DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The following is a Non-Final Office Action in response to communications received on February 14, 2019. Claims 1-21 are pending and addressed below.

Specification
For the record, Examiner acknowledges that the Specification submitted on February 14, 2019 has been accepted.

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they do not include the following reference sign(s) mentioned in the description: 300 in Fig. 3 and 37’ in Fig. 4.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be 
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 204 in paragraphs [0017], [0018], [0020] and [0021].  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claims 3, 10 and 12 are objected to because of the following informalities:  
Claim 3 recites the phrase “a list of address of functions” which appears to be a misspelling of “a list of addresses
Claim 10 recites the phrase “decrypt and analyzing the routed traffic.” It is suggested the phrase be amended to “decrypt and analyze the routed traffic” for grammatical correctness.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3-7 and 14-17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 3 recites the limitation “the database.” There is insufficient antecedent basis for this limitation. Dependent claim 4 is rejected for containing the same indefinite language as claim 3 without further remedying the indefinite language. 
Claim 4 recites the limitation “the function.” There are multiple previously recited functions and it is unclear as to which particular function the limitation is referring. Claim 14 is rejected for similar reasons to claim 4.
Claim 5 recites the limitation “the version.” There is insufficient antecedent basis for this limitation. Claim 15 is rejected for similar reasons to claim 5. 
Claim 16 recites the limitation “the method of analysis.” There is insufficient antecedent basis for this limitation. Dependent claim 17 is rejected for containing the same indefinite language as claim 16 without further remedying the indefinite language.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 11-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter. Claim 11 is directed towards a system comprising “a processor” configured to perform various steps. The claimed processor is not specifically defined as being only a hardware processor. The processor may, therefore, be interpreted as a software/non-hardware processor. The body of the claim is not positively tied to hardware. Thus, the claim is considered to be directed towards software per se and is, therefore, non-statutory. Dependent claims 12-20 are rejected for containing the same ineligible subject matter as claim 11 without further reciting the patent eligible subject matter. Applicant may overcome this rejection by, for example, adding the term “hardware” directly before the term “processor.”


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 10, 11, 20 and 21 are rejected under 35 U.S.C. 102(a)(1) and 102(a)(2) as being anticipated by Guo et al. (U.S. Patent No. 9,800,560 cited in the IDS filed on 8/6/2019 and hereinafter referred to as Guo).
As to claim 1, Guo discloses a method for analysis of content of encrypted traffic between processes, the method comprising: 
rerouting traffic between a first process executing on a first computing device and a second process, to a server, to determine that there is a protected connection established between the first process and the second process (col. 6 lines 4-24, col. 6 lines 44-58, col. 7 lines 30-53, col. 8 line 57 – col. 9 line 9, col. 12 line 49 – col. 13 line 24, and Figs. 2-3, Guo teaches intercepting session data between a first application process on a first device and a second application process on a second computing device by a server device. Guo teaches determining if the session data is encrypted to determine if a protected data transmission session exists); 
determining information related to an application pertaining to the first process (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches a location/address of an API function that generates session keys is determined); 
obtaining a session key for the protected connection by calling a function (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches obtaining the session key by calling the API function on behalf of the first application process), wherein the information comprises an address of the function to call to obtain the session key (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches the location/address of the API function that generates session keys is determined); 
decrypting and analyzing the rerouted traffic on the server between the first process and the second process using the session key to determine whether the traffic contains malicious objects (col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches decrypting and analyzing transmitted session data for determining if the session data contains malicious content); and 
in response to determining the traffic contains malicious objects, counteracting the malicious objects by blocking or rerouting the traffic (col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches performing a security action, such as blocking data reception, if the session data is found to contain malicious content.).
As to claim 10, Guo discloses the method of claim 1, wherein the application is a web browser (col. 7 lines 39-53, Guo teaches a web browser.).

