DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-18 are pending in this application.
IDS submitted on 09/02/2021 and 03/15/2022 have been considered.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-18 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 11,057,433 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-18 of U.S. Patent No. US 11,057,433 B2 contains every element of claims 1-18 of the instant application and thus anticipate the claims of the instant application (see Claim Comparison Table below).


Instant application 17/336,724
Patent No.: US 11,057,433 B2
1. A method of controlling data connections of an application program, the method comprising: 
establishing a service definition for the application program; 

establishing definitions of allowed connections; 

storing the service definition and the definitions of allowed connections in an application service registry; 

embedding the definitions of allowed connections as metadata into a source code for the application program; 

automatically deriving firewall rules from the metadata by 



extracting the metadata that corresponds to each of a plurality of communication endpoints to determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; 



automatically deriving an allowed application data listing from the metadata; and 
configuring an application interface manager using the allowed application data listing.
1. A method of controlling data connections of an application program, the method comprising: 
establishing a service definition for the application program corresponding to an application development phase; establishing definitions of allowed connections; 

storing the service definition and the definitions of allowed connections in an application service registry; 

embedding the definitions of allowed connections as metadata into a source code for the application program; 

automatically deriving firewall rules from the metadata by, identifying a plurality of communication endpoints, the plurality of communication endpoints including the application program; extracting the metadata corresponding to each of the plurality of communication endpoints; and determining whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; 



automatically deriving an allowed application data listing from the metadata; and 
configuring an application interface manager using the allowed application data listing
2. The method of claim 1, wherein the definitions of allowed connections are also embedded as metadata in a corresponding application program.
2. The method of claim 1, wherein the definitions of allowed connections are also embedded as metadata in a corresponding application program.
3. The method of claim 2, further comprising creating a definition of data publications and data sources and wherein a databook is created that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.
3. The method of claim 2, further comprising creating a definition of data publications and data sources and wherein a databook is created that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.
4. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application types to which an application program is permitted to communicate.
4. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application types to which an application program is permitted to communicate.
5. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application environments to which the application program is permitted to communicate.
5. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying application environments to which the application program is permitted to communicate.
6. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying ports through which the application program is permitted to communicate.
6. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises identifying ports through which the application program is permitted to communicate.
7. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate.
7. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate.
8. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.
8. The method of claim 1, wherein the step of establishing definitions of allowed connections comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.
9. The method of claim 1, further comprising the steps of: comparing an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and recording each attempt to access a connection that is not included in the definition of allowed connections.
9. The method of claim 1, further comprising the steps of: comparing an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and recording each attempt to access a connection that is not included in the definition of allowed connections.
10. A system for automatically regulating data connections of an application program, the system comprising: 
an application service registry;
 
a source data repository in communication with the application service registry; 

{P6331104821220.DOCX}13P63311 the application service registry comprising software instructions that when executed by a first processor cause the first processor to: 
extract metadata information pertaining to permitted application data connections; 

the source data repository comprising software instructions that when executed by a second processor, cause the second processor to: establish a software application requirements definition for the application program, 
the software application requirements definition comprises allowed connections with other applications and data sources; 

store the defmitions of allowed connections to a metadata document; 

embed the definitions of allowed connections as metadata into a source code for the application program; 

automatically establish firewall rules from the metadata by 



extracting the metadata that corresponds to each of a plurality of communication endpoints to determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; 

automatically establish an allowed application data listing from the metadata; and 
configure an application interface manager using the allowed application data listing.
10. A system for automatically regulating data connections of an application program, the system comprising: 
an application service registry; 

a source data repository in communication with the application service registry; 

the application service registry comprising software instructions that when executed by a first processor cause the first processor to: 
extract metadata information pertaining to permitted application data connections; 

the source data repository comprising software instructions that when executed by a second processor, cause the second processor to: establish a software application requirements definition for the application program corresponding to an application development phase, the software application requirements definition comprises allowed connections with other applications and data sources; 
store the definitions of allowed connections to a metadata document; 

