DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is responding to the amendment dated on 01/29/2021.
Claims 1-21 and 27-35 have been amended, Claims 22-26 and 36 have been canceled.
Claims 1- 21 and 27-35 are submitted for examination.
Claims 1- 21 and 27-35 are pending.
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Priority

This application filed on July 24, 2018 claims priority as continuation-in-part (CIP)  from application 14/544,987 filed on March 11, 2015 which claims priority as CIP from application 13/987,747 filed on August 27, 2013 which claims priority as CIP from application 13/373,586 filed on November 18, 2011. 


Response to Arguments
Applicant’s amendment filed on January 29, 2021 has Claims 1-21 and 27-35 amended and Claims 22-26 and 36 canceled.
Examiner acknowledge that priority issue has been addressed by filing a corrected Application Data Sheet.
The prior 35 U.S.C. 112 rejection of Claims 1, 27, 30 and 35 has been withdrawn in view of the amendment received on January 29, 2021.
The prior objection to drawings for Figures 1-7 and 28 have been withdrawn based on applicant’s persuasive remarks, however objection to Figures 22-27 and 54-63 are maintained. Examiner suggest adding descriptions (alphabetic) to elements as per specification. For example in Figure 22 element 20 is a network so add a label as “Network” along with the number 20.
The prior objection of dependent claims 2-21, 23-26, 28-29 and 31-34 has been withdrawn in view of the amendment received on January 29, 2021.
The prior 35 U.S.C. 101 rejection of Claims 1, 27, 30 and 35 is maintained. Examiner acknowledge that the applicant has amended claims reciting a “processor” however a processor can be a virtual processor. Examiner suggest adding a “hardware processor” and/or “memory” to overcome the 35 U.S.C. 101 rejection.
The prior 35 U.S.C. 112 rejection of Claim 35 has been withdrawn in view of amendment received on January 29, 2021.
Applicant’s remark filed on January 29, 2021, on bottom of page 24 regarding, “Claim I now provides "said identity recognizer (25) in said peering service (24) in said authentication device (18) for determining an identity (22) of a sender of said IP packet John et al. (US PGPUB. # US 2006/0236370) discloses, collector 6 associates session information, such as session information 98, with at least one object attribute by matching the client application network address included in the session information with at least one object attribute that has been associated with a network address obtained from an authentication packet. The Monitor Device Patent teaches various embodiments for associating a network address from an authentication packet with a set of object attributes. In accordance with one embodiment of the present invention, monitor 4 identifies authentication exchange packets from the packets received. For each authentication exchange packet identified, monitor 4 extracts a user ID and a network address from the authentication exchange packet and sends the user ID and network address to collector 6, which attempts to associate the user ID with user information maintained by the directory service. If collector 6 successfully associates the user ID and with user information maintained by the directory service, collector 6 creates an association between the network address extracted from the authentication packet and the user information. Collector 6 then records the association between the network address and the user information in a database. For example, control software 94 obtains the user information in the form of user object attributes, which control software 94 obtains from directory service 14. Control software 94 stores these user object attributes in memory store 24 in a suitable form, such as in database table 120, shown in FIG. 4. Control software 94 associates (Fig. 1, ¶95-¶96). A user ID and a network address are extracted 244 from each authentication exchange packet identified. The user ID is in the form of a Kerberos principal name if the authentication exchange packet identified complies with the Kerberos authentication protocol. In one variation of the embodiment of the present invention shown in FIG. 5, the type of network address extracted is a destination network address if the type of authentication exchange packet selected for identification 242 is an authentication exchange response packet. In another variation, the type of network address extracted is a source network address if the type of authentication exchange selected for identification 242 is an authentication exchange request packet. The user ID and the extracted network address are validated 246. Validation of the extracted user ID may be accomplished by, for example, determining whether the extracted user ID includes a user name that matches a user name attribute from one of the set of user object attributes previously stored in memory store 24 (shown in FIG. 1). If a match is found, the extracted user ID is deemed successfully validated. Validation of the extracted network address may be accomplished by determining whether a real user is logged on to the client that initiated the authentication exchange. In one embodiment of the present invention, this may be accomplished by using the extracted network address in a hostname request that is sent to a name (Fig. 9(242, 244, 246), ¶161-¶164). Umesawa teaches, “the group identifying unit 15 identifies whether information concerning the number of received SYN packets, included in the received entry, is held in a group identification table 120. If it is identified that the information is held, the group identifying unit 15 acquires, from the table 120, authentication information indicating the group corresponding to the number information, and transmits the authentication information to a resource management unit 16, together with the entry. FIG. 7C shows an example of the group identification table 120. As shown, the table 120 is a list in which the numbers of packets uniquely assigned to respective groups are made to correspond to group identification information items (in the embodiment, these items are group names, but may be group IDs instead)”. Thus person having an ordinary skill in the art would have combined John with Umesawa to determine an identification of a user sending a packet. The 
 Applicant’s remark, filed on January 29, 2021 on middle of page 25 regarding, “Moreover, each of claims 1, 27, 30. and 35 has been amended to provide the TCP header of the IP packet (12) is without an ACK bit. The specification makes clear that the TCP SYN/ACK processing is a response by a TCP/IP protocol stack upon receiving a TCP SYN message to establish, i.e. start, a TCP session. Spec, p. 36, ins 18-20. Thus, until a response is provided, the ACK bit is unset. Similarly, the specification provides the TCP SYN packet is one set to15 request a TCp connection. Spec. p. 36, lines 1-2”. Because the claims have been amended to clarify the unset ACK bit, the claims are patentable over a combination where Umesawa is the primary reference”, has been considered, however applicant’s amendment necessitates a new ground of rejection. Accordingly, newly cited art by John et al. (US PGPUB. # US 2006/0236370) discloses, “under TCP and referring to FIGS. 1 and 2A, a client application, such as client application 62a, initiates an application session by sending a SYN request to a server application, such as server application 64a. The SYN request includes the client application's network address 99a and port ID 62b and the server application's network address 99b and port ID 64b, which are respectively encapsulated in the source address, source port ID, destination address and destination port ID fields of a TCP packet having its SYN bit set and its ACK bit not set. This type of TCP packet is herein after referred to as a SYN packet, such as SYN packet 66a in FIG. 1”. (¶37). Thus John teaches, the TCP header of the IP packet (12) is without an ACK bit as ACK bit is not set.

The drawings figures 22-27 and 54-63 are objected to under 37 CFR 1.83(a) because they fail to show labels, descriptions as described in the specification.  Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance. 




Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 27, 30 and 35 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. 
a.	Independent Claims 1, 22, 27, 30 and 35 recites, “An apparatus comprising………”. However, the body of the claim lacks definite structure indicative of a physical product. Therefore, the claim as a whole appears to be nothing more than computer software, and software per se does not fall within a statutory category. Examiner submits that some claim limitations recites “a network interface”, however it is not clear a network interface is a hardware or software as the interface could be a virtual interface.  Examiner suggest adding a hardware processor and/or memory to the claim elements in order to be patent-eligible under 35 U.S.C. 101. Examiner acknowledge that the applicant has amended the claims to include a processor, however a processor can be a virtual processor. Thus it is suggested to include a hardware processor and/or memory.
Dependent Claims 2-21, 28-29 and 31-34 does not recites any hardware structures.




Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 27, 30 and 35 recites the limitations, “An apparatus for authenticating the identify of network traffic using a network endpoint device (10)…..”. There is insufficient antecedent basis for the limitation in the claims.  It is not clear what “the identity of network traffic”, is referring to as no mentioning of “an identity of network traffic.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-5, 9-11, 14-16, 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”).
Regarding Claim 1, Umesawa teaches,
An apparatus for authenticating the identify of network traffic using a network endpoint device (10). the network endpoint device (10) having a processor, comprising: 
a network (20) (Fig. 1(3), ¶85, “a communication network 3 that includes an open network, such as the Internet”); 
said network endpoint device (10) (Fig.1 (2), ¶85, “client computers 2”), a remote network device (11) (Fig. 1(1), ¶85, “server computers 1”), and an authentication device (18) each being connected to said network (20) (Fig. 1, ¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, i.e. Examiner submits that one of the server acts as an authentication device);  
said authentication device (18) including a network interface (49) (Fig. 6, ¶112, “The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16”, i.e. packets are transmitted via a network interface) [and a peering service (24)]; 
said network endpoint device (10) including at least one network interface (49) (Fig. 5, ¶100, “an access port with No. 80 is used for transmitting a SYN packet to a certain server computer 1”, i.e. client computer has a network interface and packets are transmitted);  
said network endpoint device (10) for receiving an IP packet (12) from said remote network device (11) using said network interface (49) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶96, “The server computer, in turn, transmits a connection request acknowledgement packet (in the first embodiment, this packet will be referred to as a synchronization acknowledgement (SYN+ACK) packet) to the client computer”); 
said IP packet (12) including a TCP header (14) (Fig. 3, ¶94) ;  
said network (20) for conveying said IP packet (12) to said authentication device (18) (¶43, “authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, ¶98, “the connection requesters that are allowed to access a certain server computer 1 are beforehand divided into a plurality of groups, and the number of transmissions of a connection request packet that differs between the groups is determined and used at least as authentication information for each group”, i.e. network is transmitting IP packet to an authentication server).
Umesawa does not teach explicitly,
[said authentication device (18) including a network interface (49)] and a peering service (24); 
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
said TCP header (14) including a TCP SYN bit (16) and without an ACK bit;
said identity recognizer (25) in said peering service (24) in said authentication device (18) for determining an identity (22) of a sender of said IP packet (12);
said peering service for selecting a policy rule (26) by matching said identity (22) from said first table of policy rules (27);
said authentication device (18) for applying said policy rule (26) to said IP packet (12).
However, Rao teaches,
[said authentication device (18) including a network interface (49)] and a peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”); 
said peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”) including an identity recognizer (25) (Fig. 3(52), ¶46, “an AAA module 52”) and a first table of policy rules (27) (Fig. 3(54), ¶46, “a policy module 54”); 
said identity recognizer (25) (Fig. 3(52), ¶46, “an AAA module 52”) in said peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”) [in said authentication device (18) for determining an identity (22) of a sender of said IP packet (12)]
said peering service for selecting a policy rule (26) by matching said identity (22) from said first table of policy rules (27) (¶46, “Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34”, i.e. policy rule is selected based on matching an identity);
said authentication device (18) for applying said policy rule (26) to said IP packet (12) (¶46, “Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services”, i.e. policy rule is applied).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa.
Umesawa teaches an authentication device receiving an IP packet and identifying identity of the IP packet. Rao teaches, selecting policy rule and applying policy rule based on the identity.  Therefore, it would have been obvious to have selecting policy rule and applying policy rule based on the identity of Rao with providing an authentication device receiving an IP packet and identifying identity of the IP packet of Umesawa to apply policy rule based on identified user to provide secure session. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa and Rao does not teach explicitly,
said TCP header (14) including a TCP SYN bit (16) and without an ACK bit;
[said identity recognizer (25) in said peering service (24)] in said authentication device (18) for determining an identity (22) of a sender of said IP packet (12).
However John teaches,
said TCP header (14) including a TCP SYN bit (16) and without an ACK bit (¶37, “The SYN request includes the client application's network address 99a and port ID 62b and the server application's network address 99b and port ID 64b, which are respectively encapsulated in the source address, source port ID, destination address and destination port ID fields of a TCP packet having its SYN bit set and its ACK bit not set”, i.e. TCP header including a TCP SYN bit and without ACK bit as ACK bit is not set);
[said identity recognizer (25) in said peering service (24)] in said authentication device (18) for determining an identity (22) of a sender of said IP packet (12) (Fig. 1, ¶95, “monitor 4 extracts a user ID and a network address from the authentication exchange packet and sends the user ID and network address to collector 6, which attempts to associate the user ID with user information maintained by the directory service. If collector 6 successfully associates the user ID and with user information maintained by the directory service, collector 6 creates an association between the network address extracted from the authentication packet and the user information”, ¶96, Fig. 9(242, 244, 246), ¶161-¶163, ”The user ID and the extracted network address are validated 246. Validation of the extracted user ID may be accomplished by, for example, determining whether the extracted user ID includes a user name that matches a user name attribute from one of the set of user object attributes previously stored in memory store 24 (shown in FIG. 1)“, ¶164, i.e. identity of a sender of an IP packet is determined).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of John with the invention of Umesawa in view of Rao.
Umesawa in view of Rao teaches an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity.  John teaches, determining an identity of a sender of an IP packet. Therefore, it would have been obvious to have determining an identity of a sender of an IP packet of John into the teachings of Umesawa in view of Rao to apply policy rule based on identified user to provide secure session. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 

Regarding Claim 2, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
An apparatus as recited in Claim 1, in which conveying context information to said authentication device (18) along with said IP packet (12). (¶43, “authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, ¶98, “the connection requesters that are allowed to access a certain server computer 1 are beforehand divided into a plurality of groups, and the number of transmissions of a connection request packet that differs between the groups is determined and used at least as authentication information for each group”, i.e. network is transmitting IP packet to an authentication server ¶110, “The group identifying unit 15 identifies whether information concerning the number of received SYN packets, included in the received entry, is held in a group identification table 120. If it is identified that the information is held, the group identifying unit 15 acquires, from the table 120, authentication information indicating the group corresponding to the number information, and transmits the authentication information to a resource management unit 16, together with the entry”, i.e. group identifying information (context information) is conveyed along with the IP packet).

Regarding Claim 3, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, in which said network interface (49) information of said network endpoint device (10) is conveyed to said authentication device (18) along with said IP packet (12). (¶94, Fig. 3, ¶100, “a connection request packet generator 21 generates a SYN packet upon receiving, from a connection requester via a user interface (not shown), an instruction to request a connection to a certain server computer 1”, ¶101, “The connection establishment table 100 at least holds information on the number of transmissions of a SYN packet needed for the connection requester to establish a connection to each server computer 1”, Fig. 7B, ¶106,” Each entry includes the identification (e.g., client computer IP address) of a connection requester, the total number of SYN packets transmitted by the connection requester so far from the start of connection establishment and received by the server computer 1”, i.e. IP address (network interface information) is conveyed along with the IP packet).

Regarding Claim 4, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, in which said authentication device (18) is used by a plurality of said network endpoint devices (10) concurrently. (Fig. 1, ¶85, Fig. 7B (“Client A”, “Client C”), ¶106, “FIG. 7B shows an example of the connection control table 110. The connection control table 110 temporarily holds the entries currently subjected to connection establishment processing”, i.e. server (authentication device) is used by plurality of clients (endpoint devices)).

Regarding Claim 5, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, in which said network endpoint device (10) does not save context information regarding said IP packet (12). (¶103, “The unit 23 transmits the received IP packet to a connection request acknowledgement packet (SYN+ACK packet) determination unit 24, where it is determined whether the IP packet is a connection request acknowledgement packet (SYN+ACK packet) returned in response to any one of the SYN packets transmitted from the transmitting unit 22. If the IP packet is the SYN+ACK packet, the client computer 2 performs processing for establishing a connection to the target server computer 1”, ¶110, ¶112, “The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16. The SYN+ACK packet is then received by the previously described receiving unit 23 of the client computer 2”, i.e. endpoint device does not save group identifying (context) information).

Regarding Claim 9, rejection of Claim 1 is included and for the same motivation Umesawa does not teach explicitly,
The apparatus as recited in Claim 1, in which 
said authentication device (18) for conveying a policy rule (26) to said network endpoint device (10) via said network (20); and 
said network endpoint device (10) for adding said policy rule (26) to a second table of policy rules (36).
However, Rao teaches,
The apparatus as recited in Claim 1, in which 
said authentication device (18) for conveying a policy rule (26) to said network endpoint device (10) via said network (20) (¶46, “AAA server 26 may respond with representative user policy 34. Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing”, i.e. AAA server conveys user policy to endpoint device); and 
said network endpoint device (10) for adding said policy rule (26) to a second table of policy rules (36) (Fig. 5(112, 114), ¶51, “At 112, NAC 24 may push user policy 34 to VEM 20. VEM 20 may distribute user policy 34 to services (e.g., VSG 58) at 114”).

Regarding Claim 10, rejection of Claim 9 is included and for the same motivation Umesawa does not teach explicitly,
The apparatus as recited in Claim 9, in which said policy rule (26) at said network endpoint device (10) expires after a period of time.
However Rao teaches,
The apparatus as recited in Claim 9, in which said policy rule (26) at said network endpoint device (10) expires after a period of time (¶33, “The VSG may inspect the packet, apply appropriate policies from user policy 34(1) and send a policy decision to vPath 22(1). vPath 22(1) may cache the policy decision in a flow table”, i.e. policy are stored in cache indicates that policy expires after certain time).

Regarding Claim 11, rejection of Claim 9 is included and for the same motivation Umesawa does not teach explicitly,
The apparatus as recited in Claim 9, further comprising: a peer authentication management application (44) for adding said policy rule (26) to said second table of policy rules (36).
However Rao teaches,
The apparatus as recited in Claim 9, further comprising: a peer authentication management application (44) for adding said policy rule (26) to said second table of policy rules (36) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”, ¶46, “Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34”).

Regarding Claim 14, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, in which said authentication device (18) does not share with said network endpoint device (10) cryptographic keys necessary to perform said authentication (¶244, “the server computer 1 identifies the digital signature using, instead of the message authenticator, the public key of the client computer 2, when identifying a connection request packet”, i.e. Examiner submits that cryptographic keys are not shared to perform authentication).

