Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
	This communication is in response to the amended application filed on 08/23/2022.
Claims 1-20 are pending.
Claims 1-7, 9-14, 16-17 and 19-20 are amended.
Remarks
Applicant’s arguments filed on 08/23/2022 (‘Remarks’) have been considered.
Regarding the Claim Objections
	The claim objections have been withdrawn due to the amendments to the claims. 
Regarding the 35 U.S.C. § 112 Rejections
	The 35 U.S.C. § 112 rejections have been withdrawn due to the amendments to the claims.
Regarding the Prior Art
	The arguments regarding claims 1, 4 and 13 are moot due to the new reference, Cooper (Pub. No. US 2014/0115578 A1), being used in the current rejection. 
The arguments regarding claims 5 and 16 are moot in part due to the new reference being used in the current rejection, Blank (Pat. No. US 11,171,939 B1), and unpersuasive in part. 
With regard to claims 5 and 16, Nedbal teaches sending a request to at least one of an automated reasoning service or a resource access service to determine whether there are any conflicts with the at least one access control policy and one or more existing permissions or access patterns (Nedbal ¶ [0085], sending and receiving can be interpreted as being internal and is inherent in this paragraph, “the security microservice [automated reasoning service/resource access service] evaluates the results of applying the one or more security policies to the one or more resource groups passively to determine whether there is at least one recommended modification to apply to the network sets”; see also ¶ [0086], “if a particular security policy is triggered by too much network traffic or is not triggered by any network traffic [the policy is in conflict with an access pattern], the security microservice can recommend removing the particular security policy or not activating the particular security policy”); based on one or more responses from the at least one of the automated reasoning service or the resource access service, returning feedback for the one or more intent statements (Nedbal ¶ [0086], recommendations are made);
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper and Nedbal to teach recommending that a security policy be disabled or set to monitoring mode based on analyzing an network activity because it allows for optimizing use of network resources, Nedbal ¶ [0019].  
Nedbal does not explicitly teach making recommendations via the user interface and receiving, via the user interface, a confirmation of the one or more intent statements.
However, Blank teaches making recommendations via the user interface and receiving, via the user interface, a confirmation of the one or more intent statements (Blank column 38, lines 35-41, “customer, such as an administrator of the organization 110, may interact with the UI to accept or reject policy change recommendations. Customers may also manage configurations and policies at the UI and run reports from the UI”).
Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA  35 U.S.C. §§ 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. § 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1) in view of Gracyk (Pub. No. US 2004/0221022 A1) and in view of Tautschnig (Pat. No. US 10,652,266 B1).

