DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendments
The objection to the Specification has been withdrawn in light of applicant’s amendment to the Specification filed 8/24/2022.
Status of Claims
The amendment filed 8/24/2022 has been entered. Claims 2-10, 12-16, 18-20 are currently amended. Claims 1-20 are pending in the application.
The objections to claims 2-10, 12-16, 18-20 have been withdrawn in light of applicant’s amendment to the claims.
The rejection of claims 2, 12 under 35 USC 112(b) due to lack of antecedent basis has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s argument, see pages 12-14 of the Remarks filed 8/24/2022, regarding claim rejection under the 35 USC 101 of claims 11-20 as directed to non-statutory subject matter has been fully considered and is not persuasive. The claims are rejected because they are drawn as a whole to a software per se. The claims are NOT rejected due to eligibility consideration directed to abstract idea without significantly more, as applicant argued. Therefore, applicant’s argument fails to response to the Office Action (6/24/2022) in this regard. The rejection of claims 11-20 under the 35 USC 101 is maintained.
Applicant’s argument, see pages 14-17 of the Remarks filed 8/24/2022 regarding claim rejections under the 35 USC 103 over the prior arts of record have been fully considered and asserted not persuasive due to following reason.
Applicant argued that the combinations of elements set forth in claim 1 and 11 are NOT disclosed or suggested by references relied on by the Examiner”, see pages 14-15 of the Remarks. Specifically, applicant argued about the teachings of limitation “the inter-thread traffic logs” by references Gupta and Parthasarathy, see pages 15-16 of the Remarks. Examiner acknowledges applicant’s prospective however respectively disagrees.
First, the claims are interpreted with the guidance of broadest reasonable interpretation in light of applicant’s specification, however cannot import the defined elements in the Specification into the claims (see MPEP 2111.01 I II). The inter-thread traffic logs can be reasonably interpreted as collections of traffic data among devices in its plain meaning. Claim 1 recites, “collecting inter-thread traffic logs sent from at least one server, wherein a plurality of distributed applications are hosted in the at least one server”, “discovering topology information in a green room environment based on the inter-thread traffic logs”. The “inter-thread traffic logs” appear to have nothing to do with “a plurality of distributed applications” where the “plurality of distributed applications are hosted in the at least one server”. Nowhere in the claim would suggests “topology information is determined based on the inter-thread traffic logs, which has traffic information with accuracy up to an inter-thread level” as applicant argued (see the last paragraph on page 15).
Gupta discloses enforcing network policies based on monitoring network data collected by sensors, in particular creating whitelisting rules based on network topology, and the network can analyze the network data, host/endpoint data, process data, and user data to determine policies for traffic. Parthasarathy further discloses creating application topology in sandbox environment by creating complete topology of cloud application with network fingerprint of the traffic emanating in the sandbox and production application, see Fig. 4 of Parthasarathy step 420, “analyzing … to identify a set of communication links between services”. The combination of Gupta and Parthasarathy teaches monitoring, collecting of communication traffic, and creating of network topology and policies with whitelisting. Therefore, examiner asserts the combination of Gupta and Parthasarathy teaches all elements recited in claim 1 (similarly claim 11). See Claim Rejections below for details.
Applicant’s further argument regarding dependent claims are also not persuasive for the same reason set forth above. Therefore, the claim rejections under the 35 USC 103 over existing references has been maintained. Applicant is encouraged to further recite innovative features into independent claims to advance the case.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 11-20 are rejected under 35 USC § 101 because the claimed invention is directed to non-statutory subject matter. The claims are not statutory as they are drawn as a whole to a software per se. Independent claim 11 is rejected since it recites A system comprising at least one server, an analytic engine, where server and analytic engine can be software under the broadest reasonable interpretation in light of the specification of applicant’s instant application. Claims 12-20 depend on claim 11 and fail to remedy the deficiency of claim 11 therefore are also rejected. Applicant is suggested to recite a system comprising at least one hardware component such as hardware processor, memory performing action steps in the claim, to overcome the rejection.
Allowable Subject Matter
Claims 5-10, 15-20 are objected to as being dependent upon a rejected base claim(s), but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims as well as issues under 35 USC 101 presented in this office action.
The following is a statement of reasons for the indication of allowable subject matter:  
Claim 5 (similarly claim 15) specifies, performing a full graph matching by comparing a green room ADM with a real operation ADM; and based on a comparison result, determining whether the green room ADM is matched with the real operation ADM or not. The prior arts, Gupta, Parthasarathy, Chiueh, either singularly or in combination fails to anticipate or render obvious the claimed limitations of claim 5 (similarly claim 15) as shown above. 
