DETAILED ACTION
Office Action Summary
Instant application claims priority to 3/23/2018.
Claims 21-40 are pending in the instant application.
Claims 21-40 are rejected under 35 USC § 103/Double Patenting.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 31-40 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10862912. Although the claims at issue are not identical, they are not patentably distinct from each other because they substantially recite the same subject matter.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over Foo et al. (US Pre-Grant Publication No: 2007/0256122), hereinafter referred to as Foo.

As per claims 21, 28 and 35, Foo teaches generating, by a device, a data structure of endpoint hosts that are each connected to a network and at least one network segment, of a plurality of network segments, of the network; (Foo: "The network location information of client device 102 may include the IP address of edge device 104A and the port ID of the port through which client device 102 accesses network 100...Edge device 104A then creates a session record in centralized database 112, which session record represents the session in which client device 102 accesses network 100...session server 110 extracts the information set and creates a corresponding session record in centralized database 112...")
updating, by the device, the data structure based on a change in a session associated with at least one endpoint host of the endpoint hosts; (Foo, [0038], teaches "When edge device 104A detects that the session through which client device 102 accesses network 100 has ended, edge device 104A sends a RADIUS accounting packet to session server 110 in order to remove the corresponding session record from centralized database 112. By removing the session record from the centralized database, the temporal binding between the authenticated identity information, the network address information, and the network location information of client device 102 is ended..." or in [0044]: "...The session records stored in the centralized database thus represent real-time session information that indicates all active sessions established by entities to the network at any given time. The session records stored in the centralized database are used by one or more data processing systems to perform realtime diagnostics of the network.”)
identifying, by the device and based on the data structure, a particular endpoint host, of the endpoint hosts, that changed location within the at least one network segment; determining, by the device, an action to enforce for the particular endpoint host; identifying, by the device, a network control system that controls the at least one network segment associated with the particular endpoint host; and causing, by the device, the action to be enforced, by the network control system, for the particular endpoint host. (Foo, [0076]: "...the techniques for creating and tracking network sessions described herein allow an IDS to use session records stored in a centralized database to perform diagnostics of the network in real-time. Such real-time diagnostic of the network may include, but is not limited to, network attack detection, network attack diagnostics, and network attack triangulation...Such rapid real-time identification capabilities greatly reduce the mean time for resolving network-driven incidents and allow a dynamic response mechanism (in an IDS or in another monitoring system) to accurately reconfigure the authorization and access permissions for network clients")
The subject matter of claims 21, 28 and 35 differs from the method of Foo in that the data structure is further used to identify a particular endpoint that changed location within the network segments.
Taking into account the disclosure of Foo, the problem to be solved by the present invention may be regarded as how to enhance the diagnostics and network attack detection of a specific area covered by the edge device.
In this regard it is noted that having specific protection for network areas that are especially sensitive is well known. Further in this respect it is noted that Foo discloses an Intrusion Detection System that tracks in real time the sessions established by the devices connected to the network, in particular using information gathered by the Edge Devices. Said information includes the network location of the client devices (see Fig. 2). Foo also discloses in [0076] that the network location information for the entities that are currently accessing the network is pinpointed in real time by the IDS, meaning that in fact the IDS is tracking in real time the location of the client devices and therefore the location changes of those devices. Finally, Foo teaches in [0077] that it uses the centralized database to determine whether the captured network packets entered the network from a particular topological location. In view of the disclosure of Foo, which teaches that the identity and the location of the devices with an established session are tracked in real time, when confronted with the above-mentioned problem it would have been obvious to the skilled person to identify the client devices that changed location to the specific area in order to provide the enhanced network attack detection for said area, thus arriving at the method according to claim 1 without the need of any inventive activity.

As per claim 22, Foo teaches wherein the data structure is generated based on network topology information. (Foo, [0074])

As per claim 23, Foo teaches further comprising: processing the network topology information to determine capabilities associated with the endpoint hosts; and storing information identifying the capabilities associated with the endpoint hosts in the data structure. (Foo, [0059] and [0074])

As per claim 24, Foo teaches wherein the network topology information is processed utilizing one or more artificial intelligence models. (Foo, [0059] and [0074])

As per claim 25, Foo teaches wherein identifying the network control system comprises: identifying the network control system based on matching the particular endpoint host with a specific network element. (Foo, [0074]-[0076])

As per claim 26, Foo teaches wherein the action includes at least one of blocking endpoint host traffic at perimeter network devices of the network for external host threat traffic, or blocking endpoint host traffic at a switching layer of the network for internal host threat traffic. (Foo, [0074]-[0076])

As per claim 27, Foo teaches receiving host threat feed information associated with the endpoint hosts; and tagging host threats, identified by the host threat feed information, with particular identifications, and wherein determining the action to be enforced comprises: determining the action to be enforced based on a particular identification, of the particular identifications, associated with the particular endpoint host.  (Foo, [0059] and [0074])

As per claim 29, Foo teaches wherein the one or more processors are further to: trigger an automatic enforcement of a new threat policy change based on a change of a location associated with an endpoint host. (Foo, [0059] and [0074])

As per claim 30, Foo teaches wherein the one or more processors are further to: provide, to a management device, information identifying endpoint host threats for updating threat feeds with current unique host identifiers. (Foo, [0074]-[0076])

As per claim 31, Foo teaches generate another data structure of network elements based on network topology information associated with the network; determine capabilities associated with the network elements based on the network topology information; and store information identifying the capabilities associated with the network elements in the other data structure. (Foo, [0074]-[0076])

As per claim 32, Foo teaches wherein the one or more processors are further to: identify a network control system associated with the particular endpoint host; and add, to the data structure, information identifying the network control system associated with the particular endpoint host, and wherein the one or more processors, when causing the threat policy action to be enforced, are to: cause the threat policy action to be enforced, by the network control system, based on the data structure. (Foo, [0074]-[0076])

As per claim 33, Foo teaches wherein the one or more processors are further to: tag host threats, identified by host threat feed information, with particular identifications, each of the particular identifications being based on one of a media access control (MAC) address, session information, or a hardware identifier associated with one of the endpoint hosts, and wherein the one or more processors, when determining the threat policy action, are to: determine the threat policy action based on a particular identification, of the particular identifications, associated with the particular endpoint host. (Foo, Figure 2, “Radius Session ID” and "The network location information of client device 102 may include the IP address of edge device 104A and the port ID of the port through which client device 102 accesses network 100...Edge device 104A then creates a session record in centralized database 112, which session record represents the session in which client device 102 accesses network 100...session server 110 extracts the information set and creates a corresponding session record in centralized database 112...")

As per claim 34, Foo teaches wherein the one or more processors are further to: monitor host threat traffic across the network based on the particular identifications; and provide information associated with the host threat traffic to a management device. (Foo, [0074]-[0076])

As per claim 36, Foo teaches tag host threats, identified by host threat feed information, with particular identifications, each of the particular identifications being based on one of: a media access control (MAC) address, session information, or a hardware identifier associated with one of the endpoint hosts, and wherein the one or more instructions, that cause the one or more processors to determine the action to be enforced, cause the one or more processors to: determine the action to be enforced based on a particular identification, of the particular identifications, associated with the particular endpoint host. (Foo, [0074]-[0076])

As per claim 37, Foo teaches wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: monitor host threat traffic across the network based on the particular identifications; and provide information associated with the host threat traffic to a management device. (Foo, [0059] and [0074])

As per claim 38, Foo teaches receive network topology information associated with the network; and generate, based on the network topology information, another data structure that includes information identifying capabilities of each network element of the network, and wherein the one or more instructions, that cause the one or more processors to cause the action to be enforced, cause the one or more processors to: cause the action to be enforced, by one or more network elements of the network, based on the other data structure. (Foo, [0074]-[0076])

As per claim 39, Foo teaches wherein the one or more instructions, when executed by the one or more processors, further cause the one or more processors to: store information identifying capabilities associated with the endpoint hosts in the other data structure. (Foo, [0074]-[0076])

As per claim 40, Foo teaches wherein the network topology information is processed utilizing one or more artificial intelligence models. (Foo, [0059] and [0074]-[0076])
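To make the claimed mechanism concrete, the following is an added illustration (not code from the application or from Foo) of the data structure of endpoint hosts discussed for claims 21, 28 and 35, updated on session start/stop events, with a host move detected, the action chosen from a MAC-keyed threat identification as in claims 33 and 36, and the controlling network control system looked up by segment. All names, segment-to-controller mappings and events are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Location:
    edge_device: str  # edge device the host authenticated through
    port: str         # port ID on that edge device
    segment: str      # network segment that port belongs to


# Constructed sample data (assumed names, not from the application): which
# control system manages each segment, and a threat feed keyed by MAC address.
SEGMENT_CONTROLLER = {"seg-lab": "nac-ctrl-1", "seg-finance": "nac-ctrl-2"}
THREAT_TAGS = {"00:11:22:33:44:55": "external-threat"}
ACTION_FOR_TAG = {"external-threat": "block-at-perimeter",
                  "internal-threat": "block-at-switch"}


class EndpointTable:
    """Data structure of endpoint hosts: MAC -> (last known location, session active)."""

    def __init__(self) -> None:
        self.hosts: dict[str, tuple[Location, bool]] = {}

    def update(self, event: dict) -> Optional[dict]:
        """Apply one session event; return an enforcement record if the host moved."""
        mac = event["mac"]
        if event["type"] == "stop":
            # Session ended: the binding becomes inactive, but the last location is
            # kept so that a later re-authentication elsewhere is still seen as a move.
            if mac in self.hosts:
                self.hosts[mac] = (self.hosts[mac][0], False)
            return None
        new = Location(event["edge_device"], event["port"], event["segment"])
        prev = self.hosts.get(mac)
        self.hosts[mac] = (new, True)
        if prev is None or prev[0] == new:
            return None  # first sighting, or same edge device and port: no move
        tag = THREAT_TAGS.get(mac)  # identification from the threat feed, if any
        return {"mac": mac, "from": prev[0], "to": new,
                "controller": SEGMENT_CONTROLLER.get(new.segment, "unknown"),
                "action": ACTION_FOR_TAG.get(tag, "audit")}


def ev(kind: str, mac: str, edge: str = "", port: str = "", seg: str = "") -> dict:
    return {"type": kind, "mac": mac, "edge_device": edge, "port": port, "segment": seg}


# Constructed RADIUS-style accounting events: a tagged host and an untagged host.
SAMPLE_EVENTS = [
    ev("start", "00:11:22:33:44:55", "edge-1", "5", "seg-lab"),
    ev("start", "aa:bb:cc:dd:ee:ff", "edge-1", "6", "seg-lab"),
    ev("start", "aa:bb:cc:dd:ee:ff", "edge-1", "7", "seg-lab"),   # moved ports
    ev("stop", "00:11:22:33:44:55"),
    ev("start", "00:11:22:33:44:55", "edge-2", "3", "seg-finance"),  # moved segment
]


def run(events: list = SAMPLE_EVENTS) -> list:
    """Feed events through the table and collect the enforcement records."""
    table = EndpointTable()
    return [r for e in events if (r := table.update(e)) is not None]


if __name__ == "__main__":
    for r in run():
        print(f"{r['mac']} moved to {r['to'].edge_device}/{r['to'].port}: "
              f"{r['action']} via {r['controller']}")
```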
Other Related Art
Mohaban (US Patent 7,483,437 B1) teaches “A method, performed in a network element, for communicating packet multimedia data between a first endpoint and a second endpoint, the method comprising the machine-implemented steps of receiving an outbound multimedia data packet; determining if the outbound multimedia data packet originated from a first endpoint that is logically behind a security device; determining and storing information identifying a logical pinhole in the security device, wherein the logical pinhole is associated with expected inbound multimedia data packets directed to the first endpoint; performing an action that keeps the logical pinhole open during all of a communication session between the first endpoint and the second endpoint; and forwarding inbound multimedia data packets directed from the second endpoint to the first endpoint via the logical pinhole.”
Schroeder (US Patent 8,443,435 B1) teaches “A VPN handler of a client device is described that provides VPN connectivity by automatically creating multiple split VPN tunnels that provide direct access to different VPN concentrators of an enterprise based on specific resources requested by the client device. A local VPN concentrator normally used by the client device may provide the VPN handler with a resource list that provides a mapping of the resources of the enterprise network to the multiple VPN concentrators that have been deployed to provide secure access to those resources. The local VPN concentrator may dynamically update the resource list on the client device so as to control the construction and use of the split VPN tunnels by the VPN handler based on changes to the enterprise network. The split tunnel approach may be transparent to applications executing on the client device and may be easily deployed to the client devices of the enterprise.”
Bek (US 2019/0260804 A1) teaches “An expert interface component can automatically connect a system user with a system support expert. A user interface module can present a threat-tracking graphical user interface and a query interface component integrated into the threat-tracking graphical user interface to a system user belonging to a client team to review a potential cyber threat and receive a query for assistance. The query interface component can allow the system user to digitally grab a visual data container displaying information and containing a data object. The query interface component can collect the visual data container from the threat-tracking graphical user interface into a collection window of the query interface component. A communication module provides an incident ticket containing the query and the visual data container to a system support expert at a remote platform.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIMON P KANAAN whose telephone number is (571)270-3906.  The examiner can normally be reached on M-F (7AM-4PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SIMON P KANAAN/Primary Examiner, Art Unit 2492