Regarding claim 1, Sidebottom teaches a computer-implemented method comprising: receiving, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of an intent-based governance service of a provider network (Sidebottom Fig. 2 service development device 4 & Fig. 1, service provider 6 includes service development device & column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements written in a domain-specific language from an administrator expressing security intent for resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules [intent statements] drafted in a rule description language [domain specific language]”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers; see also column 3, lines 34-40 & 59-62, rule specification language is high level and related to business level information making it a domain specific language [business level/policies domain]); parsing the one or more intent statements to generate parsed one or more intent statements and compiling the parsed one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules; see also claim 21, which shows how the rule compiler processes/parses rules; see also column 5, lines 24-39, event translator parses rules to determine a source event attribute and a translation attribute; see also column 5, lines 63-67, regarding the rules engine parsing rules); associating the at least one access control policy with the customer computing resources based on the one or more intent statements (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).
Sidebottom does not explicitly teach a customer expressing security intent for customer computing resources hosted by the provider network, utilizing a provider network model to parse a policy, detecting a change to the provider network based on a static code analysis of one or more services of the provider network; updating the provider network model based on the change to the provider network; and recompiling the parsed one or more intent statements into an updated at least one access control policy, the updated at least one access control policy applying to at least the one or more services of the provider network that have changed.
However, Cooper teaches receiving, via a user interface of an intent-based governance service of a provider network, one or more intent statements written in a domain-specific language from a customer expressing security intent for customer computing resources hosted by the provider network (*Although Sidebottom teaches some of these elements, as explained above, Cooper teaches all of them – Cooper Fig. 1 ¶¶ [0003] & [0036], cloud infrastructure 100 is the provider network which hosts customer resources/VMs where “allocated resources and networks may be accessed remotely by users”; see also ¶ [0038], “Security manager 175 may enable users to provide policies for virtual machines as they are added or moved via cloud manager 150”; see also ¶ [0133], “a security manager (e.g., security manager 175 of FIG. 1) may provide a user interface to allow authorized users to update or add security policies to new or existing guest virtual machines.”) 
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Cooper to teach customers setting up security policies for customer resources in a cloud because this protects sensitive data. Furthermore, this is merely combining prior art elements (customer resources such as VMs in a cloud infrastructure) according to known methods (users setting security policies for user resources in the cloud) to yield predictable results (securing user resources). MPEP 2143(I).  
Cooper does not explicitly teach utilizing a provider network model to parse a policy, detecting a change to the provider network based on a static code analysis of one or more services of the provider network; updating the provider network model based on the change to the provider network; and recompiling the parsed one or more intent statements into an updated at least one access control policy, the updated at least one access control policy applying to at least the one or more services of the provider network that have changed.
However, Gracyk teaches parsing the one or more intent statements based on a provider network model (Gracyk Fig. 1 and ¶¶ [0011]-[0013], WMI model used to parse out intent statements in the service definition such as “PolicyGroup = ExchangePolicies” (Fig. 1, 116) and “PackageGuid=ExchangeFM” (Fig. 1, 120) and associate the intent statements with a service), detecting a change to the provider network based on an analysis of one or more services of the provider network (Gracyk ¶ [0011], “the discovery agent 102 discovers a service 106 [detects a change to the provider network] in the node A, for example a service named ‘Microsoft Exchange’.”); updating the provider network model based on the change to the provider network (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114” – by writing the discovered service to the network model the network model is updated based on the change to the provider network); and recompiling the parsed one or more intent statements into an updated at least one access control policy, the updated at least one access control policy applying to at least the one or more services of the provider network that have changed (Gracyk Fig. 1 and ¶ [0017], the new exchange policies 108 are deployed based on the instance 116 in the model).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper and Gracyk because this is merely combining prior art elements (receiving policies in a domain specific language and parsing/compiling/enforcing them) according to known methods (utilizing a network model to parse policies, updating the network model and accordingly updating the policies) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  
Gracyk does not explicitly teach detecting a change to the provider network based on a static code analysis of one or more services of the provider network.
However, Tautschnig teaches detecting a change to the provider network based on a static code analysis of one or more services of the provider network (Tautschnig Fig. 1 and column 16, lines 32-38, source code analysis engine detects changes to source code of a service to determine a change in the service provider network).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Copper and Gracyk with the teachings of Tautschnig (source code analysis of a service) because it allows for automated identification and mitigation of violations of security policies in an environment where users and developers dynamically modify the source code of a service to change functionality of a service. Tautschnig column 1, lines 25-34 and column 3, lines 32-47.

Regarding clam 2, Sidebottom, Cooper, Gracyk and Tautschnig teach the computer-implemented method of claim 1. Sidebottom furthermore teaches wherein the security intent for customer resources includes limiting access to the customer computing resources from one or more regions of the provider network (Sidebottom column 3, lines 18-23, access is limited from a region of the provider network).

Regarding clam 3, Sidebottom, Cooper, Gracyk and Tautschnig teach the computer-implemented method of claim 1.  Sidebottom furthermore teaches wherein the security intent for customer resources includes limiting sharing of the customer computing resources to the customer's organization (Sidebottom column 3, lines 3-12, subscriber is authenticated which limits sharing of resources to non-authenticated individuals).

Claims 4, 8, 12-13 and 20 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1).

