Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-3, 5, 10-11, 14 and 16 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Bitdefender IPR Management LTD, WO 2020/229707.

Regarding claim 1, Bitdefender discloses a domain name service (DNS) method, comprising: 
by the DNS, receiving a name resolution request from a client computing device (paragraph 0042: DNS proxy, receive DNS query); and 
by the DNS, providing a nonce to the client computing device (0044: provide a dummy IP address from the pool, instead of the actual IP address), wherein a service is configured to authorize a connection request from the client computing device based at least in part on processing the nonce (Fig. 8 and 0046: When such a communication is detected (steps 242-244), a step 246 determines whether the destination IP address of the respective communication matches any of the list of dummy IP addresses maintained by security application 54.).

Regarding claim 2, Bitdefender further discloses the method of claim 1, wherein the service is an intermediate service that is configured to authorize the connection request from the client computing device to a destination service based at least in part on processing the nonce (0047: If yes, indicating that the respective communication was selected for security processing, a step 248 performs some security actions according to the respective communication. Exemplary security actions include determining a set of metadata comprising, for instance, a real destination IP address associated with the respective dummy address).

Regarding claim 3, Bitdefender further discloses the method of claim 2, wherein the intermediate service is configured to perform a network security function (0043: When the intercepted DNS message is a reply, a step 220 parses the message to determine whether it is flagged or not, i.e., whether it contains a service activation flag, and whether the value of the flag indicates that a security service is active for the respective client device 10.).

Regarding claim 5, Bitdefender further discloses the method of claim 1, wherein the service is a destination service that is configured to authorize the connection request from the client computing device to the destination service based at least in part on processing the nonce (0006: to intercept an electronic communication directed towards a destination IP address, to determine whether the destination IP address matches the dummy IP address, and in response to determining whether the destination IP address matches the dummy IP address).

Regarding claim 10, Bitdefender further discloses a method of validating a connection request from a client computing device, comprising operations of: receiving the connection request, the connection request including a nonce (0044: provide a dummy IP address from the pool, instead of the actual IP address); determining that the nonce is valid (fig. 8, step 246, determine IP address matches a dummy); based at least in part on determining that the nonce is valid, authorizing the connection request; and disabling the nonce (Fig. 8, 252: replaces dummy IP address with associated real IP access).

Regarding claim 11, Bitdefender further discloses the method of claim 10, wherein: the connection request is a request to connect to a destination service; and the determining operation and the authorizing operation are performed by an intermediate service that is intermediate to the client computing device and the destination service (0006: an electronic communication directed towards a destination IP address, to determine whether the destination IP address matches the dummy IP address, and in response to determining whether the destination IP address matches the dummy IP address, if the destination IP address matches the dummy IP address, to perform a computer security procedure according to the electronic communication).

Regarding claim 14, Bitdefender further discloses the method of claim 10, wherein: the connection request is a request to connect to a destination service; and the determining operation and the authorizing operation are performed by the destination service (0006: an electronic communication directed towards a destination IP address, to determine whether the destination IP address matches the dummy IP address, and in response to determining whether the destination IP address matches the dummy IP address, if the destination IP address matches the dummy IP address, to perform a computer security procedure according to the electronic communication).

As per claim 16, this is a domain name service version of the claimed method discussed above in claims 1-3, 5, 10-11, 14 and 16 wherein all claimed limitations have also been addressed and/or cited as set forth above.
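The mechanism the rejection maps onto claims 1 and 10, sketched as an added illustration that is not code from the application or from the Bitdefender reference: a DNS proxy answers a name resolution request with a dummy address drawn from a pool in place of the real one (the nonce), and the in-path security service authorizes a connection only when its destination matches an outstanding dummy address, recovers the real destination, and then disables that nonce. The host names, addresses and pool size are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (not from the application or the reference):
# real addresses the DNS proxy would normally return, and a small private
# pool of dummy addresses it hands out instead.
REAL_ADDRESSES = {"app.example": "203.0.113.10", "files.example": "203.0.113.20"}
DUMMY_POOL = [str(ip) for ip in ipaddress.ip_network("10.255.0.0/30").hosts()]  # .1 and .2


@dataclass
class NonceTable:
    """State shared by the DNS proxy and the security service:
    dummy IP -> real IP for every nonce that is still valid."""
    active: dict = field(default_factory=dict)
    free: list = field(default_factory=lambda: list(DUMMY_POOL))


class DnsProxy:
    """Receives a name resolution request and answers with a dummy IP (the nonce)."""

    def __init__(self, table: NonceTable):
        self.table = table

    def resolve(self, name: str) -> str:
        real = REAL_ADDRESSES[name]  # KeyError for a name the proxy does not protect
        if not self.table.free:
            raise RuntimeError("dummy pool exhausted")
        dummy = self.table.free.pop(0)
        self.table.active[dummy] = real  # remember which real host this nonce stands for
        return dummy


class SecurityGateway:
    """Intermediate service: authorizes a connection request only if its
    destination matches a valid nonce, then disables that nonce."""

    def __init__(self, table: NonceTable):
        self.table = table

    def authorize(self, dest_ip: str):
        # Validate and disable in one step: a dummy address is usable exactly once.
        real = self.table.active.pop(dest_ip, None)
        if real is None:
            return None  # unknown, or already consumed, nonce: not authorized
        self.table.free.append(dest_ip)  # the dummy address returns to the pool
        return real  # metadata for the security action: the real destination
```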
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 4, 6-9, 12-13, 15 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bitdefender as applied to claim 1 above, and further in view of Goldschlag et al, US 2020/0162431.

Regarding claims 4 and 12, Bitdefender lacks or does not expressly disclose VPC. However, Goldschlag discloses wherein the service is one of a virtual private cloud (VPC) ingress point or a load balancer (paragraph 0081: an AWS service includes one or more Virtual Private Cloud (VPC) service resources, each of which are subject to the same or different sets of policy-based access policy elements.). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bitdefender with Goldschlag to include VPC in order to determine which client devices are granted policy based access, as taught by Goldschlag, paragraph 0081.

Regarding claims 6-7, 13, and 17-18, Bitdefender lacks or does not expressly disclose a security policy. However, Goldschlag discloses by the DNS, determining at least a first enterprise security policy associated with a combination of the client computing device and the connection request (fig. 2 and paragraph 0025: the name and/or network address of the ARS is provided to the endpoint by a policy component such as a policy cache or policy store. In some implementations, the name provided is resolved using a directory service such as DNS. Also see paragraph 0134); and based at least in part on receiving the name resolution request, providing a response to the client computing device, the response including a routing part and a nonce part, the nonce part corresponding to the at least the first enterprise security policy (0148: the router/filter component applies filtering policy elements to packets received from client VPN concentrator (130a) including, for example, policy specified filtering policy elements and other filtering policy elements such as nonce-based); wherein determining the at least the first enterprise security policy includes interacting with an enterprise policy service (0148: the router/filter retrieves packet filtering policy elements encoded as service policy elements from the policy cache (110)). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bitdefender with Goldschlag to include a security policy in order to determine which client devices are granted policy based access, as taught by Goldschlag, paragraph 0081.

Regarding claims 8 and 19, Bitdefender lacks or does not expressly disclose a security policy name resolution request is a first name resolution request, the service is a first protected service, and the routing part is a first routing part that indicates an intermediate service that is intermediate to the first protected service from the client computing device, the method further comprising: by the domain name service, receiving a second name resolution request from the client computing device, the second name resolution request including a name of a second protected service; by the DNS, determining at least a second enterprise security policy associated with a combination of the client computing device and the second protected service; and based at least in part on receiving the second name resolution request, providing a response to the client computing device for accessing the second protected service, the response including a second routing part and a second nonce part, the second nonce part corresponding to the at least the second enterprise security policy and the second routing part corresponding to the second protected service (0006: Once authenticated, the client and the enterprise service communicate freely. The client computer repeats these steps in order to connect with a second enterprise service, where the second enterprise service protection systems are typically different than the first enterprise service protection system and the requirements imposed on the client computer typically also differ. In some cases, the requirements imposed by the two enterprise resource systems are mutually exclusive, preventing the client computer from connecting to one or the other of the enterprise services. 0047: a first enterprise service that requires a first access policy, and a second enterprise service that requires a second access policy, where the two policies are disjoint and possibly contradictory.).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bitdefender with Goldschlag to include a security policy in order to determine which client devices are granted policy based access, as taught by Goldschlag, paragraph 0081.

Regarding claims 9, 15 and 20, Bitdefender lacks or does not expressly disclose IPv6. However, Goldschlag discloses wherein: by the DNS, providing the nonce to the client computing device includes providing the nonce to the client as a part of an IPv6 address (0074: low level network connections between the client device(s), ARS(s), and enterprise resource services are made using standard networking, for example, TCP/IP based networking such as commonly found on the Internet. TCP/IP v4 and TCP/IP v6 may be used as desired.). It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Bitdefender with Goldschlag to include IPv6 in order to use low level network connections between devices, as taught by Goldschlag, paragraph 0074.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2021/0195409 to Zhang
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434
/TESHOME HAILU/Primary Examiner, Art Unit 2434