Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
1.	This action is responsive to the communication filed on 2/05/2019.

Allowable Subject Matter
2.	Claims 21-22 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, and if the rejection under 35 USC 112 is overcome.

Claim Rejections – 35 USC 112
3.	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

4.	Claims 17-22 are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Regarding the term “authorization server”, the applicant’s specification does not clearly or distinctly disclose the structure of each claimed authorization server. Par [0054], lines 15-20 of the applicant’s specification discloses that the authorization server, among other servers and services, may be implemented on a virtual computing device and 

Claim Rejections – 35 USC 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office Action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

6.	Claims 1-7 and 10-16 are rejected under 35 USC 103 as being unpatentable over Ylonen et al (US 2013/0191631) in view of Vinsel et al (US 2018/0248778).
Regarding claim 1, Ylonen et al teaches a method of auditing network data packets within a secure network (par [0057], which discloses auditing in relation to secure shell sessions), the method comprising:
receiving, at a consumer endpoint, packet data from a second endpoint (par [0177], lines 19-21, which discloses that the packets may be exchanged between communicating endpoints), the packet data including at least a portion of a data packet (par [0111], which discloses encrypting packets transmitted between the initiating and destination devices), the packet data being encrypted with an encryption key associated with a packet auditing community of interest (par [0110], lines 8-10 and par [0111], which disclose negotiating a secure shell key between the initiating and destination devices to encrypt the packets exchanged between both devices and further transmitted to an auditing server) and having a routing header appended thereto, the routing header identifying the consumer endpoint (par [0107], lines 5-9, which discloses that the transmitted packets include a header indicating the direction from which the packet was received);
decrypting the packet data using the encryption key associated with the packet auditing community of interest (par [0112], lines 1-7, which discloses using the negotiated encryption key to decrypt the packet transmitted between the initiating and destination device); and
performing at least one packet auditing operation on the decrypted packet data (par [0116], lines 1-5, which discloses transmitting the decrypted packet to the audit server for executing an auditing session on the packet).
Ylonen et al does not explicitly teach removing at least a portion of the routing header identifying the consumer endpoint from the decrypted packet data.
Vinsel et al further teaches removing at least a portion of the routing header identifying the consumer endpoint from the decrypted packet data (par [0033], lines 16-20 & [0036], which disclose extracting relevant packet data, including IP header fields, from the received, decrypted packets).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result of reducing latency and preventing the increased costs accrued during packet auditing and interception (disclosed in par [0105] of Ylonen et al) by implementing the parallel, inline forwarding of monitored traffic and a latency timer for each packet analysis (as disclosed in par [0022], lines 21-27 and par [0044] of Vinsel et al) within the embodiment of Ylonen et al to ensure that each packet auditing session is performed within a predetermined maximum time period, reducing processing time for each session.
Regarding claim 2, Ylonen et al teaches wherein the packet data includes the entire data packet (par [0051], which discloses the original packet being sent to the destination host), and wherein receiving the packet data from the second endpoint comprises receiving the packet data at a first network interface of the consumer endpoint (par [0089], lines 5-11 and par [0090], lines 7-10, which disclose devices including a crypto API to view logged audited data, and user devices including an interface for viewing the audited session data).
Regarding claim 3, Ylonen et al teaches forwarding the decrypted packet data from the consumer endpoint to the network via the second network interface of the consumer endpoint (par [0103], lines 6-10 & par [0104], lines 2-6, which disclose decrypting the intercepted data and transmitting it to the destination device using API functionality).
Ylonen et al does not explicitly teach appending, to the decrypted packet data, a hardware address of a second network interface of the consumer endpoint different from the first network interface, and appending a hardware address that can be used to identify traffic on the network; and forwarding the decrypted packet data from the consumer endpoint to the network via the second network interface of the consumer endpoint; wherein the second network interface is a dedicated clear text communication interface.
Vinsel et al further teaches appending, to the decrypted packet data, a hardware address of a second network interface of the consumer endpoint different from the first network interface (par [0046], lines 15-30, which discloses configuring an inline tool MAC address with the received packet), and appending a hardware address that can be used to identify traffic on the network (claim 9, which discloses using the inline tool MAC address to determine if the outgoing packet comprises an injected packet); and
wherein the second network interface is a dedicated clear text communication interface (par [0033], lines 18-22, “containing only clear text data”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result previously disclosed regarding claim 1.
Regarding claim 4, Ylonen et al does not explicitly teach wherein appending the hardware address of the second network interface of the consumer endpoint comprises appending a media access control (MAC) address to the decrypted packet data.
Vinsel et al further teaches wherein appending the hardware address of the second network interface of the consumer endpoint comprises appending a media access control (MAC) address to the decrypted packet data (par [0046], lines 25-30, “injected packet based on a user-configurable MAC address”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result previously disclosed regarding claim 1.
