DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 9/7/2020.
Claims 1, 5, 11 and 15 have been amended.
Claims 1-20 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
The terminal disclaimer filed on 9/7/2022 has been reviewed and is accepted.  The terminal disclaimer has been recorded.

Response to Arguments
In view of the amendment to the applicant’s specification, the objection to the specification has been withdrawn.
Regarding the double patenting rejection, the terminal disclaimer filed on 9/7/22 has been approved and recorded. Therefore, the rejection has been withdrawn.
Regarding the 101 rejection of claims 11-20, the claims have been amended to add one or more processors associated with the one or more electronic devices. Adding the term “processor” does not overcome the rejection because a processor is recited to be comprised in a virtual machine (i.e., electronic device). As a result, the system of claim 11 is still directed to software per se. Furthermore, the term “processor” is defined as software per se by itself (see Computer Desktop Encyclopedia). Therefore, the rejection has been maintained.
Applicant’s arguments (i.e., “security group rule controlling communication of a set one of one or more virtual machines in [a] security group” and “analyzing the at least one security group rule to determine placement data for the at least one security group, wherein at least a portion of the placement data is inferred by a machine learning model”) with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-20 are rejected under 35 U.S.C. 101 as being directed to no more than software per se. Claims 11-20 do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention is not directed to any concrete thing consisting of parts or devices. The specification as originally filed fails to set forth the metes and bounds of what is meant to be encompassed by the terms “electronic device” and “processor”. As such, it is reasonable to interpret the term “electronic device” (see paragraph 0014 of Applicant’s specification, “The users may access the provider network using one or more electronic devices 128 connected to the intermediate networks 126. The one or more electronic devices may include computing devices such as desktop, laptop, or mobile computing devices, servers, virtual machines, or other devices”) and the term “processor” (see Computer Desktop Encyclopedia) as software per se. Therefore, claim 11 is not patent-eligible subject matter.
The dependent claims 12-20 depend on the rejected base claim 11, and are rejected for the same rationales.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER et al. (US 20160316003) (hereinafter SNIDER) in view of ACER et al. (US 20140149493) (hereinafter ACER).
Regarding claim 1, SNIDER teaches a computer-implemented method comprising: obtaining at least one security group rule for at least one security group, the at least one security group rule controlling communication of the at least one security group (SNIDER: paragraphs 0019-0020, 0030, 0035, 0039, 0051, 0070 and 0085, “application placement component 210 may select a target placement using a selection strategy. The selected target placement may be analyzed with respect to the placement rules.”); analyzing the at least one security group rule to determine placement data for the at least one security group (SNIDER: paragraphs 0072-0078, “a target placement may be analyzed with respect to resource balance. For example, target placements that sufficiently comply with placement rules may be analyzed. A target placement may be rejected and a new target placement may subsequently be selected based on the analysis, or the analysis may result in acceptance of the target placement”); providing the placement data to a placement service (SNIDER: paragraphs 0051 and 0078-0079, “A candidate placement plan may be selected and executed based on application placement component 210 determining that the candidate placement plan would improve the state of the platform with respect to the score”); and causing the placement service to deploy at least one virtual machine using the placement data (SNIDER: paragraph 0051, “A placement or movement may comply with a placement rule where the one or more conditions are met. As with resource metrics, placement rules can be system and/or client defined. For example, placement rules 230 includes system defined placement rules 230a and client defined placement rules 230b. As with resource metrics, placement rules can be designated for a particular job instance(s), for a particular service application instance (i.e., for all job instances of the application), and/or for all instances of a service application (or for all primary or secondary instances). Furthermore, placement rules can change and be updated, added to, or replaced over time by the system and/or clients”).
SNIDER discloses the at least one security group rule controlling communication, but SNIDER does not explicitly disclose the following limitations, which are disclosed by ACER: the at least one security group rule controlling communication of a set one of one or more virtual machines in the at least one security group (ACER: paragraphs 0035 and 0036, “Network aware mechanisms, such as those described in the algorithms below, may be used that determine, for each service of the distributed application, how many virtual machines should be allocated in every data center and the amount of service requests are distributed to them. Such mechanisms may be implemented in the cloud controller”); and wherein at least a portion of the placement data is inferred by a machine learning model (ACER: paragraphs 0037 and 0040-0041, “placement is modeled by an artificial intelligence …”).
SNIDER and ACER are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER and ACER before him or her, to modify the system of SNIDER to include the at least one security group rule controlling communication of a set one of one or more virtual machines and the placement data inferred by a machine learning model of ACER. The suggestion/motivation for doing so would have been to provide guarantees of data isolation that prevents data from one tenant being accessible to another tenant (ACER: paragraph 0002).

Regarding claim 11, claim 11 discloses a system claim that is substantially equivalent to the method of claim 1. Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 11, and claim 11 is rejected for the same reasons.