Regarding Claim 15, rejection of Claim 1 is included and for the same motivation Umesawa does not teach explicitly,
The apparatus as recited in Claim 1, in which said network endpoint device (10) receives said IP packet (12), selects a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36); and 
applies said policy rule (26) to said IP packet (12).
However, Rao teaches,
The apparatus as recited in Claim 1, in which said network endpoint device (10) receives said IP packet (12), selects a matching policy rule (26) that matches some portion of said IP packet (12) from a second table of policy rules (36) (¶46, “Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34”, i.e. policy rule is selected based on matching an identity); and 
applies said policy rule (26) to said IP packet (12) (¶46, “Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services”, i.e. policy rule is applied).

Regarding Claim 16, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, in which 
said network endpoint device (10) receives said IP packet (12) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶96, “The server computer, in turn, transmits a connection request acknowledgement packet (in the first embodiment, this packet will be referred to as a synchronization acknowledgement (SYN+ACK) packet) to the client computer”); 
Umesawa does not teach explicitly,
selects a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36); and applies said policy rule (26) to said IP packet (12).
However, Rao teaches,
selects a policy rule (26) that matches said network interface (49) information from a second table of policy rules (36) (¶46, “Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34”, i.e. policy rule is selected based on matching an identity; and
applies said policy rule (26) to said IP packet (12) (¶46, “Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services”, i.e. policy rule is applied).

Regarding Claim 20, rejection of Claim 1 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 1, [in which a peer authentication management application (44)] conveys said IP packet (12) to said authentication device (18) (¶43, “authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, ¶98, “the connection requesters that are allowed to access a certain server computer 1 are beforehand divided into a plurality of groups, and the number of transmissions of a connection request packet that differs between the groups is determined and used at least as authentication information for each group”, i.e. network is transmitting IP packet to an authentication server).
Umesawa does not teach explicitly,
The apparatus as recited in Claim 1, in which a peer authentication management application (44) [conveys said IP packet (12) to said authentication device (18)].
However, Rao teaches,
The apparatus as recited in Claim 1, in which a peer authentication management application (44) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”) [conveys said IP packet (12) to said authentication device (18)].

Regarding Claim 21, rejection of Claim 15 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 15, in which 
said network endpoint device (10), upon receiving said IP Packet (12) from said remote network device (11) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶96, “The server computer, in turn, transmits a connection request acknowledgement packet (in the first embodiment, this packet will be referred to as a synchronization acknowledgement (SYN+ACK) packet) to the client computer”), [compares said IP packet (12) against entries in a second table of policy rules (36); and if 
said network endpoint device (10) fails to select a matching policy rule (26); 
said network endpoint device (10) then continues with said determination of said identity (22)].
Umesawa does not teach explicitly,
[said network endpoint device (10), upon receiving said IP Packet (12) from said remote network device (11)] compares said IP packet (12) against entries in a second table of policy rules (36); and if 
said network endpoint device (10) fails to select a matching policy rule (26); 
said network endpoint device (10) then continues with said determination of said identity (22).
However, Rao teaches,
[said network endpoint device (10), upon receiving said IP Packet (12) from said remote network device (11)] compares said IP packet (12) against entries in a second table of policy rules (36) (¶46, “Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34”, i.e. policy rule is selected based on matching an identity); and if 
said network endpoint device (10) fails to select a matching policy rule (26); said network endpoint device (10) then continues with said determination of said identity (22) (¶46, “Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services”, i.e. policy rule is applied).



Claims 6-8 are rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Chaturvedi et al. (US PGPUB. # US 2010/0312902, hereinafter “Chaturvedi”).

Regarding Claim 6, rejection of Claim 1 is included and Umesawa teaches,
The apparatus as recited in Claim 1, in which 
said network endpoint device (10) [including an authenticated session table (30)] and a TCP/IP protocol stack (32) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶87-91, i.e. endpoint device has a TCP/IP protocol stack); 
said authentication device (18) is used to convey said IP packet (12) to said network endpoint device (10) via said network (20) (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. selected IP packets conveyed to an endpoint device); 
said network endpoint device (10) is used to create a session descriptor (28) in said authenticated session table (30); and 
said network endpoint device (10) is used convey said IP packet (12) is to said TCP/IP protocol stack (32) (¶103, “The unit 23 transmits the received IP packet to a connection request acknowledgement packet (SYN+ACK packet) determination unit 24, where it is determined whether the IP packet is a connection request acknowledgement packet (SYN+ACK packet) returned in response to any one of the SYN packets transmitted from the transmitting unit 22”, i.e. received packet is conveyed to TCP/IP protocol stack).
Combination of Umesawa, Rao and John does not teach explicitly,
[said network endpoint device (10)] including an authenticated session table (30) [and a TCP/IP protocol stack (32)]; 
said network endpoint device (10) is used to create a session descriptor (28) in said authenticated session table (30); 
However, Chaturvedi teaches,
[said network endpoint device (10)] including an authenticated session table (30) (¶67, “Upon authentication, the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online”, ¶79, ¶85, ¶89) [and a TCP/IP protocol stack (32)]; 
said network endpoint device (10) is used to create a session descriptor (28) in said authenticated session table (30) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. a session descriptor is created); 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Chaturvedi with the invention of Umesawa in view of Rao and John.
Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 7, rejection of Claim 6 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 6, in which 
said authentication device (18) for conveying said context information and said network interface (49) information of said network endpoint device (10) to said network endpoint device (10) with said IP packet (12) (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. selected IP packets conveyed to an endpoint device, ¶111, “the resource management unit 16 generates a SYN+ACK packet for one of SYN packets transmitted from client computers 2 that belong to the group, and transmits it to a transmitting unit 17”); and 
Combination of Umesawa, Rao and John does not teach explicitly,
said session descriptor (28) for storing said context information and said network interface information (49).
However, Chaturvedi teaches,
said session descriptor (28) for storing said context information and said network interface information (49) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. a session descriptor is created and context information is stored).

Regarding Claim 8, rejection of Claim 6 is included and for the same motivation Umesawa teaches,
The apparatus as recited in Claim 6, in which said network endpoint device (10) for receiving authentication processing information with said IP packet (12); (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. selected IP packets conveyed to an endpoint device, ¶110-¶111, “the resource management unit 16 generates a SYN+ACK packet for one of SYN packets transmitted from client computers 2 that belong to the group, and transmits it to a transmitting unit 17”, i.e. client device (network endpoint) receives authentication processing information);  and 
Combination of Umesawa, Rao and John does not teach explicitly,
said session descriptor (28) for storing said authentication processing information.
However, Chaturvedi teaches,
said session descriptor (28) for storing said authentication processing information (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. authentication processing is stored).





Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Lloyd et al. (US PAT. # US 6,219,790, hereinafter “Lloyd”).

Regarding Claim 12, rejection of Claim 1 is included and combination of Umesawa, Rao and John does not teach explicitly,
The apparatus as recited in Claim 1, in which said authentication device (18) uses transport access control to perform authentication.
However, Lloyd teaches,
The apparatus as recited in Claim 1, in which said authentication device (18) uses transport access control to perform authentication (Abstract, “An AAA server comprises a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol”, “the AAA server determines the details of the access request and identifies the permit required to authorize access”. (CL(5), LN(65-67), CL(6), LN(1-21), Fig. 3(308, 310), CL(11), LN(47-54),i.e. authentication device uses transport access control to perform authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.

Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity and determining an identity of a sender of an IP packet. Lloyd teaches, an authentication device authenticating a client using transport protocol. Therefore, it would have been obvious to have an authentication device authenticating a client using transport protocol of Lloyd into the teachings of Umesawa in view of Rao and John to provide a distributed security system capable of supporting a variety of authentication transport protocols used by a variety of client types and is capable of supporting accounting functionality from the same database used to store user authentication and authorization information. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Adnan M. Alattar (US PGPB. # US 2011/0091066, hereinafter “Alattar”).

Regarding Claim 13, rejection of Claim 1 is included and combination of Umesawa, Rao and John does not teach explicitly,
The apparatus as recited in Claim 1, in which said authentication device (18) uses statistical object identification to perform authentication.
However, Alattar teaches,
The apparatus as recited in Claim 1, in which said authentication device (18) uses statistical object identification to perform authentication (Abstract, “Digital watermark methods for encoding auxiliary data into a host signal are used to authenticate physical and electronic objects. One such method computes a content specific message dependent on the host signal, encodes the content specific message into a watermark signal, and embeds the watermark in the host signal such that the watermark signal is substantially imperceptible in the host signal”, ¶55, “Various forms of statistical analyses may be performed on a signal to identify places to locate the watermark”, ¶162, “the detector maps this ratio to a detection value based on a statistical analysis of unmarked images”, ¶240, “The characteristic computed at decoding time is then matched with the characteristic stored in the database to determine whether it is sufficiently close to the stored characteristic. If so, it is deemed valid; otherwise, it is rejected”, i.e. statistical object identification is used to perform an authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.

Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity and determining an identity of a sender of an IP packet. Alattar teaches, an authentication device authenticating a client using statistical object identification. Therefore, it would have been obvious to have an authentication device authenticating a client using statistical object identification of Alattar into the teachings of Umesawa in view of Rao and John  to protect data, assets. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Claims 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Stephen Waller Melvin (US PAT. # US 8,301,753, hereinafter “Melvin”).

Regarding Claim 17, rejection of Claim 1 is included and combination of Umesawa, Rao and John does not teach explicitly,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42); 
said logging device (42) for receiving log information (50) from said authentication device (18);  
said log information (50) including TCP/IP session information from said IP packet (12) and said network interface (49) of said network endpoint device (10) said IP packet was received on.
However, Melvin teaches,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42) (Fig. 3(370), Fig. 5(590)); 
said logging device (42) for receiving log information (50) from said authentication device (18) (CL(3), LN(28-29), “Access Log 370 receives information from Web Server 360, NAT Gateway 330 and DHCP Server 340.”,CL(3), LN(34-48), i.e. access log (logging device) receive information form authentication device) ;  
said log information (50) including TCP/IP session information from said IP packet (12) and said network interface (49) of said network endpoint device (10) said IP packet was received on (CL(8), LN(28-40), “it may be sufficient that the information necessary to correlate a specific user with specific Internet activity is available if and when necessary”, i.e. session information is received).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.

Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity and determining an identity of a sender of an IP packet. Melvin teaches, a logging device recording session activity. Therefore, it would have been obvious to have a logging device recording session activity of Melvin into the teachings of Umesawa in view of Rao and John to provide debugging and troubleshooting, detection and monitoring of abuse, statistical analysis, demographic analysis, report generation and other general business purposes. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 18, rejection of Claim 1 is included and combination of Umesawa, Rao and John does not teach explicitly,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42); 
said logging device (42) for receiving log information (50) from said authentication device (18);  
said log information (50) including said identity (22) from said IP packet (12).
However, Melvin teaches,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42) (Fig. 3(370), Fig. 5(590)); 
said logging device (42) (Fig. 3(370), Fig. 5(590)) for receiving log information (50) from said authentication device (18) (CL(3), LN(28-29), “Access Log 370 receives information from Web Server 360, NAT Gateway 330 and DHCP Server 340.”,CL(3), LN(34-48), i.e. access log (logging device) receive information form authentication device);  
said log information (50) including said identity (22) from said IP packet (12) (CL(6), LN(51-60), “Included in each log entry is a date stamp, the name of the host generating the information, the process ID for the running process, a queue ID and a comma separated list of parameter/value pairs. One of the parameter/value pairs commonly logged is the name and IP address of the remote host the email is being received from or is being sent to”).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Melvin with the invention of Umesawa in view of Rao and John.
Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity and determining an identity of a sender of an IP packet. Melvin teaches, a logging device recording session activity. Therefore, it would have been obvious to have a logging device recording session activity of Melvin  KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Regarding Claim 19, rejection of Claim 1 is included and combination of Umesawa and Rao does not teach explicitly,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42); 
said logging device (42) for receiving log information (50) from said authentication device (18);  
said log information (50) including said policy rule (26) identity applied to said IP packet (12).
However, Melvin teaches,
The apparatus as recited in Claim 1, further comprising: 
a logging device (42) (Fig. 3(370), Fig. 5(590)); 
said logging device (42) for receiving log information (50) from said authentication device (18) (CL(3), LN(28-29), “Access Log 370 receives information from Web Server 360, NAT Gateway 330 and DHCP Server 340.”,CL(3), LN(34-48), i.e. access log (logging device) receive information form authentication device);  
said log information (50) including said policy rule (26) identity applied to said IP packet (12) (Fig. 4(460), CL(5), LN(47-56), “Remote Server 430, which is at IP address 66.102.7.104 receives a packet to port 80 from source IP address 63.198.33.202, port 3541. Remote Server logs the access as illustrated in information block 460”).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Melvin with the invention of Umesawa in view of Rao and John.
Umesawa in view of Rao and John teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity and determining an identity of a sender of an IP packet. Melvin teaches, a logging device recording session activity. Therefore, it would have been obvious to have a logging device recording session activity of Melvin into the teachings of Umesawa in view of Rao and John to provide debugging and troubleshooting, detection and monitoring of abuse, statistical analysis, demographic analysis, report generation and other general business purposes. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Claim 27 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Chaturvedi et al. (US PGPUB. # US 2010/0312902, hereinafter “Chaturvedi”)
Regarding Claim 27 Umesawa teaches,
An apparatus for authenticating the identify of network traffic using a network endpoint device (10), the network endpoint device (10) having a processor comprising: 
said network endpoint device (10) (Fig.1 (2), ¶85, “client computers 2”); 
said network endpoint device (10) including 
a TCP/IP protocol stack (32) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶87-91, i.e. endpoint device has a TCP/IP protocol stack); 
a network device driver (48) (Fig. 5, ¶100, “the connection request packet generator 21 refers to the connection establishment table 100, acquires information on the number of transmissions of a SYN packet, needed for the connection to the designated server computer 1, and outputs the generated SYN packet to a transmitting unit 22 a number of times corresponding to the acquired number of transmissions”, i.e. Examiner submits that a packet is transmitted to a server over network indicates that a network device driver is required); 
a network interface (49) (Fig. 5, ¶100, “an access port with No. 80 is used for transmitting a SYN packet to a certain server computer 1”, i.e. client computer has a network interface and packets are transmitted); and 
[said peer authentication driver (46)] for receiving an IP packet (12) from said TCP/IP protocol stack (32) (¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶96, “The server computer, in turn, transmits a connection request acknowledgement packet (in the first embodiment, this packet will be referred to as a synchronization acknowledgement (SYN+ACK) packet) to the client computer”); 
[said peer authentication driver (46) for locating a session descriptor (28) corresponding to said IP packet (12) in said authenticated session table (30); and
said peer authentication driver (46)] for processing said IP packet (12) in accordance with said session descriptor (28) (¶103, “The unit 23 transmits the received IP packet to a connection request acknowledgement packet (SYN+ACK packet) determination unit 24, where it is determined whether the IP packet is a connection request acknowledgement packet (SYN+ACK packet) returned in response to any one of the SYN packets transmitted from the transmitting unit 22”, i.e. received packet is conveyed to TCP/IP protocol stack);
Umesawa does not teach explicitly,
a peer authentication driver (46);  
an authenticated session table (30); 
said peer authentication driver (46) [for receiving an IP packet (12) from said TCP/IP protocol stack (32)];
said peer authentication driver (46) for locating a session descriptor (28) corresponding to said IP packet (12) in said authenticated session table (30); and
said peer authentication driver (46) [for processing said IP packet (12) in accordance with said session descriptor (28)].
However, Chaturvedi teaches,
(Fig. 2b(“Peer Control”), ¶48, “a peer control module”);  
an authenticated session table (30) (¶67, “Upon authentication, the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online”, ¶79, ¶85, ¶89); 
said peer authentication driver (46) (Fig. 2b(“Peer Control”), ¶48, “a peer control module”) [for receiving an IP packet (12) from said TCP/IP protocol stack (32)];
said peer authentication driver (46) for locating a session descriptor (28) corresponding to said IP packet (12) in said authenticated session table (30) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. IP address is determined from the IP packet and the IP address is matched to determine online buddy indicates that a session descriptor is located to a corresponding IP address); and
said peer authentication driver (46) (Fig. 2b(“Peer Control”), ¶48, “a peer control module”) [for processing said IP packet (12) in accordance with said session descriptor (28)].
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Chaturvedi with the invention of Umesawa.
Umesawa teaches a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack. Chaturvedi teaches, an authenticated device having a session table to process an IP packet.  Therefore, it would have been obvious to have an authenticated device having a session table to process an IP packet of Chaturvedi with a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack of Umesawa to process an IP packet according to an authenticated session table. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 









Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Chaturvedi et al. (US PGPUB. # US 2010/0312902, hereinafter “Chaturvedi”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of Lloyd et al. (US PAT. # US 6,219,790, hereinafter “Lloyd”).

