DETAILED ACTION
Responsive to the Applicant reply filed on 02/25/2021, Applicant’s amendments to claims have been entered and respective arguments carefully considered and responded in the following.  Claims 1-21 are presented for examination in this Office Action, with Claims 1, 8, and 15 being in independent form.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The claim amendments and remarks filed by the Applicant on 02/25/2021, have been carefully considered and are responded in the following.

In response to the Applicant arguments, page(s) 7 of the Remarks, regarding Claims 1-21 being rejected on the ground of obviousness double patenting, the applicant has chosen to hold the rejection in abeyance.  Accordingly, the rejection remains.

In response to the Applicant arguments, page(s) 12-14, regarding Claims 1-21 being rejected under 35 U.S.C. 112(b) for lacking sufficient antecedent basis, the Applicant arguments in view of the amendment are persuasive. Therefore, the 112 rejections are withdrawn.

Applicant’s arguments, page(s) 13-16 of the Remarks, with regards the rejection under 35 U.S.C. § 103 have been considered carefully. 
First, Applicant argues the validity of the McGrew reference stating that the instant application has “an earliest effective filing date of November 2, 2016, and McGrew is not prior 62/416683, filed on November 2, 2016, does not support the claim elements “first communication channel” and “second communication channel.”  It should be noted that a communication channel refers to either a wired transmission medium or a wireless connection over a telecommunication link such as a radio link. The instant claim 1 specifies the “first communication channel” and “second communication channel” which are not found in the Provisional Application No. 62/416,683.  Furthermore, the Provisional Application No. 62/416683 does not disclose the limitation for “detecting malicious behavior performed by the computing system or remote server, via the first and second communication channels, based on the public certificate” and the blocking action.  Also note that the Provisional Application No. 62/416683 does not rely on the public certificate solely for detecting malicious behavior.  Regarding the Provisional Application No. 62/477374, it discloses a traffic hub 105 that collects information about the local network and monitors processes on the computer to determine if those processes might be exhibiting malicious behavior; see paragraphs 14-15 of the disclosure.  However, the Provisional Application No. 62/477374 does not disclose using separate communication channels for detecting malicious behavior nor does intercept network communications via the “first communication channel” and “second communication channel.”  Evidently, the effective filing date of the instant application does not reach back to the filing date of the Provisional Application No. 62/477374, which is March 27, 2017.  Therefore, the Applicant’s arguments are not persuasive.
Secondly, the Applicant argues many features in claim 1 by reproducing most of the limitations in the claim; see page 15 of the Remarks, filed 02/25/2021.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For 

Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-21 of U.S. Patent No. 10,454,961 B2 (“USPAT 961” hereinafter). 
Although the claims at issue are not identical, they are not patentably distinct from each other because they claim the same subject matter of detecting malicious behavior based on the extracted public certificate from network traffic.

Regarding 1, USPAT 961 anticipates:
A network traffic hub for detecting malicious behavior based on network communications establishing an encrypted connection between a computing system and a remote server (USPAT 961, CLM. : A network traffic hub for detecting malicious behavior based on network communications establishing an encrypted connection between a smart appliance and a remote server), the network traffic hub comprising: 
a network interface communicatively coupled to a computing system via a first communication channel in a local network and communicatively coupled to a remote server via a second communication channel in a wide area network (USPAT 961, CLM. 1: a network interface communicatively coupled to a smart appliance via a first communication channel in a local network and communicatively coupled to a remote server via a second communication channel in a wide area network); 
a processor (USPAT 961, CLM. 1); and 
a memory storing program code (USPAT 961, CLM. 1), the program code when executed causes the processor to: 
USPAT 961, CLM. 1: intercept, via the first communication channel, a first network communication from the smart appliance for transmission, via the second communication channel, to the remote server); 
transmit, via the second communication channel, the first network communication to the remote server (USPAT 961, CLM. 1: transmit, via the second communication channel, the first network communication to the remote server); 
intercept, via the second communication channel, one or more second network communications from the remote server to the computing system, the one or more second network communications comprising a public certificate associated with the remote server (USPAT 961, CLM. 1: intercept, via the second communication channel, one or more second network communications from the remote server to the smart appliance, which is the computing system, the one or more second network communications comprising a public certificate associated with the remote server); 
extract the public certificate from the one or more second network communications (USPAT 961, CLM. 1: extract the public certificate and the identified subset of the one or more encryption algorithms from the one or more second network communications); 
transmit, via the first communication channel, the one or more second network communications to the computing system (USPAT 961, CLM. 1: transmit, via the first communication channel, the one or more second network communications to the smart appliance, which is the computing system); 
detect malicious behavior performed by the computing system or remote server, via the first and second communication channels, based on the public certificate (USPAT 961, CLM. 1: detect malicious behavior performed by the smart appliance or remote server, via the first and second communication channels, based on the encryption suite, public certificate, …); and 
block network communications between the computing system and the remote server in response to detecting malicious behavior in the network communications between the computing system and the remote server (USPAT 961, CLM. 1: block network communications between the smart appliance and the remote server in response to detecting malicious behavior in the network communications between the smart appliance and the remote server).

