Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claims 1-2, 4-9, 11-16, 18-23 are pending in the instant application.
Claims 3, 10, 17 are cancelled.
Claims 1, 4, 8, 11, 15, 18 are amended.


Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 11/14/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered if signed and initialed by the Examiner.

Response to arguments
Applicant’s arguments filed in the amendment filed 09/09/2022 have been fully considered but are moot in view of the grounds of rejection. The reasons are set forth below.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-2, 4-9, 11-16, 18-23 are rejected under 35 U.S.C. 103 as being unpatentable over Boss et al., “hereinafter Boss” (U.S. Patent Application: 20130219067) in view of Factor et al., “hereinafter Factor” (U.S. Patent Application: 20140330869) and further in view of Vaidya et al., “hereinafter Vaidya” (U.S. Patent Application: 20220103598).

As per Claim 1, Boss discloses a method comprising: 
acquiring, by one or more processing units of a location-based manager of a cloud service provider (Boss, Para.05, a computer-implemented method for activating location-based resources in a networked computing environment, Para.26), a pool of subscriptions from a cloud platform configured to allocate cloud resources to the cloud service provider (Boss, Para.26, the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).), where each subscription defines a specific set of cloud resources allocated for use for a defined time period (Boss, Para.19, "activation" can mean instantiation, allocation, provisioning, and/or the general acquisition and deployment of a networked-based computing resource, Para.20, provide an approach for instantiation/activation/invocation and deactivation/de-allocation of networked-based resources (e.g., cloud-based resources) based on users' geographic movements… A listening service may then be implemented for the set of resources to determine a location of the set of users. Based on the location and the associations of the set of resources with the set of geographic points of interest, at least one of the set of resources may then be instantiated, activated);
assigning, by the location-based manager of the cloud service provider, at least one subscription of the pool of subscriptions for a resource unit of the cloud platform (Boss, Para.26, the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand.), wherein the at least one subscription is shared by a plurality of tenants configured to request access to the cloud resources from the resource unit (Boss, Para.22, Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service.).
creating, by the location-based manager of the cloud service provider, a logical zone between the resource unit and other resource units managed by the location-based manager (Boss, Para.26, the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand, Para.54, Virtualization layer 62 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients. ); and 
deploying, by the location-based manager of the cloud service provider, the cloud resources associated with the at least one subscription within the logical zone for use by the resource unit on behalf of the plurality of tenants (Boss, Para.08, deploying a computer infrastructure being operable to: receive a set of user preferences in a computer storage device, the set of user preferences comprising at least one of the following: a set of geographic points of interest, a set of users, associations of a set of resources of the set of users with the set of geographic points of interest, or contexts associated with the set of geographic points of interest; implement a listening service for the set of resources to determine a location of the set of users; and activate at least one of the set of resources based on the set of locations and the associations of the set of resources with the set of geographic points of interest.).
However, Boss does not disclose creating a logical zone that defines a first security boundary between the resource unit and other resource units.
Factor discloses creating a logical zone that effectively creates a security boundary between the resource unit and other resource units (Factor, Para.03, a system and method for secure isolation of tenant resources in a multi-tenant storage system, Para.28, a secure multi-tenancy model 300 is provided (see FIGS. 3A and 3B) to allow pooling of shared resources by incorporating a set of principles for safe logical isolation. In one implementation, the added security may be achieved by isolation across tenants based on a principle of least privilege, for example, where each system component runs with the least set of privileges needed to service a request or the least set of privileges needed to complete an intended task, Para.44, The security gateway 310 may use an operating system mechanism, such as an access control list (ACL) or OS level user IDs to ensure the end-to-end isolation of the tenant resources.).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Boss with the teachings as in Factor. The motivation for implementing a secure system and a secure multi-tenancy model is provided to allow pooling of shared resources by incorporating a set of principles for safe logical isolation (Factor, Para.28).
However, Boss and Factor do not disclose that the logical zone includes one or more second security boundaries that isolate individual tenants of the plurality of tenants from other tenants of the plurality of tenants.
Vaidya discloses the logical zone includes one or more second security boundaries that isolate individual tenants of the plurality of tenants from other tenants of the plurality of tenants (Vaidya, Para.10, in addition to being provided with the ability to configure their own isolated logical network and security policy in a VHC, each tenant user can define additional sub-users, who in turn can define their own isolated logical network and security policy within a VHC, Para.58, the tenant user configurations 210 and 215 are fully isolated from each other; that is, one tenant user has no ability to view, modify, or even necessarily be aware of any other tenant user configuration, even if they share physical infrastructure resources and/or the use of provider logical network entities.).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Boss, Factor with the teachings as in Vaidya. The motivation is managing a virtualization infrastructure having one or more logical networks defined across one or more sites (e.g., datacenters). The network management system allows for a top-level user of the virtual infrastructure (e.g., a cloud provider, an enterprise's network administrators) to define a provider logical network and to define one or more second-level users (e.g., tenants, enterprise organizational units) of the virtualization infrastructure (Vaidya, Para.2).


