface, 3G interface, etc.).).

As per claim 9, Adde teaches a device, comprising a processor coupled to a memory and configured to execute instructions stored in the memory that: 
captures network traffic data, the network traffic data comprising a plurality of traffic records (Adde, col. 22, lines 20-27: [using] periodic packet probes to [capture] data traffic to assess link quality… with transmit/receive buffer size, timer, etc.; col. 22, lines 39-46: OBU30 is activated with …virtual interfaces … that can intercept network traffic data); 
groups traffic records selected from the plurality of traffic records, wherein the grouped traffic records comprise first and second traffic records comprising corresponding first and second source address identifiers, first and second source port identifiers, first and second destination address identifiers, and first and second destination port identifiers (Adde, col. 19, lines 66-67 and col. 20, lines 1-5: a first interface can be selected for uplink traffic (i.e., from OBU 30 to an external network) and a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30); col. 15, lines 27-41: traffic processing includes: independent interface selection for uplink and downlink traffic, which means that traffic records are grouped as uplink and downlink traffic; each session may be identified by a …port number (SID); see col. 28, lines 6-20); 
identifies first and second network interfaces associated with the first and second records based on the first and second source address identifiers (Adde, col. 28, lines 4-17: Outgoing network traffic flows from OBU 30 can include packets…each has at least one identifier (e.g., Internet Protocol (IP) address), with each identifier corresponding to a different physical interface; Adde discloses bi-directional interface selection for incoming traffic flow of the network session, the second wireless interface being selected for outgoing traffic flow of the network session; see clm. 21 of Adde); 
determines a direction of network traffic comprising identifying an ingress node based on the first and second security rule populations (Adde, col. 20, lines 1-11: selecting uplink or downlink based on usage policies in Adde is determining a direction of network traffic comprising identifying an ingress node; [for example] a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30)).
While Adde discloses determining an interface for downlink or ingress data flow based on the usage policies, Adde is silent about associating first and second security rule populations corresponding to the first and second network interfaces.  This aspect of the claim is identified as a difference.
In a related art, Bas discloses:
associates first and second security rule populations corresponding to the first and second network interfaces (Bas, par. 0034: the security system allows a user to establish security rules, also referred to as authenticated firewall rules; par. 0036: the security system allows an outbound security policy for connection security to be automatically derived from an inbound security policy for the connection security).
Adde and Bas are analogous art, because they are in a similar field of endeavor in improving network policies for controlling traffic flows.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Adde’s system with Bas’ teaching on the association of first and second security rule populations such that an outbound security policy for connection security can be automatically determined or derived from an inbound security policy for the connection security.  For this combination, the motivation would have been to improve the automation of security rules and rule updates.

As per claim 10, the references as combined above teach the device of claim 9, wherein: 
the first and second network interfaces are connected within a private cloud-based computer network (Bas, par. 0005 and 0036: computing devices of an enterprise, which is a private computer network; see par. 0058-0059 for using remote connections which suggests the connection is within a private cloud-based computer network); and 
the first and second security rule populations are selected from one or more firewall exceptions corresponding to the first and second network interfaces (Bas, par. 0005 and 0036: Once the inbound security policy is distributed to the computing devices of an enterprise, the security system can use the security suites of the inbound security policy as the basis of the security suites for the outbound security policy of the computing devices).

As per claim 13, the references as combined above teach the device of claim 9, wherein the grouping traffic records comprises determining that the second traffic record has a relationship to the first traffic record (Bas, par. 0036: automatically augment inbound security policies based on security suites defined for an outbound security policy and augment inbound security policies based on security suites defined for an inbound security policy; par. 0064: establishes the outbound security policy based on the security suites of the inbound security policy).

As per claim 14, the references as combined above teach the device of claim 9, wherein the identifying the first and second network interfaces comprise performing at least one query operation (Adde, col. 2, lines 59-67: selecting the first wireless interface based on one or more criteria in the interface usage policy…such as cost; col. lines : a policy driven wireless interface selection…which includes a plethora of input parameters (e.g., cost of interfaces, delay, power consumption, user preferences and criteria, location, time, application requirements, received signal strength indication (RSSI), signal-to-noise ratio (SNR), bit error rate (BER), etc.).  The interface selection by parameters or criteria requires performing at least one query operation inherently).

As per claim 15, the references as combined above teach the device of claim 9, wherein each traffic record of the plurality of traffic records further comprises a first traffic action selected from a permit traffic action and a reject traffic action (Adde, col. 51, lines 51-54: Access and logging module 704 examines communications (messages) …and applies appropriate policies to permit or deny the messages; see also par. 0054 for [examining] communications (messages) … and [applying] appropriate policies to permit or deny the messages).

As per claim 16, the references as combined above teach the device of claim 14, wherein: 
the first and second records further comprise corresponding first and second record traffic actions to permit traffic (Adde, col. 54, lines 16-21: If it is determined at 2004 that communication is permitted between the source and destination interfaces, then a determination is made at 2006 as to whether communication is permitted between the source address and the destination address); and 
the identifying the ingress node comprises determining that: the first security rule population corresponding to the first network interface permitted ingress traffic with the first network interface (Adde, col. 51, lines 57-60: permit certain communication (e.g., communication between specific machine devices, communication between specific machine devices and specific network interfaces 24)); or 
the second security rule population corresponding to the second network interface permitted ingress traffic with the second network interface (Adde, col. 50, lines 59-63: a source from a particular bus subsystem is permitted to send messages to a destination on another bus subsystem (e.g., CAN, MOST, Flexray, LIN) or to another destination (e.g., WiFi interface, 3G interface, etc.)).