Independent claims 8 and 18 are rejected for the same reason as claim 1.
Regarding dependent claims 2-7, 9-14, and 16-21 of the present application, they are obvious variants of the same subject matter as found in the claims of USPAT 961, and thereby rejected under the judicially created doctrine of obviousness-type double patenting.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claims 1-3, 5, 7-10, 12, 14-17, 19, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over McGrew (US 20190190961 A1) in view of Vissamsetty (US 20180013788 A1; hereinafter “Vissa”).

As per claim 1, McGrew teaches a network traffic hub for detecting malicious behavior based on network communications establishing an encrypted connection between a computing system and a remote server (McGrew, par. 0038-0040: router CE-2; par. 0066-0069: traffic analyzer 604 … to decrypt ServerHello message 614 and obtain the server certificate of server 606; see FIG. 3 illustrating that the edge router CE-2 captures traffic information between node 10 and server 154 flows; par. 0038-0039), the network traffic hub comprising: 
a network interface communicatively coupled to the computing system via a first communication channel in a local network and communicatively coupled to a remote server via a second communication channel in a wide area network (McGrew, par. 0028-0029: network interface 210); 
a processor (par. 0030: processor 220); and 
a memory storing program code, the program code when executed causes the processor  (McGrew, par. 0030: the memory 240 comprises a plurality of storage locations) to: 
intercept, via the first communication channel, a first network communication from the computing system for transmission, via the second communication channel, to the remote server (McGrew, par. 0038-0040: capture information about traffic; consider the case of edge 
intercept, via the second communication channel, one or more second network communications from the remote server to the computing system, the one or more second network communications comprising a public certificate associated with the remote server (McGrew, par. 0057: generate and send probes to servers, to capture information about the servers, such as their certificate information); 
extract the public certificate from the one or more second network communications; transmit, via the first communication channel, the one or more second network communications to the computing system (McGrew, par. 0074-0075: extract server certificate); 
detect malicious behavior performed by the computing system or remote server, via the first and second communication channels, based on the public certificate (McGrew, par. 0068: mimic the ClientHello message 608 sent by client 602, to ensure that server 606 treats both client 602 and traffic analyzer 604 the same way; if server 606 behaves differently … determine [that] the traffic between the client and the server is malicious; par. 0076); and 
block subsequent network communications between the computing system and the remote server in response to detecting malicious behavior in the network communications between the computing system and the remote server (McGrew, par. 0076: blocking the traffic as one of the mitigation actions in the network).
However, McGrew does not explicitly disclose that the CE-2 router transmits the captured network communication to the remote server. This aspect of the claim is identified as a further difference.
In a related art, Vissa teaches:

McGrew and Vissa are analogous art, because they are in a similar field of endeavor in improving network communications against malicious attacks.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Vissa’s attacker system to modify McGrew’s CE-2 router to add functions of response to the malicious messages.  For this combination, the motivation would have been to improve the function of a traffic analyzer or hub to detect the source of the malicious attack.

As per claim 2, the references as combined above teach the network traffic hub of claim 1, further comprising program code to allow, responsive to a lack of detection of malicious behavior in the network communications between the computing system and the remote server, continued network traffic communications between the computing system and the remote server (McGrew, par. 0055-0057: "benign" traffic is allowed to go through).

As per claim 3, the references as combined above teach the network traffic hub of claim 1, wherein the program code to detect malicious behavior further comprises program code to detect malicious behavior using a threat detection model (McGrew, par. 0055, 0063, and 0076: classifying the traffic to be "malicious" and blocking the "malicious" traffic).

As per claim 5, the references as combined above teach the network traffic hub of claim 3, wherein the threat detection model is a machine-learned model (McGrew, par. 0032-0033: 

As per claim 7, the references as combined above teach the network traffic hub of claim 1, further comprising program code to receive a designation, from a behavior analysis engine, of whether malicious behavior is present in the first network communication or the one or more second network communications based on analysis from a threat detection model (McGrew, par. 0055: output resulting traffic classification 514, that means, the output designating whether the analyzed part of communications is "malicious" and "benign" traffic; par. 0063: For example, in the case of traffic classification 514 indicating the presence of malicious traffic, classification 514 can be used to cause the performance of a mitigation action, such as sending an alert to an administrator or security expert).