embed the definitions of allowed connections as metadata into a source code for the application program; 

automatically establish firewall rules from the metadata to, identify a plurality of communication endpoints, the plurality of communication endpoints including the application program; 
extract the metadata corresponding to each of the plurality of communication endpoints; and determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; 


automatically establish an allowed application data listing from the metadata; and 
configure an application interface manager using the allowed application data listing.
11. The system of claim 10, further comprising software instructions that cause the second processor to create a definition of data publications and data sources.
11. The system of claim 10, further comprising software instructions that cause the second processor to create a definition of data publications and data sources.
12. The system of claim 10, further comprising software instructions that cause the second processor to create a databook that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.
12. The system of claim 10, further comprising software instructions that cause the second processor to create a databook that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources.
13. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying allowed connections with other applications and data sources.
13. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying allowed connections with other applications and data sources.
14. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying application environments to which the application program is permitted to communicate.
14. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises identifying application environments to which the application program is permitted to communicate.
15. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining ports through which the application program is permitted to communicate.
15. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining ports through which the application program is permitted to communicate.
16. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining geographic locations from which the application program is permitted to communicate.
16. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining geographic locations from which the application program is permitted to communicate.
17. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.
17. The system of claim 10, wherein the step of establishing a software application requirements definition further comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program.
18. The system of claim 10, further comprising an application interface manager, the application interface manager comprising software instructions that when executed by the application interface manager cause the application interface manager to: compare an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and {P6331104821220.DOCX}15P63311 record access attempts to connections that are not including in the definition of allowed connections.
18. The system of claim 10, further comprising an application interface manager, the application interface manager comprising software instructions that when executed by the application interface manager cause the application interface manager to: compare an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and record access attempts to connections that are not including in the definition of allowed connections.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 10-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because a system or an apparatus claim should always claim the structure or the hardware that performs the functions. Claim 10 has limitations consists of software that do not describe the structure of a hardware. Claim 10 recites service registry, data repository and software instructions which may be implemented as software/signals. 
Claims 11-18 are dependent from claim 10 and do not cure the deficiencies of claim 10.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8-15, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Manring et al. (US 2011/0247074 A1) (hereinafter, “Manring”) in view of Woolward (US 2017/0279770 A1).