As per claim 17, Adde teaches a system comprising: 
a network traffic database that captures a plurality of network traffic records generated on a private cloud-based computer network (Bas, par. 0005 and 0036: computing devices of an enterprise, which is a private computer network; see par. 0058-0059 for using remote connections which suggests the connection is within a private cloud-based computer network); and 
a server coupled to a processor, configured to execute instructions that: 
groups traffic records selected from the plurality of traffic records, wherein the grouped traffic records comprise first and second traffic records comprising corresponding first and second source address identifiers, first and second source port identifiers, first and second destination address identifiers, and first and second destination port identifiers (Adde, col. 19, lines 66-67 and col. 20, lines 1-5: a first interface can be selected for uplink traffic (i.e., from OBU 30 to an external network) and a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30); col. 15, lines 27-41: traffic processing includes: independent interface selection for uplink and downlink traffic, which means that traffic records are grouped as uplink and downlink traffic; each session may be identified by a …port number (SID); see col. 28, lines 6-20); 
identifies first and second network interfaces associated with the first and second records based on the first and second source address identifiers (Adde, col. 28, lines 4-17: Outgoing network traffic flows from OBU 30 can include packets…each has at least one identifier (e.g., Internet Protocol (IP) address), with each identifier corresponding to a different physical interface; Adde discloses bi-directional interface selection for incoming traffic flow of the network session, the second wireless interface being selected for outgoing traffic flow of the network session; see clm. 21 of Adde); 
determines a direction of network traffic comprising identifying an ingress node based on the first and second security rule populations (Adde, col. 20, lines 1-11: selecting uplink or downlink based on usage policies in Adde is determining a direction of network traffic comprising identifying an ingress node; [for example] a second interface can be selected for downlink traffic (i.e., from the external network to OBU 30)).
While Adde discloses determining an interface for downlink or ingress data flow based on the usage policies, Adde is silent about associating first and second security rule populations corresponding to the first and second network interfaces.  This aspect of the claim is identified as a difference.
In a related art, Bas discloses:
associates first and second security rule populations corresponding to the first and second network interfaces (Bas, par. 0034: the security system allows a user to establish security rules, also referred to as authenticated firewall rules; par. 0036: the security system allows an outbound security policy for connection security to be automatically derived from an inbound security policy for the connection security).
Adde and Bas are analogous art, because they are in a similar field of endeavor in improving network policies for controlling traffic flows.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Adde’s system with Bas’ teaching on the association of first and second security rule populations such that an outbound security policy for connection security can be automatically determined or derived from an inbound security policy for the connection security.  For this combination, the motivation would have been to improve the automation of security rules and rule updates.

As per claim 18, the references as combined above teach the system of claim 17, wherein: 
the first and second network interfaces are connected within a private cloud-based computer network (Bas, par. 0005 and 0036: computing devices of an enterprise, which is a private computer network; see par. 0058-0059 for using remote connections which suggests the connection is within a private cloud-based computer network); and 
the first and second security rule populations are selected from one or more firewall exceptions corresponding to the first and second network interfaces (Bas, par. 0005 and 0036: Once the inbound security policy is distributed to the computing devices of an enterprise, the security system can use the security suites of the inbound security policy as the basis of the security suites for the outbound security policy of the computing devices).

Claims 3, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Adde and Bas, as applied to claim 1, and further in view of Ganapathi (US 20190138362 A1; hereinafter “Gana”).

As per claim 3, the references of Adde and Bas as combined above teach the method of claim 1.  However, the combination of Adde and Bas does not explicitly disclose a capture time contained in each of the plurality of traffic records.  This aspect of the claim is found to be a further difference.
In a related art, Gana teaches:
wherein each of the plurality of traffic records further comprises a capture time (Gana, par. 0095: data representing outcomes of the download such as the throughput, download complete time, and time to first byte, may be captured in each database record in the network traffic data store 112 for each static policy).
Gana is analogous art to the claimed invention in a similar field of endeavor in improving network traffic controls.  Thus, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Adde-Bas’ system with Gana’s teaching on the capture time being recorded in each traffic record.  For this combination, the motivation would have been to improve the record management with an accurate timestamp.

As per claim 11, the references as combined above teach the device of claim 9.  And Gana further teaches wherein each of the plurality of traffic records further comprises a capture time as discussed in claim 3.

As per claim 19, the references as combined above teach the system of claim 17.  And Gana further teaches wherein each of the plurality of traffic records further comprises a capture time as discussed in claim 3.

Allowable Subject Matter
Claims 4, 12, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The claims 4, 12, and 20 recite elements of “wherein the server is further configured to execute instructions that: identifies at least one rule from the first and second security rule populations, the at least one rule permitting a response by the ingress node; and modifies a table of records to include a record, the record comprising the at least one rule and the capture time”.  The elements with the features thereof, in combination with the other limitations in their base claims, respectively, are not anticipated by, nor made obvious over the prior art of record.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure as the prior art additionally discloses certain parts of the claim features (See “PTO-892 Notice of Reference Cited”).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DON ZHAO whose telephone number is (571)272.9953.  The examiner can normally be reached on Monday to Friday, 7:30 A.M to 5:00 P.M EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl G Colin can be reached on 571.272.3862.  The fax phone number for the organization where this application or proceeding is assigned is 571.273.8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800.786.9199 (IN USA OR CANADA) or 571.272.1000.


/Don G Zhao/
Primary Examiner, Art Unit 2493
08/23/2022