Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.		This Office Action is responsive to the preliminary amendment filed 4/21/2021.

Information Disclosure Statement
2.	The information disclosure statements (IDS) submitted on 08/23/2021, 11/16/2021, and 5/26/2022 were filed after the mailing date of the instant application. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Allowable Subject Matter
3.	Claims 28 and 38 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claims because the examined application claim is either anticipated by, or would have been obvious over, the reference claims. See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

5.	Claims 21, 27-32, and 37-40 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-4, 6, 10-12, 14, and 18 of US Patent No. 10,999,251, hereinafter ‘251. Although the claims at issue are not identical, they are not patentably distinct from each other because all limitations recited in claims 21, 27-32, and 37-40 of the instant application are encompassed by limitations recited in claims 1-4, 6, 10-12, 14, and 18 of ‘251 (see table below).


Instant Application 17/301,279 | Patent 10,999,251
(Comparison table, row by row: each instant-application claim is followed by the corresponding claim of ‘251.)

Instant claim 21. A method comprising:
receiving, by a policy controller for a computer network, traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network;
correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads;
generating, by the policy controller and from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads;
generating, by the policy controller and based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and
distributing, by the policy controller, the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.

Patent claim 1. A method comprising:
receiving, by a policy controller for a computer network, traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network;
correlating, by the policy controller and based on one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads;
generating, by the policy controller and based on the session records of traffic statistics for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and
distributing, by the policy controller, the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.

Instant claim 21 (cont.).
applying, by the policy controller, a clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads;

Patent claim 6. The method of claim 1, wherein correlating, based on the one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads comprises:
applying, by the policy controller, a clustering algorithm to identify which traffic flows of the plurality of traffic flows correspond to application workloads of the plurality of application workloads; and

Instant claim 27.
one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied.

Patent claim 1 (cont.).
one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied.

Instant claim 28. The method of claim 21, wherein receiving the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads comprises receiving, from a first set of virtual router agents for the first set of one or more computing devices, the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, and wherein distributing the one or more application firewall policies to the second set of one or more computing devices for application to the traffic flows among the second instances of the plurality of application workloads comprises distributing, to a second set of virtual router agents for the second set of one or more computing devices, the one or more application firewall policies for application to the traffic flows among the second instances of the plurality of application workloads.

Patent claim 2. The method of claim 1, wherein receiving the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads comprises receiving, from a first set of virtual router agents for the first set of one or more computing devices, the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, and wherein distributing the one or more application firewall policies to the second set of one or more computing devices for application to traffic flows among the second instances of the plurality of application workloads comprises distributing the one or more application firewall policies to a second set of virtual router agents for the second set of one or more computing devices for application to the traffic flows among the second instances of the plurality of application workloads.

Instant claim 29. The method of claim 28, further comprising applying, by the second set of virtual router agents, the one or more application firewall policies to the traffic flows among the second instances of the plurality of application workloads to at least one of allow or deny at least one traffic flow.

Patent claim 3. The method of claim 2, further comprising applying, by the second set of virtual router agents, the one or more application firewall policies to the traffic flows among the second instances of the plurality of application workloads to at least one of allow or deny at least one traffic flow.

Instant claim 30. The method of claim 21, further comprising presenting, by the policy controller, the one or more application firewall policies for display to a user.

Patent claim 4. The method of claim 1, further comprising presenting, by the policy controller, the one or more application firewall policies for display to a user.

Instant claim 31. A policy controller for a computer network, the policy controller comprising processing circuitry and configured to:
receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network; apply a clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads; generate, from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads; generate, based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and distribute the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.

Patent claim 10. A policy controller of a computer network, wherein the policy controller comprises processing circuitry, and wherein the policy controller is configured to:
receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of the computer network; correlate, based on one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads; generate, based on the session records of traffic statistics for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and distribute the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.

Instant claim 32. The policy controller of claim 31, wherein to apply the clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads, the policy controller is configured to:
apply the clustering algorithm to identify at least one relationship between the traffic statistics for the plurality of traffic flows; and aggregate, based on the identified at least one relationship between the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads.

Patent claim 14. The policy controller of claim 10, wherein, to correlate, based on the one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads, the policy controller is further configured to:
apply a clustering algorithm to identify which traffic flows of the plurality of traffic flows correspond to application workloads of the plurality of application workloads; and correlate, based on the clustering algorithm and the one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads.

Instant claim 37. The policy controller of claim 31, wherein the one or more application firewall policies define whether traffic flows between interfaces of the application workloads of the plurality of application workloads tagged with the one or more tags for the plurality of application workloads are to be allowed or denied.

Patent claim 10 (cont.).
wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied.

Instant claim 38. The policy controller of claim 31, wherein to receive the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, the policy controller is configured to receive, from a first set of virtual router agents for the first set of one or more computing devices, the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, and wherein to distribute the one or more application firewall policies to the second set of one or more computing devices for application to the traffic flows among the second instances of the plurality of application workloads, the policy controller is configured to distribute, to a second set of virtual router agents for the second set of one or more computing devices, the one or more application firewall policies for application to the traffic flows among the second instances of the plurality of application workloads.

Patent claim 11. The policy controller of claim 10, wherein, to receive the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, the policy controller is further configured to receive, from a first set of virtual router agents for the first set of one or more computing devices, the traffic statistics for the plurality of traffic flows among the first instances of the plurality of application workloads, and wherein, to distribute the one or more application firewall policies to the second set of one or more computing devices for application to traffic flows among the second instances of the plurality of application workloads, the policy controller is further configured to distribute the one or more application firewall policies to a second set of virtual router agents for the second set of one or more computing devices for application to the traffic flows among the second instances of the plurality of application workloads.

Instant claim 39. The policy controller of claim 31, further configured to present the one or more application firewall policies for display to a user.

Patent claim 12. The policy controller of claim 10, wherein the policy controller is further configured to present the one or more application firewall policies for display to a user.

Instant claim 40. A non-transitory, computer-readable medium comprising instructions that, when executed, are configured to cause processing circuitry to execute a policy controller for a computer network, the policy controller configured to: receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network; apply a clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads; generate, from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads; generate, based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and distribute the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.

Patent claim 18. A non-transitory computer-readable medium comprising instructions that, when executed, cause processing circuitry executing a policy controller for a computer network to: receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads, the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network; correlate, based on one or more tags specified by the traffic statistics for the plurality of traffic flows, the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads; generate, based on the session records of traffic statistics for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads, wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied; and distribute the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads, the second instances of the plurality of application workloads executed by the second set of one or more computing devices, wherein the second set of one or more computing devices is different from the first set of one or more computing devices.



Claim Rejections – 35 USC 103
6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


7.	Claims 21-27, 30-37, and 39-40 are rejected under 35 U.S.C. 103 as being unpatentable over Bansal et al (US 2018/0176261) in view of Tiagi et al (US 2019/0180141).
Regarding claim 21, Bansal et al teaches a method comprising:
receiving, by a policy controller (fig. 1, ‘110) for a computer network, traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads (par [0057], lines 1-5 & par [0062], lines 6-10, which disclose monitoring and collecting network traffic flow data), the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network (par [0062], “workload VMs”); 
correlating the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads (par [0118], lines 1-6 & [0121], which disclose utilizing flow records for defining traffic patterns regarding data flow between various VM groups); 
generating, by the policy controller and from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads (par [0057], lines 8-14, par [0062], and par [0109], lines 1-6, which disclose implementing protocol types, security tags and firewall rules to associate with the various VM objects); 
generating, by the policy controller and based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads (par [0053], lines 10-13, & par [0055], which disclose implementing micro-segmentation policies/firewall rules correlating to analyzing network flow data), wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied (fig. 28, ‘2840 & par [0121], which discloses the firewall rules used to determine which defined traffic patterns are allowed and denied to be transmitted between nodes); and 
wherein the second set of one or more computing devices is different from the first set of one or more computing devices (par [0097], lines 1-10, which discloses applying the firewall rules to various network nodes, par [0128], lines 1-5, and par [0129], which disclose pairing flow records to different sets of clients that are grouped to a shared subnet and VLAN).
Bansal et al does not explicitly teach applying, by the policy controller, a clustering algorithm; distributing, by the policy controller, the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads; the second instances of the plurality of application workloads executed by the second set of one or more computing devices.
However, Tiagi et al teaches applying, by the policy controller, a clustering algorithm (par [0006], lines 1-5, which discloses applying a clustering algorithm);
distributing, by the policy controller, the one or more application firewall policies to a second set of one or more computing devices (par [0006], lines 12-18, which discloses applying a plurality of security and firewall policies to groups or clusters of a plurality of network nodes) for application to traffic flows among second instances of the plurality of application workloads (par [0043-0044], which discloses applying firewall rules to network traffic regarding traffic patterns associated with the node clusters); and 
the second instances of the plurality of application workloads executed by the second set of one or more computing devices (par [0040], which discloses the policies appended to the plurality of node clusters being applied based on applications and services associated with each node cluster).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al, as doing so would provide the predictable result of improving upon determining network traffic-related patterns by automatically identifying policies applied to network node clusters (as disclosed in par [0006], lines 16-18 of Tiagi et al), which would enhance data flow in Bansal et al by reducing the time required to determine the security policies appended to each group of nodes.
Regarding claim 22, Bansal et al teaches aggregating, based on the identified at least one relationship between the traffic statistics for the plurality of traffic flows (par [0053], lines 1-5, “flow collector”), the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads (par [0121], “flow record”).
Bansal et al does not explicitly teach wherein applying the clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads comprises: applying the clustering algorithm to identify at least one relationship between the traffic statistics for the plurality of traffic flows.
Tiagi et al further teaches wherein applying the clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads comprises: 
applying the clustering algorithm to identify at least one relationship between the traffic statistics for the plurality of traffic flows (par [0024], lines 7-8, “network traffic patterns are related to the different flows in the network”).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al according to the motivation previously addressed regarding claim 21.

Regarding claim 23, Bansal et al does not explicitly teach wherein the clustering algorithm comprises one of: a K-Means clustering algorithm; a Mean-Shift clustering algorithm; a Density-based Spatial Clustering of Applications with Noise (DBSCAN) clustering algorithm; an Expectation-Maximization (EM) clustering algorithm using Gaussian Mixture Models (GMM); or an Agglomerative Hierarchical clustering algorithm.
However, Tiagi et al teaches wherein the clustering algorithm comprises one of: 
a K-Means clustering algorithm (par [0006], lines 1-5); a Mean-Shift clustering algorithm; a Density-based Spatial Clustering of Applications with Noise (DBSCAN) clustering algorithm; an Expectation-Maximization (EM) clustering algorithm using Gaussian Mixture Models (GMM); or an Agglomerative Hierarchical clustering algorithm.
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al according to the motivation previously addressed regarding claim 21.

Regarding claim 24, Bansal et al and Tiagi et al teach the limitations disclosed in claim 21.
Bansal et al further teaches wherein the one or more tags specify a plurality of different object levels for the plurality of application workloads (par [0077], “hypervisor level”).

Regarding claim 25, Bansal et al and Tiagi et al teach the limitations disclosed in claim 24.
Bansal et al further teaches wherein the one or more tags specify one or more of: 
a global environment level for the plurality of application workloads; a project level for the plurality of application workloads; a virtual network level for the plurality of application workloads (par [0067], lines 9-11, “VNIC level”); a virtual machine level for the plurality of application workloads; or an interface level for the plurality of application workloads.

Regarding claim 26, Bansal et al and Tiagi et al teach the limitations disclosed in claim 21.
Bansal et al further teaches wherein generating, from the session records of traffic statistics for the plurality of application workloads, the one or more tags for the plurality of application workloads comprises:
 generating, from metadata of the session records of traffic statistics for the plurality of application workloads, the one or more tags for the plurality of application workloads (par [0109]).

Regarding claim 27, Bansal et al and Tiagi et al teach the limitations disclosed in claim 21.
Bansal et al further teaches wherein the one or more application firewall policies define whether traffic flows between interfaces of the application workloads of the plurality of application workloads tagged with the one or more tags for the plurality of application workloads are to be allowed (par [0097], lines 1-6, “allow, block, reject”, par [0109], & par [0121], “traffic pattern that is allowed between nodes”) or denied (par [0109] & [0121], “default deny policy”).

Regarding claim 30, Bansal et al and Tiagi et al teach the limitations disclosed in claim 21.
Bansal et al further teaches presenting, by the policy controller, the one or more application firewall policies for display to a user (par [0141], “display firewall rules”).

Regarding claim 31, Bansal et al teaches a policy controller (fig. 1, ‘110) for a computer network, the policy controller comprising circuitry (fig. 1) and configured to:
receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads (par [0057], lines 1-5 & par [0062], lines 6-10, which disclose monitoring and collecting network traffic flow data), the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network (par [0062], “workload VMs”); 
correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads (par [0118], lines 1-6 & [0121], which disclose utilizing flow records for defining traffic patterns regarding data flow between various VM groups); 
generate, from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads (par [0057], lines 8-14, par [0062], and par [0109], lines 1-6, which disclose implementing protocol types, security tags and firewall rules to associate with the various VM objects); 
generate, based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads (par [0053], lines 10-13, & par [0055], which disclose implementing micro-segmentation policies/firewall rules correlating to analyzing network flow data), wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied (fig. 28, ‘2840 & par [0121], which discloses the firewall rules used to determine which defined traffic patterns are allowed or denied between nodes); and 
wherein the second set of one or more computing devices is different from the first set of one or more computing devices (par [0097], lines 1-10, which discloses applying the firewall rules to various network nodes, par [0128], lines 1-5, and par [0129], which disclose pairing flow records to different sets of clients that are grouped to a shared subnet and VLAN).
Bansal et al does not explicitly teach applying a clustering algorithm; distributing the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads; the second instances of the plurality of application workloads executed by the second set of one or more computing devices.
However, Tiagi et al teaches applying a clustering algorithm (par [0006], lines 1-5, which discloses applying a clustering algorithm);
distributing the one or more application firewall policies to a second set of one or more computing devices (par [0006], lines 12-18, which discloses applying a plurality of security and firewall policies to groups or clusters of a plurality of network nodes) for application to traffic flows among second instances of the plurality of application workloads (par [0043-0044], which discloses applying firewall rules to network traffic regarding traffic patterns associated with the node clusters); and 
the second instances of the plurality of application workloads executed by the second set of one or more computing devices (par [0040], which discloses the policies appended to the plurality of node clusters being applied based on applications and services associated with each node cluster).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al, as doing so would provide the predictable result of improving the determination of network traffic-related patterns by automatically identifying policies applied to network node clusters (as disclosed in par [0006], lines 16-18 of Tiagi et al), which would enhance data flow in Bansal et al by reducing the time required to determine the security policies appended to each group of nodes.
Regarding claim 32, Bansal et al teaches aggregating, based on the identified at least one relationship between the traffic statistics for the plurality of traffic flows (par [0053], lines 1-5, “flow collector”), the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads (par [0121], “flow record”).
Bansal et al does not explicitly teach wherein, to apply the clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads, the policy controller is configured to: apply the clustering algorithm to identify at least one relationship between the traffic statistics for the plurality of traffic flows.
Tiagi et al further teaches wherein, to apply the clustering algorithm to correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads, the policy controller is configured to:
apply the clustering algorithm to identify at least one relationship between the traffic statistics for the plurality of traffic flows (par [0024], lines 7-8, “network traffic patterns are related to the different flows in the network”).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al according to the motivation previously addressed regarding claim 31.

Regarding claim 33, Bansal et al does not explicitly teach wherein the clustering algorithm comprises one of: a K-Means clustering algorithm; a Mean-Shift clustering algorithm; a Density-based Spatial Clustering of Applications with Noise (DBSCAN) clustering algorithm; an Expectation-Maximization (EM) clustering algorithm using Gaussian Mixture Models (GMM); or an Agglomerative Hierarchical clustering algorithm.
However, Tiagi et al teaches wherein the clustering algorithm comprises one of: 
a K-Means clustering algorithm (par [0006], lines 1-5); a Mean-Shift clustering algorithm; a Density-based Spatial Clustering of Applications with Noise (DBSCAN) clustering algorithm; an Expectation-Maximization (EM) clustering algorithm using Gaussian Mixture Models (GMM); or an Agglomerative Hierarchical clustering algorithm.
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al according to the motivation previously addressed regarding claim 31.
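The pipeline recited in claims 31 through 33 (correlate flows into session records, cluster workloads, derive tags, emit allow/deny policies over a default deny, then apply them to second instances of the workloads), sketched as an added Python example that is not part of this Office Action or of either cited reference. The flow records, workload names and the identical-profile grouping that stands in for a full clustering algorithm are constructed for illustration only.

```python
from collections import defaultdict

# Constructed flow records: (src_workload, dst_workload, dst_port, bytes).
FLOWS = [
    ("web-1", "app-1", 8080, 1200), ("web-2", "app-2", 8080, 900),
    ("app-1", "db-1", 5432, 4000), ("app-2", "db-1", 5432, 3100),
    ("web-1", "app-2", 8080, 700),
]

def correlate_sessions(flows):
    """Correlate per-flow statistics into session records keyed by (src, dst, port)."""
    sessions = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, port, nbytes in flows:
        sessions[(src, dst, port)]["flows"] += 1
        sessions[(src, dst, port)]["bytes"] += nbytes
    return dict(sessions)

def cluster_workloads(sessions):
    """Group workloads by service profile (ports served and ports called).
    Stand-in for the claimed clustering step: identical profiles share a cluster
    (equivalent to agglomerative clustering cut at distance zero)."""
    profile = defaultdict(set)
    for src, dst, port in sessions:
        profile[dst].add(("serves", port))
        profile[src].add(("calls", port))
    clusters = defaultdict(list)
    for workload, prof in profile.items():
        clusters[frozenset(prof)].append(workload)
    return clusters

def generate_tags(clusters):
    """One tag per cluster, named from the ports it serves ('client' if none)."""
    tags = {}
    for prof, members in clusters.items():
        served = sorted(p for kind, p in prof if kind == "serves")
        tag = "svc-" + "-".join(map(str, served)) if served else "client"
        tags.update((wl, tag) for wl in members)
    return tags

def generate_policies(sessions, tags):
    """Allow only the observed tag-to-tag flows; a final default-deny catches the rest."""
    allowed = sorted({(tags[s], tags[d], p) for (s, d, p) in sessions})
    rules = [{"src": a, "dst": b, "port": p, "action": "allow"} for a, b, p in allowed]
    return rules + [{"src": "*", "dst": "*", "port": "*", "action": "deny"}]

def evaluate(policies, tags, src, dst, port):
    """First-match evaluation as an enforcement point would apply it after distribution."""
    for r in policies:
        if (r["src"] in (tags.get(src), "*") and r["dst"] in (tags.get(dst), "*")
                and r["port"] in (port, "*")):
            return r["action"]
    return "deny"
```

Because policies are keyed by tag rather than by workload, a flow between a previously unseen pair of workloads (web-2 to app-1) is allowed as long as both carry tags learned from the first instances, while an unprofiled source falls through to the default deny.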

Regarding claim 34, Bansal et al and Tiagi et al teach the limitations disclosed in claim 21.
Bansal et al further teaches wherein the one or more tags specify a plurality of different object levels for the plurality of application workloads (par [0077], “hypervisor level”).

Regarding claim 35, Bansal et al and Tiagi et al teach the limitations disclosed in claim 24.
Bansal et al further teaches wherein the one or more tags specify one or more of: 
a global environment level for the plurality of application workloads; a project level for the plurality of application workloads; a virtual network level for the plurality of application workloads (par [0067], lines 9-11, “VNIC level”); a virtual machine level for the plurality of application workloads; or an interface level for the plurality of application workloads.

Regarding claim 36, Bansal et al and Tiagi et al teach the limitations disclosed in claim 31.
Bansal et al further teaches wherein, to generate, from the session records of traffic statistics for the plurality of application workloads, the one or more tags for the plurality of application workloads, the policy controller is configured to generate, from metadata of the session records of traffic statistics for the plurality of application workloads, the one or more tags for the plurality of application workloads (par [0109]).

Regarding claim 37, Bansal et al and Tiagi et al teach the limitations disclosed in claim 31.
Bansal et al further teaches wherein the one or more application firewall policies define whether traffic flows between interfaces of the application workloads of the plurality of application workloads tagged with the one or more tags for the plurality of application workloads are to be allowed (par [0097], lines 1-6, “allow, block, reject”, par [0109], & par [0121], “traffic pattern that is allowed between nodes”) or denied (par [0109] & [0121], “default deny policy”).

Regarding claim 39, Bansal et al and Tiagi et al teach the limitations disclosed in claim 31.
Bansal et al further teaches presenting, by the policy controller, the one or more application firewall policies for display to a user (par [0141], “display firewall rules”).

Regarding claim 40, Bansal et al teaches a non-transitory, computer-readable medium (fig. 1 & fig. 30) comprising instructions that, when executed, are configured to cause processing circuitry (fig. 1) to execute a policy controller (fig. 1, ‘110) for a computer network, the policy controller configured to:
receive traffic statistics for a plurality of traffic flows among first instances of a plurality of application workloads (par [0057], lines 1-5 & par [0062], lines 6-10, which disclose monitoring and collecting network traffic flow data), the first instances of the plurality of application workloads executed by a first set of one or more computing devices of a computer network (par [0062], “workload VMs”); 
correlate the traffic statistics for the plurality of traffic flows into session records of traffic statistics for the plurality of application workloads (par [0118], lines 1-6 & [0121], which disclose utilizing flow records for defining traffic patterns regarding data flow between various VM groups); 
generate, from the session records of traffic statistics for the plurality of application workloads, one or more tags for the plurality of application workloads (par [0057], lines 8-14, par [0062], and par [0109], lines 1-6, which disclose implementing protocol types, security tags and firewall rules to associate with the various VM objects); 
generate, based on the one or more tags for the plurality of application workloads, one or more application firewall policies for the plurality of application workloads (par [0053], lines 10-13, & par [0055], which disclose implementing micro-segmentation policies/firewall rules correlating to analyzing network flow data), wherein the one or more application firewall policies define whether traffic flows between application workloads of the plurality of application workloads are to be allowed or denied (fig. 28, ‘2840 & par [0121], which discloses the firewall rules used to determine which defined traffic patterns are allowed or denied between nodes); and 
wherein the second set of one or more computing devices is different from the first set of one or more computing devices (par [0097], lines 1-10, which discloses applying the firewall rules to various network nodes, par [0128], lines 1-5, and par [0129], which disclose pairing flow records to different sets of clients that are grouped to a shared subnet and VLAN).
Bansal et al does not explicitly teach applying a clustering algorithm; distributing the one or more application firewall policies to a second set of one or more computing devices for application to traffic flows among second instances of the plurality of application workloads; the second instances of the plurality of application workloads executed by the second set of one or more computing devices.
However, Tiagi et al teaches applying a clustering algorithm (par [0006], lines 1-5, which discloses applying a clustering algorithm);
distributing the one or more application firewall policies to a second set of one or more computing devices (par [0006], lines 12-18, which discloses applying a plurality of security and firewall policies to groups or clusters of a plurality of network nodes) for application to traffic flows among second instances of the plurality of application workloads (par [0043-0044], which discloses applying firewall rules to network traffic regarding traffic patterns associated with the node clusters); and 
the second instances of the plurality of application workloads executed by the second set of one or more computing devices (par [0040], which discloses the policies appended to the plurality of node clusters being applied based on applications and services associated with each node cluster).
It would have been obvious to one of ordinary skill in the art before the effective date of the claimed invention to combine the teachings of Tiagi et al within the network traffic flow monitoring system of Bansal et al, as doing so would provide the predictable result of improving the determination of network traffic-related patterns by automatically identifying policies applied to network node clusters (as disclosed in par [0006], lines 16-18 of Tiagi et al), which would enhance data flow in Bansal et al by reducing the time required to determine the security policies appended to each group of nodes.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Luu Pham can be reached on (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RANDY A SCOTT/Primary Examiner, Art Unit 2439
20220928