As to claim 1, Manring discloses a method of controlling data connections of an application program, the method comprising: 
establishing a service definition for the application program ("The metadata may be used to control the access and security settings of the file and to require that only an approved method of gaining access to the file, or any of the file's contents, is used, and that the method and use of the file is in accord with the access and security parameter definitions in the metadata which embody the corporate policy” –e.g. see, [0007]); 
establishing definitions of allowed connections ("… the security management facility 122 may provide for network access control, which may provide control over network connections,'' –e.g. see, [0025], see also, [0007]); 
storing the service definition and the definitions of allowed connections in an application service registry ("a metadata agent 206 may be associated with a threat management facility 100, policy management facility 112, and/or client device 144 (such as a desktop or some other type of computer facility), as described herein. The metadata agent 206 may be able to read, create, alter, store, and/or analyze metadata 204 that is associated with a software file 202 A file 202 may include, but is not limited to a document, image, text, program file (e.g., and ".exe" file), a registry file, or some other type of software file," –e.g. see, [0062]); 
embedding the definitions of allowed connections as metadata into a source code for the application program (''The metadata may be stored in association with the file, appended to the file, linked to the file in a database or plurality of databases (including a remote database or plurality of databases), or otherwise encoded to relate to the file in such a manner that the metadata and its related file may be read together or near simultaneously," –e.g. see, [0007], see also, [0025], [0062]); 
configuring an application interface manager using the allowed application data listing ("the threat management facility 100 may provide configuration management, which may be similar to policy management, but may specifically examine the configuration set of applications, operating systems, hardware, and the like, and managing changes to their configurations," –e.g. see, [0032]).  
Manring may not explicitly disclose automatically deriving firewall rules from the metadata by extracting the metadata that corresponds to each of a plurality of communication endpoints to determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata; 
automatically deriving an allowed application data listing from the metadata; 
However, in an analogous art, Woolward discloses automatically deriving firewall rules from the metadata by extracting the metadata that corresponds to each of a plurality of communication endpoints to determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata ("determining an application or service performed by the deployed container from the received metadata by processing data packets to identify the determined application or service; retrieving at least one model using the determined application or service, the at least one model identifying expected network communications behavior of the deployed container; generating a high-level declarative security policy associated with the deployed container using the at least one model, the high-level declarative security policy indicating at least an application or service with which the deployed container is permitted to communicate; producing a low-level firewall rule set using the high-level declarative security policy; and applying the low-level firewall rule set to data network traffic," –e.g. see, [0005]); 
automatically deriving an allowed application data listing from the metadata (" Firewalls control incoming and outgoing network traffic using a rule set. A rule, for example, allows a connection to a specific (Internet Protocol (IP)) address, allows a connection to a specific (IP) address if the connection is secured (e.g., using Internet Protocol security (IPsec)), blocks a connection to a specific (IP) address, redirects a connection from one IP address to another IP address, logs communications to and/or from a specific IP address, and the like. A firewall rule at a low level of abstraction may indicate a specific (IP) address and protocol to which connections are allowed and/or not allowed," –e.g. see, [0017], see also, [0005]); 
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Manring with the teaching of Woolward to include “automatically deriving firewall rules from the metadata by extracting the metadata that corresponds to each of a plurality of communication endpoints to determine whether a connection between each of the plurality of communication endpoints is permitted based on a comparison of the extracted metadata” in order to uniquely identify an end user device in a multiuser system by authenticating the end user device in a secure manner before permitting access.

As to claim 10, it is rejected using the similar rationale as for the rejection of claim 1. Furthermore, Manring discloses an application service registry (Manring: [0062]; herein a registry file); a source data repository in communication with the application service registry (Manring: [0007]; herein, appended to the file, linked to the file in a database or plurality of databases (including a remote database or plurality of databases)); {P6331104821220.DOCX}13P63311

As to claims 2 and 11, the combination of Manring and Woolward disclose wherein the definitions of allowed connections are also embedded as metadata in a corresponding application program (Manring: ''The metadata may be stored in association with the file, appended to the file, linked to the file in a database or plurality of databases (including a remote database or plurality of databases), or otherwise encoded to relate to the file in such a manner that the metadata and its related file may be read together or near simultaneously,'' –e.g. see, Manring: [0007]).  

As to claims 3 and 12, the combination of Manring and Woolward disclose further comprising creating a definition of data publications and data sources and wherein a databook is created that comprises definitions of critical data elements and data sourcing rules derived from the definition of data publications and data sources (Manring: “The policy management facility 112 may include a database. a text file, a combination of databases and text files, or the like. In an embodiment, a policy database may be a block list, a black list, an allowed list, a white list, or the like that may provide a list of enterprise facility 102 external network locations/applications that may or may not be accessed by the client facility 144. The policy management facility 112 may include rules that may be interpreted with respect to an enterprise facility 102 network access request to determine if the request should be allowed. The rules may provide a generic rule for the type of access that may be granted; the rules may be related to the policies of an enterprise facility 102 for access rights for the enterprise facility's 102 client facility 144. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility 144, a security facility may access the rules within a policy facility to determine if the requested access is related to a sporting website. In an embodiment, the security facility may analyze the requested website to determine if the website matches with any of the policy facility rules," –e.g. see, Manring: [0030]).  

As to claims 4 and 13, the combination of Manring and Woolward disclose wherein the step of establishing definitions of allowed connections comprises identifying application types to which an application program is permitted to communicate (Manring: "The policies may be defined for application type, subset of application capabilities, organization hierarchy, computer facility type, user type, network location, time of day, connection type, or the like,"-e.g. see, Manring: [0031]).  

