Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Amendment
This is a reply to the amendment filed on 7/25/2022, in which claims 1-20 are pending.

Response to Arguments
Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant argues that the Bhattacharya-Parandehgheibi combination does not disclose "a set of allowable indication whether establishing network connections between different neighboring network zones is allowed". (See Remarks pg. 6)
The Examiner respectfully disagrees. Bhattacharya teaches an access list indicating permitted connections between devices of different zones [Bhattacharya; ¶19-24].
Parandehgheibi teaches that the routing of network packets between network devices is allowed or denied based on network policies, including for internal L2 and external L3 networks [Parandehgheibi; ¶44, 59, 110-111].

In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).

Applicant’s arguments with respect to the rejection of claim(s) 1-20 have been considered but are moot in view of the new ground(s) of rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 8-12 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bhattacharya et al. (Pub. No.: US 2011/0302647 A1; hereinafter Bhattacharya) in view of Parandehgheibi et al. (Pub. No.: US 2016/0359740 A1; hereinafter Parandehgheibi) further in view of Chhabra et al. (Pub. No.: US 2019/0034127 A1; hereinafter Chhabra).
Regarding claims 1, 8 and 15, Bhattacharya discloses a system for automating identifications of forbidden network connections, comprising:
a memory operable to store a firewall configuration file associated with a firewall device (memory storing the firewall configuration [Bhattacharya; Fig 3A-B and associated text]), wherein:
the firewall configuration file comprises a set of network connections between neighboring devices and interfaces of the firewall device (the firewall configuration includes network connections between devices of different zones [Bhattacharya; ¶19-25; Fig 4A-B and associated text]);
the neighboring devices belong to corresponding neighboring network zones; each of the neighboring devices is identified by a name set by a naming convention that is associated with a particular neighboring network zone, such that (devices in different zones carry different labels that identify them and determine their zone; for example, device names and IP addresses differ depending on the DMZ [Bhattacharya; ¶19-25; Fig 4A-B and associated text]):
a first device, connected to a first interface of the firewall device, is identified by a first name indicating that the first device belongs to a first network zone (clients outside the DMZ have a different type of IP address and identifier [Bhattacharya; ¶19-25; Fig 4A-B and associated text]); and
a second device, connected to a second interface of the firewall device, is identified by a second name indicating that the second device belongs to a second network zone (devices inside the DMZ have different types of names and IP addresses [Bhattacharya; ¶19-25; Fig 4A-B and associated text]); 
a processor, operably coupled with the memory, configured to (CPU 314 and Memory 316 [Bhattacharya; Fig 3A-B and associated text]). Bhattacharya discloses network reconfiguration, such as firewall reconfiguration during migrations, which may include determining network reconfiguration needs in one or more network functionalities of the target environment based on the discovering, and applying the network reconfiguration needs to the one or more network functionalities in the target environment. Bhattacharya does not explicitly disclose the following; however, in a related and analogous art, Parandehgheibi teaches these features.
In particular, Parandehgheibi teaches create a network connectivity matrix between the neighboring network zones, wherein the network connectivity matrix comprises a set of allowability indications indicating whether establishing network connections between different neighboring network zones is allowed (creating matrix for the network data for each domain at different network layers [Parandehgheibi; ¶99-112; Fig. 5-6 and associated text]); 
determine whether there is any network connection between different neighboring devices that violates a corresponding allowability indication indicated in the network connectivity matrix (analyze the feature vector (or matrix) representation determined during step 606 to assess similarity with respect to malicious traffic, suspicious traffic, or routine traffic for purposes of detecting anomalous traffic, or to assess similarity with flows of other nodes for purposes of clustering [Parandehgheibi; ¶99-112; Fig. 5-6 and associated text]); and
in response to determining at least one network connection between different neighboring devices that violates the corresponding allowability indication, determine that the at least one network connection is a forbidden network connection (if the flow was found to be similar to malicious traffic or misconfigured traffic, then a policy may be applied to drop subsequent flows similar to the first flow and/or to perform other ameliorative measures [Parandehgheibi; ¶99-112; Fig. 5-6 and associated text]). It would have been obvious before the effective filing date of the claimed invention to modify Bhattacharya in view of Parandehgheibi with the motivation to prevent malicious traffic from accessing the secure network zone [Parandehgheibi; ¶110-111].
The Bhattacharya-Parandehgheibi combination does not explicitly disclose wherein: the first name is determined based at least on a first naming convention used for naming devices that belong to the first network zone; and the first naming convention indicates that a first keyword and at least one additional alphanumeric character is included in the first name; 
wherein: the second name is determined based at least on a second naming convention used for naming devices that belong to the second network zone; the second naming convention indicates that a second keyword and at least one additional alphanumeric character is included in the second name; and the first keyword is different from the second keyword; however, in a related and analogous art, Chhabra teaches these features.
In particular, Chhabra teaches an internal naming schema which may vary between networks, such that a new device joining the network is named by device/maker followed by alphanumeric characters. The naming schema is uniformly formatted, specifying a uniform naming scheme for manufacturers, years, models, and other inputs (specifying lengths and types of data fields, etc.), inputs specifying data to be communicated or not to be communicated outside of a local maintenance network, and inputs specifying whether anonymization of data is to be performed (e.g., inputs specifying the use or withholding of partial, scrambled, or default device names, network addresses, domain names, locations, etc.) [Chhabra; ¶72-77; Figs. 8-10 and associated text]. It would have been obvious before the effective filing date of the claimed invention to modify the Bhattacharya-Parandehgheibi combination in view of Chhabra with the motivation to more easily provide access and management and to reduce registration overhead [Chhabra; ¶16-18].

Regarding claims 2, 9 and 16, the Bhattacharya-Parandehgheibi combination discloses wherein the naming convention for devices in the particular neighboring network zone comprises a particular keyword that is common between the devices in the particular neighboring network zone (hostname and IP address are set according to the particular zone [Bhattacharya; ¶18-25]).

Regarding claims 3, 10 and 17, Bhattacharya-Parandehgheibi combination discloses wherein the processor is further configured to create an interface-to-zone map that indicates associations between the interfaces of the firewall device and the neighboring network zones based at least in part upon the naming convention used for naming each of the neighboring devices (the zone map with respect to the firewall device [Bhattacharya; ¶40-42; fig. 5 and associated texts]).

Regarding claims 4, 11 and 18, the Bhattacharya-Parandehgheibi combination discloses wherein creating the interface-to-zone map comprises: determining that the first device is connected to the first interface; determining that the first device belongs to the first network zone based at least in part upon the first name that is associated with the first network zone; mapping the first interface to the first network zone (the client device is mapped to the outside interface of the INTERNET_to_DMZ zone [Bhattacharya; ¶40-42; Fig. 5 and associated text]); 
determining that the second device is connected to the second interface; determining that the second device belongs to the second network zone based at least in part upon the second name that is associated with the second network zone; and mapping the second interface to the second network zone (the webserver is mapped to the DMZ interface at the No_DMZ_out zone [Bhattacharya; ¶40-42; Fig. 5 and associated text]).

Regarding claims 5, 12 and 19, Bhattacharya-Parandehgheibi combination discloses wherein the set of allowability indications identify allowable network connections and a set of forbidden network connections identify forbidden network connections (firewall rules for permit, allow, deny, etc., [Bhattacharya; ¶29-32; fig. 5 and associated texts]).

Claims 6-7, 13-14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over the Bhattacharya-Parandehgheibi-Chhabra combination further in view of Couillard et al. (Pub. No.: US 2020/0099658 A1; hereinafter Couillard).
Regarding claims 6, 13 and 20, the Bhattacharya-Parandehgheibi-Chhabra combination does not explicitly disclose the following elements; however, in a related and analogous art, Couillard teaches these features.
In particular, Couillard teaches wherein creating the network connectivity matrix between the neighboring network zones comprises: determining that network connections from the first network zone to the second network zone should be forbidden (devices in the public zone attempting to communicate with devices in the restricted zone without proper permission are not allowed [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]);
in response to determining that network connections from the first network zone to the second network zone should be forbidden, adding a forbidden indication in a corresponding element in the network connectivity matrix (devices in the public zone are not allowed to access devices in the restricted zone without proper authentication [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]);
determining that network connections from the second network zone to the first network zone should be allowed (devices in the restricted zone can communicate with devices in the public zone [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]); and
in response to determining that network connections from the second network zone to the first network zone should be allowed, adding an allowable indication in a corresponding element in the network connectivity matrix (communication is based on the zone rules/policies of trusted networks [Couillard; ¶85-89, 136-138; Fig. 5-6 and associated text]). It would have been obvious before the effective filing date of the claimed invention to modify the Bhattacharya-Parandehgheibi-Chhabra combination in view of Couillard with the motivation to more easily manage and control the flow of traffic between different zones.

Regarding claims 7 and 14, the Bhattacharya-Parandehgheibi-Chhabra combination does not explicitly disclose the following elements; however, in a related and analogous art, Couillard teaches these features.
In particular, Couillard teaches wherein determining whether there is any network connection between different neighboring devices that violates the corresponding allowability indication comprises: determining, from the firewall configuration file, that there is a first network connection from the first device to the second device (devices in the public zone attempting to communicate with devices in the restricted zone without proper permission are not allowed [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]);
determining that the first network connection allows network traffic from the first network zone to the second network zone (devices in the public zone are not allowed to access devices in the restricted zone without proper authentication [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]);
determining, from the network connectivity matrix, that a first allowability indication corresponding to the first network connection indicates that network connections from the first network zone to the second network zone are forbidden (devices in the restricted zone can communicate with devices in the public zone [Couillard; ¶85-89, 136-138; Fig. 5-6, 9 and associated text]); and
determining that the first network connection is violating the first allowability indication (communication is based on the zone rules/policies of trusted networks [Couillard; ¶85-89, 136-138; Fig. 5-6 and associated text]). It would have been obvious before the effective filing date of the claimed invention to modify the Bhattacharya-Parandehgheibi-Chhabra combination in view of Couillard with the motivation to more easily manage and control the flow of traffic between different zones.
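The claimed method as recited in claims 1, 3-7 and their parallels (resolve each neighboring device's zone from a keyword-based naming convention, build an interface-to-zone map, build a zone connectivity matrix of allowability indications, then flag every configured connection whose zone pair is forbidden) is illustrated below in an added Python example. This code is not from the application or from any of the cited references; the naming conventions, the simplified line-oriented firewall configuration format, the zone policy and the device names are all constructed for the illustration. Two practitioner caveats the claims do not address are handled explicitly: a device whose name matches no convention (or more than one) cannot be placed in a zone and is reported rather than silently treated as allowed, and zone pairs absent from the policy default to forbidden.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed naming conventions (assumed for this example): a device belongs
# to a zone when its name starts with that zone's keyword followed by at least
# one additional alphanumeric character, e.g. "EXT-rtr01" -> "internet".
NAMING_CONVENTIONS: Dict[str, str] = {"internet": "EXT", "dmz": "DMZ", "internal": "INT"}

ALLOWED, FORBIDDEN = "allowed", "forbidden"

# Constructed zone policy: the explicit allowability indications. Any zone pair
# not listed here is filled in as FORBIDDEN (deny by default) by the builder.
ZONE_POLICY: Dict[Tuple[str, str], str] = {
    ("internet", "dmz"): ALLOWED,
    ("internet", "internal"): FORBIDDEN,
    ("internal", "internet"): ALLOWED,
    ("dmz", "internal"): ALLOWED,
    ("internal", "dmz"): ALLOWED,
}

# Constructed firewall configuration in a simplified line format (not any
# vendor's syntax): interface-to-neighbor bindings, then permitted connections.
FIREWALL_CONFIG = """\
interface eth0 neighbor EXT-rtr01
interface eth1 neighbor DMZ-web01
interface eth2 neighbor INT-db07
permit EXT-rtr01 -> DMZ-web01 tcp/443
permit DMZ-web01 -> INT-db07 tcp/5432
permit EXT-rtr01 -> INT-db07 tcp/22
permit INT-db07 -> EXT-rtr01 tcp/443
permit DMZ-web01 -> srv-legacy tcp/80
"""


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str


def zone_of(name: str) -> Optional[str]:
    """Resolve a device's zone from its name; None if no convention, or more than one, matches."""
    matches = [
        zone for zone, kw in NAMING_CONVENTIONS.items()
        if re.fullmatch(rf"{re.escape(kw)}[-_]?[A-Za-z0-9][A-Za-z0-9_-]*", name)
    ]
    return matches[0] if len(matches) == 1 else None


def parse_config(text: str) -> Tuple[Dict[str, str], List[Connection]]:
    """Extract interface -> neighbor bindings and permitted connections from the config."""
    interfaces: Dict[str, str] = {}
    connections: List[Connection] = []
    for line in text.splitlines():
        if m := re.fullmatch(r"interface (\S+) neighbor (\S+)", line.strip()):
            interfaces[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"permit (\S+) -> (\S+) (\S+)", line.strip()):
            connections.append(Connection(*m.groups()))
    return interfaces, connections


def interface_to_zone_map(interfaces: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each firewall interface to the zone of the neighbor attached to it (claims 3-4)."""
    return {iface: zone_of(neighbor) for iface, neighbor in interfaces.items()}


def build_connectivity_matrix(policy: Dict[Tuple[str, str], str],
                              zones: Iterable[str]) -> Dict[Tuple[str, str], str]:
    """Fill every cross-zone pair with FORBIDDEN, then overlay the explicit policy (claims 5-6)."""
    zones = list(zones)
    matrix = {(s, d): FORBIDDEN for s in zones for d in zones if s != d}
    matrix.update(policy)
    return matrix


def find_forbidden_connections(connections: List[Connection],
                               matrix: Dict[Tuple[str, str], str]) -> List[Tuple[Connection, str]]:
    """Return each connection that violates its allowability indication, with a reason (claim 7)."""
    findings = []
    for c in connections:
        src_zone, dst_zone = zone_of(c.src), zone_of(c.dst)
        if src_zone is None or dst_zone is None:
            findings.append((c, "unclassified device name; cannot prove the connection allowed"))
        elif src_zone != dst_zone and matrix[(src_zone, dst_zone)] == FORBIDDEN:
            findings.append((c, f"{src_zone} -> {dst_zone} is forbidden"))
    return findings


def audit(config_text: str = FIREWALL_CONFIG):
    """Run the whole procedure over one configuration and return (interface map, findings)."""
    interfaces, connections = parse_config(config_text)
    matrix = build_connectivity_matrix(ZONE_POLICY, NAMING_CONVENTIONS.keys())
    return interface_to_zone_map(interfaces), find_forbidden_connections(connections, matrix)


if __name__ == "__main__":
    iface_map, findings = audit()
    print(iface_map)
    for conn, reason in findings:
        print(f"FORBIDDEN: {conn.src} -> {conn.dst} ({conn.service}): {reason}")
```

On the constructed configuration the audit maps eth0/eth1/eth2 to internet/dmz/internal and reports two connections: the internet-to-internal rule (forbidden by the matrix) and the rule whose destination name matches no convention. Treating an unclassifiable name as a finding rather than as allowed is the conservative choice; a naming-convention-based check is only as strong as the conventions' coverage of the inventory, and a name that matches two zones' keywords is equally a finding.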

Internet Communications
Applicant is encouraged to submit a written authorization for Internet communications (PTO/SB/439, http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) in the instant patent application to authorize the examiner to communicate with the applicant via email. The authorization will allow the examiner to better practice compact prosecution. The written authorization can be submitted via one of the following methods only: (1) Central Fax, which can be found in the Conclusion section of this Office action; (2) regular postal mail; (3) EFS-Web; or (4) the service window on the Alexandria campus. EFS-Web is the recommended way to submit the form since this allows the form to be entered into the file wrapper within the same day (system dependent). Written authorization submitted via other methods, such as direct fax to the examiner or email, will not be accepted. See MPEP § 502.03.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAO Q HO whose telephone number is (571)270-5998.  The examiner can normally be reached from 7:00am to 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/DAO Q HO/Primary Examiner, Art Unit 2432