Regarding Claim 28, rejection of Claim 27 is included and Umesawa teaches,
The apparatus as recited in Claim 27, further comprising: 
an authentication device (18) (Fig. 1, ¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, i.e. Examiner submits that one of the server acts as an authentication device); 
said authentication device (18) including a network interface (49) (Fig. 6, ¶112, “The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16”, i.e. packets are transmitted via a network interface) [and a peering service (24)]; 
said authentication device (18) for performing authentication (¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network is a legitimate client computer”, ¶44-¶53,i.e. successfully authenticate an identity); 
said authentication device (18) for creating information to be conveyed to said network endpoint device (10) (¶112, The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16. The SYN+ACK packet is then received by the previously described receiving unit 23 of the client computer 2”, i.e. authentication device creates an information to conveyed to client device (endpoint device)) [and stored in said session descriptor (28)]; 
Umesawa does not teach explicitly,
[said authentication device (18) including a network interface (49)] and a peering service (24); 
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
[said authentication device (18) for creating information to be conveyed to said network endpoint device (10)] and stored in said session descriptor (28); 
said authentication device (18) using transport access control to perform authentication.
However, Chaturvedi teaches,
[said authentication device (18) for creating information to be conveyed to said network endpoint device (10)] and stored in said session descriptor (28) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. information is stored in a session descriptor); 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa.
Umesawa teaches a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack. Chaturvedi teaches, an authenticated device having a session table to process an IP packet.  Therefore, it would have been obvious to have an authenticated device having a session table to process an IP packet of Chaturvedi with a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack of Umesawa to process an IP packet according to an authenticated session table. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa and Chaturvedi does not teach explicitly,
[said authentication device (18) including a network interface (49)] and a peering service (24); 
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
said authentication device (18) using transport access control to perform authentication.
However, Rao teaches,
[said authentication device (18) including a network interface (49)] and a peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”); 
said peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”) including an identity recognizer (25) (Fig. 3(52), ¶46, “an AAA module 52”)  and a first table of policy rules (27) (Fig. 3(54), ¶46, “a policy module 54”); 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa in view of Chaturvedi .
Umesawa in view of Chaturvedi teaches an authentication device receiving an IP packet and identifying identity of the IP packet and an authenticated device having a session table to process an IP packet. Rao teaches, selecting policy rule and applying policy rule based on the identity.  Therefore, it would have been obvious to have selecting policy rule and applying policy rule based on the identity of Rao into the teachings of Umesawa in view of Chaturvedi to apply policy rule based on identified user to provide secure session. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa, Rao and Chaturvedi does not teach explicitly,
said authentication device (18) using transport access control to perform authentication.
However, Lloyd teaches,
said authentication device (18) using transport access control to perform authentication (Abstract, “An AAA server comprises a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol”, “the AAA server determines the details of the access request and identifies the permit required to authorize access”. (CL(5), LN(65-67), CL(6), LN(1-21), Fig. 3(308, 310), CL(11), LN(47-54),i.e. authentication device uses transport access control to perform authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Lloyd with the invention of Umesawa in view of Chaturvedi and Rao.
Umesawa in view of Chaturvedi and Rao teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and an authenticated device having a session table to process an IP packet and selecting policy rule and applying policy rule based on the identity. Lloyd teaches, an authentication device authenticating a client using transport protocol. Therefore, it would have been obvious to have an authentication device authenticating a client using transport protocol of Lloyd   KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).


Claim 29 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Chaturvedi et al. (US PGPUB. # US 2010/0312902, hereinafter “Chaturvedi”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of Adnan M. Alattar (US PGPB. # US 2011/0091066, hereinafter “Alattar”).

Regarding Claim 29, rejection of Claim 27 is included and Umesawa teaches,
The apparatus as recited in Claim 27, further comprising: 
an authentication device (18) (Fig. 1, ¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, i.e. Examiner submits that one of the server acts as an authentication device); 
said authentication device (18) including a network interface (49) (Fig. 6, ¶112, “The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16”, i.e. packets are transmitted via a network interface) [and a peering service (24)]; 
said authentication device (18) for performing authentication (¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network is a legitimate client computer”, ¶44-¶53,i.e. successfully authenticate an identity); 
said authentication device (18) for creating information to be conveyed to said network endpoint device (10) (¶112, The transmitting unit 17 transfers, to the network 3, the SYN+ACK packet output from the resource management unit 16. The SYN+ACK packet is then received by the previously described receiving unit 23 of the client computer 2”, i.e. authentication device creates an information to conveyed to client device (endpoint device)) [and stored in said session descriptor (28)]; 
Umesawa does not teach explicitly,
[said authentication device (18) including a network interface (49)] and a peering service (24); 
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
[said authentication device (18) for creating information to be conveyed to said network endpoint device (10)] and stored in said session descriptor (28); 
said authentication device (18) using statistical object identification to perform authentication.
However, Chaturvedi teaches,
[said authentication device (18) for creating information to be conveyed to said network endpoint device (10)] and stored in said session descriptor (28) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. information is stored in a session descriptor); 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa.
Umesawa teaches a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack. Chaturvedi teaches, an authenticated device having a session table to process an IP packet.  Therefore, it would have been obvious to have an authenticated device having a session table to process an IP packet of Chaturvedi with a network endpoint device having a TCP/IP protocol stack and conveying an IP packet to a protocol stack of Umesawa to process an IP packet according to an authenticated session table. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa and Chaturvedi does not teach explicitly,
[said authentication device (18) including a network interface (49)] and a peering service (24); 
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
said authentication device (18) using statistical object identification to perform authentication.
However, Rao teaches,
[said authentication device (18) including a network interface (49)] and a peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”); 
said peering service (24) (Fig. 1, ¶37, “A node may be any electronic device, client, server, peer, service, application, or other object capable of sending, receiving, or forwarding information over communications channels in a network”) including an identity recognizer (25) (Fig. 3(52), ¶46, “an AAA module 52”)  and a first table of policy rules (27) (Fig. 3(54), ¶46, “a policy module 54”); 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa in view of Chaturvedi .
KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa, Chaturvedi and Rao does not teach explicitly,
said authentication device (18) using statistical object identification to perform authentication.
However, Alattar teaches,
said authentication device (18) using statistical object identification to perform authentication (Abstract, “Digital watermark methods for encoding auxiliary data into a host signal are used to authenticate physical and electronic objects. One such method computes a content specific message dependent on the host signal, encodes the content specific message into a watermark signal, and embeds the watermark in the host signal such that the watermark signal is substantially imperceptible in the host signal”, ¶55, “Various forms of statistical analyses may be performed on a signal to identify places to locate the watermark”, ¶162, “the detector maps this ratio to a detection value based on a statistical analysis of unmarked images”, ¶240, “The characteristic computed at decoding time is then matched with the characteristic stored in the database to determine whether it is sufficiently close to the stored characteristic. If so, it is deemed valid; otherwise, it is rejected”, i.e. statistical object identification is used to perform an authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Alattar with the invention of Umesawa in view of Chaturvedi and Rao.
Umesawa in view of Chaturvedi and Rao teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and an authenticated device having a session table to process an IP packet and selecting policy rule and applying policy rule based on the identity. Alattar teaches, an authentication device authenticating a client using statistical object identification. Therefore, it would have been obvious to have an authentication device authenticating a client using statistical object identification of Alattar into the teachings of Umesawa in view of Chaturvedi and Rao to protect data, assets. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).




Claims 30, 33 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Flowers Jr. et al. (US PGPUB. # US 2003/0105812, hereinafter “Flowers”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”).