Regarding claim 5, Ylonen et al teaches wherein the packet data received from the second endpoint includes a plurality of data packets (par [0029], which discloses a plurality of packets transmitted in the same session) and wherein the plurality of data packets include data transmitted or received by the second endpoint according to any of a plurality of communication protocols (par [0029] & [0101], lines 7-9, which disclose capturing session packets transmitted using UDP or TCP).
Regarding claim 6, Ylonen et al teaches wherein the packet data received from the second endpoint includes headers (par [0116], lines 1-5, “log packet headers”) and metadata of the data packet and less than the entire data packet (par [0145], lines 1-4, “data extracted from audit packets”).
Regarding claim 7, Ylonen et al teaches wherein the packet data received from the second endpoint includes the headers and metadata of a plurality of data packets (par [0107], which discloses the transmitted audited packets including headers indicating the direction in which the packet was received), and further wherein the plurality of headers and metadata of the plurality of data packets include data transmitted or received by the second endpoint according to any of a plurality of communication protocols (par [0116], which discloses transmitting packet headers using a negotiated, mutual encryption protocol).
Regarding claim 10, Ylonen et al teaches a network data packet auditing system (par [0057], which discloses auditing in relation to secure shell sessions), comprising:
a consumer endpoint (fig. 4, ‘430) including a programmable circuit communicatively connected to a memory storing a data packet routing service (fig. 4, ‘432 & fig. 5, ‘510), wherein the data packet routing service, when executed by the programmable circuit, causes the consumer endpoint to:
receive packet data from a second endpoint (par [0177], lines 19-21, which discloses that the packets may be exchanged between communicating endpoints), the packet data including at least a portion of a data packet (par [0111], which discloses encrypting packets transmitted between the initiating and destination devices), the packet data being encrypted with an encryption key associated with a packet auditing community of interest (par [0110], lines 8-10 and par [0111], which disclose negotiating a secure shell key between the initiating and destination devices to encrypt the packets exchanged between both devices and further transmitted to an auditing server) and having a routing header appended thereto, the routing header identifying the consumer endpoint (par [0107], lines 5-9, which discloses that the transmitted packets include a header indicating the direction from which the packet was received);
decrypt the packet data using the encryption key associated with the packet auditing community of interest (par [0112], lines 1-7, which discloses using the negotiated encryption key to decrypt the packet transmitted between the initiating and destination device); and
perform at least one packet auditing operation on the decrypted packet data (par [0116], lines 1-5, which discloses transmitting the decrypted packet to the audit server for executing an auditing session on the packet).
Ylonen et al does not explicitly teach removing at least a portion of the routing header identifying the consumer endpoint from the decrypted packet data.
Vinsel et al further teaches removing at least a portion of the routing header identifying the consumer endpoint from the decrypted packet data (par [0033], lines 16-20 & [0036], which disclose extracting relevant packet data, including IP header fields, from the received, decrypted packets).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result of reducing latency and preventing the increased costs accrued during packet auditing and interception (disclosed in par [0105] of Ylonen et al) by implementing the parallel, inline forwarding of monitored traffic and a latency timer for each packet analysis (as disclosed in par [0022], lines 21-27 and par [0044] of Vinsel et al) within the embodiment of Ylonen et al to ensure that each packet auditing session is performed within a predetermined maximum time period, reducing processing time for each session.
Regarding claim 11, Ylonen et al teaches wherein the packet data includes the entire data packet (par [0051], which discloses the original packet being sent to the destination host), and wherein receiving the packet data from the second endpoint comprises receiving the packet data at a first network interface of the consumer endpoint (par [0089], lines 5-11 and par [0090], lines 7-10, which disclose devices including a crypto API to view logged audited data, and user devices including an interface for viewing the audited session data).
Regarding claim 12, Ylonen et al teaches forwarding the decrypted packet data from the consumer endpoint to the network via the second network interface of the consumer endpoint (par [0103], lines 6-10 & par [0104], lines 2-6, which disclose decrypting the intercepted data and transmitting it to the destination device using API functionality).
Ylonen et al does not explicitly teach appending, to the decrypted packet data, a hardware address of a second network interface of the consumer endpoint different from the first network interface, and appending a hardware address that can be used to identify traffic on the network; and forwarding the decrypted packet data from the consumer endpoint to the network via the second network interface of the consumer endpoint; wherein the second network interface is a dedicated clear text communication interface.
Vinsel et al further teaches appending, to the decrypted packet data, a hardware address of a second network interface of the consumer endpoint different from the first network interface (par [0046], lines 15-30, which discloses configuring an inline tool MAC address with the received packet), and appending a hardware address that can be used to identify traffic on the network (claim 9, which discloses using the inline tool MAC address to determine if the outgoing packet comprises an injected packet); and
wherein the second network interface is a dedicated clear text communication interface (par [0033], lines 18-22, “containing only clear text data”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result previously disclosed regarding claim 10.