Regarding claim 4, Sidebottom teaches computer-implemented method comprising: receiving, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of an intent-based governance service (Sidebottom Fig. 2 service development device 4 & Fig. 1, service provider 6 includes service development device & column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements associated with user computing resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers); compiling the one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules); and associating the at least one access control policy with the user resources (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).
Sidebottom does not explicitly teach customer computing resources hosted by the provider network.
However, Cooper teaches receiving, via a user interface of an intent-based governance service of a provider network, one or more intent statements associated with user computing resources hosted by a provider network the one or more intent statements expressing at least one type of action allowed to be performed on the computing resources (*Although Sidebottom teaches some of these elements, as explained above, Cooper teaches all of them – Cooper Fig. 1 ¶¶ [0003] & [0036], cloud infrastructure 100 is the provider network which hosts customer resources/VMs where “allocated resources and networks may be accessed remotely by users”; see also ¶ [0038], “Security manager 175 may enable users to provide policies for virtual machines as they are added or moved via cloud manager 150”; see also ¶ [0133], “a security manager (e.g., security manager 175 of FIG. 1) may provide a user interface to allow authorized users to update or add security policies to new or existing guest virtual machines.”) 
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Cooper to teach customers setting up security policies for customer resources in a cloud because this protects sensitive data. Furthermore, this is merely combining prior art elements (customer resources such as VMs in a cloud infrastructure) according to known methods (users setting security policies for user resources in the cloud) to yield predictable results (securing user resources). MPEP 2143(I).  

Regarding claim 8, Sidebottom and Cooper teach the computer-implemented method of claim 4. Sidebottom furthermore teaches receiving an event from a service of the provider network indicating at least one change to the provider network (Sidebottom Fig. 2, events are received by event translator 24 & column 8, lines 34-50, “Because the methods of database proxy 50 may change what services should be available to a subscriber, database proxy 50 may generate a new event. Database proxy 50 may then send the new event to event translator 24”).

Regarding 12, Sidebottom and Cooper teach the computer-implemented method of claim 8. Sidebottom furthermore teaches wherein the service of the provider network is an area status service, and wherein the at least one change is a new area of the provider network being brought online (Sidebottom column 8, lines 34-50, “Because the methods of database proxy 50 may change what services should be available [a new are of the provider network being brought online] to a subscriber, database proxy 50 may generate a new event. Database proxy 50 may then send the new event to event translator 24”; see also column 8, lines 51-66 regarding service activation proxy allowing access to the internet to a subscriber).

Regarding claim 13, Sidebottom teaches a system comprising: a first one or more electronic devices to implement user resources in a multi-tenant provider network, the user computing resources including one or more first processors and first memory (Sidebottom Fig. 1, service provider 6 is comprised of one or more electronic devices to implement user resources & column 3, lines 18-32); and a second one or more electronic devices to implement an intent-based governance service in the multi-tenant provider network (Sidebottom Fig. 1, Service Deployment Device 4 & column 3, lines 18-32), the intent-based governance service including one or more second processors and second memory storing instructions that upon execution by the one or more second processors cause the intent-based governance service to: receive, via a user interface (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”) of the intent-based governance service (Sidebottom column 2, lines 26-29, “FIG. 1 is a block diagram illustrating an exemplary system 2 in which a service provider 6 employs a Service Deployment Device ("SDD") 4 to deploy business policies of service provider 6.”), one or more intent statements associated with the user computing resources, the one or more intent statements expressing at least one type of action allowed to be performed on the user computing resources (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 to supply custom business logic rules drafted in a rule description language”; see also column 3, lines 18-32, service provider 6 controls access to resources used by customers); compile the one or more intent statements into at least one access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules); and associate the at least one access control policy with the user computing resources (Sidebottom column 6, lines 55-65, actions descriptors are associated with processor descriptor; see also Fig. 3 and column 8, lines 20-33, regarding processor classes, which include user defined processor classes, service activation proxy and database proxy).
Sidebottom does not explicitly teach customer computing resources hosted by the provider network.
However, Cooper teaches customer computing resources hosted by the provider network (*Although Sidebottom teaches some of these elements, as explained above, Cooper teaches all of them – Cooper Fig. 1 ¶¶ [0003] & [0036], cloud infrastructure 100 is the provider network which hosts customer resources/VMs where “allocated resources and networks may be accessed remotely by users”; see also ¶ [0038], “Security manager 175 may enable users to provide policies for virtual machines as they are added or moved via cloud manager 150”; see also ¶ [0133], “a security manager (e.g., security manager 175 of FIG. 1) may provide a user interface to allow authorized users to update or add security policies to new or existing guest virtual machines.”) 
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom with the teachings of Cooper to teach customers setting up security policies for customer resources in a cloud because this protects sensitive data. Furthermore, this is merely combining prior art elements (customer resources such as VMs in a cloud infrastructure) according to known methods (users setting security policies for user resources in the cloud) to yield predictable results (securing user resources). MPEP 2143(I).  