Regarding Claim 30 Umesawa teaches,
An apparatus for authenticating the identify of network traffic using a network endpoint device (10), the network endpoint device (10) having a processor comprising: 
a network (20) (Fig. 1(3), ¶85, “a communication network 3 that includes an open network, such as the Internet”); said network (20) for conveying a plurality of IP packets (12) (¶85, “a communication network 3 that includes an open network, such as the Internet”, ¶86, “communication between each server computer 1 and client computer 2 is performed using TCP/IP”, ¶88, i.e. network conveys plurality of IP packets); 
said network endpoint device (10) (Fig.1 (2), ¶85, “client computers 2”); said network endpoint device (10) being connected to said network (20) (Fig.1 (2), ¶85, “client computers 2”, ¶86, i.e. client is connected to the network); 
a remote network device (11); said remote network device (11) being connected to said network (20) (Fig. 1(1), ¶85, “server computers 1”, ¶86, i.e. server computer is connected to the network); 
[a peer authentication driver (46); said peer authentication driver (46) being installed within said remote network device (11); said peer authentication driver (46)] providing security for said network (20) by monitoring said plurality of IP packets (12) (¶46, “if each of the certain port numbers is included in the predetermined port numbers; and monitoring the second table to generate a connection request acknowledgement packet in response to one of the received connection request packets”, ¶49, “a receiving unit configured to receive a plurality of connection request packets from the network; a monitor which monitors whether the received connection request packets satisfy the access pattern information”,¶50, “a monitor which monitors the second storage and detects whether all accessed port numbers stored in relation to the identification information are identical to the predetermined port numbers”, i.e. monitors plurality of IP packets to provide security);  and 
an authentication device (18); said authentication device (18) being connected to said network (20) (Fig. 1, ¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, i.e. Examiner submits that one of the server acts as an authentication device);  
[said peer authentication driver (46)] communicating with said authentication device (18) (¶43, “authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, ¶98, “the connection requesters that are allowed to access a certain server computer 1 are beforehand divided into a plurality of groups, and the number of transmissions of a connection request packet that differs between the groups is determined and used at least as authentication information for each group”, i.e. network is transmitting IP packet to an authentication server indicates that drivers are communicating with authentication device); 
[said peer authentication driver (46)] for selecting IP packets (12) [containing a TCP SYN bit (16) and without an ACK bit] from said plurality of IP packets (12) (¶100, “a connection request packet generator 21 generates a SYN packet upon receiving, from a connection requester via a user interface, “the connection request packet generator 21 refers to the connection establishment table 100, acquires information on the number of transmissions of a SYN packet, needed for the connection to the designated server computer 1, and outputs the generated SYN packet to a transmitting unit 22 a number of times corresponding to the acquired number of transmissions”, i.e. IP packets are selected);  
[said peer authentication driver (46)] for sending said selected IP packets (12) [containing a TCP SYN bit (16) and without an ACK bit] to said authentication device (18) for authentication (¶100, “In general, an access port with No. 80 is used for transmitting a SYN packet to a certain server computer 1. Therefore, in the first embodiment, too, an access port with No. 80 is used. It is a matter of course that if there is an agreement in which an access port with No. M is used instead of the access port with No. 80, the access port with No. M is used. Further, an agreement may be set so that a plurality of access ports are accessed in order in units of a predetermined number of ports”, i.e. IP packets containing SYN bit are transmitted to the server (authentication device));  
said authentication device (18) sending said selected IP packets (12) back to [said peer authentication driver (46)] when said selected IP packets (12) are authenticated (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. selected IP packets are sent back if IP packets are authenticated) ;
[said peer authentication driver (46)] sending said authenticated selected IP packets (12) to a TCP/IP protocol stack (32) in said remote network device (11) (¶103, “The unit 23 transmits the received IP packet to a connection request acknowledgement packet (SYN+ACK packet) determination unit 24, where it is determined whether the IP packet is a connection request acknowledgement packet (SYN+ACK packet) returned in response to any one of the SYN packets transmitted from the transmitting unit 22”, i.e. received packet is conveyed to TCP/IP protocol stack).
Umesawa does not teach explicitly,
a peer authentication driver (46); said peer authentication driver (46) being installed within said remote network device (11); said peer authentication driver (46) [providing security for said network (20) by monitoring said plurality of IP packets (12)];
said peer authentication driver (46) [communicating with said authentication device (18)]; 
said peer authentication driver (46) [for selecting IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit [from said plurality of IP packets (12)];  
said peer authentication driver (46) [for sending said selected IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit [to said authentication device (18) for authentication];  
[said authentication device (18) sending said selected IP packets (12) back to] said peer authentication driver (46) [if said selected IP packets (12) are authenticated];
said peer authentication driver (46) [sending said authenticated selected IP packets (12) to a TCP/IP protocol stack (32) in said remote network device (11)].
However, Flowers teaches,
a peer authentication driver (46) (Fig. 1(43)); said peer authentication driver (46) being installed within said remote network device (11) (Fig. 1(43), ¶51, “The web server provides standard web browser interactivity to the user but runs a peer service client application to allow access to the peer-to-peer communication services, i.e. peer authentication driver is installed in a server (remote network device), ¶55, “The Peer Switch functionality (11) is responsible for authenticating users into a Peer Switch community”); said peer authentication driver (46) (Fig. 1(43)) [providing security for said network (20) by monitoring said plurality of IP packets (12)];
said peer authentication driver (46) (Fig. 1(43)) [communicating with said authentication device (18)]; 
said peer authentication driver (46) (Fig. 1(43)) [for selecting IP packets (12) containing a TCP SYN bit (16) and without an ACK bit from said plurality of IP packets (12)];  
said peer authentication driver (46) (Fig. 1(43))  [for sending said selected IP packets (12) containing a TCP SYN bit (16) and without an ACK bit to said authentication device (18) for authentication];  
[said authentication device (18) sending said selected IP packets (12) back to] said peer authentication driver (46) (Fig. 1(43)) [when said selected IP packets (12) are authenticated];
said peer authentication driver (46) (Fig. 1(43)) [sending said authenticated selected IP packets (12) to a TCP/IP protocol stack (32) in said remote network device (11)].
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Flowers with the invention of Umesawa.
Umesawa teaches an authentication device authenticates IP packets and provide authenticated IP packets back to the requester. Flowers teaches, a peer authentication application for communication. Therefore, it would have been obvious to have a peer authentication application for communication of Flowers with an authentication device authenticates IP packets and provide authenticated IP packets back to the requester of Umesawa to process an IP packet for an authentication to provide secure communication. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa and Flowers does not teach explicitly,
[said peer authentication driver (46) for selecting IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit [from said plurality of IP packets (12)];  
[said peer authentication driver (46) for sending said selected IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit [to said authentication device (18) for authentication]; 
However John teaches,
 [said peer authentication driver (46) for selecting IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit (¶37, “The SYN request includes the client application's network address 99a and port ID 62b and the server application's network address 99b and port ID 64b, which are respectively encapsulated in the source address, source port ID, destination address and destination port ID fields of a TCP packet having its SYN bit set and its ACK bit not set”, i.e. TCP header including a TCP SYN bit and without ACK bit as ACK bit is not set) [from said plurality of IP packets (12)];  
[said peer authentication driver (46) for sending said selected IP packets (12)] containing a TCP SYN bit (16) and without an ACK bit (¶37, “The SYN request includes the client application's network address 99a and port ID 62b and the server application's network address 99b and port ID 64b, which are respectively encapsulated in the source address, source port ID, destination address and destination port ID fields of a TCP packet having its SYN bit set and its ACK bit not set”, i.e. TCP header including a TCP SYN bit and without ACK bit as ACK bit is not set) [to said authentication device (18) for authentication]; 
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of John with the invention of Umesawa in view of Flowers.
Umesawa in view of Flowers teaches an authentication device authenticates IP packets and provide authenticated IP packets back to the requester and a peer authentication application for communication. John teaches, a TCP packet having a SYN bit and without ACK bit. Therefore, it would have been obvious to have a TCP packet having a SYN bit and without ACK bit of John into the teachings of Umesawa in view of Flowers to process an IP packet for an authentication to provide secure communication. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 


Regarding Claim 33 rejection of Claim 30 is included and for the same motivation  Umesawa teaches,
The apparatus as recited in Claim 30, in which said remote network device (11), having received said authenticated selected IP packets (12) from said authentication device (18) (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. selected IP packets are sent back if IP packets are authenticated), sends all subsequent IP packets (12) belonging to the same TCP session to said TCP/IP protocol stack (32) in said remote network device (11) (¶103, “The unit 23 transmits the received IP packet to a connection request acknowledgement packet (SYN+ACK packet) determination unit 24, where it is determined whether the IP packet is a connection request acknowledgement packet (SYN+ACK packet) returned in response to any one of the SYN packets transmitted from the transmitting unit 22”, i.e. received packet is conveyed to TCP/IP protocol stack).

Regarding Claim 34 rejection of Claim 30 is included and for the same motivation  Umesawa teaches,
The apparatus as recited in Claim 30, in which said authentication device (18) authenticates said plurality of IP packets (12) without said authentication device (18) being located along the path of IP packets (12) traversing said network (20) between said network endpoint device (10) and said remote network device (11) (¶43, “if the sender is authenticated; and transmitting the generated connection request acknowledgement packet to the network”, ¶45, “if the received connection request packets satisfy the access pattern information; and transmitting the generated connection request acknowledgement packet to the network”, ¶47, “if the sender is authenticated; and a transmitting unit configured to transmit the generated connection request acknowledgement packet to the network“, i.e. authenticates plurality of IP packets. Authentication device doesn’t have to locate between client device (endpoint device) and remote network device).



Claim 31 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Flowers Jr. et al. (US PGPUB. # US 2003/0105812, hereinafter “Flowers”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Adnan M. Alattar (US PGPB. # US 2011/0091066, hereinafter “Alattar”).

Regarding Claim 31, rejection of Claim 30 is included and combination of Umesawa, Flowers and John does not teach explicitly,
An apparatus as recited in Claim 30, in which said authentication device (18) uses Statistical Object Identification to authenticate said selected IP packets (12).
However, Alattar teaches,
An apparatus as recited in Claim 30, in which said authentication device (18) uses Statistical Object Identification to authenticate said selected IP packets (12) (Abstract, “Digital watermark methods for encoding auxiliary data into a host signal are used to authenticate physical and electronic objects. One such method computes a content specific message dependent on the host signal, encodes the content specific message into a watermark signal, and embeds the watermark in the host signal such that the watermark signal is substantially imperceptible in the host signal”, ¶55, “Various forms of statistical analyses may be performed on a signal to identify places to locate the watermark”, ¶162, “the detector maps this ratio to a detection value based on a statistical analysis of unmarked images”, ¶240, “The characteristic computed at decoding time is then matched with the characteristic stored in the database to determine whether it is sufficiently close to the stored characteristic. If so, it is deemed valid; otherwise, it is rejected”, i.e. statistical object identification is used to perform an authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Alattar with the invention of Umesawa in view of Flowers and John.
Umesawa in view of Flowers and John teaches an authentication device authenticates IP packets and provide authenticated IP packets back to the requester and a peer authentication application for communication and a TCP packet having a SYN bit and without ACK bit. Alattar teaches, an authentication device authenticating a client using statistical object identification. Therefore, it would have been obvious to have an authentication device authenticating a client using statistical object identification of Alattar into the teachings of Umesawa in view of Flowers and John to  KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Flowers Jr. et al. (US PGPUB. # US 2003/0105812, hereinafter “Flowers”), and further in view of John et al. (US PGPUB. # US 2006/0236370, hereinafter “John”), and further in view of Lloyd et al. (US PAT. # US 6,219,790, hereinafter “Lloyd”).

