DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The IDS filed 9/23/2021 has been considered.
Claims 1-20 are pending.

Specification
The disclosure is objected to because paragraph 1 should include reference to the patent number of the parent application, since the parent application has been patented.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
5.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cummins et al. (U.S. Patent Application Publication Number 2019/0319926), hereinafter referred to as Cummins, in view of Kung et al. (U.S. Patent Application Publication Number 2018/0234459), hereinafter referred to as Kung, both listed on the applicant’s IDS filed 9/23/2021.
Cummins disclosed techniques for controlling network security configurations.  In an analogous art, Kung disclosed techniques for enforcing network security policies.  Both systems are directed toward the managing of network security policies across interconnected devices and services.
Regarding claim 1, Cummins discloses a method for generating vulnerability information relating to workloads executing on one or more processing devices in a segmented computing environment within an administrative domain, the method comprising: obtaining a current segmentation policy for the workloads executing on the one or more processing devices in the segmented computing environment (paragraph 28, accesses each security appliance for security configuration); identifying vulnerabilities associated with respective ports of the workloads (paragraph 47, uses vulnerability scanner, and paragraph 33, network ports defined in configuration file); generating a vulnerability exposure score for one port of the respective ports, wherein the vulnerability exposure score represents a measure of exposure to the vulnerabilities based on the current segmentation policy applicable to the one port (paragraph 44, each node has security sensitivity value, and paragraph 47, collects vulnerability information and descriptions, and CVE data); generating a presentation of vulnerability exposure information based on the vulnerability exposure scores (paragraph 51, generates visual representation of security configuration); and outputting the presentation of the vulnerability exposure information (paragraph 51, visual representation is displayed map).
Cummins does not explicitly state wherein the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and wherein the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy.  However, using such label sets with security policies was well known in the art as evidenced by Kung.  Since the inventions encompass the same field of endeavor it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cummins by adding the ability that the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and that the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy as provided by Kung (see paragraphs 205 and 206, security policies use tags to enforce segmentation).  One of ordinary skill in the art would have recognized the benefit that enforcing such network security policies would assist in controlling communications to and from workload units of applications running on different nodes (see Kung, paragraph 8).
Regarding claim 2, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: aggregating, for workloads within a tier, the vulnerability exposure scores for each port number to generate port number scores for each port number; and generating a ranked list of port numbers based on the port number scores (Cummins, paragraph 42, determines security enclaves, and paragraph 25, security sensitivity values specify ranking corresponding to security policy).
Regarding claim 3, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: identifying tiers of workloads, each of the tiers comprising a group of workloads having common label values across two or more label dimensions (Cummins, paragraph 42, determines security enclaves, and Kung, paragraph 205, tags indicate development, staging, production, etc.); aggregating the vulnerability exposure scores across workloads in each of the tiers to generate tier-level scores for each of the tiers (Cummins, paragraph 44, security sensitivity values); generating a representation of a tier-level segmentation policy graph comprising nodes representing the tiers and edges representing connectivity between workloads in different ones of the tiers (Cummins, paragraph 52, icons represent nodes, and paragraph 53, illustrates enclaves, and paragraph 54, lines represent traffic flows); and associating the tier-level scores with corresponding nodes in the tier-level segmentation policy graph (Cummins, paragraph 52, icons positioned on map based on security sensitivity values).
Regarding claim 4, the combination of Cummins and Kung discloses wherein identifying the vulnerabilities comprises: executing a vulnerability scanner to detect the vulnerabilities on each of the workloads (Cummins, paragraph 47, uses vulnerability scanner).
Regarding claim 5, the combination of Cummins and Kung discloses wherein determining the exposure scores comprises: identifying an external network permitted to connect to a particular port under the current segmentation policy; obtaining a predefined score associated with the external network; and generating an exposure score for the particular port based in part on the predefined score associated with the external network (Cummins, paragraph 56, determines access via external network, and paragraph 47, CVE data).
Regarding claim 6, the combination of Cummins and Kung discloses wherein determining the exposure scores comprises: identifying an exposure score for a connecting port permitted to connect to a particular port under the current segmentation policy; and generating the exposure score for the particular port based in part on the exposure score for the connecting port (Cummins, paragraph 55, determines all network traffic flows, and paragraph 45, traffic flow defined by connecting ports, and paragraph 47, CVE data).
Regarding claim 7, the combination of Cummins and Kung discloses observing communications among the workloads under the current segmentation policy to generate a traffic flow graph (Cummins, paragraph 54, shows network traffic flows); generating a modified segmentation policy based on the vulnerability exposure scores, the traffic flow graph, and configuration settings, wherein the modified segmentation policy reduces exposure to the vulnerabilities relative to the current segmentation policy (Cummins, paragraph 57, specifies change to map); generating management instructions based on the modified segmentation policy to enforce the modified segmentation policy (Cummins, paragraph 57, determines changes to configurations); and sending the management instructions to operating system instances executing the workloads (Cummins, paragraph 59, transmits command sets to devices).
Regarding claim 8, the combination of Cummins and Kung discloses wherein generating the modified segmentation policy comprises: detecting, in a first group of workloads, a vulnerable port on which one of the vulnerabilities exists; detecting connectivity using the vulnerable port between the first group of workloads and a second group of workloads in the traffic flow graph; detecting a lack of connectivity between the first group of workloads having the vulnerable port and a third group of workloads in the traffic flow graph; generating the modified segmentation policy to limit permitted communications of the first group of workloads to the second group of workloads without permitting communications between the first group of workloads and the third group of workloads (Cummins, paragraph 61, adds node to particular enclave).
Regarding claim 9, the combination of Cummins and Kung discloses wherein generating the modified segmentation policy comprises: detecting, in a first group of workloads, a vulnerable port on which one of the vulnerabilities exists; detecting a lack of connectivity using the vulnerable port between the first group of workloads and a second group of workloads in the traffic flow graph; detecting connectivity using one or more non-vulnerable ports between the first group of workloads and the second group of workloads in the traffic flow graph; generating the modified segmentation policy to limit permitted communications between the first group of workloads and the second group of workloads to using the one or more non-vulnerable ports without permitting communications between the first group of workloads and the second group of workloads using the vulnerable port (Cummins, paragraph 61, adds node to particular enclave).
Regarding claim 10, the combination of Cummins and Kung discloses wherein generating the exposure scores comprises at least one of: (a) generating an intra-group exposure score representing a measure of connectivity of the particular port to other workloads within a group associated with a workload of the particular port (Cummins, paragraph 48, quantifies nodes within specific enclave); (b) generating an inter-group exposure score representing a measure of connectivity of the particular port to other workloads outside the group associated with a workload of the particular port; and (c) generating a total exposure score representing a measure of connectivity of the particular port to any other workloads.
Regarding claim 11, Cummins discloses a non-transitory computer-readable storage medium storing instructions for generating vulnerability information relating to workloads executing on one or more processing devices in a segmented computing environment within an administrative domain, the instructions when executed by a processor causing the processor to perform steps including: obtaining a current segmentation policy for the workloads executing on the one or more processing devices in the segmented computing environment (paragraph 28, accesses each security appliance for security configuration); identifying vulnerabilities associated with respective ports of the workloads (paragraph 47, uses vulnerability scanner, and paragraph 33, network ports defined in configuration file); generating a vulnerability exposure score for one port of the respective ports, wherein the vulnerability exposure score represents a measure of exposure to the vulnerabilities based on the current segmentation policy applicable to the one port (paragraph 44, each node has security sensitivity value, and paragraph 47, collects vulnerability information and descriptions, and CVE data); generating a presentation of vulnerability exposure information based on the vulnerability exposure scores (paragraph 51, generates visual representation of security configuration); and outputting the presentation of the vulnerability exposure information (paragraph 51, visual representation is displayed map).
Cummins does not explicitly state wherein the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and wherein the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy.  However, using such label sets with security policies was well known in the art as evidenced by Kung.  Since the inventions encompass the same field of endeavor it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cummins by adding the ability that the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and that the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy as provided by Kung (see paragraphs 205 and 206, security policies use tags to enforce segmentation).  One of ordinary skill in the art would have recognized the benefit that enforcing such network security policies would assist in controlling communications to and from workload units of applications running on different nodes (see Kung, paragraph 8).
Regarding claim 12, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: aggregating, for workloads within a tier, the vulnerability exposure scores for each port number to generate port number scores for each port number; and generating a ranked list of port numbers based on the port number scores (Cummins, paragraph 42, determines security enclaves, and paragraph 25, security sensitivity values specify ranking corresponding to security policy).
Regarding claim 13, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: identifying tiers of workloads, each of the tiers comprising a group of workloads having common label values across two or more label dimensions (Cummins, paragraph 42, determines security enclaves, and Kung, paragraph 205, tags indicate development, staging, production, etc.); aggregating the vulnerability exposure scores across workloads in each of the tiers to generate tier-level scores for each of the tiers (Cummins, paragraph 44, security sensitivity values); generating a representation of a tier-level segmentation policy graph comprising nodes representing the tiers and edges representing connectivity between workloads in different ones of the tiers (Cummins, paragraph 52, icons represent nodes, and paragraph 53, illustrates enclaves, and paragraph 54, lines represent traffic flows); and associating the tier-level scores with corresponding nodes in the tier-level segmentation policy graph (Cummins, paragraph 52, icons positioned on map based on security sensitivity values).
Regarding claim 14, the combination of Cummins and Kung discloses wherein determining the exposure scores comprises: identifying an external network permitted to connect to a particular port under the current segmentation policy; obtaining a predefined score associated with the external network; and generating an exposure score for the particular port based in part on the predefined score associated with the external network (Cummins, paragraph 56, determines access via external network, and paragraph 47, CVE data).
Regarding claim 15, the combination of Cummins and Kung discloses observing communications among the workloads under the current segmentation policy to generate a traffic flow graph (Cummins, paragraph 54, shows network traffic flows); generating a modified segmentation policy based on the vulnerability exposure scores, the traffic flow graph, and configuration settings, wherein the modified segmentation policy reduces exposure to the vulnerabilities relative to the current segmentation policy (Cummins, paragraph 57, specifies change to map); generating management instructions based on the modified segmentation policy to enforce the modified segmentation policy (Cummins, paragraph 57, determines changes to configurations); and sending the management instructions to operating system instances executing the workloads (Cummins, paragraph 59, transmits command sets to devices).
Regarding claim 16, Cummins discloses a processing server for generating vulnerability information relating to workloads executing on one or more processing devices in a segmented computing environment within an administrative domain, the processing server comprising: one or more processors; and a non-transitory computer-readable storage medium storing instructions that when executed by the one or more processors cause the one or more processors to perform steps including: obtaining a current segmentation policy for the workloads executing on the one or more processing devices in the segmented computing environment (paragraph 28, accesses each security appliance for security configuration); identifying vulnerabilities associated with respective ports of the workloads (paragraph 47, uses vulnerability scanner, and paragraph 33, network ports defined in configuration file); generating a vulnerability exposure score for one port of the respective ports, wherein the vulnerability exposure score represents a measure of exposure to the vulnerabilities based on the current segmentation policy applicable to the one port (paragraph 44, each node has security sensitivity value, and paragraph 47, collects vulnerability information and descriptions, and CVE data); generating a presentation of vulnerability exposure information based on the vulnerability exposure scores (paragraph 51, generates visual representation of security configuration); and outputting the presentation of the vulnerability exposure information (paragraph 51, visual representation is displayed map).
Cummins does not explicitly state wherein the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and wherein the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy.  However, using such label sets with security policies was well known in the art as evidenced by Kung.  Since the inventions encompass the same field of endeavor it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system of Cummins by adding the ability that the current segmentation policy comprises a set of label-based rules that indicate permitted connectivity among the workloads based on respective label sets associated with the workloads and that the vulnerability exposure score is based on the permitted connectivity under the rules of the current segmentation policy as provided by Kung (see paragraphs 205 and 206, security policies use tags to enforce segmentation).  One of ordinary skill in the art would have recognized the benefit that enforcing such network security policies would assist in controlling communications to and from workload units of applications running on different nodes (see Kung, paragraph 8).
Regarding claim 17, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: aggregating, for workloads within a tier, the vulnerability exposure scores for each port number to generate port number scores for each port number; and generating a ranked list of port numbers based on the port number scores (Cummins, paragraph 42, determines security enclaves, and paragraph 25, security sensitivity values specify ranking corresponding to security policy).
Regarding claim 18, the combination of Cummins and Kung discloses wherein generating the presentation of the vulnerability exposure information comprises: identifying tiers of workloads, each of the tiers comprising a group of workloads having common label values across two or more label dimensions (Cummins, paragraph 42, determines security enclaves, and Kung, paragraph 205, tags indicate development, staging, production, etc.); aggregating the vulnerability exposure scores across workloads in each of the tiers to generate tier-level scores for each of the tiers (Cummins, paragraph 44, security sensitivity values); generating a representation of a tier-level segmentation policy graph comprising nodes representing the tiers and edges representing connectivity between workloads in different ones of the tiers (Cummins, paragraph 52, icons represent nodes, and paragraph 53, illustrates enclaves, and paragraph 54, lines represent traffic flows); and associating the tier-level scores with corresponding nodes in the tier-level segmentation policy graph (Cummins, paragraph 52, icons positioned on map based on security sensitivity values).
Regarding claim 19, the combination of Cummins and Kung discloses wherein determining the exposure scores comprises: identifying an external network permitted to connect to a particular port under the current segmentation policy; obtaining a predefined score associated with the external network; and generating an exposure score for the particular port based in part on the predefined score associated with the external network (Cummins, paragraph 56, determines access via external network, and paragraph 47, CVE data).
Regarding claim 20, the combination of Cummins and Kung discloses wherein determining the exposure scores comprises: identifying an exposure score for a connecting port permitted to connect to a particular port under the current segmentation policy; and generating the exposure score for the particular port based in part on the exposure score for the connecting port (Cummins, paragraph 55, determines all network traffic flows, and paragraph 45, traffic flow defined by connecting ports, and paragraph 47, CVE data).
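The following is an added illustration, not code from this Office action, the applicant, Cummins or Kung: a small label-based segmentation model of the kind described in the rejections of claims 1-10 and their mirrors in claims 11-20. It evaluates label-based rules to find the permitted connectivity for each port, splits a port's exposure into intra-group, inter-group and external components (claims 5 and 10), aggregates scores across tiers defined by common label values (claim 3), ranks port numbers within a tier (claim 2) and derives tier-level graph edges (claim 3). Every workload, label, rule, severity value and external-network weight is constructed sample data, and the scoring formula itself is an assumption chosen for illustration rather than any method of the application or the references.

```python
"""Added example: label-based segmentation policy with per-port vulnerability
exposure scores. All data below is constructed; the formula is an assumption."""
from collections import defaultdict
from dataclasses import dataclass

# Predefined per-external-network scores (claim 5); constructed values.
EXTERNAL_SCORES = {"internet": 10.0, "corp-vpn": 3.0}


@dataclass
class Workload:
    name: str
    labels: dict  # label dimension -> value, e.g. {"role": "web", "env": "prod"}


@dataclass
class Rule:
    """Permit consumers matching consumer_sel to reach providers matching
    provider_sel on port. If external is set, the consumer is that external
    network rather than a workload. An empty selector matches everything."""
    provider_sel: dict
    consumer_sel: dict
    port: int
    external: str = ""


def matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.items())


def tier_of(workload, dims):
    """Tier = workloads sharing label values across the given dimensions (claim 3)."""
    return tuple(workload.labels.get(d) for d in dims)


def exposure_score(target, port, workloads, rules, vulns, group_dim="env"):
    """Intra-group, inter-group, external and total exposure of one port
    (claim 10), driven only by what the rules permit, not by observed traffic.
    Assumed formula: each permitted peer adds the port's severity; each
    permitted external network adds severity times its predefined score."""
    severity = vulns.get((target.name, port), 0.0)
    intra = inter = 0.0
    peers, externals = {}, set()
    for rule in rules:
        if rule.port != port or not matches(rule.provider_sel, target.labels):
            continue
        if rule.external:
            externals.add(rule.external)
            continue
        for peer in workloads:
            if peer.name != target.name and matches(rule.consumer_sel, peer.labels):
                peers[peer.name] = peer  # dedupe peers allowed by overlapping rules
    for peer in peers.values():
        if peer.labels.get(group_dim) == target.labels.get(group_dim):
            intra += severity
        else:
            inter += severity
    external = sum(severity * EXTERNAL_SCORES.get(n, 0.0) for n in externals)
    return {"intra": intra, "inter": inter, "external": external,
            "total": intra + inter + external}


def score_all(workloads, rules, vulns):
    """Exposure scores for every (workload, port) with a known vulnerability."""
    by_name = {w.name: w for w in workloads}
    return {(n, p): exposure_score(by_name[n], p, workloads, rules, vulns)
            for (n, p) in vulns if n in by_name}


def tier_scores(workloads, scores, dims=("role", "env")):
    """Aggregate total scores across the workloads of each tier (claim 3)."""
    by_name = {w.name: w for w in workloads}
    totals = defaultdict(float)
    for (n, _port), s in scores.items():
        totals[tier_of(by_name[n], dims)] += s["total"]
    return dict(totals)


def ranked_ports(workloads, scores, tier, dims=("role", "env")):
    """Per-port-number scores within one tier, highest first (claim 2)."""
    by_name = {w.name: w for w in workloads}
    per_port = defaultdict(float)
    for (n, port), s in scores.items():
        if tier_of(by_name[n], dims) == tier:
            per_port[port] += s["total"]
    return sorted(per_port.items(), key=lambda kv: (-kv[1], kv[0]))


def tier_graph(workloads, rules, dims=("role", "env")):
    """Edges (consumer_tier, provider_tier, port) between distinct tiers (claim 3)."""
    edges = set()
    for rule in rules:
        if rule.external:
            continue
        for prov in (w for w in workloads if matches(rule.provider_sel, w.labels)):
            for cons in workloads:
                if cons.name != prov.name and matches(rule.consumer_sel, cons.labels):
                    t_c, t_p = tier_of(cons, dims), tier_of(prov, dims)
                    if t_c != t_p:
                        edges.add((t_c, t_p, rule.port))
    return edges


# Constructed sample environment (not real hosts, rules or CVE data).
WORKLOADS = [
    Workload("web-1", {"role": "web", "env": "prod"}),
    Workload("web-2", {"role": "web", "env": "prod"}),
    Workload("app-1", {"role": "app", "env": "prod"}),
    Workload("db-1", {"role": "db", "env": "prod"}),
    Workload("db-dev", {"role": "db", "env": "dev"}),
]
RULES = [
    Rule({"role": "web", "env": "prod"}, {}, 443, external="internet"),
    Rule({"role": "app", "env": "prod"}, {"role": "web", "env": "prod"}, 8080),
    Rule({"role": "db", "env": "prod"}, {"role": "app", "env": "prod"}, 5432),
    Rule({"role": "db"}, {"role": "db"}, 22),  # crosses the env boundary
]
VULNS = {("web-1", 443): 7.5, ("app-1", 8080): 9.8, ("db-1", 5432): 5.0,
         ("db-1", 22): 7.0, ("db-dev", 22): 7.0}  # (workload, port) -> severity

if __name__ == "__main__":
    scores = score_all(WORKLOADS, RULES, VULNS)
    for key, s in sorted(scores.items(), key=lambda kv: -kv[1]["total"]):
        print(key, s)
    print(tier_scores(WORKLOADS, scores))
    print(ranked_ports(WORKLOADS, scores, ("db", "prod")))
    print(sorted(tier_graph(WORKLOADS, RULES)))
```

In the sample data the internet-facing port 443 on the prod web tier scores highest purely because an external network with a large predefined weight is permitted to reach it, while the SSH port on the db workloads scores only inter-group exposure because the only rule for port 22 crosses the env boundary; changing the rules, not the vulnerability list, is what moves these scores, which is the point of tying the score to the current segmentation policy.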

Double Patenting
8.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
9.	Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent Number 11,075,936.  Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the present application represent a somewhat broader embodiment of the claims of the patent.

Conclusion
10.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Komarek et al. (U.S. Patent Application Publication Number 2019/0020671) disclosed techniques for determining malware infection based on per-flow vectors.
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Victor Lesniewski whose telephone number is (571)272-2812. The examiner can normally be reached Monday through Friday, 9am to 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin, can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Victor Lesniewski/Primary Examiner, Art Unit 2493