Claim 8 and Claim 15 are substantially similar to Claim 1 and are rejected in the same manner, the same art and reasoning applying.

As per Claim 2, Boss in view of Factor, Vaidya discloses the method of claim 1, wherein the security boundary between the resource unit and other resource units comprises a virtual network (Factor, Para.105, Virtualization layer 2062 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients. In one example, management layer 2064 may provide the functions described below. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment.).

The same motivation that was utilized for combining Boss and Factor as set forth in claim 1 is equally applicable to claim 2.

Claim 9 and Claim 16 are substantially similar to Claim 2 and are rejected in the same manner, the same art and reasoning applying.


As per Claim 4, Boss in view of Factor, Vaidya disclose the method of claim 1, wherein the one or more second security boundaries comprise one or more security parameters defined in the at least one subscription (Factor, Para.40, a security gateway 310 determines a tenant's privileges, the request processor 220 assumes the privileges of the particular tenant for the purpose of servicing the request associated with the tenant. If so, the request processor 220 may no longer be used or assigned to serve a client of another tenant. The assumed privileges may be determined according to the identity and credentials of the respective tenant associated with the request, the respective user associated with the request, or both. As noted in further detail below, servicing of a single user request may be performed by several worker processes.).
The same motivation that was utilized for combining Boss and Factor as set forth in claim 1 is equally applicable to claim 4.

Claim 11 and Claim 18 are substantially similar to Claim 4 and are rejected in the same manner, the same art and reasoning applying.

As per Claim 5, Boss in view of Factor, Vaidya disclose the method of claim 1, wherein the location-based manager is configured to manage a geographic region comprising a plurality of geographic areas, and the location-based manager is deployed as a plurality of instances where each instance has an associated geographic area for managing cloud resources (Boss, Para.20, instantiation/activation/invocation and deactivation/de-allocation of networked-based resources (e.g., cloud-based resources) based on users' geographic movements. Specifically, in a typical embodiment, a set (one or more) of user preferences are received. Such preferences can include: a set of geographic points of interest, a set of users, associations of a set of resources (e.g., services, applications, etc.) of the set of users with the set of geographic points of interest, and/or contexts associated with the set of geographic points of interest. A listening service may then be implemented for the set of resources to determine a location of the set of users. Based on the location and the associations of the set of resources with the set of geographic points of interest, at least one of the set of resources may then be instantiated, activated, and/or invoked.).

Claim 12 and Claim 19 are substantially similar to Claim 5 and are rejected in the same manner, the same art and reasoning applying.


As per Claim 6, Boss in view of Factor, Vaidya disclose the method of claim 1, wherein the allocation of cloud resources defined by each subscription of the pool of subscriptions is based on at least one of an availability of cloud resources at the cloud platform, a number of tenants utilizing the cloud service provider, or a geographic location of the cloud service provider (Boss, Para.26, the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand, Para.83, determining a certain number of potential consumers sufficient to negotiate a group and/or reduced price for resources rendered for a group or cooperative of people. For example, if a certain number of consumers are present in an Internet Cafe certain number of additional terminals will be activated, Para.28, Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.).

Claim 13 is substantially similar to Claim 6 and is rejected in the same manner, the same art and reasoning applying.