Regarding claim 13, Ylonen et al does not explicitly teach wherein appending the hardware address of the second network interface of the consumer endpoint comprises appending a media access control (MAC) address to the decrypted packet data.
Vinsel et al further teaches wherein appending the hardware address of the second network interface of the consumer endpoint comprises appending a media access control (MAC) address to the decrypted packet data (par [0046], lines 25-30, “injected packet based on a user-configurable MAC address”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the network monitoring and intrusion detection embodiment of Vinsel et al with the secure data auditing control system of Ylonen et al, as doing so would provide the predictable result previously disclosed regarding claim 10.
Regarding claim 14, Ylonen et al teaches wherein the packet data received from the second endpoint includes a plurality of data packets (par [0029], which discloses a plurality of packets transmitted in the same session) and wherein the plurality of data packets include data transmitted or received by the second endpoint according to any of a plurality of communication protocols (par [0029] & [0101], lines 7-9, which disclose capturing session packets transmitted using UDP or TCP).
Regarding claim 15, Ylonen et al teaches wherein the packet data received from the second endpoint includes headers (par [0116], lines 1-5, “log packet headers”) and metadata of the data packet and less than the entire data packet (par [0145], lines 1-4, “data extracted from audit packets”).
Regarding claim 16, Ylonen et al teaches wherein the packet data received from the second endpoint includes the headers and metadata of a plurality of data packets (par [0107], which discloses the transmitted audited packets including headers indicating the direction in which the packet was received), and further wherein the plurality of headers and metadata of the plurality of data packets include data transmitted or received by the second endpoint according to any of a plurality of communication protocols (par [0116], which discloses transmitting packet headers using a negotiated, mutual encryption protocol).
7.	Claims 8-9 are rejected under 35 USC 103 as being unpatentable over Ylonen et al (US 2013/0191631) in view of Vinsel et al (US 2018/0248778), further in view of Yato et al (US 2008/0219445).
Regarding claim 8, Ylonen et al and Vinsel et al do not explicitly teach wherein the packet data includes the contents of a second data packet sent or received by the second endpoint using an encryption key of a second community of interest different from the encryption key associated with the packet auditing community of interest.
Yato et al further teaches wherein the packet data includes the contents of a second data packet sent or received by the second endpoint using an encryption key of a second community of interest different from the encryption key associated with the packet auditing community of interest (par [0005], which discloses obtaining a key associated with a third user to enable auditing of communication exchanged after the key is obtained, but not enabling auditing of communication received before the key was obtained).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the encrypted communication auditing environment of Yato et al with the secure data auditing control and intrusion detection systems of Ylonen et al and Vinsel et al, as doing so would provide the improvement of more expedient and precise auditing of data by dictating particular segments to be audited based on factors such as auditing only data received within a specified parameter, which would prevent analysis of data not intended to be audited (as disclosed in par [0005] of Yato et al).
Regarding claim 9, Ylonen et al and Vinsel et al do not explicitly teach transmitting, from a server, a message to the second endpoint enabling transmission of packet data to the consumer endpoint; and transmitting, from a server, a message to the second endpoint changing a transmission characteristic of packet data to the consumer endpoint without interrupting transmission of the packet data.
Yato et al further teaches transmitting, from a server, a message to the second endpoint enabling transmission of packet data to the consumer endpoint (par [0071], lines 13-18, “enable audit communications”) and transmitting, from a server, a message to the second endpoint changing a transmission characteristic of packet data to the consumer endpoint without interrupting transmission of the packet data (par [0156], lines 11-21, “encrypted communication session” & “during the communication session to be audited”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the encrypted communication auditing environment of Yato et al with the secure data auditing control and intrusion detection systems of Ylonen et al and Vinsel et al, as doing so would provide the improvement previously disclosed regarding claim 8.
8.	Claims 17-18 and 20 are rejected under 35 USC 103 as being unpatentable over Ylonen et al (US 2013/0191631) in view of Yato et al (US 2008/0219445).
Regarding claim 17, Ylonen et al teaches an enterprise security management network data packet auditing system (par [0057], which discloses auditing in relation to secure shell sessions), comprising:
an enterprise security management system (par [0086], lines 1-4, “management interface ‘301”);
a database configured to store auditing configuration data (par [0089], lines 4-10, which discloses database servers for logging audited data);
par [0112], lines 1-7, which discloses using a negotiated encryption key to decrypt the packet transmitted between the initiating and destination device), the packet data including at least a portion of one or more data packets, received from endpoints and (par [0110], lines 8-10 and par [0111], which disclose negotiating a secure shell key between the initiating and destination devices to encrypt the packet exchanged between both devices and further transmitted to an auditing server and par [0112], lines 1-7, which discloses using the negotiated encryption key to decrypt the packet transmitted between the initiating and destination device), and perform at least one packet auditing operation on the decrypted packet data (par [0116], lines 1-5, which discloses transmitting the decrypted packet to the audit server for executing an auditing session on the packet).
