DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office action is in response to applicant’s appeal brief, filed 29 August 2022, in the application filed with the above serial number on 30 January 2020, in which no claims have been amended. Claims 1-7 and 9-20 are pending in the application.
In view of the Appeal Brief filed on 29 August 2022, PROSECUTION IS HEREBY REOPENED. A new ground of rejection is set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/NICHOLAS R TAYLOR/ Supervisory Patent Examiner, Art Unit 2443

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Nantel (hereinafter “Nantel”, 2016/0315907) in view of Leon (hereinafter “Leon”, 2019/0386957).
As per Claim 1, Nantel discloses a method comprising: 
determining a plurality of identifiers of a first device connecting to a network via an intermediary network device, wherein the plurality of identifiers at least includes a first transient identifier that can change across network connections and a first persistent identifier that persists across network connections (at least paragraph 31; retrieve unique physical addresses of one or more host devices 102 and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server 106 to the one or more host devices 102 {where the transient identifier is an IP address which is dynamic; where persistent identifier is unique physical address such as MAC}); 
determining that the first persistent identifier is indicated in a first structure, wherein the first structure is maintained in a control plane of the intermediary network device and the first structure includes persistent identifiers of devices, transient identifiers assigned to the devices (at least Fig. 4a-d, par. 41-42; MAC address, 1st IP address, updating to 2nd IP Address of mapping information in (data structure) table of DHCP agent with policy rules for each device);
determining that the first structure indicates the first device as compromised (at least paragraph 27; the network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; par. 38: the network security device can implement/incorporate a physical address based network policy definition module 206 that is configured to define network traffic management/security policies corresponding to at least one of the unique physical addresses of the one or more host devices. Module 206 therefore enables the network security device to use the MAC addresses of the one or more host devices to define security policies for the host devices such that even if the IP addresses of the host devices change, the security policies for the host devices can continue to be used as they are defined based on the static MAC/physical address of the host devices); 
determining that the first persistent identifier for the first device is associated in the first structure with a second transient identifier that is different than the first transient identifier (at least Fig. 4a-d, par. 41-42; MAC address, updating to 2nd IP Address; i.e., MAC address 00-AC-1C-14-F9-0B with IP address 192.168.0.170 in 440, different from 192.168.0.181 in 400); and
based on the first device being indicated as compromised and the first persistent identifier for the first device being associated with the second transient identifier in the first structure instead of the first transient identifier (at least paragraph 31-33; updating (and correspondingly not updating) IP address for a specific host with network security policy in place), updating a second structure with the first transient identifier, wherein the second structure is maintained in a data plane of the intermediary network device and the data plane enforces quarantine of packets that indicate a transient identifier in the second structure (at least paragraph 31-33, 37-39; agent and network device being in combined firewall/router/dhcp agent 200, where first structure is agent based and control plane hosted and second structure is firewall/layer-3/data plane based {(see spec. [0015] “control plane 101 encompasses the hardware and program code for implementing routing protocols (e.g., route determination, maintaining interface state, etc.) and other services/tasks related to communications with neighbors (e.g., device discovery and topology discovery). The data plane 105 encompasses program code and hardware to forward protocol data units (e.g., packets) from an inbound interface to an outbound interface according to a forwarding information base 119 (FIB) provide by the control plane 103.”)}; As the IP address allocated to each host device 102 is dynamic, agent 104 can be configured to keep the mapping information between MAC addresses of the host devices and the assigned IP addresses updated at all times; update the mapping of physical address to IP address in real-time/dynamically; DHCP agent 104 to relay the mapped unique physical addresses of one or more host devices 102 to a network security device 112 (second data structure from DHCP agent first data structure). Such information can be sent as DHCP relay lease information. 
Based on such relay information, network security device 112 can be configured to define network traffic management/security policies corresponding to the unique physical addresses of the one or more host devices, enabling visibility of layer-2 information, such as fixed MAC addresses of devices 102, at layer-3 devices 112, such as routers/hubs/switches/gateway devices/firewalls/among other network devices 112; send desired/updated mapping information to layer-3 network device 112 (e.g., a firewall), which can then define network security policies such as packet filter policies for one or more specific host devices 102).
Nantel fails to explicitly disclose that the first structure includes a compromised state indicator for each device. However, the use and advantages of such a system were well known to one skilled in the art before the effective filing date of the claimed invention, as evidenced by the teachings of Leon. Leon discloses, in an analogous art, an active threat detector that identifies IP addresses as malicious and creates and sends routing tables or lists of threat addresses by flagging them as malicious, with such data being managed in the control plane of the network and sent to firewalls (at least Leon paragraph 39-44, 100, 102). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Leon’s malicious address flagging with Nantel’s IP address table, as Leon describes that correlating such information provides a more robust security scheme: if one node identifies a threat, the other nodes can be automatically updated to recognize and prepare for the same threat and block packets communicating with a malicious address. This would be an obvious enhancement to Nantel’s system of mapping dynamic IP addresses, which change, to the MAC physical address, which does not, so that malicious actors would not be able to simply change the IP address and infiltrate the network; the MAC address mapping would identify such tactics, still block the communication, and apply the policy rule Nantel enforces.
As per Claim 2. The method of claim 1 further comprising: 
determining a second plurality of identifiers of a second device connecting to the network via the intermediary network device, wherein the second plurality of identifiers includes a second persistent identifier of the second device and a third transient identifier assigned to the second device (at least paragraph 31; retrieve unique physical addresses of one or more host devices 102 and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server 106 to the one or more host devices 102 {where the transient identifier is an IP address which is dynamic; where persistent identifier is unique physical address such as MAC});
determining that the first structure indicates the second persistent identifier associated with a fourth transient identifier instead of the second transient identifier and indicates that the second device is not compromised (at least paragraph 27; the network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; par. 38: the network security device can implement/incorporate a physical address based network policy definition module 206 that is configured to define network traffic management/security policies corresponding to at least one of the unique physical addresses of the one or more host devices. Module 206 therefore enables the network security device to use the MAC addresses of the one or more host devices to define security policies for the host devices such that even if the IP addresses of the host devices change, the security policies for the host devices can continue to be used as they are defined based on the static MAC/physical address of the host devices; Leon paragraph 39-44); and
based on determining that the second persistent identifier is associated with the fourth transient identifier instead of the third transient identifier in the first structure and that the second device is not indicated as compromised in the first structure, updating the first structure to associate the second persistent identifier with the third transient identifier instead of the fourth transient identifier without updating the second structure (at least paragraph 35, 33, 40; aggregating; collector agents 304 can then (with or without pre-processing, such as aggregation with authentication information) send the relay lease information having MAC address mapping of host devices to one or more network devices 306, such as gateway devices 306-1 and 306-2. Network/security devices 306 can then process the received lease information, and enable packet processing/filtering based on one or more security/policy rules that can be defined based on the physical addresses of host devices. In this manner, even if an IP address assigned to a host device changes, the security policy for the device remains intact and can be applied efficiently by network device 306. Therefore, network device 306 can apply network access control 308, and can also define one or more security/management policies 310 for the host devices; aggregate DHCP lease information with existing SSO information (from say 110), and forward this data to network/security/layer-3 devices 112, which can use this enhanced information to enforce accurate NAC, quarantining and logging. 
Network devices 112 can also exchange such physical address/MAC address information of host devices 102 with one or more other network security/manager devices in order to allow for adequate centralized logging and reporting, and to provide an ability for other units/modules managed by the network management device(s) to query the device(s) for new detected devices (using their MAC address) in order to obtain their current posture as it relates to NAC, quarantining or other policy status that may relate to the device in question; par. 40, 45; network access control is used for policy to block with firewall if the device is quarantined; if the device is not quarantined, the network access control policy would not have a policy for the device(s) not in need of quarantining).
As per Claim 3. The method of claim 2 further comprising: 
accumulating the updated association of the second persistent identifier with the third transient identifier for the second device with other updates of identifier associations for devices indicated as not compromised in the first structure (at least paragraph 35, 40, 31; done in real-time or dynamically or at defined/configured periodic intervals {condition for batch satisfied}; collector agents 304 can then (with or without pre-processing, such as aggregation with authentication information) send the relay lease information having MAC address mapping of host devices to one or more network devices 306, such as gateway devices 306-1 and 306-2. Network/security devices 306 can then process the received lease information, and enable packet processing/filtering based on one or more security/policy rules that can be defined based on the physical addresses of host devices; Network devices 112 can also exchange such physical address/MAC address information of host devices 102 with one or more other network security/manager devices in order to allow for adequate centralized logging and reporting, and to provide an ability for other units/modules managed by the network management device(s) to query the device(s) for new detected devices (using their MAC address) in order to obtain their current posture as it relates to NAC, quarantining or other policy status that may relate to the device in question);
determining whether a condition to communicate the accumulated updates to control planes of other intermediary network devices is satisfied; and based on a determination that the condition is satisfied, communicating to the control planes of the other intermediary network devices the accumulated updates (at least paragraph 35, 40, 31; done in real-time or dynamically or at defined/configured periodic intervals {condition for batch satisfied}; collector agents 304 can then (with or without pre-processing, such as aggregation with authentication information) send the relay lease information having MAC address mapping of host devices to one or more network devices 306, such as gateway devices 306-1 and 306-2. Network/security devices 306 can then process the received lease information, and enable packet processing/filtering based on one or more security/policy rules that can be defined based on the physical addresses of host devices; Network devices 112 can also exchange such physical address/MAC address information of host devices 102 with one or more other network security/manager devices in order to allow for adequate centralized logging and reporting, and to provide an ability for other units/modules managed by the network management device(s) to query the device(s) for new detected devices (using their MAC address) in order to obtain their current posture as it relates to NAC, quarantining or other policy status that may relate to the device in question).
As per Claim 4. The method of claim 1 further comprising communicating the updated association of the first persistent identifier with the first transient identifier to a second intermediary network device that enforces quarantine of compromised devices (at least paragraph 35, 33, 40; forward this data to network/security/layer-3 devices 112, which can use this enhanced information to enforce accurate NAC, quarantining and logging; collector agents 304 can then (with or without pre-processing, such as aggregation with authentication information) send the relay lease information having MAC address mapping of host devices to one or more network devices 306, such as gateway devices 306-1 and 306-2. Network/security devices 306 can then process the received lease information, and enable packet processing/filtering based on one or more security/policy rules that can be defined based on the physical addresses of host devices. In this manner, even if an IP address assigned to a host device changes, the security policy for the device remains intact and can be applied efficiently by network device 306. Therefore, network device 306 can apply network access control 308, and can also define one or more security/management policies 310 for the host devices; aggregate DHCP lease information with existing SSO information (from say 110), and forward this data to network/security/layer-3 devices 112, which can use this enhanced information to enforce accurate NAC, quarantining and logging. 
Network devices 112 can also exchange such physical address/MAC address information of host devices 102 with one or more other network security/manager devices in order to allow for adequate centralized logging and reporting, and to provide an ability for other units/modules managed by the network management device(s) to query the device(s) for new detected devices (using their MAC address) in order to obtain their current posture as it relates to NAC, quarantining or other policy status that may relate to the device in question).
As per Claim 5. The method of claim 1 further comprising: detecting that a compromised state of a second device has changed; updating the first structure to indicate the changed compromised state of the second device; and updating the second structure in the data plane corresponding to the changed state for the second device (at least paragraph 33-35, 6; one or more specific host devices 102 {second device}; information may be used to address layer-2 visibility along with ensuring controls, such as NAC, host quarantine and visibility that can benefit from the accuracy that comes with layer 2 visibility (specifically, MAC address to IP address relationships). As firewalls 112 are generally operating as layer-3 controls (using IP address), this added visibility can provide device-oriented policy actions with accuracy, which is, in existing platforms, restricted to layer-2 adjacent devices. As network device(s) 112 can define host device 102 specific security policies based on the MAC addresses of host devices 102, changes in IP addresses assigned by server 106 to devices 102 do not impact the policy defined by network device 112 as it is defined using the physical address of the devices 102 and is therefore static; A router, another example of a layer-3 device, is also typically placed between networks. Routers serve as intermediate destinations for network traffic. They receive and evaluate incoming packets to identify the source and destination address and then forward the packets onto an appropriate interface based on their routing tables to ensure the packets reach their intended destination).
As per Claim 6. The method of claim 5, wherein the changed compromised state is from not compromised to compromised and updating the second structure comprises determining a current transient identifier assigned to the second device and updating the second structure to indicate the current transient identifier assigned to the second device (at least paragraph 27, 33-35; network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; ensuring controls, such as NAC, host quarantine; {policies that identify whether to quarantine a host device or vice versa}).
As per Claim 7. The method of claim 5, wherein the changed compromised state is from compromised to not compromised and updating the second structure comprises determining a current transient identifier assigned to the second device and removing from the second structure the current transient identifier assigned to the second device (at least paragraph 27, 33-35; network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; ensuring controls, such as NAC, host quarantine; {policies that identify whether to quarantine a host device or vice versa and no longer having security policy and quarantining}).
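To make the control-plane / data-plane split at issue in claims 1-3 and 5-7 concrete, the following is an added illustrative model of the claimed mechanism as summarized above; it is not code from Nantel, Leon or the application under examination. The class and function names (ControlPlane, DataPlane, on_connect, set_compromised, flush_updates) are assumed for illustration. The first MAC/IP values are the ones cited from Nantel Fig. 4a-d; the second MAC address is constructed.

```python
"""Illustrative model of the claimed first structure (control plane, keyed by
persistent identifier) and second structure (data plane quarantine set keyed
by transient identifier). Constructed for this page; names are assumed."""
from dataclasses import dataclass


@dataclass
class Binding:
    """One row of the first structure: the device's current transient identifier
    (DHCP-assigned IP) plus its compromised state indicator."""
    transient_id: str
    compromised: bool = False


class ControlPlane:
    """First structure: persistent identifier (MAC) -> Binding, plus the batch of
    mapping updates for non-compromised devices awaiting propagation (claim 3)."""

    def __init__(self) -> None:
        self.table: dict[str, Binding] = {}
        self.pending_updates: list[tuple[str, str]] = []


class DataPlane:
    """Second structure: transient identifiers whose packets are quarantined.
    Only this set is consulted on the per-packet path."""

    def __init__(self) -> None:
        self.quarantine: set[str] = set()

    def handle(self, src_ip: str) -> str:
        return "quarantine" if src_ip in self.quarantine else "forward"


def on_connect(cp: ControlPlane, dp: DataPlane, mac: str, ip: str) -> str:
    """Claims 1-2: device with persistent id `mac` connects with transient id `ip`."""
    binding = cp.table.get(mac)
    if binding is None:
        cp.table[mac] = Binding(ip)
        return "new"
    if binding.transient_id == ip:
        return "unchanged"
    previous_ip, binding.transient_id = binding.transient_id, ip
    if binding.compromised:
        # Claim 1: compromised device whose address changed -> push the new
        # transient id into the data plane so quarantine follows the device.
        dp.quarantine.discard(previous_ip)
        dp.quarantine.add(ip)
        return "data-plane-updated"
    # Claim 2: not compromised -> update the control plane only and defer
    # propagation; the data plane is not touched.
    cp.pending_updates.append((mac, ip))
    return "control-plane-only"


def set_compromised(cp: ControlPlane, dp: DataPlane, mac: str, compromised: bool) -> None:
    """Claims 5-7: a device's compromised state changes; update both structures."""
    binding = cp.table[mac]
    binding.compromised = compromised
    if compromised:
        dp.quarantine.add(binding.transient_id)      # claim 6: add current IP
    else:
        dp.quarantine.discard(binding.transient_id)  # claim 7: remove current IP


def flush_updates(cp: ControlPlane, batch_size: int) -> list[tuple[str, str]]:
    """Claim 3: accumulated non-compromised updates are sent to peer control
    planes only once a condition (here, batch size reached) is satisfied."""
    if len(cp.pending_updates) < batch_size:
        return []
    batch, cp.pending_updates = cp.pending_updates, []
    return batch


def demo() -> dict:
    """Walk the cited Nantel example (MAC 00-AC-1C-14-F9-0B moving from
    192.168.0.181 to 192.168.0.170) alongside a constructed clean device."""
    cp, dp = ControlPlane(), DataPlane()
    bad_mac = "00-AC-1C-14-F9-0B"
    good_mac = "00-AC-1C-14-F9-0C"  # constructed sample value

    on_connect(cp, dp, bad_mac, "192.168.0.181")
    set_compromised(cp, dp, bad_mac, True)  # quarantine now holds .181
    on_connect(cp, dp, good_mac, "192.168.0.20")

    r_bad = on_connect(cp, dp, bad_mac, "192.168.0.170")   # compromised, IP changed
    r_good = on_connect(cp, dp, good_mac, "192.168.0.21")  # clean, IP changed

    return {
        "compromised_move": r_bad,
        "clean_move": r_good,
        "quarantine": sorted(dp.quarantine),
        "old_ip": dp.handle("192.168.0.181"),
        "new_ip": dp.handle("192.168.0.170"),
        "clean_ip": dp.handle("192.168.0.21"),
        "batch_not_ready": flush_updates(cp, batch_size=2),
        "batch_ready": flush_updates(cp, batch_size=1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model isolates is the one the examiner relies on for claims 1 and 2: the per-packet data plane holds only the transient identifiers of compromised devices, so an address change for a clean device costs nothing on the forwarding path, while an address change for a compromised device is pushed immediately so quarantine tracks the persistent identifier rather than the stale IP.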
As per Claim 9. The method of claim 1, wherein the first transient identifier is a network address and the first persistent identifier is one of a devid and a hostid (at least paragraph 30-33; IP and MAC addresses of host device).
As per Claim 10, Nantel discloses a non-transitory, machine-readable medium having stored thereon program code to: 
collect device identifiers of devices based on the devices connecting to a network (at least paragraph 31; retrieve unique physical addresses of one or more host devices 102 and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server 106 to the one or more host devices 102 {where the transient identifier is an IP address which is dynamic; where persistent identifier is unique physical address such as MAC}); 
maintain in a control plane mappings of the device identifiers to corresponding network addresses of the devices that connect to the network, wherein the program code to maintain mappings comprises program code to update the mappings to indicate changes in assignments of network addresses to devices (at least paragraph 31-33, 39; As the IP address allocated to each host device 102 is dynamic, agent 104 can be configured to keep the mapping information between MAC addresses of the host devices and the assigned IP addresses updated at all times; update the mapping of physical address to IP address in real-time/dynamically; DHCP agent 104 to relay the mapped unique physical addresses of one or more host devices 102 to a network security device 112. Such information can be sent as DHCP relay lease information. Based on such relay information, network security device 112 can be configured to define network traffic management/security policies corresponding to the unique physical addresses of the one or more host devices, enabling visibility of layer-2 information, such as fixed MAC addresses of devices 102, at layer-3 devices 112, such as routers/hubs/switches/gateway devices/firewalls/among other network devices 112; send desired/updated mapping information to layer-3 network device 112 (e.g., a firewall), which can then define network security policies such as packet filter policies for one or more specific host devices 102); 
propagate, to security devices of the network, changes in mappings based on changes in the network address assignments (at least paragraph 27; the network security device can update a mapping between IP addresses and the physical addresses of the one or more host devices in real-time based on relay information received from the DHCP agent); and 
limit propagation, from a control plane to a data plane, of changes in assignments of network addresses (at least paragraph 33, 6; verify/aggregate/correlate the received relay information having IP-MAC address mapping with additional authentication information 110 stored therewith to then send desired/updated mapping information to layer-3 network device 112 (e.g., a firewall), which can then define network security policies such as packet filter policies for one or more specific host devices 102 so that incoming/outgoing packets from/to the Internet 114 can be routed/processed by layer-3 network device 112 accordingly; A router, another example of a layer-3 device, is also typically placed between networks. Routers serve as intermediate destinations for network traffic. They receive and evaluate incoming packets to identify the source and destination address and then forward the packets onto an appropriate interface based on their routing tables to ensure the packets reach their intended destinations; {(see spec. [0015] “control plane 101 encompasses the hardware and program code for implementing routing protocols (e.g., route determination, maintaining interface state, etc.) and other services/tasks related to communications with neighbors (e.g., device discovery and topology discovery). The data plane 105 encompasses program code and hardware to forward protocol data units (e.g., packets) from an inbound interface to an outbound interface according to a forwarding information base 119 (FIB) provide by the control plane 103.”)}).
Nantel fails to explicitly disclose setting state indicators of whether devices are compromised or not compromised in association with the device identifiers in the mappings, and limiting propagation to those corresponding to devices indicated as compromised according to the state indicators. However, the use and advantages of such a system were well known to one skilled in the art before the effective filing date of the claimed invention, as evidenced by the teachings of Leon. Leon discloses, in an analogous art, an active threat detector that identifies IP addresses as malicious and creates and sends routing tables or lists of only those addresses that are threats by flagging them as malicious, with such data being managed in the control plane of the network and sent to firewalls (at least Leon paragraph 39-44, 100, 102). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate Leon’s malicious address flagging with Nantel’s IP address table, as Leon describes that correlating such information provides a more robust security scheme: if one node identifies a threat, the other nodes can be automatically updated to recognize and prepare for the same threat and block packets communicating with a malicious address. This would be an obvious enhancement to Nantel’s system of mapping dynamic IP addresses, which change, to the MAC physical address, which does not, so that malicious actors would not be able to simply change the IP address and infiltrate the network; the MAC address mapping would identify such tactics, still block the communication, and apply the policy rule Nantel enforces.
As per Claim 11. The non-transitory, machine-readable medium of claim 10, further comprising program code to propagate changes in state indicators to security devices of the network, wherein the program code to propagate the changes in state indicators to security devices uses the device identifiers (at least paragraph 27; the network traffic management/security policies can be configured to perform any or a combination of network access control (NAC), identifying/quarantining of host devices that violate policies, logging and reporting information, among any other configured function/feature that requires security policies defined for host devices; par. 29: enabling the DHCP agent to relay the mapped unique physical addresses of one or more host devices to a network security device; and defining, at the network security device, network traffic management/security policies corresponding to at least one of the unique physical addresses of the one or more host devices).
As per Claim 12. The non-transitory, machine-readable medium of claim 10, wherein the program code to collect device identifiers comprises program code to collect device identifiers that persist across connections or session from headers of packets or messages corresponding to establishing a connection or session (at least paragraph 26; retrieve unique physical addresses (layer-2 information such as MAC addresses) of one or more host devices and map them with corresponding Internet Protocol (IP) addresses assigned by the DHCP server to the one or more host devices. The system can further include a physical address information forwarding module configured to enable the DHCP agent to relay the mapped unique physical addresses (layer-2 information such as MAC addresses) of one or more host devices to a network security device. System of the present disclosure can further include a physical address based network policy definition module configured at the network security device (layer-3 device) to define network traffic management/security policies corresponding to at least one of the unique physical addresses (layer-2 information such as MAC addresses) of the one or more host devices, enabling visibility of layer-2 information at layer-3 devices).
As per Claim 13. The non-transitory, machine-readable medium of claim 10, wherein the program code to propagate changes in assignments of network addresses from the control plane to the data plane comprises program code to determine whether a change in mapping occurs for a device indicated as compromised and to update the data plane to identify the compromised device for quarantine with a currently assigned network address instead of a previously assigned network address (at least paragraph 33, 31, 6; As the IP address allocated to each host device 102 is dynamic, agent 104 can be configured to keep the mapping information between MAC addresses of the host devices and the assigned IP addresses updated at all times. Maintaining of the mapping information can be done in real-time or dynamically or at defined/configured periodic intervals; verify/aggregate/correlate the received relay information having IP-MAC address mapping with additional authentication information 110 stored therewith to then send desired/updated mapping information to layer-3 network device 112 (e.g., a firewall), which can then define network security policies such as packet filter policies for one or more specific host devices 102 so that incoming/outgoing packets from/to the Internet 114 can be routed/processed by layer-3 network device 112 accordingly; A router, another example of a layer-3 device, is also typically placed between networks. Routers serve as intermediate destinations for network traffic. They receive and evaluate incoming packets to identify the source and destination address and then forward the packets onto an appropriate interface based on their routing tables to ensure the packets reach their intended destinations).
As per Claims 14-20. The limitations therein have substantially the same scope as claims 1-7 because claims 1-7 are a method implemented by those systems of claims 14-20. Therefore claims 14-20 are rejected for at least the same reasons as claims 1-7.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 10, 14 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor, can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREGORY TODD/Primary Examiner, Art Unit 2443