Sidebottom and Cooper teach all the limitations of claim 20 as asserted above with regard to claims 8 and 12

Claims 5 and 16 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1) in view of Nedbal (Pub. No. US 2021/0126948 A1) and further in view of Blank (Pat. No. US 11,171,939 B1).

Regarding claim 5, Sidebottom and Cooper teach the computer-implemented method of claim 4. 
Sidebottom and Cooper do not explicitly teach sending a request to at least one of an automated reasoning service or a resource access service to determine whether there are any conflicts with the at least one access control policy and one or more existing permissions or access patterns; based on one or more responses from the at least one of the automated reasoning service or the resource access service, returning feedback for the one or more intent statements via the user interface; and receiving, via the user interface, a confirmation of the one or more intent statements.
However, Nedbal teaches sending a request to at least one of an automated reasoning service or a resource access service to determine whether there are any conflicts with the at least one access control policy and one or more existing permissions or access patterns (Nedbal ¶ [0085], “the security microservice [automated reasoning service/resource access service] evaluates the results of applying the one or more security policies to the one or more resource groups passively to determine whether there is at least one recommended modification to apply to the network sets”; see also ¶ [0086]); based on one or more responses from the at least one of the automated reasoning service or the resource access service, returning feedback for the one or more intent statements (Nedbal ¶ [0086], recommendations are made);
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper and Nedbal to teach recommending that a security policy be disabled or set to monitoring mode based on analyzing an network activity because it allows for optimizing use of network resources, Nedbal ¶ [0019].  
Nedbal does not explicitly teach making recommendations via the user interface and receiving, via the user interface, a confirmation of the one or more intent statements.
However, Blank teaches making recommendations via the user interface and receiving, via the user interface, a confirmation of the one or more intent statements (Blank column 38, lines 35-41, “customer, such as an administrator of the organization 110, may interact with the UI to accept or reject policy change recommendations. Customers may also manage configurations and policies at the UI and run reports from the UI”).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper, Nedbal and Blank to teach rejecting policy change recommendations via a GUI because it allows the users more flexibility in policy enforcement. Furthermore,  this is merely combining prior art elements according to known methods to yield predictable results. MPEP 2143(I).

Sidebottom, Cooper, Nedbal and Blank teach all the limitations of claim 16 as asserted above with regard to claim 5. 

Claims 6-7 and 14-15 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1) and in view of Nedbal (Pub. No. US 2021/0126948 A1).

Regarding claim 6, Sidebottom and Cooper teach the computer-implemented method of claim 4. 
Sidebottom and Cooper do not explicitly teach: sending a request to a resource activity service to compare the at least one access control policy to an activity history associated with the user computing resources and receiving a response indicating that the at least one access control policy would restrict recent activity associated with the user computing resources.
However, Nedbal teaches sending a request to a resource activity service to compare the at least one access control policy to an activity history associated with the user resources and receiving a response indicating that the at least one access control policy would restrict recent activity associated with the user resources (Nedbal ¶ [0086], a recommendation to disable a security policy is made based on activity associated with the security policy).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper and Nedbal to teach recommending that a security policy be disabled or set to monitoring mode based on analyzing an network activity because it allows for optimizing use of network resources, Nedbal ¶ [0019].  

Regarding claim 7, Sidebottom, Cooper and Nedbal teach the computer-implemented method of claim 6. Sidebottom furthermore teaches a user interface for receiving at least one updated intent statement (Sidebottom Fig. 2, user interface 28 & column 5, lines 12-14, “Administrator 36 interacts with SDD 4 through administrative interface 28 supply custom business logic rules drafted in a rule description language”); and compiling the at least one updated intent statement into at least one updated access control policy (Sidebottom column 5, lines 17-23, rule compiler compiles business logic rules).
Sidebottom does not explicitly indicating the recent activity that would be restricted by the at least one access control policy.
However, Nedbal teaches indicating the recent activity that would be restricted by the at least one access control policy (Nedbal ¶ [0086], “a security policy having a number of violations less than a predefined threshold may be recommended to be disabled”; see also ¶ [0092] about classifying activity and indicating that it would be restricted by the access control policy, “the security microservice identifies or records 20,000 violations, all related to the rendering farm. In other words, the violations or security policies/rules are asymmetrically clustered to a particular member or type of member of the “application tier” network set. In this example, the security microservice can identify that all of the security policy violations are from the rendering farm”).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom, Cooper and Nedbal to teach indicating recent activity that would be restricted by the access policy because it allows for optimizing use of network resources, Nedbal ¶ [0019]. 