As per Claim 7, Boss in view of Factor, Vaidya disclose the method of claim 1, wherein the allocation of cloud resources defined by each subscription of the pool of subscriptions is adjusted based on data defining tenant activity by the plurality of tenants utilizing the cloud service provider (Boss, Para.28, cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active consumer accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service, Para.04, a set (one or more) of user preferences are received. Such preferences can include: a set of geographic points of interest, a set of users, associations of a set of resources (e.g., services, applications, etc.) of the set of users with the set of geographic points of interest, and/or contexts associated with the set of geographic points of interest. A listening service may then be implemented for the set of resources to determine a location of the set of users. Based on the location and the associations of the set of resources with the set of geographic points of interest, at least one of the set of resources may then be instantiated/activated, Para.87, a service provider, such as a Solution Integrator, could offer to provide resource activation functionality. In this case, the service provider can create, maintain, support, etc., a computer infrastructure, such as computer system 12 (FIG. 1) that performs the processes of the invention for one or more consumers.).

Claim 14 and Claim 20 are substantially similar to Claim 7 and are rejected in the same manner, the same art and reasoning applying.

Claims 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Boss et al., “hereinafter Boss” (U.S. Patent Application: 20130219067) in view of Factor et al., “hereinafter Factor” (U.S. Patent Application: 20140330869) and further in view of Vaidya et al., “hereinafter Vaidya” (U.S. Patent Application: 20220103598) and further in view of Shenoy, JR et al., “hereinafter Shenoy, JR” (U.S. Patent Application: 20190098037).


As per Claim 21, Boss in view of Factor, Vaidya disclose the method of claim 1.
However, Boss in view of Factor, Vaidya do not disclose detecting a security breach that compromises at least one of the one or more second security boundaries that isolate the individual tenants; and in response to detecting the security breach, containing the security breach within the resource unit using the first security boundary between the resource unit and the other resource units managed by the location-based manager.
Shenoy, JR discloses detecting a security breach that compromises at least one of the one or more second security boundaries that isolate the individual tenants (Shenoy, JR, Para.207, a security violation has occurred, then at 708, the security system 450 of FIG. 4 may perform one or more resolutions as indicated in the security rules schema (at 706). Depending on the security rule that has been breached (i.e., security violation), the security system 450 may take different remedial actions (i.e., resolutions.)); and
 in response to detecting the security breach, containing the security breach within the resource unit using the first security boundary between the resource unit and the other resource units managed by the location-based manager (Shenoy, JR, Para.215, conditions of a security rule have been have not been met then at 814, the security system 450 FIG. 4 continues to monitor activity data and additional activity data for security violations. The security system 450 may continue to flag actions and store flagged actions associated with user accounts during the use of one or more services provided by a service provider. In some examples, the security system 450 may remove flagged actions associated with a user account after a certain amount of time since the occurrence of the flagged action. For example, if a user account has a flagged action for logging into a service from an unusual access location, the flagged action may be kept in the threat memory 404 of FIG. 4 for a certain period of time (e.g., 24 hours, 2 days, etc.) before it is removed. However, other flagged actions that may be considered more severe may be kept in the threat memory 404 for a longer period of time. For example, if a flagged action is malicious activity inside social media (as detailed in FIG. 5) then such a flagged action may be kept in threat memory 404 for a longer period of time (e.g. 1 month, 2 months, etc.) By continuously updating the threat memory 404, the security system 450 may identify one or more security violations across cloud-based services.).

It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to utilize the teachings as in Boss, Factor, Vaidya with the teachings as in Shenoy, JR. The motivation is implementing a cloud security system that can provide real time threat analysis for multiple cloud-based services. In various examples, the security system obtains activity data from a first service provider system. The activity data may describe actions performed at a first point in time during use of a first cloud service. The actions may be performed by one or more user devices associated with a tenant, where the first service provider system provides the tenant with a tenant account. In some examples, the tenant account enables the one or more user devices to access the first cloud service. In some examples, the security system may determine, based on the received activity data, that a first event occurred during use of the first cloud service. The first event may describe one or more actions performed by one or more user devices associated with a tenant. In some examples, the security system may determine that the first event is associated with a security rule configured for the tenant (Shenoy, JR, Para.6).

Claim 22 and Claim 23 are substantially similar to Claim 21 and are rejected in the same manner, the same art and reasoning applying.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NORMIN ABEDIN whose telephone number is (571)270-5970. The examiner can normally be reached Monday to Friday from 10 am to 6 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Vivek Srivastava can be reached on 5712727304. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NORMIN ABEDIN/Primary Examiner, Art Unit 2449