DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of pre-AIA 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
2.	Claims 1, 8 and 15 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chittimalli (US PG Pub. No. 2020/0387497).
As per claim 1:
Chittimalli teaches a computer-implemented method for implementing security policies in a secured network (see paragraph [0003], discloses a method of detecting inconsistencies in Semantics of Business Vocabulary and Business Rules (SBVR) using Many-Sorted Logic), comprising:
retrieving a set of rules of a security policy (see paragraph [0024], discloses the one or more hardware processors 104 are configured to define a set of rules expressed in SBVR, where the set of rules comprises syntactic and semantic ambiguities and inconsistencies, and wherein each of the set of rules facilitate one or more actions based upon a specification of one or more conditions);
analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy (see paragraph [0039], discloses the one or more processors 104 are then configured to translate the set of SBVR rules into SBVR eXtensible Markup Language (XMLTM) Metadata Interchange (SBVR XMI). The one or more processors 104 generates one or more sets (or classes) for every SBVR noun concept and a sub-set relationship between sets predicted based upon parent-child relationship. From the SBVR noun concept(s), the processor 104 is able to introduce one or more graphical clusters using SMT_LIBv2 translation, please see paragraph [0061]. Thus, the SBVR rule(s) are reduced. An example of such graphical cluster is the formula: “(declare-sort airportBranch Cluster_Branch)”, please see paragraph [0063]);
and generating a visual presentation on a user interface using results of the SMT operations (as explained earlier in paragraph [0061] one or more graphical clusters are introduced using SMT_LIBv2 translation. Note: System 100 as shown in figure 1 comprises I/O interface device(s) 106 which includes a variety of software and hardware interfaces such as web interface, graphical user interface and the like, please see paragraphs [0021], [0110]), where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions (see paragraph [0064], discloses, the one or more hardware processors 104 declares a predicate for the SMT_LIBv2 for each set. The formula for the predicate axiom for the set airport_branch is “(declare-fun airport_branch_domain (Cluster_Branch) Bool)”. The predicate axiom may be associated with one or more domains, please see paragraph [0069] for example, i.e. domain(x)).
As per claim 8:
Chittimalli teaches a system (see Figure 1, system 100) comprising:
one or more information handling systems (see Figure 1, system 100), wherein the one or more information handling systems include:
a processor (see Figure 1, hardware processor(s) 104);
a data bus coupled to the processor (see paragraph [0019], I/O interfaces 106 and memory 102 are operatively coupled to said hardware processor(s) 104 and thus it is evident that there is an interconnection between the network elements); and
a non-transitory, computer-readable storage medium embodying computer program code, the non-transitory, computer-readable storage medium being coupled to the data bus (as explained earlier in paragraph [0019], I/O interfaces 106 and memory 102 are operatively coupled to said hardware processor(s) 104 and thus it is evident that there is an interconnection between the network elements. Furthermore, the processor(s) is/are configured to fetch and execute computer-readable instructions stored in the memory 102);
wherein the computer program code included in one or more of the information handling systems is executable by the processor of the information handling system so that the information handling system, alone or in combination with other information handling systems (as explained earlier in paragraph [0019], the processor(s) is/are configured to fetch and execute computer-readable instructions stored in the memory 102), executes operations comprising:
retrieving a set of rules of a security policy (see paragraph [0024], discloses the one or more hardware processors 104 are configured to define a set of rules expressed in SBVR, where the set of rules comprises syntactic and semantic ambiguities and inconsistencies, and wherein each of the set of rules facilitate one or more actions based upon a specification of one or more conditions);
analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy (see paragraph [0039], discloses the one or more processors 104 are then configured to translate the set of SBVR rules into SBVR eXtensible Markup Language (XMLTM) Metadata Interchange (SBVR XMI). The one or more processors 104 generates one or more sets (or classes) for every SBVR noun concept and a sub-set relationship between sets predicted based upon parent-child relationship. From the SBVR noun concept(s), the processor 104 is able to introduce one or more graphical clusters using SMT_LIBv2 translation, please see paragraph [0061]. Thus, the SBVR rule(s) are reduced. An example of such graphical cluster is the formula: “(declare-sort airportBranch Cluster_Branch)”, please see paragraph [0063]);
and generating a visual presentation on a user interface using results of the SMT operations (as explained earlier in paragraph [0061] one or more graphical clusters are introduced using SMT_LIBv2 translation. Note: System 100 as shown in figure 1 comprises I/O interface device(s) 106 which includes a variety of software and hardware interfaces such as web interface, graphical user interface and the like, please see paragraph [0021]), where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions (see paragraph [0064], discloses, the one or more hardware processors 104 declares a predicate for the SMT_LIBv2 for each set. The formula for the predicate axiom for the set airport_branch is “(declare-fun airport_branch_domain (Cluster_Branch) Bool)”. The predicate axiom may be associated with one or more domains, please see paragraph [0069] for example, i.e. domain(x)).