As to claim 11, Guo discloses a system for analysis of content of encrypted traffic between processes, the system comprising: 
a processor (col. 3 lines 16-34, Guo teaches a processor) configured to: 
reroute traffic between a first process executing on a first computing device and a second process, to a server, to determine that there is a protected connection established between the first process and the second process (col. 6 lines 4-24, col. 6 lines 44-58, col. 7 lines 30-53, col. 8 line 57 – col. 9 line 9, col. 12 line 49 – col. 13 line 24, and Figs. 2-3, Guo teaches intercepting session data between a first application process on a first device and a second application process on a second computing device by a server device. Guo teaches determining if the session data is encrypted to determine if a protected data transmission session exists); 
determine information related to an application pertaining to the first process (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches a location/address of an API function that generates session keys is determined); 
(col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches obtaining the session key by calling the API function on behalf of the first application process), wherein the information comprises an address of the function to call to obtain the session key (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches the location/address of the API function that generates session keys is determined); 
decrypt and analyzing the rerouted traffic on the server between the first process and the second process using the session key to determine whether the traffic contains malicious objects (col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches decrypting and analyzing transmitted session data for determining if the session data contains malicious content); and 
in response to determining the traffic contains malicious objects, counteract the malicious objects by blocking or rerouting the traffic (col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches performing a security action, such as blocking data reception, if the session data is found to contain malicious content.).
As to claim 20, Guo discloses the system of claim 11, wherein the application is a web browser (col. 7 lines 39-53, Guo teaches a web browser.).

As to claim 21, Guo discloses a non-transitory computer-readable medium (col. 3 lines 16-34, Guo teaches code in memory), storing thereon 
rerouting traffic between a first process executing on a first computing device and a second process, to a server, to determine that there is a protected connection established between the first process and the second process (col. 6 lines 4-24, col. 6 lines 44-58, col. 7 lines 30-53, col. 8 line 57 – col. 9 line 9, col. 12 line 49 – col. 13 line 24, and Figs. 2-3, Guo teaches intercepting session data between a first application process on a first device and a second application process on a second computing device by a server device. Guo teaches determining if the session data is encrypted to determine if a protected data transmission session exists); 
determining information related to an application pertaining to the first process (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches a location/address of an API function that generates session keys is determined); 
obtaining a session key for the protected connection by calling a function (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches obtaining the session key by calling the API function on behalf of the first application process), wherein the information comprises an address of the function to call to obtain the session key (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches the location/address of the API function that generates session keys is determined); 
(col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches decrypting and analyzing transmitted session data for determining if the session data contains malicious content); and 
in response to determining the traffic contains malicious objects, counteracting the malicious objects by blocking or rerouting the traffic (col. 13 line 25 – col. 14 line 11 and Fig. 3, Guo teaches performing a security action, such as blocking data reception, if the session data is found to contain malicious content.).

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Guo as applied to claim 1 above, and further in view of Lifliand et al. (U.S. Pub. No. 2011/0314270 and hereinafter referred to as Lifliand).
As to claim 2, Guo discloses the method of claim 1, further comprising: obtaining the session key by instructing the program module to intercept a function called in establishing the protected connection (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches a monitoring agent intercepts a function call for the session key.). While Guo discloses the claimed program module, Guo is not entirely clear on injecting a program module into an address space of the first process as claimed. However, Lifliand does disclose
injecting a program module into an address space of the first process (paragraphs [0048], [0058] and [0062]-[0064], Lifliand teaches an interception component is loaded into a process space of an application.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Lifliand for injecting a program module into an address space of the first process because this would improve session key retrieval efficiency. Also, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Lifliand for injecting a program module into an address space of the first process because Guo already discloses a program module stored in a memory on a first device and it would be a simple substitution to place the .

Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Guo and Lifliand as applied to claim 2 above, and further in view of Brylyn (U.S. Pub. No. 2014/0122454).
As to claim 3, the combination of teachings between Guo and Lifliand disclose the method of claim 2. The combination of teachings between Guo and Lifliand does not specifically disclose wherein the information related to the application is determined by querying the database containing a list of address of functions that return the session key for a plurality of applications as claimed (although Guo does disclose functions that return session keys as described above). However, Brylyn does disclose
wherein the information related to the application is determined by querying the database containing a list of address of functions that return the session key for a plurality of applications (paragraph [0042], Brylyn teaches maintaining a database of addresses for functions to allow for later hooking of the functions.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the modified invention of Guo with the teachings of Brylyn for querying the database containing a list of address of functions because this would improve efficiency.
As to claim 4, the combination of teachings between Guo, Lifliand and Brylyn disclose the method of claim 3, further comprising: 
finding the function in an import table of the application using the address retrieved from the database (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches hooking based on a method table with addresses. paragraph [0042], Brylyn teaches maintaining a database of addresses for functions to allow for later hooking of the functions); and 
placing a pointer to an intercepting function that copies the session key in place of the function called in establishing the protected connection (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches replacing a memory address of the session key function in the table with a memory address of a function to intercept the session key.).
Examiner supplies the same rationale for the combination of the references as in claim 3 above.

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Guo as applied to claim 11 above, and further in view of Brylyn (U.S. Pub. No. 2014/0122454).
As to claim 12, Guo discloses the system of claim 11. Guo does not specifically disclose wherein the information is determined by querying a database containing a list of address of functions that return the session key for a plurality of applications as claimed (although Guo does disclose functions that return session keys as described above). However, Brylyn does disclose
(paragraph [0042], Brylyn teaches maintaining a database of addresses for functions to allow for later hooking of the functions.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Brylyn for querying a database containing a list of address of functions because this would improve efficiency.
As to claim 13, the combination of teachings between Guo and Brylyn disclose the system of claim 12, the processor further configured to: intercept a function called in establishing the protected connection (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches replacing a memory address of the session key function in the table with a memory address of a function to intercept the session key.).
Examiner supplies the same rationale for the combination of the references as in claim 12 above.
As to claim 14, the combination of teachings between Guo and Brylyn disclose the system of claim 13, the processor further configured to: 
find the function in an import table of the application using the address retrieved from the database (col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches hooking based on a method table with addresses. paragraph [0042], Brylyn teaches maintaining a database of addresses for functions to allow for later hooking of the functions); and 
(col. 9 line 65 – col. 10 line 14, col. 11 lines 8-53, and Fig. 3, Guo teaches replacing a memory address of the session key function in the table with a memory address of a function to intercept the session key.).
Examiner supplies the same rationale for the combination of the references as in claim 12 above.

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Guo as applied to claims 1 and 11 above, and further in view of Le Van Gong et al. (U.S. Pub. No. 2019/0306132 and hereinafter referred to as Le Van Gong).
As to claim 5, Guo discloses the method of claim 1. Guo does not specifically disclose wherein the information is determined based at least on the version of the application as claimed. However, Le Van Gong does disclose
wherein the information is determined based at least on the version of the application (paragraphs [0046]-[0047], Le Van Gong teaches determining a type of application including a version and using the type to determine information as part of traffic inspection.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Le Van Gong for having the information be determined based at least on the version of the application because this would improve efficiency.

As to claim 15, Guo discloses the system of claim 11. Guo does not specifically disclose wherein the information is determined based at least on the version of the application as claimed. However, Le Van Gong does disclose
wherein the information is determined based at least on the version of the application (paragraphs [0046]-[0047], Le Van Gong teaches determining a type of application including a version and using the type to determine information as part of traffic inspection.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Le Van Gong for having the information be determined based at least on the version of the application because this would improve efficiency.

Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Guo as applied to claims 1 and 11 above, and further in view of Brabson (U.S. Pub. No. 2012/0201142).
As to claim 8, Guo discloses the method of claim 1, wherein the server is a proxy server and the analysis is performed synchronously, wherein the traffic rerouted through the proxy server is delayed until analysis is complete (col. 6 lines 44-58, col. 12 line 49 – col. 13 line 24 and Fig. 2, Guo teaches traffic is received at the server and analyzed and the traffic is not forwarded until the analysis is complete (i.e. synchronous).). Guo does not specifically disclose the malicious objects are removed from the traffic as claimed. However, Brabson does disclose
(paragraphs [0009], [0028] and [0081], Brabson teaches a proxy inspecting and removing malware from data packets.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Brabson for removing the malicious objects because this would improve security and user experience.

As to claim 18, Guo discloses the system of claim 11, wherein the server is a proxy server and the analysis is performed synchronously, wherein the traffic rerouted through the proxy server is delayed until analysis is complete (col. 6 lines 44-58, col. 12 line 49 – col. 13 line 24 and Fig. 2, Guo teaches traffic is received at the server and analyzed and the traffic is not forwarded until the analysis is complete (i.e. synchronous).). Guo does not specifically disclose the malicious objects are removed from the traffic as claimed. However, Brabson does disclose
the malicious objects are removed from the traffic (paragraphs [0009], [0028] and [0081], Brabson teaches a proxy inspecting and removing malware from data packets.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Brabson for removing the malicious objects because this would improve security and user experience.

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Guo as applied to claims 1 and 11 above, and further in view of Bennett et al. (U.S. Pub. No. 2015/0120959 and hereinafter referred to as Bennett).
As to claim 9, Guo discloses the method of claim 1, wherein the server is a proxy server (col. 6 lines 44-58, col. 12 line 49 – col. 13 line 24 and Fig. 2, Guo teaches traffic is received at the server and.). Guo does not specifically disclose the analysis is performed asynchronously, wherein the analysis is performed continuously without delaying traffic rerouted through the proxy server as claimed. However, Bennett does disclose
the analysis is performed asynchronously, wherein the analysis is performed continuously without delaying traffic rerouted through the proxy server (paragraphs [0112], [0113], [0115], [0247] and Fig. 1A, Bennett teaches continuous traffic analysis where the analysis may be asynchronous.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Bennett for performing the analysis continuously because this would improve security.

As to claim 19, Guo discloses the system of claim 11, wherein the server is a proxy server (col. 6 lines 44-58, col. 12 line 49 – col. 13 line 24 and Fig. 2, Guo teaches traffic is received at the server and.). Guo does not specifically disclose the analysis is performed asynchronously, wherein the analysis is 
the analysis is performed asynchronously, wherein the analysis is performed continuously without delaying traffic rerouted through the proxy server (paragraphs [0112], [0113], [0115], [0247] and Fig. 1A, Bennett teaches continuous traffic analysis where the analysis may be asynchronous.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Guo with the teachings of Bennett for performing the analysis continuously because this would improve security.

Allowable Subject Matter
Claims 6-7 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
Claims 16-17 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 101 and 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), 2nd paragraph, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
Claim 6 recites, inter alia, “verifying, prior to intercepting, compatibility of the version of the application with the method of analysis of content of the traffic between the first process and the second process.” While the prior art does show checking a version of an application and determining capabilities of an application, the prior art 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Bannister et al. (U.S. Pub. No. 2020/0236093) – cited for teaching checking for encrypting function calls to retrieve a session key – paragraphs [0043]-[0044]
Patil et al. (U.S. Pub. No. 2017/0315999) – cited for teaching hooking by replacing an original address in an import table with a new address and completing a function call using the original address by the replacement code – paragraph [0038]
Ben-Shalom et al. (U.S. Pub. No. 2015/0007316) – cited for teaching monitoring traffic synchronously – Abstract and paragraph [0047] 
Moore et al. (U.S. Patent No. 10,079,810) – cited for teaching a key capture agent used for obtaining a session key and decrypting/analyzing traffic – Fig. 2 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THADDEUS J PLECHA whose telephone number is (571)270-7506.  The examiner can normally be reached on M-F 8-4:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 571-272-3787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.