Regarding Claim 32, rejection of Claim 30 is included and combination of Umesawa, Flowers and John does not teach explicitly,
An apparatus as recited in Claim 30, in which said authentication device (18) uses Transport Access Control to authenticate said selected IP packets (12).
However, Lloyd teaches,
An apparatus as recited in Claim 30, in which said authentication device (18) uses Transport Access Control to authenticate said selected IP packets (12) (Abstract, “An AAA server comprises a plurality of Authentication transport protocol modules that interface with one or more clients using a native authentication transport protocol”, “the AAA server determines the details of the access request and identifies the permit required to authorize access”. (CL(5), LN(65-67), CL(6), LN(1-21), Fig. 3(308, 310), CL(11), LN(47-54),i.e. authentication device uses transport access control to perform authentication).
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Lloyd with the invention of Umesawa in view of Flowers’ and John.
Umesawa in view of Flowers and John teaches an authentication device authenticates IP packets and provide authenticated IP packets back to the requester and a peer authentication application for communication and a TCP packet having a SYN bit and without ACK bit. Lloyd teaches, an authentication device authenticating a client using transport protocol. Therefore, it would have been obvious to have an authentication device authenticating a client using transport protocol of Lloyd into the teachings of Umesawa in view of Flowers and John to provide a distributed security system capable of supporting a variety of authentication transport protocols used by a variety of client types and is capable of supporting accounting functionality from the same database used to store user authentication and authorization information.  KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).