As per claim 15:
Chittimalli teaches a non-transitory, computer-readable storage medium embodying computer program code (see Figure 1, paragraph [0019], system 100 includes one or more processors 104 and memory 102. The processor(s) 104 fetches and executes instructions stored in memory 102), the computer program code comprising computer-executable instructions configured for:
retrieving a set of rules of a security policy (see paragraph [0024], discloses the one or more hardware processors 104 are configured to define a set of rules expressed in SBVR, where the set of rules comprises syntactic and semantic ambiguities and inconsistencies, and wherein each of the set of rules facilitate one or more actions based upon a specification of one or more conditions);
analyzing the set of rules of the security policy using one or more Satisfiability Modulo Theory (SMT) operations to reduce a dimensionality of the security policy (see paragraph [0039], discloses the one or more processors 104 are then configured to translate the set of SBVR rules into SBVR eXtensible Markup Language (XMLTM) Metadata Interchange (SBVR XMI). The one or more processors 104 generates one or more sets (or classes) for every SBVR noun concept and a sub-set relationship between sets predicted based upon parent-child relationship. From the SBVR noun concept(s), the processor 104 is able to introduce one or more graphical clusters using SMT_LIBv2 translation, please see paragraph [0061]. Thus, the SBVR rule(s) are reduced. An example of such graphical cluster is the formula: “(declare-sort airportBranch Cluster_Branch)”, please see paragraph [0063]);
and generating a visual presentation on a user interface using results of the SMT operations (as explained earlier in paragraph [0061] one or more graphical clusters are introduced using SMT_LIBv2 translation. Note: System 100 as shown in figure 1 comprises I/O interface device(s) 106 which includes a variety of software and hardware interfaces such as web interface, graphical user interface and the like, please see paragraph [0021]), where the visual presentation includes visual indicia representing one or more targeted policy dimensions with respect to one or more fixed policy dimensions (see paragraph [0064], discloses, the one or more hardware processors 104 declares a predicate for the SMT_LIBv2 for each set. The formula for the predicate axiom for the set airport_branch is “(declare-fun airport_branch_domain (Cluster_Branch) Bool)”. The predicate axiom may be associated with one or more domains, please see paragraph [0069] for example, i.e. domain(x)).

Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 2, 3, 9, 10, 16 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Chittimalli in view of Cook (US PG Pub. No. 2019/0007418).
As per claim 2:
Chittimalli teaches the computer-implemented method of claim 1 with the exception of:
further comprising:
retrieving a further set of rules of a further security policy;
analyzing the set of rules and the further set of rules to identify one or more rules of the further security policy that are not equivalent to one or more rules of the security policy;
and generating a visual presentation on a user interface showing an impact of differences between the rules of the security policy and the rules set of the further security policy with respect to one or more targeted policy dimensions and one or more fixed policy dimensions.
Cook teaches further comprising:
retrieving a further set of rules of a further security policy (see figure 12, step 1204, paragraph [0119], the system may determine 1204 a first propositional logic expression based at least in part on the first security policy. Paragraph [0120], step 1206 discloses the system determining a second propositional logic expression based at least in part on the second security policy. Note: Examiner is reading said first and second logic expressions respectively as the further set of rules for the respective security policies);
analyzing the set of rules and the further set of rules to identify one or more rules of the further security policy that are not equivalent to one or more rules of the security policy (see figure 12, step 1208, paragraph [0121], the system may determine whether the first propositional logic expression and the second propositional logic expression are equivalent. The two policies may be said to be equivalent if the security permissions from the first policy and the second policy apply in the same manner to all actions, resources and principles. That is, for any given set of actions, resources, and principles, the first and second security policies will both either deny access or both grant access. See figure 12, step 1210, paragraph [0125], if the system determines that the first propositional logic expression and the second propositional logic expression are not equivalent, then the system may identify 1210 a set of parameters that is sufficient to determine that the first propositional logic expression and the second propositional logic expression lack equivalency);
and generating a visual presentation on a user interface showing an impact of differences between the rules of the security policy and the rules set of the further security policy with respect to one or more targeted policy dimensions and one or more fixed policy dimensions (see paragraph [0125], discloses, the system may provide 1212 the set of parameters as part of a web API response as an indication that the security policies are not equivalent. See paragraph [0149] and figure 15, the second graphical user interface 1512 shows a visual presentation indicating the lack of equivalency including various predefined policies such as reference policies mapped to respective underlying policies such as JSON format).
Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the respective propositional logics of the first and second security policies (as disclosed in Cook) into Chittimalli as a way of enabling the user system to determine whether both security policies either deny or grant access (please see paragraph [0121] of Cook). Therefore, implementing such propositional logics helps in managing and maintaining the security of the computer systems (please see paragraph [0003] of Cook).
As per claim 3:
Chittimalli in view of Cook teaches the computer-implemented method of claim 2.
Chittimalli does not teach wherein:
the targeted policy dimensions for the security policy and targeted dimensions for the further security policy are displayed generally adjacent to one another to facilitate a visual comparison of the rules of the security policy and rules of the further security policy.
Cook teaches the targeted policy dimensions for the security policy and targeted dimensions for the further security policy are displayed generally adjacent to one another to facilitate a visual comparison of the rules of the security policy and rules of the further security policy (see Figures 10, 15 as shown, within the graphical user interface, details of policy 1 are placed adjacent to policy 2. The submit button is pressed in order to determine whether the parameters associated with the first policy are the same as the parameters associated with the second policy, see paragraphs [0148], [0149]).
Same rationale as provided for claim 2.
	Claim 9 is rejected in the same scope as claim 2.
	Claim 10 is rejected in the same scope as claim 3.
	Claim 16 is rejected in the same scope as claim 2.
	Claim 17 is rejected in the same scope as claim 3.
6.	Claims 4-6, 11-13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chittimalli in view of Cook and further in view of Rogers (US PG Pub. No. 2014/0115654).
As per claim 4:
Chittimalli in view of Cook teaches the computer-implemented method of claim 2 with the exception of:
wherein:
the security policy is a security policy currently implemented in the secured network;
and the further security policy comprises a modified version of the security policy proposed for implementation in the secured network.
Rogers teaches wherein:
the security policy is a security policy currently implemented in the secured network (see paragraph [0043], the one or more dynamic security policies that effectuate a blocklist service may be utilized to implement one or more VPNs and thus a secured network);
and the further security policy comprises a modified version of the security policy proposed for implementation in the secured network (see paragraph [0062], the security policy management server 120 may communicate the new or modified dynamic security policy to the packet security gateway 112).
	Thus, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the dynamic security policy which could be modified by one or more rules (as disclosed in Rogers) into both Chittimalli and Cook as a way of enabling the server handling the traffic to block a malicious host attacker service (please see paragraph [0059] of Rogers). Therefore, implementing the one or more rules associated with the security policy helps to filter substantially all network traffic at high resolution (please see paragraph [0003] of Rogers).
As per claim 5:
Chittimalli in view of Cook and further in view of Rogers teaches the computer-implemented method of claim 4.
Chittimalli and Cook do not clearly teach:
wherein:
the rules of the security policy and rules of the further security policy comprise network security rules.
Rogers teaches wherein:
the rules of the security policy and rules of the further security policy comprise network security rules (see paragraph [0037], the one or more rules associated with the dynamic security policy are used for specifying that packets having specified information should be forwarded to packet transformation formation 216 while all other packets should be forwarded to packet transformation function 218. The packets are then forwarded from respective filters to a network A 102 and thus said one or more rules are network security rules).
	Same rationale as provided for claim 4.
As per claim 6:
Chittimalli in view of Cook and further in view of Rogers teaches the computer-implemented method of claim 5.
The combination of Chittimalli and Cook does not teach wherein:
the one or more fixed policy dimensions include a destination port or Internet Protocol (IP) address;
and the one or more targeted policy dimensions include one or more traffic policies for the one or more fixed policy dimensions.
Rogers teaches wherein:
the one or more fixed policy dimensions include a destination port or Internet Protocol (IP) address (see paragraph [0041], the dynamic security policy 300 may include one or more rules that specify a packet transmission function other than forwarding (accepting or allowing) or dropping (denying) a packet. The rules may specify packets associated with source and destination ports as well as source and destination IP addresses);
and the one or more targeted policy dimensions include one or more traffic policies for the one or more fixed policy dimensions (see paragraph [0042], the one or more rules within the dynamic security policy 300 may be required to execute in a specific order. For example, one or more rules 1-4 302, 304, 306, 308).
Same rationale as provided for claim 4.
	Claim 11 is rejected in the same scope as claim 4.
	Claim 12 is rejected in the same scope as claim 5.
	Claim 13 is rejected in the same scope as claim 6.
	Claim 18 is rejected in the same scope as claim 4.
	Claim 19 is rejected in the same scope as claim 5.
	Claim 20 is rejected in the same scope as claim 6.