Claims 14-15 are rejected by Sidebottom, Cooper and Nedbal as asserted above with regard to claim 6-7.

Claims 9-10 and 17-18 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1) and further in view of Gracyk (Pub. No. US 2004/0221022 A1).

Regarding claim 9, Sidebottom and Cooper teach the computer-implemented method of claim 8.
Sidebottom and Cooper do not explicitly teach updating a model of the provider network based on the at least one change to generate an updated model.
However, Gracyk teaches updating a model of the provider network based on the at least one change to generate an updated model (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114” – by writing the discovered service to the network model the network model is updated based on the change to the provider network). 
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Cooper with the teachings of Gracyk because this is merely combining prior art elements according to known methods (updating a network model according to configuration changes) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  

Regarding claim 10, Sidebottom, Cooper and Gracyk teach the computer-implemented method of claim 9.
Sidebottom and Cooper do not explicitly teach recompiling the one or more intent statements using the updated model to generate at least one updated access control policy which applies to the at least one change to the provider network.
However, Gracyk recompiling the one or more intent statements using the updated model to generate at least one updated access control policy which applies to the at least one change to the provider network (Gracyk Fig. 1 and ¶ [0012] “The discovery agent 102 sends the information on what services have been discovered to the discovery server 112 which then writes the services to the network model 114”; see also ¶ [0017], the new exchange policies 108 are deployed based on the instance 116 in the model)
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Cooper with the teachings of Gracyk because this is merely combining prior art elements (receiving policies in a domain specific language and parsing/compiling/enforcing them) according to known methods (utilizing a network model to parse policies, updating the network model and accordingly updating the policies) to yield predictable results (allowing for the automated updating of policies when the network configuration changes). MPEP 2143(I). Furthermore, utilizing a model is a known technique that is applied to known devices (network devices) ready for improvement to yield predictable results (creation and enforcement of network policies). MPEP 2143(I). See also Gracyk ¶ [0030], about adding packages/policies on the fly without having to write or compile code.  

Sidebottom, Cooper and Gracyk teach all the limitations of claim 17 as asserted above with regard to claims 8-9, respectively. 

Sidebottom, Cooper and Gracyk teach all the limitations of claim 18 as asserted above with regard to claims 10.

Claims 11 and 19 are rejected under 35 U.S.C. § 103 as being unpatentable over Sidebottom (Pat. No. US 7,962,633 B1) in view of Cooper (Pub. No. US 2014/0115578 A1) in view of and further in view of Tautschnig (Pat. No. US 10,652,266 B1).

Regarding claim 11, Sidebottom and Cooper teach the computer-implemented method of claim 8.
Sidebottom does not explicitly teach wherein the service of the provider network is a static code analysis service, and wherein the at least one change is a new feature of a second service of the provider network identified based on a static code analysis.
However, Tautschnig teaches wherein the service of the provider network is a static code analysis service, and wherein the at least one change is a new feature of a second service of the provider network identified based on a static code analysis (Tautschnig Fig. 1 and column 16, lines 32-38, source code analysis engine detects changes to source code of a service; see also column 1, lines 25-34, users make changes to network-based services).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Sidebottom and Cooper with the teachings of Tautschnig (source code analysis of a service) because it allows for automated identification and mitigation of violations of security policies in an environment where users and developers dynamically modify the source code of a service to change functionality of a service. Tautschnig column 1, lines 25-34 and column 3, lines 32-47.

Sidebottom, Cooper and Tautschnig teach all the limitations of claim 19 as asserted above with regard to claims 8 and 11.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY P TOLCHINSKY whose telephone number is (571)270-0599. The examiner can normally be reached m-f (9:30-6:30PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/G.P.T./Examiner, Art Unit 2456                                                                                                                                                                                                        
/Brian Whipple/Primary Examiner, Art Unit 2456                                                                                                                                                                                                        11/21/2022