Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/28/20 has been entered.
 
Claims 4 and 10 are cancelled.  Claims 1, 7, and 15 are amended.

Response to Arguments
Applicant's arguments filed 12/28/20 have been fully considered but they are not persuasive.  The claims have been amended to require the keying information be obtained by the traffic inspection service after the encrypted session is formed and by using the agent’s root-level privileges.  Applicant purports the prior art does not explicitly teach these features.  After careful consideration and review of the entire prior art after the encryption session is formed (col. 23, lines 23-26). Higgins even uses the example of overcoming protocols such as Diffie-Hellman which thwart passive monitoring.  Thus Higgins was aware of this problem and overcame it by having the NMC request the session keys after the fact.  Moreover the monitoring agent in the client (depicted as secret sharing engine 604) is taught to be a kernel level service (col. 26, lines 16-22).  This meets the claim’s broad term root-level.  In view of the foregoing, respectfully the rejection must be maintained.

Claim Rejections - 35 USC § 112
Claim cancelation renders this previous rejection moot.

Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6, 15-17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Higgins in view of USP Application Publication 2018/0026986 to Nanjo et al., hereinafter Nanjo.

As per claims 1 and 15, Higgins teaches a method comprising: 
obtaining, by a traffic inspection service executed by an intermediary device [NMC] and from a monitoring agent [secret sharing engine] executed by an endpoint device [client or server], keying information for an encrypted traffic session between the endpoint device and a remote entity (col. 29, line 60-col. 30, line 11), wherein the keying information (a) comprises encryption keys exchanged between the endpoint device and the remote entity (col. 23, lines 16-18) and (b) is obtained, after the encrypted traffic session is formed (col. 23, lines 23-26), by the monitoring agent using its root-level privileges at the endpoint device (col. 26, lines 16-24); 
providing, by the traffic inspection service, a notification to the monitoring agent that acknowledges receipt of the keying information (col. 30, lines 34-38); 

applying, by the traffic inspection service, a data privacy policy [categorizes data transfers (col. 6, lines 1-3 and 18-20) and inspects traffic; col. 22, lines 5-21] to the encrypted traffic session between the endpoint device and the remote entity, based on the decrypted traffic comprising a file (col. 6, lines 18-20) from the session (col. 23, lines 33-42 and col. 29, lines 45-50).
Higgins looks for files according to policies set, but does not explicitly teach blocking, by the traffic inspection service, the traffic session from delivering the encrypted traffic to the remote entity.  On the other hand, Nanjo teaches blocking, by the traffic inspection service, the traffic session from delivering the encrypted traffic to the remote entity when the encrypted file does not conform to a network policy (0055-0058).  Access control is well known in the art.  Applying access control practices to enforce rules of the system does not produce any unpredictable results.  The system of Higgins could obviously block encrypted files from leaving the network, as the network management computer is in a position to do so (Fig. 4 and 5).  The claim is obvious because one of ordinary skill in the art can combine known methods which do not produce unpredictable results.  

As per claims 2 and 16, Higgins teaches the encrypted traffic session is a Transport Layer Security (TLS) session (col. 26, line 64).

As per claims 3 and 17, Higgins teaches the traffic inspection service is a firewall or intrusion detection system (col. 4, lines 65-67).

As per claims 6 and 19, Higgins teaches the monitoring agent provides the keying information based on a determination that a process tree on the endpoint device associated with the traffic session is untrusted (col. 31, lines 6-10).

As per claim 20, Higgins teaches the apparatus is located at an edge of a local network that includes the endpoint device (col. 20, lines 27-30).

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Higgins and Nanjo as applied to claim 1 and further in view of USP Application Publication 2010/0158009 to Lee et al., hereinafter Lee.
As per claim 5, Higgins and Nanjo are silent in explicitly teaching blocking, by the traffic inspection service, all encrypted traffic associated with the endpoint device for which the traffic inspection service did not receive keying information from the monitoring agent.  Lee teaches blocking, by the traffic inspection service, all encrypted traffic associated with the endpoint device which the traffic inspection service cannot decrypt (0046).  The NMC relies upon the keying information being sent by the secret sharing engine in order to decrypt the data, inspect it, and decide what to do with it.  If it does not have the keying information it cannot decrypt the data, rendering the monitoring ineffective for its intended purpose.  

Claims 7-9 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Higgins in view of Nanjo and in view of USP Application Publication 2003/0191963 to Balissat et al., hereinafter Balissat.

As per claim 7, Higgins teaches detecting, by a monitoring agent of a device, a handshake between the device and a remote entity to form an encrypted traffic session (col. 24, line 40); capturing, by the monitoring agent, keying information for the session from the handshake (col. 24, line 40); and
providing, by the monitoring agent, the captured keying information to a traffic inspection service, wherein the traffic inspection service uses the keying information to decrypt encrypted traffic from the encrypted traffic session (col. 30, lines 11-13 and 38-40) and applies a data privacy policy [categorizes data transfers (col. 6, lines 1-3 and 18-20) and inspects traffic; col. 22, lines 5-21] to the traffic session based on the decrypted traffic (col. 29, lines 45-50 and col. 23, lines 33-42).
Higgins looks for files according to policies set, but does not explicitly teach blocking, by the traffic inspection service, the traffic session from delivering the encrypted traffic to the remote entity.  On the other hand Nanjo teaches 
Higgins does not explicitly teach delaying, by the monitoring agent, providing of the encrypted traffic from the device to the remote entity, until the traffic inspection service acknowledges receipt of the provided keying information.  Balissat teaches a similar system in which a traffic monitoring device buffers the packets while decrypting and inspecting them (0085).  If the data in the decrypted packet conforms to a network policy, the original encrypted packet is then allowed to proceed to its destination.  Delaying the packet gives the system time to block or stop malicious packets from leaving the network.  Delaying the packet would, for example, prevent data loss.  Having the secret sharing engine delay the traffic while the NMC inspects it improves the security of the system by not allowing packets that could result in data loss to leave the network.

As per claim 8, it is rejected for the same reasons as claim 2.
As per claim 9, it is rejected for the same reasons as claim 3.

As per claim 11, Higgins teaches determining, by the monitoring agent, that a process tree on the device associated with the traffic session is untrusted, wherein the monitoring agent provides the keying information for the session to the traffic inspection service based on the determination that the process tree associated with the traffic session is untrusted (col. 31, lines 6-10).

As per claim 12, Higgins teaches obtaining, by the monitoring agent, an acknowledgement from the traffic inspection service that acknowledges receipt of the keying information (col. 30, lines 34-38).
As per claim 13, Higgins teaches capturing the keying information for the session from the handshake comprises: capturing, by the monitoring agent, the keying information from a memory space of a process of the device that is associated with the handshake (col. 24, line 40).
As per claim 14, Higgins teaches obtaining, by the monitoring agent, data from the traffic inspection service that causes the monitoring agent to capture the keying information (col. 29, lines 60-65).

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Higgins and Nanjo as applied to claim 15 and further in view of Balissat.
As per claim 18, Higgins and Nanjo do not explicitly teach delaying, by the monitoring agent, providing of the encrypted traffic from the device to the remote entity, until the traffic inspection service acknowledges receipt of the provided keying information.  Balissat teaches a similar system in which a traffic monitoring device buffers the packets while decrypting and inspecting them (0085).  If the data in the decrypted packet conforms to a network policy, the original encrypted packet is then allowed to proceed to its destination.  Delaying the packet gives the system time to block or stop malicious packets from leaving the network.  Delaying the packet would, for example, prevent data loss.  Having the secret sharing engine delay the traffic while the NMC inspects it improves the security of the system by not allowing packets that could result in data loss to leave the network.
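The exchange mapped in the rejections of claims 1, 5, 7 and 18 (the endpoint agent hands the session key to the inspection service once the handshake is complete, the service acknowledges receipt, the agent holds outbound records until that acknowledgement, and the service blocks traffic it cannot decrypt or that violates the data privacy policy), as an added Python sketch that is not part of this Office action or of any cited reference. The HMAC-SHA256 keystream is a stand-in for the TLS record cipher, and the "CONFIDENTIAL" marker rule is a constructed policy; both are assumptions for the demonstration.

```python
import hashlib
import hmac

def record_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the TLS record cipher (HMAC-SHA256 keystream XOR); not real TLS.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

class InspectionService:
    # Intermediary role (the NMC): keeps per-session keys, decrypts, applies policy.
    def __init__(self):
        self.keys = {}
    def receive_keying_info(self, session_id: str, key: bytes) -> str:
        self.keys[session_id] = key
        return "ACK " + session_id        # notification that acknowledges receipt
    def inspect(self, session_id: str, nonce: bytes, ciphertext: bytes) -> str:
        key = self.keys.get(session_id)
        if key is None:                   # no keying information: cannot decrypt, so block
            return "BLOCK:no-key"
        plaintext = record_cipher(key, nonce, ciphertext)
        if b"CONFIDENTIAL" in plaintext:  # constructed data privacy rule for the demo
            return "BLOCK:policy"
        return "ALLOW"

class MonitoringAgent:
    # Endpoint role (the secret sharing engine): releases the key, holds traffic until acked.
    def __init__(self, service: InspectionService, session_id: str, key: bytes):
        self.service, self.session_id, self.key = service, session_id, key
        self.acked, self.held = False, []
    def provide_keying_info(self) -> bool:
        # Runs after the handshake, once the session key exists on the endpoint.
        ack = self.service.receive_keying_info(self.session_id, self.key)
        self.acked = ack == "ACK " + self.session_id
        return self.acked
    def send(self, nonce: bytes, plaintext: bytes) -> str:
        ciphertext = record_cipher(self.key, nonce, plaintext)
        if not self.acked:                # delay delivery until the service holds the key
            self.held.append((nonce, ciphertext))
            return "HELD"
        return self.service.inspect(self.session_id, nonce, ciphertext)
    def flush_held(self) -> list:
        # Forward records held during the key exchange; only meaningful once acknowledged.
        if not self.acked:
            return []
        held, self.held = self.held, []
        return [self.service.inspect(self.session_id, n, c) for n, c in held]
```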

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL R. VAUGHAN whose telephone number is (571)270-7316.  The examiner can normally be reached on Monday - Thursday, 7:30am - 5:00pm, EST.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/MICHAEL R VAUGHAN/
Primary Examiner, Art Unit 2431