As per claim 8, McGrew teaches a method for detecting malicious behavior based on network communications establishing an encrypted connection between a computing system and a remote server, comprising: 
intercepting, by a network traffic hub in a local network, a first network communication from the computing system in the local network, for transmission to a remote server in a wide area network (McGrew, par. 0038-0040: capture information about traffic; consider the case of edge router CE-2 through which the traffic between node 10 and server 154 flows.  In this case, the first network communication is from node 10 to CE-2, and the second communication from CE-2 to server 154. It should be noted that capturing traffic information is the same as intercepting communications); 
intercepting, by the network traffic hub, one or more second network communications from the remote server to the computing system, the one or more second network communications comprising a public certificate associated with the remote (McGrew, par. 0057: 
extracting the public certificate from the one or more second network communications; transmitting, by the network traffic hub, the one or more second network communications to the computing system (McGrew, par. 0074-0075: extract server certificate); 
detecting malicious behavior performed by the computing system or remote server, based on the public certificate (McGrew, par. 0068: mimic the ClientHello message 608 sent by client 602, to ensure that server 606 treats both client 602 and traffic analyzer 604 the same way; if server 606 behaves differently … determine [that] the traffic between the client and the server is malicious; par. 0076); and 
blocking network communications between the computing system and the remote server, responsive to detecting malicious behavior in the network communications between the computing system and the remote server by the network traffic hub (McGrew, par. 0076: blocking the traffic as one of the mitigation actions in the network).
However, McGrew does not explicitly disclose that the CE-2 router transmits the captured network communication to the remote server. This aspect of the claim is identified as a further difference.
In a related art, Vissa teaches:
transmitting, by the network traffic hub, the first network communication to the remote server (Vissa, par. 0032 and 0036-0039: an attacker system 110 … transmitting 222 the fake credentials to the source IP address; par. 0076: an attacker system 110 may also intercept the router solicitation messages and send 512 RA messages referencing the attacker system 110); 
McGrew and Vissa are analogous art, because they are in a similar field of endeavor in improving network communications against malicious attacks.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Vissa’s attacker system to modify McGrew’s CE-2 router to add 

As per claim 9, the references as combined above teach the method of claim 8, further comprising, responsive to not detecting malicious behavior in the network communications between the computing system and the remote server, allowing continued network traffic communications between the computing system and the remote server by the network traffic hub (McGrew, par. 0055-0057: "benign" traffic is allowed to go through).

As per claim 10, the references as combined above teach the method of claim 8, wherein detecting malicious behavior uses a threat detection model (McGrew, par. 0055, 0063, and 0076: classifying the traffic to be "malicious" and blocking the "malicious" traffic; par. 0079: using certain models for purposes of malware detection).

As per claim 12, the references as combined above teach the method of claim 10, wherein the threat detection model is a machine-learned model (McGrew, par. 0032-0033: Traffic analysis process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data; par. 0036: a machine learning model).

As per claim 14, the references as combined above teach the method of claim 8, further comprising receiving, from a behavior analysis engine a designation of whether malicious behavior is present in the first network communication or the one or more second network communications based on analysis from a threat detection model (McGrew, par. 0055: output resulting traffic classification 514, that means, the output designating whether the analyzed part of communications is "malicious" and "benign" traffic; par. 0063: For example, in the case of 

