DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is in response to the amendments filed on 11/23/2020. Claims 1, 2, 8, 9, 15, 16 and 18 have been amended. Claim 17 is canceled. Claim 21 is added in this amendment. Claims 1-16 and 18-21 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see page 9, filed 11/23/2020, with respect to the rejections of claims 2, 9, and 16 under 35 U.S.C. 112(b) have been fully considered and are persuasive. Thus, the rejections have been withdrawn.
Applicant’s arguments, see pages 9-10, filed 11/23/2020, with respect to the rejections of claims 1-20 under 35 U.S.C. 101 have been fully considered and are persuasive. Thus, the rejections have been withdrawn.
Applicant’s arguments, see pages 11-12, filed 11/23/2020, with respect to the rejection of claims 1-4, 6-11, 13-18, and 20 under 35 U.S.C. 102 have been fully considered and are persuasive. Thus, the rejections have been withdrawn. However, Applicant's amendment necessitated the new ground(s) of rejection discussed below.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it 

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claim 21 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 21 recites the limitation “permitting or blocking traffic from the service of the target domain based on identifying the service as benign or malware” in lines 4-5. However, this limitation is not described in the application as originally filed.
In this regard, the specification describes determining or identifying whether a service is benign or malware, for example in paragraph [0039] (“with this arrangement, at least one encrypted traffic analytics feature may be generated for each of the services hosted by the target domain and can be used to identify the services and/or to make assessments of whether the service is malware or benign (e.g., threat assessments 314 made by security monitoring system 310)”) and paragraph [0033] (“security monitoring system 310 may determine that the identified service on the target domain is benign”), but it does not describe permitting or blocking traffic from the service of the target domain based on identifying the service as benign or malware. Furthermore, the specification does not describe permitting or blocking traffic at all, regardless of whether the traffic originates from a benign or a malicious service. As such, the limitation is not supported by the disclosure of the original application. The Examiner encourages Applicant to identify the portions of the specification that support the limitation, if any.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-16 and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Katzir et al. (US 2018/0109542 A1; hereinafter, “Katzir”) in view of Ollmann (US 2010/0107257 A1; hereinafter, “Ollmann”).


Regarding claim 1:
Katzir teaches: 
A method (claim 11) comprising:
obtaining telemetry data for one or more domains within a network, the telemetry data for the one or more domains including both encrypted traffic analytics information associated with network traffic in the network and traffic flow information associated with the network traffic (para. [0041]: The monitoring device passes the encrypted traffic, along with the corresponding unencrypted traffic (or “unencrypted communication”) derived from the encrypted traffic, to processor 34 … (Alternatively, the processor may receive the encrypted traffic directly from the application and/or the server, and/or via a separate network tap monitoring the communication between the application and the application server.); para. [0036]: send and receive communication via network 64. --- It is noted that the encrypted traffic and the unencrypted traffic teach telemetry data; the application and/or the server teaches one or more domains; network 64 teaches a network; and the encrypted traffic along with the corresponding unencrypted traffic teaches telemetry data including both encrypted traffic analytics information and traffic flow information associated with the network traffic);
for each domain of the one or more domains, generating a model comprising a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature (para. [0048]: the processor ascertains the correspondence between the encrypted communication and the unencrypted communication, by matching each unit of unencrypted communication with a respective unit of encrypted communication that was exchanged with the same application as was the unencrypted communication. (Alternatively, the processor may match each unit of encrypted communication with a respective unit of unencrypted communication.); para. [0043]: In some embodiments, more than one user may be monitored in the above-described manner, such as to generate a larger and/or more diverse learning set. (If necessary, more than one monitoring device may be used.) Using techniques described herein, a respective learning set may be constructed for each relevant application, each learning set covering any number of relevant types of actions; para. [0073]: the techniques described above with respect to FIGS. 2-3 may be performed separately for each application of interest. In some embodiments, the processor builds respective learning sets for a plurality of applications, in parallel to each other, as communication is received from the monitoring device. --- It is noted that the plurality of applications teaches the one or more domains; generating a learning set teaches generating a model; and matching each unit of encrypted communication with a respective unit of unencrypted communication teaches a mapping from a plurality of traffic flow information features to at least one encrypted traffic analytics feature);
generating a database comprising generated models for each of the one or more domains (para. [0041]: The processor then stores these features and labels, in association with each other, in the database; para. [0044]: Upon a particular learning set for a particular application containing a sufficient number of labeled observations, another processor 66 (or processor 34) retrieves the learning set from database 36… --- It is noted that database 36 teaches a database; the learning set, i.e., the stored features and labels, teaches models; and a particular learning set for a particular application teaches models for each of the one or more domains);
obtaining telemetry data for a target domain that includes traffic flow information without encrypted traffic analytics information (para. [0033]: Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow (In other words, using the unencrypted communication, the type of action that generated the encrypted flow may be automatically ascertained); para. [0064]: Upon establishing that an unencrypted block corresponds to a particular encrypted block, the processor infers, based on information contained in the unencrypted block, the type of user action in response to which the encrypted block was generated. For example, if unencrypted block 48a indicates a “send mail” user action, the processor may infer that corresponding encrypted block 52a was generated in response to a “send mail” action. --- It is noted that the unencrypted and encrypted blocks teach telemetry data; the “send mail” indication and the information contained in the unencrypted block teach traffic flow information; the application and/or the application server teaches a target domain, since the application or the application server sends or receives the traffic that the classifier classifies; and “without decrypting the encrypted flow” teaches without encrypted traffic analytics information);
determining at least one encrypted traffic analytics feature of the target domain based on a plurality of traffic flow information features of the target domain using the database (para. [0033]: Since the unencrypted flow indicates the type of action that was performed by the user, the correspondence between the encrypted flow and the unencrypted flow may be used to automatically label the encrypted flow, without decrypting the encrypted flow; para. [0064]: Upon establishing that an unencrypted block corresponds to a particular encrypted block, the processor infers, based on information contained in the unencrypted block, the type of user action in response to which the encrypted block was generated. For example, if unencrypted block 48a indicates a “send mail” user action, the processor may infer that corresponding encrypted block 52a was generated in response to a “send mail” action; para. [0072]: Using the stored features and labels (which together constitute a learning set), the processor automatically learns to ascertain, for subsequent encrypted communication exchanged between the application and the server, respective types of actions in response to which the subsequent encrypted communication was generated. --- It is noted that inferring the type of user action, and ascertaining for subsequent encrypted communication the respective types of actions in response to which the encrypted block was generated, teaches determining at least one encrypted traffic analytics feature of the target domain; “based on information contained in the unencrypted block” teaches based on a plurality of traffic flow information features of the target domain; and using the stored features and labels (which together constitute a learning set) teaches using the database); and
… identifying the service hosted on the target domain based on the at least one encrypted traffic analytics feature (para. [0047]: Upon receiving encrypted communication from the monitoring device, the processor first ascertains the application with which the communication was exchanged. In some cases, such ascertainment may be based on a domain name that appears in the communicated packets. (Such information is typically not encrypted.) For example, based on the domain name “facebook.com,” the processor may infer that the communication was exchanged with the Facebook application. In the event that a domain handles multiple services, the processor may ascertain the application from a Server Name Indication (SNI) within the relevant TLS request. --- It is noted that, where a domain handles multiple services, ascertaining the application from the Server Name Indication (SNI) teaches identifying the service hosted on the target domain; the domain teaches the target domain; and ascertaining the application with which the communication was exchanged teaches identifying based on the at least one encrypted traffic analytics feature).
Katzir is silent about: 
determining whether a service is benign or malware by identifying the service hosted on the target domain based on … traffic.
Ollmann teaches: 
determining whether a service is benign or malware by identifying the service hosted on the target domain based on … traffic (para. [0029]: A remote scanning tool or agent program is run on the remote computer system in step 702 for remotely connecting to the host computer system over a network and to obtain a list of open network ports on the host computer system. In step 704, the remote scanning tool or agent program remotely connects to the host computer system to enumerate and list currently running or active network services and their respective ports in use in the host computer system; para. [0030]: In step 802, the results correlation computer system receives the local scanning results from the host computer system and, in step 804, the results correlation computer system receives the remote scanning results from the remote computer system. The results correlation computer system running a results correlation engine compares in step 806 the local list (corresponding to the local scan) and the remote list (corresponding to the remote scan) of network services running on the host computer system for any discrepancies. Any discrepancies found represent hidden services and are indicative of unwanted software or malware. --- It is noted that the services running on the host computer system teach the service hosted on the target domain; enumerating and listing currently running or active network services and their respective ports in use in the host computer system teaches identifying the service hosted on the target domain; discrepancies that represent hidden services and are indicative of unwanted software or malware teach determining whether a service is benign or malware; and the results correlation computer system receiving the remote scanning results from the remote computer system teaches based on traffic).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Katzir’s system by enhancing Katzir’s monitoring device to determine whether the services running on a host computer system (i.e., a domain) include unwanted software, malware, or a hidden service by monitoring the communication from those services, as taught by Ollmann, in order to protect the host computer system and to prevent malicious traffic from flowing over the computer network.
In this regard, Katzir describes that 
In some cases, law-enforcement or security agencies may wish to monitor communication over a computer network, such as the Internet, in order to identify activities taking place on the computer network. A challenge in doing so, however, is that many applications use encrypted protocols, such that the traffic exchanged by these applications is encrypted. Examples of such applications include Gmail, Facebook, and Twitter. Examples of encrypted protocols include the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. (See para. [0002])
The motivation is to allow law-enforcement or security agencies to identify harmful activities taking place on services over the computer network even though the traffic exchanged by those services is encrypted, thereby protecting the computer network from malicious services.

Regarding claim 2:
Katzir in view of Ollmann teaches: 

Katzir further teaches: 
… generating from the database an encrypted traffic analytics feature for the target domain based on similarities between the plurality of traffic flow information features and another set of traffic flow information features associated with the encrypted traffic analytics feature in the database (para. [0044]: Upon a particular learning set for a particular application containing a sufficient number of labeled observations, another processor 66 (or processor 34) retrieves the learning set from database 36, and applies a suitable machine-learning algorithm (e.g., a decision-tree algorithm or support-vector-machine algorithm) to the learning set. (As known in the art, the labeled observations may be divided into various sets, such as a training set, testing set, and validation set. The term “learning set,” as used herein, generally refers to the full collection of labeled observations, not only to the training set.) The machine-learning algorithm thus learns a classifier 68, which is capable of “classifying,” i.e., labeling, encrypted traffic exchanged with the application, based on the relevant features of the encrypted traffic. Subsequently, processor 66 (or another processor) may use the classifier to label encrypted traffic, i.e., deduce the types of user actions in response to which the encrypted traffic was generated. --- It is noted that retrieving the learning set from the database and labeling encrypted traffic teaches generating from the database an encrypted traffic analytics feature for the target domain; and “based on the relevant features of the encrypted traffic” teaches based on similarities between the plurality of traffic flow information features and another set of traffic flow information features. It is further noted that, for the sake of examination, the limitation “generating from the database …” is interpreted as selecting or retrieving, or a similar operation, in light of the specification).
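The following is an added example illustrating the claim 1 and claim 2 steps discussed above (and the model-selection step of claim 21 below). It is not code from the application, from Katzir, or from Ollmann. The flow feature names, the SPLT class labels, the domain names and the service fingerprint table are constructed for the example, and nearest-neighbor matching over log-scaled flow features is one assumed way of realizing the claimed per-domain mapping and similarity comparison.

```python
"""Added illustration (not code from the application, Katzir or Ollmann).
Each stored model maps traffic flow information features of one domain to the
encrypted traffic analytics (ETA) feature observed with them. Flow-only telemetry
for a target domain is matched to the most similar stored model, the nearest stored
flow supplies the inferred ETA feature, and the enriched flow is used to identify
and assess the service. All names, labels and values below are constructed."""
from collections import Counter
from dataclasses import dataclass, field
import math

FLOW_KEYS = ("bytes", "packets", "elapsed_s")  # traffic flow information features
PORT_MISMATCH = 1.0                            # distance penalty when ports differ


def flow_vector(flow):
    """Log-scale the volumetric features so byte counts do not swamp the others."""
    return tuple(math.log10(1.0 + flow[k]) for k in FLOW_KEYS)


def distance(port_a, vec_a, port_b, vec_b):
    d = math.sqrt(sum((x - y) ** 2 for x, y in zip(vec_a, vec_b)))
    return d + (PORT_MISMATCH if port_a != port_b else 0.0)


def centroid(ports, vectors):
    """Most common port plus the mean feature vector of a set of flows."""
    mean = tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(len(FLOW_KEYS)))
    return Counter(ports).most_common(1)[0][0], mean


@dataclass
class DomainModel:
    """Mapping from flow-feature vectors of one domain to the ETA feature seen with them."""
    domain: str
    examples: list = field(default_factory=list)  # (port, vector, eta_feature)

    def summary(self):
        return centroid([p for p, _, _ in self.examples], [v for _, v, _ in self.examples])

    def nearest_eta(self, port, vec):
        """Claim 2 step: the ETA feature paired with the most similar stored flow."""
        return min(self.examples, key=lambda e: distance(port, vec, e[0], e[1]))[2]


def build_database(telemetry):
    """Claim 1 steps: one model per domain, collected into a database."""
    db = {}
    for rec in telemetry:
        model = db.setdefault(rec["domain"], DomainModel(rec["domain"]))
        model.examples.append((rec["port"], flow_vector(rec), rec["eta"]))
    return db


def select_model(db, target_flows):
    """Claim 21 step: the stored model whose flows look most like the target's."""
    t_port, t_vec = centroid([f["port"] for f in target_flows],
                             [flow_vector(f) for f in target_flows])
    return min(db.values(), key=lambda m: distance(t_port, t_vec, *m.summary()))


# Constructed fingerprint table: (ETA feature, port) -> (service, assessment).
SERVICE_FINGERPRINTS = {
    ("SPLT=bursty-upload", 443): ("webmail", "benign"),
    ("SPLT=page-load", 443): ("webmail", "benign"),
    ("SPLT=bulk-download", 443): ("static-content", "benign"),
    ("SPLT=periodic-beacon", 443): ("software-updater", "benign"),
    ("SPLT=periodic-beacon", 8443): ("c2-beacon", "malware"),
}


def assess_target(db, target_flows):
    """Enrich flow-only telemetry with an inferred ETA feature, then identify the service."""
    model = select_model(db, target_flows)
    out = []
    for f in target_flows:
        eta = model.nearest_eta(f["port"], flow_vector(f))
        service, verdict = SERVICE_FINGERPRINTS.get((eta, f["port"]), ("unknown", "unknown"))
        out.append({**f, "model": model.domain, "eta": eta, "service": service, "verdict": verdict})
    return out


# Constructed training telemetry: flow information plus the ETA feature seen with it.
TRAINING = [
    {"domain": "mail.example.test", "port": 443, "bytes": 50_000, "packets": 60, "elapsed_s": 4.0, "eta": "SPLT=bursty-upload"},
    {"domain": "mail.example.test", "port": 443, "bytes": 12_000, "packets": 30, "elapsed_s": 1.5, "eta": "SPLT=page-load"},
    {"domain": "cdn.example.test", "port": 443, "bytes": 2_000_000, "packets": 1500, "elapsed_s": 2.0, "eta": "SPLT=bulk-download"},
    {"domain": "cdn.example.test", "port": 443, "bytes": 900_000, "packets": 700, "elapsed_s": 1.2, "eta": "SPLT=bulk-download"},
    {"domain": "update.example.test", "port": 443, "bytes": 800, "packets": 6, "elapsed_s": 0.5, "eta": "SPLT=periodic-beacon"},
    {"domain": "update.example.test", "port": 443, "bytes": 650, "packets": 6, "elapsed_s": 0.4, "eta": "SPLT=periodic-beacon"},
]
# Constructed target telemetry: flow information only, no ETA feature.
TARGETS = {
    "mailish.example.test": [{"port": 443, "bytes": 48_000, "packets": 55, "elapsed_s": 3.5}],
    "quiet.example.test": [{"port": 443, "bytes": 1_000, "packets": 8, "elapsed_s": 0.6}],
    "odd.example.test": [{"port": 8443, "bytes": 700, "packets": 6, "elapsed_s": 0.5}],
}


def run_demo():
    db = build_database(TRAINING)
    return {name: assess_target(db, flows)[0] for name, flows in TARGETS.items()}


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name}: model={r['model']} eta={r['eta']} service={r['service']} -> {r['verdict']}")
```

Running the block prints one line per target domain. The first two targets are matched to the mail and update models and assessed as benign; the third, whose beacon-like flows appear on a port the constructed table associates with command-and-control, is identified as a malware service. That last determination is the step the rejection attributes to Ollmann rather than Katzir; the port penalty in the distance function is the example's own assumption, not a feature of either reference.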

Regarding claim 3:
Katzir in view of Ollmann teaches: 

Katzir further teaches: 
wherein the traffic flow information for the target domain is enriched with the determined at least one encrypted traffic analytics feature (FIG. 3 & para. [0071]: By way of example, FIG. 3 shows multiple entries in database 36, corresponding to respective encrypted blocks. Each of the entries includes: (i) an identifier of the block, (ii) an “observation,” including features of the block, which may be represented as a vector of features F1, F2, etc. that were extracted from the block, and (iii) a label that indicates the type of user action in response to which the block was generated. (It is noted that FIG. 3 shows only one way, of many possible ways, in which the processor may store the features and labels.); para. [0072]: Using the stored features and labels (which together constitute a learning set), the processor automatically learns to ascertain, for subsequent encrypted communication exchanged between the application and the server, respective types of actions in response to which the subsequent encrypted communication was generated. For example, the processor may learn that a particular combination of features, when observed in an encrypted block, indicates that the encrypted block was generated in response to a “reply” action. Subsequently, upon the processor (or another processor employing the learned classifier) observing this combination of features in a block of encrypted communication, the processor may automatically label the block as a “reply” block. --- It is noted that the block teaches the traffic flow information for the target domain; and the entries of FIG. 3 and the combination of features teach enriched with the determined at least one encrypted traffic analytics feature. It is also noted that neither the claim nor the specification specifically defines the term “enriched”; thus, under the broadest reasonable interpretation, it is interpreted as obtaining, adding, or combining any information relating to the encrypted traffic).

Regarding claim 4:
Katzir in view of Ollmann teaches: 
 	The method of claim 3.
Katzir further teaches: 
wherein the target domain hosts at least two different services (para. [0047]: For example, based on the domain name “facebook.com,” the processor may infer that the communication was exchanged with the Facebook application. In the event that a domain handles multiple services, the processor may ascertain the application from a Server Name Indication (SNI) within the relevant TLS request. --- It is noted that a domain teaches the target domain; handle multiple services teaches hosts at least two different services); and
wherein identity information associated with each service of the at least two different services is obtained using the traffic flow information that has been enriched with the determined at least one encrypted traffic analytics feature (FIG. 3 & para. [0071]: By way of example, FIG. 3 shows multiple entries in database 36, corresponding to respective encrypted blocks. Each of the entries includes: (i) an identifier of the block, (ii) an “observation,” including features of the block, which may be represented as a vector of features F1, F2, etc. that were extracted from the block, and (iii) a label that indicates the type of user action in response to which the block was generated. (It is noted that FIG. 3 shows only one way, of many possible ways, in which the processor may store the features and labels.); para. [0072]: Using the stored features and labels (which together constitute a learning set), the processor automatically learns to ascertain, for subsequent encrypted communication exchanged between the application and the server, respective types of actions in response to which the subsequent encrypted communication was generated. For example, the processor may learn that a particular combination of features, when observed in an encrypted block, indicates that the encrypted block was generated in response to a “reply” action. Subsequently, upon the processor (or another processor employing the learned classifier) observing this combination of features in a block of encrypted communication, the processor may automatically label the block as a “reply” block. --- It is noted that in FIG. 3, identifier teaches identity information; the identifiers are associated with action types which teaches each service of the at least two different services; and the combination of features teaches obtained using the traffic flow information enriched with the determined at least one encrypted traffic analytics feature).

Regarding claim 5: 
Katzir in view of Ollmann teaches: 
 	The method of claim 4, further comprising …
Katzir is silent about: 
… identifying one of the at least two different services as malware.
Ollmann teaches: 
… identifying one of the at least two different services as malware (para. [0029]: A remote scanning tool or agent program is run on the remote computer system in step 702 for remotely connecting to the host computer system over a network and to obtain a list of open network ports on the host computer system. In step 704, the remote scanning tool or agent program remotely connects to the host computer system to enumerate and list currently running or active network services and their respective ports in use in the host computer system; para. [0030]: In step 802, the results correlation computer system receives the local scanning results from the host computer system and, in step 804, the results correlation computer system receives the remote scanning results from the remote computer system. The results correlation computer system running a results correlation engine compares in step 806 the local list (corresponding to the local scan) and the remote list (corresponding to the remote scan) of network services running on the host computer system for any discrepancies. Any discrepancies found represent hidden services and are indicative of unwanted software or malware. --- It is noted that discrepancies found represent hidden services and are indicative of unwanted software or malware teaches identifying one of the at least two different services as malware).
The motivation for claim 1 is applicable for claim 5. 

Regarding claim 6:
Katzir in view of Ollmann teaches: 
 	The method of claim 1.
Katzir further teaches: 
wherein the encrypted traffic analytics information includes one or more of sequence of packet lengths and times (SPLT), byte distribution, initial data packet (IDP) information, or transport layer security (TLS) data (para. [0002]: Examples of encrypted protocols include the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol; para. [0047]: For example, based on the domain name “facebook.com,” the processor may infer that the communication was exchanged with the Facebook application. In the event that a domain handles multiple services, the processor may ascertain the application from a Server Name Indication (SNI) within the relevant TLS request).

Regarding claim 7:
Katzir in view of Ollmann teaches: 
 	The method of claim 1.
Katzir further teaches: 
wherein the traffic flow information includes one or more of a port number, transferred bytes, transferred packets, Internet Protocol (IP) addresses, elapsed time, periodicity, flow rate, protocol, collector interface, or Transmission Control Protocol (TCP) flags (para. [0049]: Typically, the processor identifies each packet as a transmit packet or a receive packet, based on the (unencrypted) source and destination port numbers that appear in the packet; para. [0028]: relevant features related to the numbers of packets, the sizes of the packets, the timing of the packets).

Regarding claim 8:
Claim 8 recites a non-transitory computer readable storage medium which corresponds to the method of claim 1, and additionally recites a processor and instructions.
However, Katzir teaches a processor and instructions (claim 11: using a processor, automatically ascertaining respective types of the actions. --- It is noted that the ascertaining performed by the processor teaches instructions).
Therefore claim 8 is rejected by applying the same rationale used to reject claim 1 above and the teachings discussed above.

Regarding claim 9:
Claim 9 recites the non-transitory computer readable storage media which corresponds to the method of claim 2, and contains no additional limitations. Therefore claim 9 is rejected by applying the same rationale used to reject claim 2 above.

Regarding claim 10:
Claim 10 recites the non-transitory computer readable storage media which corresponds to the method of claim 3, and contains no additional limitations. Therefore claim 10 is rejected by applying the same rationale used to reject claim 3 above.

Regarding claim 11:
Claim 11 recites the non-transitory computer readable storage media which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 11 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 12:
Claim 12 recites the non-transitory computer readable storage media which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 12 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 13:
Claim 13 recites the non-transitory computer readable storage media which corresponds to the method of claim 6, and contains no additional limitations. Therefore claim 13 is rejected by applying the same rationale used to reject claim 6 above.

Regarding claim 14:
Claim 14 recites the non-transitory computer readable storage media which corresponds to the method of claim 7, and contains no additional limitations. Therefore claim 14 is rejected by applying the same rationale used to reject claim 7 above.

Regarding claim 15:
Claim 15 recites an apparatus which corresponds to the method of claim 1, and additionally recites:
a communication interface configured to enable network communications with a plurality of devices in a network; and
a processor coupled with the communication interface.
However, Katzir further teaches: 
a communication interface configured to enable network communications with a plurality of devices in a network (FIG. 1 & para. [0036]: a network interface controller (NIC) 33, configured to send and receive communication via network 64); and
a processor coupled with the communication interface (para. [0036]: Processor 35 sends and receives communication via the network interface.)
Therefore claim 15 is rejected by applying the same rationale used to reject claim 1 above and the teachings discussed above.

Regarding claim 16:
Claim 16 recites the apparatus which corresponds to the method of claim 2, and contains no additional limitations. Therefore claim 16 is rejected by applying the same rationale used to reject claim 2 above.

Regarding claim 18:
Claim 18 recites the apparatus which corresponds to the method of claim 4, and contains no additional limitations. Therefore claim 18 is rejected by applying the same rationale used to reject claim 4 above.

Regarding claim 19:
Claim 19 recites the apparatus which corresponds to the method of claim 5, and contains no additional limitations. Therefore claim 19 is rejected by applying the same rationale used to reject claim 5 above.

Regarding claim 20:
Claim 20 recites the apparatus which corresponds to the method of claim 7, and contains no additional limitations. Therefore claim 20 is rejected by applying the same rationale used to reject claim 7 above.

Regarding claim 21:
Katzir in view of Ollmann teaches: 
The method of claim 1, further comprising: 
Katzir further teaches: 
selecting a model for the target domain from among a plurality of models stored in the database (para. [0044]: Upon a particular learning set for a particular application containing a sufficient number of labeled observations, another processor 66 (or processor 34) retrieves the learning set from database 36, and applies a suitable machine-learning algorithm (e.g., a decision-tree algorithm or support-vector-machine algorithm) to the learning set. (As known in the art, the labeled observations may be divided into various sets, such as a training set, testing set, and validation set. The term “learning set,” as used herein, generally refers to the full collection of labeled observations, not only to the training set.) The machine-learning algorithm thus learns a classifier 68, which is capable of “classifying,” i.e., labeling, encrypted traffic exchanged with the application, based on the relevant features of the encrypted traffic. Subsequently, processor 66 (or another processor) may use the classifier to label encrypted traffic, i.e., deduce the types of user actions in response to which the encrypted traffic was generated. --- It is noted that retrieving the learning set for a particular application from the database, which holds learning sets for a plurality of applications, teaches selecting a model for the target domain from among a plurality of models stored in the database); and
… 
wherein the at least one encrypted traffic analytics feature of the target domain is determined based on the plurality of traffic flow information features of the target domain and the model selected for the target domain (para. [0048]: the processor ascertains the correspondence between the encrypted communication and the unencrypted communication, by matching each unit of unencrypted communication with a respective unit of encrypted communication that was exchanged with the same application as was the unencrypted communication. (Alternatively, the processor may match each unit of encrypted communication with a respective unit of unencrypted communication.); para. [0043]: In some embodiments, more than one user may be monitored in the above-described manner, such as to generate a larger and/or more diverse learning set. (If necessary, more than one monitoring device may be used.) Using techniques described herein, a respective learning set may be constructed for each relevant application, each learning set covering any number of relevant types of actions; para. [0073]: the techniques described above with respect to FIGS. 2-3 may be performed separately for each application of interest. In some embodiments, the processor builds respective learning sets for a plurality of applications, in parallel to each other, as communication is received from the monitoring device; para. [0044]: Upon a particular learning set for a particular application containing a sufficient number of labeled observations, another processor 66 (or processor 34) retrieves the learning set from database 36, and applies a suitable machine-learning algorithm (e.g., a decision-tree algorithm or support-vector-machine algorithm) to the learning set. (As known in the art, the labeled observations may be divided into various sets, such as a training set, testing set, and validation set. The term “learning set,” as used herein, generally refers to the full collection of labeled observations, not only to the training set.) The machine-learning algorithm thus learns a classifier 68, which is capable of “classifying,” i.e., labeling, encrypted traffic exchanged with the application, based on the relevant features of the encrypted traffic. Subsequently, processor 66 (or another processor) may use the classifier to label encrypted traffic, i.e., deduce the types of user actions in response to which the encrypted traffic was generated. --- It is noted that generate a larger and/or more diverse learning set by matching each unit of encrypted communication with a respective unit of unencrypted communication teaches the at least one encrypted traffic analytics feature of the target domain is determined based on the plurality of traffic flow information features of the target domain; and retrieves the learning set from database and label encrypted traffic teaches the at least one encrypted traffic analytics feature of the target domain is determined based on the model selected for the target domain).
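The Katzir paragraphs quoted above describe three steps: pairing each unencrypted unit with an encrypted unit exchanged with the same application, accumulating a per-application learning set of labeled observations, and training a classifier once a learning set is large enough. The following Python is an added illustration of those steps; it is not code from Katzir, from the application under examination, or from this Office action. The capture-time field, the one-second pairing window with nearest-in-time tie-break, the feature tuple layout, and the minimum-observation threshold are assumptions made for the illustration (the quoted text only requires that paired units belong to the same application), and the sample capture is constructed.

```python
# Added illustration; not code from Katzir or from the application under examination.
# It models the quoted steps: pair each unencrypted unit with an encrypted unit of the
# same application, accumulate a per-application learning set of labeled observations,
# and report which applications have enough observations to train a classifier.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UnencryptedUnit:
    app: str      # application the unit was exchanged with
    t: float      # capture time in seconds (assumed field)
    action: str   # user-action label read from the cleartext (the "label")


@dataclass(frozen=True)
class EncryptedUnit:
    app: str
    t: float
    features: tuple  # assumed flow features, e.g. (bytes_up, bytes_down, packets)


def match_units(unencrypted, encrypted, max_skew=1.0):
    """Pair each unencrypted unit with the nearest-in-time, not-yet-used encrypted
    unit exchanged with the same application.

    The same-application rule is what the quoted paragraph states; the time
    window (max_skew) and nearest-in-time tie-break are assumptions of this
    illustration. Returns a list of (unencrypted, encrypted) pairs.
    """
    by_app = defaultdict(list)           # app -> [(index, encrypted unit)]
    for i, e in enumerate(encrypted):
        by_app[e.app].append((i, e))
    used = set()
    pairs = []
    for u in unencrypted:
        candidates = [(i, e) for i, e in by_app[u.app]
                      if i not in used and abs(e.t - u.t) <= max_skew]
        if not candidates:
            continue                     # no counterpart: cleartext unit stays unused
        i, best = min(candidates, key=lambda ie: abs(ie[1].t - u.t))
        used.add(i)
        pairs.append((u, best))
    return pairs


def build_learning_sets(pairs):
    """Group labeled observations per application: app -> [(features, label), ...]."""
    sets = defaultdict(list)
    for u, e in pairs:
        sets[u.app].append((e.features, u.action))
    return dict(sets)


def apps_ready_for_training(learning_sets, min_observations):
    """Applications whose learning set holds enough labeled observations to hand
    to a learner (decision tree, SVM, ...); the threshold is an assumption."""
    return sorted(app for app, obs in learning_sets.items()
                  if len(obs) >= min_observations)


# Constructed sample capture (not data from the cited reference).
SAMPLE_UNENCRYPTED = [
    UnencryptedUnit("chat", 1.0, "send_message"),
    UnencryptedUnit("chat", 5.0, "send_image"),
    UnencryptedUnit("maps", 2.0, "search"),
    UnencryptedUnit("chat", 9.0, "send_message"),
]
SAMPLE_ENCRYPTED = [
    EncryptedUnit("chat", 1.2, (300, 120, 4)),
    EncryptedUnit("chat", 5.3, (48000, 400, 60)),
    EncryptedUnit("maps", 2.1, (700, 9000, 20)),
    EncryptedUnit("maps", 7.0, (500, 8000, 15)),  # no cleartext counterpart: stays unlabeled
    EncryptedUnit("chat", 9.4, (280, 110, 4)),
]

if __name__ == "__main__":
    sets = build_learning_sets(match_units(SAMPLE_UNENCRYPTED, SAMPLE_ENCRYPTED))
    for app, obs in sets.items():
        print(app, len(obs), "labeled observations")
    print("ready:", apps_ready_for_training(sets, min_observations=3))
```

With the constructed capture, "chat" ends up with three labeled observations and "maps" with one, so only "chat" clears a threshold of three; the unmatched encrypted "maps" unit is left unlabeled rather than guessed at, which is the behaviour a defender wants from a labeling step that feeds a classifier.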
Katzir is silent about: 
permitting or blocking traffic from the service of the target domain based on identifying the service as benign or malware.
Ollmann teaches: 
permitting or blocking traffic from the service of the target domain based on identifying the service as benign or malware (para. [0029]: A remote scanning tool or agent program is run on the remote computer system in step 702 for remotely connecting to the host computer system over a network and to obtain a list of open network ports on the host computer system. In step 704, the remote scanning tool or agent program remotely connects to the host computer system to enumerate and list currently running or active network services and their respective ports in use in the host computer system; para. [0030]: In step 802, the results correlation computer system receives the local scanning results from the host computer system and, in step 804, the results correlation computer system receives the remote scanning results from the remote computer system. The results correlation computer system running a results correlation engine compares in step 806 the local list (corresponding to the local scan) and the remote list (corresponding to the remote scan) of network services running on the host computer system for any discrepancies. Any discrepancies found represent hidden services and are indicative of unwanted software or malware … Further, in step 816, the results correlation engine flags or identifies the “suspicious” host computer system as possibly infected. Additionally, in step 818, further tests are run on the flagged host computer system and the flagged host computer system is monitored to evaluate the nature of the discrepancy found and the malicious or unwanted software currently installed on the host computer system, ending the process. --- It is noted that discrepancies found represent hidden services and are indicative of unwanted software or malware teaches based on identifying the service as benign or malware; and it is inherent to block traffic from an infected computer system, i.e., infected domain). 
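The Ollmann paragraphs quoted above describe a correlation engine that compares the host's own (local) list of running network services with a remote scan of the same host and treats any discrepancy as a hidden service indicative of unwanted software, flagging the host for further tests and monitoring. The following Python is an added illustration of that comparison; it is not code from Ollmann, from the application under examination, or from this Office action. The data classes, the verdict dictionary, and the sample scan results are constructed for the illustration. It also separates the opposite discrepancy (a service the host reports but the remote scan does not reach, typically a firewalled or loopback-bound listener), which the quoted text does not discuss and which is not treated here as a hiding indicator.

```python
# Added illustration; not code from Ollmann or from the application under examination.
# It models the quoted correlation step: compare the host's own (local) list of
# listening services with what a remote scan observes, treat ports visible only
# remotely as hidden services, and flag the host for further tests and monitoring.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    port: int
    proto: str       # "tcp" or "udp"
    name: str = ""   # owning process where known; only the local view has this


def correlate_scans(local, remote):
    """Return (hidden, local_only).

    hidden:     (port, proto) seen by the remote scan but absent from the host's own
                enumeration; this is the discrepancy the quoted text treats as
                indicative of unwanted software.
    local_only: (port, proto) the host reports but the remote scan did not reach;
                usually filtering (firewall, bind to loopback), so it is reported
                separately rather than counted as hiding.
    """
    local_keys = {(s.port, s.proto) for s in local}
    remote_keys = {(s.port, s.proto) for s in remote}
    return sorted(remote_keys - local_keys), sorted(local_keys - remote_keys)


def assess_host(hostname, local, remote):
    """Correlation-engine verdict for one host (dict shape is an assumption)."""
    hidden, local_only = correlate_scans(local, remote)
    return {
        "host": hostname,
        "suspicious": bool(hidden),
        "hidden_services": hidden,
        "local_only": local_only,
        "next_steps": ["run further tests", "monitor host"] if hidden else [],
    }


# Constructed sample results (not data from the cited reference).
LOCAL_SCAN = [            # what the agent on the host enumerates
    Service(22, "tcp", "sshd"),
    Service(443, "tcp", "nginx"),
    Service(5432, "tcp", "postgres"),   # bound to loopback, so invisible remotely
]
REMOTE_SCAN = [           # what the scanner sees from across the network
    Service(22, "tcp"),
    Service(443, "tcp"),
    Service(12345, "tcp"),             # listener the host's own view does not report
]

if __name__ == "__main__":
    verdict = assess_host("host-a", LOCAL_SCAN, REMOTE_SCAN)
    print(verdict)
```

The comparison is keyed on (port, protocol) rather than on service name because the remote scan cannot see process names; a host whose two views agree produces an empty hidden list and is not flagged, while one remotely visible listener absent from the local view is enough to mark the host suspicious and queue the follow-up steps the quoted text describes.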

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Kohout et al. (US 2018/0103056 A1; hereinafter, “Kohout”) discloses a device and a method which captures contextual traffic data regarding the encrypted traffic flow from one or more unencrypted packets associated with the client, and performs a classification of the encrypted traffic flow by using the contextual traffic data as input to a machine learning-based classifier.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached on 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR PATEL can be reached on (571)-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/W.Y./Examiner, Art Unit 2491

/ASHOKKUMAR B PATEL/            Supervisory Patent Examiner, Art Unit 2491