Claims 2, 6, 12 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of ACER, and further in view of Jacob et al. (US 20160043968) (hereinafter Jacob).
Regarding claims 2 and 12, SNIDER in view of ACER does not explicitly teach the following limitation which is taught by Jacob, wherein the placement data includes a tier type for each of the at least one security group (Jacob: paragraphs 0010, 0016 and 0168, “the placement configuration indicates a plurality of groups, wherein the placement configuration identifies a set of virtual machines allocated to a first group of the plurality of groups, and wherein a first computing resource of the plurality of computing resources is allocated to the first group based on the placement configuration”).  
SNIDER in view of ACER and Jacob are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER in view of ACER and Jacob before him or her, to modify the system of SNIDER in view of ACER to include placement data that includes a tier type for each of the at least one security group, as taught by Jacob. The suggestion/motivation for doing so would have been for enabling convenient, on-demand network access to a shared pool of computing resources (e.g. networks, network bandwidth, servers, PODs, processing, memory, storage, applications, virtual machines, services, etc.) (Jacob: paragraph 0029).
Regarding claims 6 and 16, SNIDER as modified teaches wherein analyzing the at least one security group rule to determine placement data for the at least one security group, further comprises: identifying a spread requirement for virtual machines belonging to the at least one security group from the at least one security group rule (Jacob: paragraphs 0016 and 0048, “a placement configuration identifies a set of virtual machines allocated to a first group of the plurality of groups. A first computing resource of the plurality of computing resources is allocated to the first group based on the placement configuration. In some embodiments, a placement configuration may include a security configuration to prevent access to the plurality of computing resources by other computing resources. For example, a security configuration may indicate one or more hypervisors allocated to manage the plurality of computing resources”).  The same motivation to modify SNIDER in view of Jacob, as applied in claim 2 above, applies here.

Claims 3 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of ACER and Jacob, and further in view of KOUZNETSOV et al. (US 20170097845) (hereinafter KOUZNETSOV).
Regarding claims 3 and 13, SNIDER in view of ACER and Jacob does not explicitly teach the following limitations which are taught by KOUZNETSOV, wherein analyzing the at least one security group rule to determine placement data for the at least one security group, further comprises: comparing the at least one security group rule to one or more security group model rules (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”); determining a score for the at least one security group rule for each of the one or more security group model rules (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”); and labelling the at least one security group with a tier type corresponding to at least one security group model rule having a highest score (KOUZNETSOV: paragraphs 0062-0065, “This is done by comparing group-host scores to choose the most suitable hosts for a group of VMs 18. For example, the largest group may be chosen first”).
SNIDER in view of ACER in view of Jacob and KOUZNETSOV are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER in view of ACER in view of Jacob and KOUZNETSOV before him or her, to modify the system of SNIDER in view of ACER in view of Jacob to include the analyzing step of the at least one security group rule to determine placement data for the at least one security group of KOUZNETSOV.  The suggestion/motivation for doing so would have been to determine optimal number of hosts required per VM sub-group, determine optimal set of hosts for each VM sub-group, and deploy placement rules to enforce VM-host affinity placements (KOUZNETSOV: paragraph 0030).