As to claims 5 and 14, the combination of Manring and Woolward disclose wherein the step of establishing definitions of allowed connections comprises identifying application environments to which the application program is permitted to communicate ("The rules may provide a generic rule for the type of access that may be granted; the rules may be related to the policies of an enterprise facility 102 for access rights for the enterprise facility's 102 client facility 144. For example, there may be a rule that does not permit access to sporting websites. When a website is requested by the client facility 144, a security facility may access the rules within a policy facility to determine if the requested access is related to a sporting website. In an embodiment, the security facility may analyze the requested website to determine if the website matches with any of the policy facility rules,"-e.g. see, Manring: [0030]).  

As to claims 6 and 15, the combination of Manring and Woolward disclose wherein the step of establishing definitions of allowed connections comprises identifying ports through which the application program is permitted to communicate ("The action may be one or more of continuing to block all requests to a denied network location, a malicious code scan on the application, a malicious code scan on the client facility 144, quarantine of the application, terminating the application, isolation of the application, isolation of the client facility 144 to a location within the network that restricts network access. blocking a network access port from a client facility 144, reporting the application to a administration facility 134, or the like," –e.g. see, Manring: [0042]).  

As to claims 8 and 17, the combination of Manring and Woolward disclose wherein the step of establishing definitions of allowed connections comprises defining at least one data type from among an environmental variable, a location variable, a confidentiality variable, and a regulatory and compliance variable that may be communicated from the application program (Manring: "The policies may be defined for application type, subset of application capabilities, organization hierarchy, computer facility type, user type, network location, time of day, connection type, or the like,"-e.g. see, Manring: [0031]).  

As to claims 9 and 18, the combination of Manring and Woolward disclose further comprising the steps of: comparing an attempt to access a connection by an application program running in a test environment with the definitions of allowed connections; and recording each attempt to access a connection that is not included in the definition of allowed connections ("Verifying that the threat management facility 100 is detecting threats and violations to established policy, may require the ability to test the system, either at the system level or for a particular computing component. The testing facility 118 may allow the administration facility 134 to coordinate the testing of the security configurations of client facility 144 computing facilities on a network. The administration facility 134 may be able to send test files to a set of client facility 144 computing facilities to test the ability of the client facility 144 to determine acceptability of the test file. After the test file has been transmitted, a recording facility may record the actions taken by the client facility 144 in reaction to the test file. The recording facility may aggregate the testing information from the client facility 144 and report the testing information to the administration facility 134. The administration facility 134 may be able to determine the level of preparedness of the client facility 144 computing facilities by the reported information,"-e.g. see, Manring: [0044], see also, claim 25).  


Claims 7 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Manring in view of Woolward and further in view of Qureshi et al. (US 2014/0007048 A1) (hereinafter, “Qureshi”).

As to claims 7 and 16, neither Manring nor Woolward explicitly disclose wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate. 
However, in an analogous art, Qureshi discloses wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate ("..the enterprise agent 320 can be configured to filter out those application-generated communications that meet predefined and/or configurable criteria. Such criteria can include, for example, any one or more of the following, as well as various other criteria: (1) the URL (e.g., of the enterprise system 110, or of web sites whose access is restricted by the enterprise), (2) server port(s) to which an application 318 attempts to send the request, (3) data regarding the application that issues the request (e.g., name, version, etc.), (4) time of day, (5) day of the week, and/or (6) geographic location of the mobile device 120," –e.g. see, Qureshi: [0182]).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Manring and Woolward with the teaching of Qureshi to include “wherein the step of establishing definitions of allowed connections comprises defining geographic locations with which the application program is permitted to communicate” in order to provide users benefit from systems and methods adapted for geography-based security rules, because such systems and methods allow for allowing or disallowing connections based on the geographic location of a running application.

Conclusion


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495                                                                                                                                                                                                        
/Jeremy S Duffield/Primary Examiner, Art Unit 2498