Claim 6 (similarly claim 16) depends on claim 5 (claim 15 respectively) and includes limitation(s) further limit the claim; Claim 7 (similarly claim 17) depends on claim 6 (claim 16 respectively) and includes limitation(s) further limit the claim; Claim 8 (similarly claim 18) depends on claim 7 (claim 17 respectively) and includes limitation(s) further limit the claim; Claim 9 (similarly claim 19) depends on claim 8 (claim 18 respectively) and includes limitation(s) further limit the claim; Claim 10 (similarly claim 20) depends on claim 9 (claim 19 respectively) and includes limitation(s) further limit the claim. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 11-12 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta et al (US20160359915A1-IDS by applicant, hereinafter, “Gupta”), in view of Parthasarathy et al (US20210373861A1, hereinafter, “Parthasarathy”).
Regarding claim 1, Gupta teaches:
A method for establishing application whitelisting (Gupta, discloses method of achieving compliance by defining and enforcing network policies using whitelist rules, see [Abstract], [0051]) comprising: 
collecting inter-thread traffic logs sent from at least one server, wherein a plurality of distributed applications are hosted in the at least one server (Gupta, [0022] The sensors 104 can monitor network traffic between nodes (i.e. servers), and send network traffic data and corresponding data (e.g., host data, process data, user data, etc.) to the collectors 108 for storage (i.e. inter-thread traffic logs). And [0026] Since the sensors 104 may be located throughout the network, network traffic and corresponding data can be collected from multiple vantage points or multiple perspectives in the network to provide a more comprehensive view of network behavior. Examiner notes the distributed application is sensing network traffic by the sensors); 
creating a set of whitelisting rules based on the topology information (Gupta, [0051] the policy builder module 202 can receive the network topology (whether automatically generated, manually configured, or some combination thereof) and application dependency mappings, such as generated by the application dependency mapping (ADM) module 140 of FIG. 1, and the policy builder module 202 can automatically determine policies for the network. The policies can be based on whitelist rules or blacklist rules. A network defined by whitelist rules allows a communication between a source and a destination); and 
enforcing the set of whitelisting rules (Gupta, [0013] A network can achieve compliance by defining and enforcing a set of network policies. And [0054] The policy utilization module 208 evaluates network traffic for conformance or non-conformance with policies of the network. The policy utilization module 208 analyzes each flow in the network over a specified period of time (e.g., time of day, day of week or month, month(s) in a year, etc.) to determine which policies are being enforced and the extent (e.g., number of packets, number of bytes, number of flows, etc.) to which those policies are being enforced within the network).  
While Gupta teaches the main concept of the invention by enforcing network policies with whitelist rules generated based on topology, but does not explicitly teach discovering topology information in a green room environment, Parthasarathy in the same field of endeavor teaches:
discovering topology information in a green room environment based on the inter-thread traffic logs (Parthasarathy, discloses creating application topology with identified sandbox environment (i.e. green room environment), see [Abstract]. And [0050] FIG. 4 is a flowchart depicting a topology discovery method 400... As depicted, topology discovery method 400 includes identifying (410) a sandbox environment corresponding to a cloud application, analyzing (420) the sandbox environment to identify a set of communication links between services, … querying (440) the production system to identify a set of structural dependencies, and creating (450) a complete topology of the cloud application by combining the horizontal topology and the vertical topology. Topology discovery method 400 may be utilized to conduct a non-invasive analysis of a cloud application's topography. And [0055] Creating (450) a complete topology of the cloud application may include computing a network fingerprint of the traffic emanating from services (i.e. inter-thread traffic) in the sandbox environment and the production application);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Parthasarathy in the policy driven compliance of Gupta by identifying and discovering application topology in sandbox environment. This would have been obvious because the person having ordinary skill in the art would have been motivated to create application topology in a cloud application for fault diagnosis and optimization of cloud applications (Parthasarathy, [Abstract], [0002]).

Regarding claim 11, claim 11 is a system claim that encompasses limitations that are similar to those of the method claim 1. Therefore, claim 11 is rejected with the same rationale and motivation as applied against claim 1. In addition, Gupta disclose a system (Gupta, discloses method and system of achieving compliance by defining and enforcing network policies using whitelist rules, see [Abstract], [0051]) for establishing application whitelisting comprising: at least one server, wherein a plurality of distributed applications are hosted in the at least one server (Fig. 4, nodes, severs in cloud network); and 10an analytic engine (Fig. 1, Analytics Engine).  