7.	Claim(s) 7 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chittimalli in view of Sartran (US PG Pub. No. 2018/0077182).
As per claim 7:
Chittimalli teaches the computer-implemented method of claim 1 with the exception of:
wherein:
the visual presentation comprises a table displaying one or more fixed dimensions on corresponding table axes and displaying one or more targeted dimensions within the table as a function of the one or more fixed dimensions.
Sartran teaches wherein:
the visual presentation comprises a table displaying one or more fixed dimensions on corresponding table axes and displaying one or more targeted dimensions within the table as a function of the one or more fixed dimensions (see figure 6 and paragraphs [0097]-[0098], discloses using a satisfiability modulo theory (SMT) solver using linear arithmetic to determine optimal address groups. As shown in figure 6, traffic records 416 comprising a plurality of port addresses are grouped using SMT solvers to form N address groups).
Thus it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the grouping of port addresses using SMT solver for example (as disclosed in Sartran) into Chittimalli. The motivation for doing so would be to distinguish when an attack is underway (please see paragraph [0003] of Sartran).
	Claim 14 is rejected in the same scope as claim 7.

Conclusion
8.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to PRINCE AKWASI MENSAH whose telephone number is (571)270-7183. The examiner can normally be reached Mon-Fri 8:00am-4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, MICHAEL THIER can be reached on 571-272-2832. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

PRINCE AKWASI. MENSAH
Examiner
Art Unit 2474



/PRINCE A MENSAH/Examiner, Art Unit 2474 

/BENJAMIN H ELLIOTT IV/Primary Examiner, Art Unit 2474