Ylonen et al does not explicitly teach a secure application programming interface configured to receive messages to enable or disable network data packet auditing at any of a plurality of endpoints within an enterprise network; an authorization server configured to enable or disable network data packet auditing on one or more of the plurality of endpoints within the enterprise network in response to messages received at the secure application programming interface; and the packet data including data encrypted with a common community of interest key to form decrypted packet data.
Yato et al further teaches a secure application programming interface configured to receive messages to enable or disable network data packet auditing at any of a plurality of endpoints within an enterprise network (par [0071], lines 13-18, “enable audit communications of an encrypted communication session”); 
an authorization server configured to enable or disable network data packet auditing on one or more of the plurality of endpoints within the enterprise network in response to messages received at the secure application programming interface (par [0005] & fig. 3, which disclose a service providing server implemented to permit communication initiation and to enable communication auditing after a key is obtained); and 
the packet data including data encrypted with a common community of interest key to form decrypted packet data (par [0231], lines 12-16 and [0233], which discloses a plurality of users having access to stored shared keys).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the encrypted communication auditing environment of Yato et al with the secure data auditing control system of Ylonen et al, as doing so would provide the improvement of more expedient and precise auditing of data by dictating particular segments to be audited based on factors such as auditing only data received within a specified parameter, which would prevent analysis of data not intended to be audited (as disclosed in par [0005] of Yato et al).
Regarding claim 18, Ylonen et al does not explicitly teach one or more endpoints configured to copy packet data, encrypt copied packet data with the common community of interest key and send encrypted copied packet data to a consumer endpoint within the enterprise network in response to being enabled by the authorization server.
Yato et al further teaches one or more endpoints configured to copy packet data, encrypt copied packet data with the common community of interest key (par [0009], lines 1-20, which discloses encrypting a transmitted packet copy using one of the plurality of shared keys stored in the key management database) and send encrypted copied packet data to a consumer endpoint within the enterprise network in response to being enabled by the authorization server (par [0054], “copy of the received encrypted packet”).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the encrypted communication auditing environment of Yato et al within the secure data auditing control system of Ylonen et al according to the motivation addressed regarding claim 17.
Regarding claim 20, Ylonen et al teaches wherein the one or more endpoints are further configured to transmit or receive packet data according to a plurality of communication protocols (par [0029] & [0101], lines 7-9, which disclose a plurality of packets transmitted in the same session & capturing session packets transmitted using UDP or TCP).
9.	Claim 19 is rejected under 35 USC 103 as being unpatentable over Ylonen et al (US 2013/0191631), in view of Yato et al (US 2008/0219445), further in view of Vinsel et al (US 2018/0248778).
Regarding claim 19, Ylonen et al teaches a packet inspection server configured to inspect the modified decrypted data packets received from the one or more consumer endpoints (par [0030-0033], which discloses an audit server implemented to audit decrypted data captured by an interceptor).
Ylonen et al does not explicitly teach wherein the one or more consumer endpoints are further configured to attach MAC headers to the decrypted packet data to form modified decrypted packet data, and send the modified decrypted packet data packets to the enterprise network via a dedicated clear text communication interface.
Vinsel et al further teaches wherein the one or more consumer endpoints are further configured to attach MAC headers to the decrypted packet data to form modified decrypted packet data (par [0046], lines 15-30, which discloses received decrypted, injected packets including a configurable MAC address); and
send the modified decrypted packet data packets to the enterprise network via a dedicated clear text communication interface (par [0033], lines 18-22, which discloses decrypted packets containing only clear text data being transmitted).
It would have been obvious to one of ordinary skill in the art before the effective date of the invention to combine the encrypted communication auditing environment of Vinsel et al with the secure data auditing control systems of Ylonen et al and Yato et al, as doing so would provide the predictable result of reducing latency and preventing the increased costs accrued during packet auditing sessions (disclosed by Ylonen et al and Yato et al) by implementing the parallel, inline forwarding of monitored traffic and a latency timer for each packet analysis (as disclosed in par [0022], lines 21-27 and par [0044] of Vinsel et al) within the embodiments of Ylonen et al and Yato et al to ensure that each packet auditing session is performed within a predetermined maximum time period, reducing processing time for each session.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Randy A. Scott whose telephone number is (571) 272-3797. The examiner can normally be reached on Monday-Thursday 7:30 am-5:00 pm, second Fridays 7:30 am-4pm.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RANDY A SCOTT/Primary Examiner, Art Unit 2439    20210216