Claim 35 is rejected under 35 U.S.C. 103 as being unpatentable over Umesawa et al. (US PGPUB. # US 2005/0094637) herein after “Umesawa”), and further in view of Rao et al. (US PGPUB. # US 2013/0332982, hereinafter “Rao”), and further in view of Chaturvedi et al. (US PGPUB. # US 2010/0312902, hereinafter “Chaturvedi”)
Regarding Claim 35 Umesawa teaches,
An apparatus for authenticating the identify of network traffic using a network-endpoint device (10), the network endpoint device (10) having a processor comprising: 
a network (20) (Fig. 1(3), ¶85, “a communication network 3 that includes an open network, such as the Internet”); said network (20) being an insecure communication system (Fig. 1(3), ¶85, “a communication network 3 that includes an open network, such as the Internet”, Examiner submits that the network is an open network (internet) it is an insecure communication); 
said network endpoint device (10) (Fig.1 (2), ¶85, “client computers 2”); said network endpoint device (10) having an identity (22) (Abstract, “each group including users allowed to access server computer”, ¶40, “each group including a plurality of users allowed to access the server computer”, ¶101, “each client computer 2 may be constructed such that a connection requester (user) inputs, via a user interface (not shown)”, i.e. endpoint device has an identity);  
a remote network device (11) (Fig. 1(1), ¶85, “server computers 1”); 
said network endpoint device (10) and said remote network device (11) being connected to said network (20) (Fig. 1, ¶85, “server computers 1 and client computers 2 are connected via a communication network 3 that includes an open network”, i.e. Examiner submits that client (end point device) and server (remote network device) are connected to the network); 
said network endpoint device (10) for making a request to said remote network device (11) via said network (20) (¶101, “each client computer 2 may be constructed such that a connection requester (user) inputs, via a user interface (not shown), information, such as the number of transmissions, necessary to generate a SYN packet”, ¶102, “In each client computer 2, the transmitting unit 22 is used to transmit IP packets to the network 3, i.e. client (end point device) makes a request to a server (remote network device)) ;
said request including an identity representation of said identity (22) (¶110, “The group identifying unit 15 identifies whether information concerning the number of received SYN packets, included in the received entry, is held in a group identification table 120. If it is identified that the information is held, the group identifying unit 15 acquires, from the table 120, authentication information indicating the group corresponding to the number information, and transmits the authentication information to a resource management unit 16”, i.e. request includes an identity representation); 
said identity representation being cryptographically secured for a purpose of enabling authentication (¶44, “authenticating a sender of the connection request packets based on the prestored cipher key and authentication information acquired from the connection request packets”, ¶48,¶243 i.e. identity is secured for the purpose of enabling authentication); 
said identity representation being cryptographically secured for an additional purpose of preventing spoofing of said identity representation (¶44, ¶48, ¶243, “prevents a person with no cipher key from generating or decrypting encrypted information”, i.e. prevent spoofing of identity representation); 
an authentication device (18) (Fig. 1, ¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network”, i.e. Examiner submits that one of the server acts as an authentication device); 
 said remote network device (11) and said authentication device (18) being connected to said network (20) (Fig. 1, ¶85, “server computers 1 and client computers 2 are connected via a communication network 3 that includes an open network”, i.e. Examiner submits that client (end point device) and servers (remote network device, authentication device) are connected to the network);
said authentication device (18) having a cryptographic key for performing authentication of said identity representation (¶44, “authenticating a sender of the connection request packets based on the prestored cipher key and authentication information acquired from the connection request packets”, i.e. authenticating device has a cryptographic key to perform authentication);
said cryptographic key being not present at said remote network device (11) (¶244, “the server computer 1 identifies the digital signature using, instead of the message authenticator, the public key of the client computer 2, when identifying a connection request packet”, i.e. Examiner submits that public key is not present in the remote network device);
said authentication device (18) for performing an authentication process successfully authenticating said identity representation (¶43, “there is provided an authentication method for use in a server computer for authenticating that a client computer connected to the server computer via a network is a legitimate client computer”, ¶44-¶53,i.e. successfully authenticate an identity);
said authentication process operating non-interactively for a purpose of not responding to said network endpoint device (10) until said authentication has completed (¶118, “If no SYN+ACK packet is received for the predetermined period, it is determined that authentication has failed, thereby finishing authentication processing”, ¶119, “If, on the other hand, a SYN+ACK packet corresponding to at least one of the SYN packets is received from the server computer 1, the client computer 2 transmits an acknowledgement packet (ACK packet) to the server computer 1 (step C108). As a result, a connection is established between the client computer 2 and server computer 1”, i.e. server does not respond until the authentication has completed);
said authentication device (18) also for determining said identity (22) associated with said authenticated identity representation (¶110, “The group identifying unit 15 identifies whether information concerning the number of received SYN packets, included in the received entry, is held in a group identification table 120. If it is identified that the information is held, the group identifying unit 15 acquires, from the table 120”, Fig. 8 (C108), ¶119, “a SYN+ACK packet corresponding to at least one of the SYN packets is received from the server computer 1, the client computer 2 transmits an acknowledgement packet (ACK packet) to the server computer 1 (step C108). As a result, a connection is established between the client computer 2 and server computer 1”, ¶145, “it is necessary to estimate the type of each packet as well as the number of connection request packets. This being so, the security of the server is further enhanced”);
said network endpoint device (10) establishing said authenticated communications to said remote network device (11) via said network (20) (¶119, “a connection is established between the client computer 2 and server computer 1”, i.e. connection is established).
Umesawa does not teach explicitly,
said remote network device (11) for communicating securely with said authentication deice (18) via said network (20);
said remote network device (11) communicating said request to said authentication device (18) for a purpose of determining said identity (22) from said identity representation in said request;
said remote network device (11) communicating said request to said authentication device (18) for a purpose of authenticating said identity representation in said request; 
said remote network device (11) communicating said request to said authentication device (18) for a purpose of determining said the authority of said identity to access said remote network device (11); 
said authentication process operating non-interactively with respect to said network endpoint device (10);
said authentication device (18) also for determining said authority of said identity (22) to access said remote network device (11);
said authentication device (18) including a first table of policy rules (27);
said authority being described by said first table of policy rules (27);
said authentication device (18) also for determining that said identity (22) has the authority to access said remote network device (11);
said authentication device (18) also for communicating a response to said remote network device (11) including said request;
said remote network device (11) also for receiving said response including said request from said authentication device (18);
said remote network device (11) including an authenticated session table (30);
said authenticated session table (30) including at least one session descriptor (28);
said remote network device (11) establishing an authenticated communications by adding a session descriptor (28) to said authenticated session table (30) using information contained in said response and said request;
However, Rao teaches,
said remote network device (11) (Fig. 1(24(1), 24(2), 24(N)) for communicating securely with said authentication deice (18) (Fig. 1(“AAA Server”, 26(1), 26(2), 26(N))) via said network (20) (Fig. 1(28(1), 28(2), 28(N), ¶18, “network access controls (NACs) 24(1)-24(N) that communicate with VEMs 20(1)-20(P). NACs 24(1)-24(N) may communicate with respective Authentication, Authorization, and Accounting (AAA) servers 26(1)-26(N) over third party cloud networks 28(1)-28(N)”);
said remote network device (11) communicating said request to said authentication device (18) for a purpose of determining said identity (22) from said identity representation in said request (¶18, “NACs 24(1)-24(N) can communicate with respective AAA servers 26(1)-26(M) to authenticate and authorize users 30(1)-30(R) on VMs 16(1)-16(M)”, i.e. communicate for the purpose of identification);
said remote network device (11) communicating said request to said authentication device (18) for a purpose of authenticating said identity representation in said request (¶18, “NACs”, 24(1)-24(N) can communicate with respective AAA servers 26(1)-26(M) to authenticate and authorize users 30(1)-30(R) on VMs 16(1)-16(M)”, i.e. communicate for the purpose of authenticating an identity); 
said remote network device (11) communicating said request to said authentication device (18) for a purpose of determining said the authority of said identity to access said remote network device (11) (¶18, “NACs 24(1)-24(N) can communicate with respective AAA servers 26(1)-26(M) to authenticate and authorize users 30(1)-30(R) on VMs 16(1)-16(M)”, i.e. communicate to determine authorization (authority) of identity of the remote network device); 
said authentication process operating non-interactively with respect to said network endpoint device (10) (Fig. 1 (“VM” (16(1), 16(2), 16(M), Fig. 1 (NAC”, (24(1), 24(2), 24(N)), Fig. 1(“AAA Server”, 26(1), 26(2), 26(N)), ¶18, “Fig. 1(“AAA Server”, 26(1), 26(2), 26(N)), ¶18, “Tenants 12(1)-12(N) may further include network access controls (NACs) 24(1)-24(N) that communicate with VEMs 20(1)-20(P). NACs 24(1)-24(N) may communicate with respective Authentication, Authorization, and Accounting (AAA) servers 26(1)-26(N) over third party cloud networks 28(1)-28(N)”, i.e. process is non-interactively with respect to client (endpoint device))  ;
said authentication device (18) also for determining said authority of said identity (22) to access said remote network device (11) (¶18, “NACs 24(1)-24(N) can communicate with respective AAA servers 26(1)-26(M) to authenticate and authorize users 30(1)-30(R) on VMs 16(1)-16(M)”, i.e. communicate to determine authorization (authority) of identity of the remote network device);
said authentication device (18) including a first table of policy rules (27) (Fig. 1(Policy Rules), (34(1), 34(2), 34(R)), ¶20, “The authorization information from AAA servers 26(1)-26(N) may be in a form of user policy 34(1)-34(R), which can include permissions and privileges for respective users 30(1)-30(R) to access resources within DVS network 14”, i.e. policy rules are considered as table of policy rules);
said authority being described by said first table of policy rules (27) (¶20, “user policy 34(1)-34(R), which can include permissions and privileges for respective users 30(1)-30(R) to access resources within DVS network 14”, i.e. permission (authority) is described in the policy rules);
said authentication device (18) also for determining that said identity (22) has the authority to access said remote network device (11) (¶47, “AAA server 26 may validate the supplicant's user credentials 32 and determine what network access the supplicant should receive. In one embodiment, AAA server 26 may be a RADIUS server. AAA server 26 may query backend identity databases to validate user credentials 32 and send user policy 34”, i.e. determines whether a user (identity) has authority to access remote network device);
said authentication device (18) also for communicating a response to said remote network device (11) including said request (¶46, “AAA server 26 may respond with representative user policy 34. Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14”, i.e. a response is communicated);
said remote network device (11) also for receiving said response including said request from said authentication device (18) (¶46, “AAA server 26 may respond with representative user policy 34. “, “For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services”, i.e. remote network device receives response from the authentication device);
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Rao with the invention of Umesawa.
Umesawa teaches an authentication device receiving an IP packet and identifying identity of the IP packet. Rao teaches, selecting policy rule and applying policy rule based on the identity.  Therefore, it would have been obvious to have selecting policy rule and applying policy rule based on the identity of Rao with providing an authentication device receiving an IP packet and identifying identity of the IP packet of Umesawa to apply policy rule based on identified user to provide secure session. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007). 
Combination of Umesawa and Rao does not teach explicitly,
said remote network device (11) including an authenticated session table (30);
said authenticated session table (30) including at least one session descriptor (28);
said remote network device (11) establishing an authenticated communications by adding a session descriptor (28) to said authenticated session table (30) using information contained in said response and said request;
However, Chaturvedi teaches,
said remote network device (11) including an authenticated session table (30) (¶67, “Upon authentication, the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online”, ¶79, ¶85, ¶89);
said authenticated session table (30) including at least one session descriptor (28) (¶41, “authentication is based on the transmission control protocol/internet protocol ( TCP/IP)“, ¶67, “the access server 102 updates a session table residing on the server to indicate that the user ID currently associated with the endpoint 104 is online. The access server 102 also retrieves a buddy list associated with the user ID currently used by the endpoint 104 and identifies which of the buddies (if any) are online using the session table”, ¶79, ¶85, ¶89, i.e. IP address is determined from the IP packet and the IP address is matched to determine online buddy indicates that IP packet is matched to a session descriptor);
said remote network device (11) establishing an authenticated communications by adding a session descriptor (28) to said authenticated session table (30) using information contained in said response and said request (Fig. 4(412), ¶68, “the endpoint 106 sends a message directly to the endpoint 104 to notify the endpoint 104 that the endpoint 106 is now online This also provides the endpoint 104 with the address information needed to communicate directly with the endpoint 106. In step 412, one or more communication sessions may be established directly between the endpoints 104 and 106”, i.e. authenticated communication is established);
As per KSR vs Teleflex, combining prior art elements according to known methods (device, product) to yield predictable results may be used to create a prima facie case of obviousness.
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Chaturvedi with the invention of Umesawa in view of Rao.
Umesawa in view of Rao teaches, an authentication device receiving an IP packet and identifying identity of the IP packet and selecting policy rule and applying policy rule based on the identity. Chaturvedi teaches, an authenticated device having a session table to process an IP packet. Therefore, it would have been obvious to have an authenticated device having a session table to process an IP packet of Chaturvedi into the teachings of Umesawa in view of Rao to process an IP packet according to an authenticated session table. KSR Int’l v. Teleflex Inc., 127 S. Ct. 1727, 1740-41, 82 USPQ2d 1385, 1396 (2007).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.  Refer to PTO-892, Notice of References Cited for a listing of analogous art.
Bagepalli et al. (US PGPUB. # US 2009/0063665) discloses, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.
Nakamoto et al. (US PGPUB. # US 2014/0304765) discloses, a network architecture that eliminates anonymous traffic, reduces a threat surface, and enforces policies is described herein. A method based on this network architecture includes receiving, by a processor, an IP packet entering a network, inserting, by the processor, an identity-based interne protocol (IMP) shim between a header and a body of the IP packet and incorporating, by the processor, an identity of a source and a destination of the IP packet in the shim. 
Wing et al. (US PGPUB. # US 2014/0237539) discloses, identity based security features and policies are applied to endpoint devices behind an intermediary device, such as a network address translation device. The access network switch authenticates an endpoint based on a user identity and a credential. A hypertext transfer protocol (HTTP) packet is generated or modified to include the user identity in an inline header. The HTTP packet including the user identity is sent to a policy enforcement device to look up one or more policies for the endpoint. The access switch receives traffic from the policy enforcement device that is filtered according the user identity. Subsequent TCP connections may also include identity information within the TCP USER_HINT option in a synchronization packet thus allowing identity propagation for other applications and protocols.
Matthew Stebe (US PGPUB. # US 2014/0304776) discloses, a method for authenticating an assertion of a source in an environment of distributed control include receiving a notification of the assertion; determining an entity responsible for maintaining an authenticated list of assertions by the source based on a first trusted public record, determining an assertion authenticator for the entity based on a second trusted public record, determining one or more assertions of the source from the assertion authenticator, and authenticating the assertion based on the determined one or more assertions.
Patti et al. (US PGPUB. # US 2013/0073854) discloses, a record of user accounts including: a user identifier and a public encryption key; an access control list (ACL) defining an access control policy including: permissions defining access to data objects associated with the ACL and an ACL key list including copies of a an ACL key .

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DARSHAN I DHRUV/          Examiner, Art Unit 2498