As per claim 15, McGrew teaches a non-transitory computer-readable medium comprising stored program code, the program code comprised of computer-executable instructions that, when executed by a processor (McGrew, par. 0038-0040: router CE-2; par. 0066-0069: traffic analyzer 604 … obtains the server certificate of server 606; see FIG. 3 illustrating that the edge router CE-2 captures traffic information between node 10 and server 154 flows; par. 0038-0039), causes the processor to: 
intercept, via a first communication channel in a local network, a first network communication from a computing system for transmission, via a second communication channel in a wide area network, to a remote server (McGrew, par. 0038-0040: capture information about traffic; consider the case of edge router CE-2 through which the traffic between node 10 and server 154 flows.  In this case, the first network communication is from node 10 to CE-2, and the second communication from CE-2 to server 154. It should be noted that capturing traffic information is the same as intercepting communications); 
intercept, via the second communication channel, one or more second network communications from the remote server to the computing system, the one or more second network communications comprising a public certificate associated with the remote server (McGrew, par. 0057: generate and send probes to servers, to capture information about the servers, such as their certificate information); 
extract the public certificate from the one or more second network communications (McGrew, par. 0074-0075: extract server certificate); 
detect malicious behavior performed by the computing system or remote server, via the first and second communication channels, based on the public certificate (McGrew, par. 0068: 
block network communications between the computing system and the remote server, in response to detecting malicious behavior in the network communications between the computing system and the remote server (McGrew, par. 0076: blocking the traffic as one of the mitigation actions in the network).
However, McGrew does not explicitly disclose that the CE-2 router transmits the captured network communication to the remote server. This aspect of the claim is identified as a further difference.
In a related art, Vissa teaches:
transmit, via the first communication channel, the one or more second network communications to the computing system (Vissa, par. 0032 and 0036-0039: an attacker system 110 … transmitting 222 the fake credentials to the source IP address; par. 0076: an attacker system 110 may also intercept the router solicitation messages and send 512 RA messages referencing the attacker system 110); 
McGrew and Vissa are analogous art, because they are in a similar field of endeavor in improving network communications against malicious attacks.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to combine them and to use Vissa’s attacker system to modify McGrew’s CE-2 router to add functions of response to the malicious messages.  For this combination, the motivation would have been to improve the function of a traffic analyzer or hub to detect the source of the malicious attack.

As per claim 16, the references as combined above teach the non-transitory computer-readable medium of claim 15, further comprising, responsive to not detecting malicious behavior McGrew, par. 0055-0057: "benign" traffic is allowed to go through).

As per claim 17, the references as combined above teach the non-transitory computer-readable medium of claim 15, wherein the program code further comprises instruction to detect malicious behavior using a threat detection model (McGrew, par. 0055, 0063, and 0076: classifying the traffic to be "malicious" and blocking the "malicious" traffic; par. 0079: using machine learning models for purposes of malware detection).


As per claim 19, the references as combined above teach the non-transitory computer-readable medium of claim 17, wherein the threat detection model is a machine-learned model (McGrew, par. 0032-0033: Traffic analysis process 248 may employ any number of machine learning techniques, to classify the gathered telemetry data; par. 0036: a machine learning model).

As per claim 21, the references as combined above teach the non-transitory computer-readable medium of claim 15, further comprising program code to receive a designation, from a behavior analysis engine, of whether malicious behavior is present in the first network communication or the one or more second network communications based on analysis from a threat detection model (McGrew, par. 0055: output resulting traffic classification 514, that means, the output designating whether the analyzed part of communications is "malicious" and "benign" traffic; par. 0063: For example, in the case of traffic classification 514 indicating the presence of malicious traffic, classification 514 can be used to cause the performance of a mitigation action, such as sending an alert to an administrator or security expert).

Claims 4, 11, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over McGrew  and Vissa, as applied to claim 1, and further in view of Markley (NPL: Markey, et al. "Using Decision Tree Analysis for Intrusion Detection: A How-To Guide." Jun 5, 2011. 33 pages.)

As per claim 4, the references of McGrew and Vissa as combined above teach the network traffic hub of claim 3, but do not explicitly disclose …. This aspect of the claim is identified as a further difference.
In a related art, Markley teaches:
wherein the threat detection model is a decision tree (Markley, FIG. 1: Decision Tree Example; classification algorithms create a decision tree … by identifying parterns in an existing dataset; page 3).
Markley is analogous art to the claimed invention in a similar field of endeavor in improving network communications.  Thus, it would have been obvious to one of ordinary in the art, before the effective filing date of the claimed invention, to modify the system of McGrew and Vissa with Markley to include a decision tree for the threat detection model. For this combination, the motivation would have been to improve the efficiency in computing process.

Claims 11 and 18 are rejected for the same reason as that given to claim 4 because they each recite the same limitation as claim 4.


Allowable Subject Matter
Claim 6, 13, and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

The claims 6, 13, and 20 each recite elements of “wherein the threat detection model is trained using known-malicious training data and known-benign training data, 
the known-malicious training data comprising examples where a secure connection between a computing system and a remote server is attacked while the secure connection was being established and 
the known-benign training data comprising examples where a secure connection between a computing system and a remote server is successful connected without being compromised.”  These features, in combination with the other limitations in their base claims, are not anticipated by, nor made obvious over the prior art of record.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Don G Zhao/
Examiner, Art Unit 2493
03/22/2021