Regarding claim 2, similarly claim 12, Gupta-Parthasarathy combination teaches the method according to claim 1, the system according to claim 11,
Gupta further teaches: wherein the topology information includes an application dependency mapping (ADM) (Gupta, [0051] the policy builder module 202 can receive the network topology (whether automatically generated, manually configured, or some combination thereof) and application dependency mappings, such as generated by the application dependency mapping (ADM) module 140 of FIG. 1); the ADM creates relationships between the distributed applications hosted in the at least one server (Gupta, [0044] The ADM module 140 can determine dependencies of applications of the network. That is, particular patterns of traffic may correspond to an application, and the interconnectivity or dependencies of the application can be mapped to generate a graph for the application); and 15the ADM identifies: a plurality of devices that are communicating with one another, TCP IP ports the devices use for communication, and processes that are running on these devices (Gupta, [0022] The sensors 104 can monitor network traffic between nodes, and send network traffic data and corresponding data (e.g., host data, process data, user data, etc.)… And [0044] The ADM module 140 can receive input data from various repositories of the data lake 130 (e.g., the flow attributes 132, the host and/or endpoint attributes 134, the process attributes 136, etc.). The ADM module 140 may analyze the input data to determine there is first traffic flowing between external endpoints on port 80 of the first endpoints corresponding to Hypertext Transfer Protocol (HTTP) requests and responses. The input data may also indicate second traffic between first ports of the first endpoints and second ports of the second endpoints corresponding to application server requests and response. And [0081] The nodes typically communicate over the network by exchanging discrete frames or packets of data according to predefined protocols, such as the Transmission Control Protocol/Internet Protocol (TCP/IP)).  

Claims 3-4, 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta-Parthasarathy as applied above to claim 2, 12 respectively, further in view Chiueh et al (US20130159999A1, hereinafter, “Chiueh”).
Regarding claim 3, similarly claim 13, Gupta-Parthasarathy combination teaches the method according to claim 2, the system according to claim 12,
While the combination of Gupta-Parthasarathy does not explicitly teach the following limitation(s), Chiueh in same field of endeavor teaches:
wherein the ADM is built by the following steps: intercepting guest operating system (OS)'s at packet sending system call; getting running thread and TCP connection information (Chiueh, discloses method for generating application-level dependencies, [Abstract]. And [0031] The exemplary embodiments disclose a technique for using VM inspection to generate application-level dependencies in a virtualization environment. The VM inspection may be performed by intercepting VM execution and introspecting VM states. The technique intercepts guest OS's at packet sending system call, performs VM introspection to get running thread and TCP connection information, and sends this traffic log to servers); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chiueh in the policy driven compliance of Gupta-Parthasarathy by generating application-level dependencies using thread and TCP connection information. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the TCP information and thread information to generate application trajectory and export application dependencies for distributed application’ performance management (Chiueh, [Abstract], [0002]).
Parthasarathy further teaches: and generating the ADM from the inter-thread traffic logs (Parthasarathy, [0050] analyzing (420) the sandbox environment to identify a set of communication links between services, … creating (450) a complete topology of the cloud application by combining the horizontal topology and the vertical topology. And [0055] Creating (450) a complete topology of the cloud application may include computing a network fingerprint of the traffic emanating from services in the sandbox environment and the production application). Same motivation as presented in claim 1 would apply.

Regarding claim 4, similarly claim 14, Gupta-Parthasarathy combination teaches the method according to claim 2, the system according to claim 12,
Gupta further teaches: wherein in creating the set of whitelisting rules, for each record in the ADM (Gupta, [0051] the policy builder module 202 can receive the network topology … and application dependency mappings, …, and the policy builder module 202 can automatically determine policies (i.e. whitelist rules) for the network), 
While the combination of Gupta-Parthasarathy does not explicitly teach the following limitation(s), Chiueh in same field of endeavor teaches:
the set of whitelisting rules includes a plurality of nodes each having attribute including an application name information and a destination port information (Chiueh, [0051] Information for per thread traffic log 1110 may comprises time information, thread information (such as vm id, process id, application name), connection information (such as source IP, source port, destination IP, destination port) …).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Chiueh in the policy driven compliance of Gupta-Parthasarathy by generating application-level dependencies using thread and TCP connection information. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the TCP information and thread information to generate application trajectory and export application dependencies for distributed application’ performance management (Chiueh, [Abstract], [0002]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Mihelich et al (US20180191681A1) discloses method for managing network traffic. A topology of the private network is derived based on the internal network information. Security engine creates a whitelist or blacklist for internal host devices based on the topology of the internal network.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436