Claims 7-10 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over SNIDER in view of ACER, and further in view of NEOGI et al. (US 20170257424) (hereinafter NEOGI).
Regarding claims 7 and 17, SNIDER in view of ACER does not explicitly teach the following limitations which are taught by NEOGI, wherein the placement service: receives a request to place a plurality of virtual machines belonging to a first security group (NEOGI: paragraphs 0077-0078, “a search of available hosts can be performed to determine a list of candidate hosts in an associated data center and associated network paths that satisfy the specified and/or enriched requirements (network, security, affinity, availability, etc.) of the container being placed”); determines a rank for each of a plurality of candidate virtualization guest locations based on the placement data (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); and deploys the plurality of virtual machines to the plurality of candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”).
SNIDER in view of ACER and NEOGI are analogous art because they are from the same field of endeavor, management and provisioning of resources. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of SNIDER in view of ACER and NEOGI before him or her, to modify the system of SNIDER in view of ACER to include the deployment of the plurality of virtual machines to the plurality of candidate virtualization guest locations based at least on their ranks of NEOGI. The suggestion/motivation for doing so would have been for implementing flexible and scalable application virtualization mechanisms (NEOGI: paragraph 0002).
Regarding claims 8 and 18, SNIDER as modified teaches wherein the placement service: receives a request to place at least one virtual machine belonging to the first security group (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); determines a rank for each of a second plurality of candidate virtualization guest locations based at least on the placement data and placement of the plurality of virtual machines (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); deploys the at least one virtual machine to at least one candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0078-0080, “each candidate host in the data center and/or corresponding network path is scored (e.g., using a heuristic formula based on scoring weights in the manifest file) to determine the best candidate host for the container being placed. An example of such a formula is provided below.”); and redeploys at least one of the plurality of virtual machines to the second plurality of candidate virtualization guest locations based at least on their ranks (NEOGI: paragraphs 0049, 0078-0080 and 0111, “systems and techniques also provide for automatically mutating and expanding such container ecosystem environments, including network segments within them in response to changes (change events such as scaling changes in a given application or a data center implementing the containerized application), migration of containers and/or redeployment events in the container ecosystem. The described methods, systems and techniques are also independent of: a) networking device specifics; b) internal or external cloud configuration (including the cloud-burst use case; c) compute virtualization/clustering platforms; and d) container virtualization/clustering platforms.”). The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.
Regarding claims 9 and 19, SNIDER as modified teaches wherein the at least one security group rule includes a protocol, port range, and source or destination identifier (NEOGI: paragraphs 0039 and 0088, “the containers 130, 140 and 150 can be configured to implement an autonomous 3-tier application stack with a web tier (container 130) accepting incoming hypertext transfer protocol secure (HTTPS) connections on port 443, an App tier (container 140) accepting incoming HTTPS connections on port 8443 and a database (DB) tier (container 150) accepting trusted (e.g., from a pre-defined origination Internet Protocol (IP) address) connections to port 1433.”). The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.
Regarding claims 10 and 20, SNIDER as modified teaches further comprising: generating a first visualization of a tier of an application corresponding to the at least one security group, the first visualization including one or more computing systems with which the tier of the application can communicate based on the at least one security group rule (NEOGI: paragraphs 0039 and 0088, “the containers 130, 140 and 150 can be configured to implement an autonomous 3-tier application stack with a web tier (container 130) accepting incoming hypertext transfer protocol secure (HTTPS) connections on port 443, an App tier (container 140) accepting incoming HTTPS connections on port 8443 and a database (DB) tier (container 150) accepting trusted (e.g., from a pre-defined origination Internet Protocol (IP) address) connections to port 1433.”). The same motivation to modify SNIDER in view of NEOGI, as applied in claim 7 above, applies here.

Allowable Subject Matter
Claims 4-5 and 14-15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Regarding claims 4 and 14, the prior art of record including SNIDER, ACER, Jacob and KOUZNETSOV, either singularly or in combination, does not disclose or suggest the combination of limitations including, but not limited to, “wherein comparing the at least one security group rule to the one or more security group model rules further comprises: determining at least one difference between the at least one security group rule and the at least one security group model rule having the highest score; and determining a suggested rule change to the at least one security group rule based on the at least one difference for a user associated with the security group rule”.
Regarding claims 5 and 15, the prior art of record including SNIDER, ACER, Jacob and KOUZNETSOV, either singularly or in combination, does not disclose or suggest the combination of limitations including, but not limited to, “wherein the machine learning model comprises a tier type classifier, and wherein analyzing the at least one security group rule to determine placement data for the at least one security group, further comprises: providing the at least one security group rule to the tier type classifier, the tier type classifier trained using a security model including a plurality of rules defined for a plurality of known tier types; and receiving the tier type and a confidence value from the tier type classifier, wherein the placement data includes the tier type and the confidence value”.

Conclusion
The prior art made of record and not relied upon, which is considered pertinent to applicant's disclosure, is listed below:
Raduchel (US 20190253523) discloses a method for implementing software containers implementing network engines that may be configured to act in a zero-knowledge environment. In such implementations, all information pertaining to the network engine associated with a user that is stored in the container is solely that of a user unless explicitly shared by the user. In some implementations, the containers may be configured to participate in a publish-and-subscribe network in order to share information. In addition, the containers may be provisioned with controls so that global operators may comply with local privacy rules.
Nagpal (US 20180136958) discloses a system for placing virtual machines in a virtualization environment receives instructions to place a virtual machine within the virtualization environment, wherein the virtual environment includes a plurality of host machines that include a hypervisor, at least one user virtual machine, and an input/output (I/O) controller and a virtual disk that includes a plurality of storage devices and is accessible by all of the I/O controllers, wherein the I/O controllers conduct I/O transactions with the virtual disk based on I/O requests received from the UVMs. The system determines a predicted resource usage profile for the virtual machine. The system selects, based on the predicted resource usage profile, one of the host machines for placement of the virtual machine. The system places the virtual machine on the selected one of the host machines.
Fine (US 9965309) discloses an example method that may include determining a shared threat potential for a virtual machine based, at least in part, on a degree of co-location the virtual machine has with a current virtual machine operating on a physical machine, determining a workload threat potential for the virtual machine based, at least in part, on a level of advantage associated with placing the virtual machine on the physical machine, determining a threat potential for the virtual machine based, at least in part, on a combination of the shared threat potential and the workload threat potential, and placing the virtual machine on the physical machine based on the threat potential.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740. The examiner can normally be reached Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/TRANG T DOAN/Primary Examiner, Art Unit 2431