DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This Office Action is in response to the amendment filed 04/22/2021.
Applicant’s Amendment after Notice of Allowance (Rule 312), filed 4/22/2021, has been acknowledged. In this amendment, applicant amended claim 10 to correct a minor informality. However, the claims filed 4/22/2021 do not include the examiner’s amendment to independent claims 1, 19 and 25 that was agreed upon and authorized by applicant’s representative for entry as an examiner’s amendment; see the Notice of Allowance and Fee(s) Due (PTOL-85) mailed 4/15/2021. Upon discussion with applicant’s representative, it is agreed that the claims filed on 4/22/2021 should have included the examiner’s amendment previously presented. The examiner therefore issues this Supplemental Notice of Allowability.
Response to Argument
Applicant’s arguments with respect to the rejection of the claims over the prior art, see pages 9-11 of the Remarks filed 3/1/2021, have been fully considered and are persuasive, further in view of the examiner’s amendment below. Upon the examiner’s updated search on the features recited in the claims, the examiner believes the case is in condition for allowance. Therefore, the rejection of claims 1-23 and 25-26 under 35 U.S.C. 103 has been withdrawn.
Allowable Subject Matter
Claims 1-23, 25-26 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to determining whether an encrypted connection between a user device and a host server is a suspicious or a normal encrypted connection. A network device intercepts the cryptographic certificates of the host servers and, based on the validity of each certificate, either decrypts the encrypted connection or bypasses its decryption, and overrides a certificate exception created by the user device while operating in a transparent proxy mode.
Claim 1 (similarly claims 19 and 25) identifies the uniquely distinct features “determining, by the network device, whether each encrypted connection is a suspicious connection or a normal connection based on an application of a certificate validation policy to each cryptographic certificate; responsive to determining that a first encrypted connection of the plurality of encrypted connections is a suspicious connection, causing decryption of the first encrypted connection or analysis of metadata associated with the first encrypted connection; responsive to determining that a second encrypted connection of the plurality of encrypted connections is a normal connection, causing bypass of decryption of the second encrypted connection or of analysis of metadata associated with the second encrypted connection; and overriding a certificate exception created by a user device of the plurality of user devices, in a transparent proxy mode without interfering with experiences of the plurality of user devices”. 
The prior art, Alrawais et al (US20170317837A1), discloses a system and method for certificate validation. In particular, Alrawais teaches comparing certificate information of a host server to stored revocation information and terminating the connection between the server and the client if the certificate matches the revoked certificate information.
Buruganahalli et al (US20160359807A1) discloses a system and method for destination extraction for secure protocols and for applying a security policy to filter traffic between a client and a remote server. In particular, Buruganahalli teaches that if the destination domain is in a blacklist, the network communications between the client and the server are decrypted; otherwise the communications are not decrypted.
The prior art, Lifliand et al (US20110314270A1), discloses a system and method of operating a computing device that allows inspecting data the device attempts to transmit over a network in encrypted form for the presence of malware, viruses or confidential information. In particular, Lifliand teaches a data inspection facility that inspects the unencrypted data to determine whether to allow transmission of the encrypted data over the network, in a manner transparent to the user.
The prior art, Frayman et al (US20180124085A1), discloses a method to extract encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and to determine whether malicious behavior is present in the messages. In particular, Frayman teaches detection of malicious behavior or security threats based on the encryption metadata using a behavior analysis engine.
The prior art, Kumar et al (US20180332078A1), discloses an apparatus and method to perform secure sockets layer protocol initialization and maintenance for a virtual machine. In particular, Kumar teaches offloading the encryption/decryption of data between the VM and the server to reduce the potential bottleneck at the VM.
The prior art references, either singly or in combination, fail to anticipate or render obvious the claimed limitations of claim 1 (similarly claims 19 and 25) of “determining, by the network 
Regarding the dependent claims: dependent claims 2-18, 20-23 and 26 are also allowed for incorporating the allowable feature recited in the independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Examiner’s Amendment
The application has been amended as follows: 
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Jordan Becker (650-838-4365) and in further communication on 3/24/2021 (see PTO-413 interview summary mailed 4/15/2021). Applicant further amended claim 10, shown below as Currently Amended, to correct a minor informality in the Amendment after Notice of Allowance (Rule 312). See the PTO-413B interview summary attached.

PLEASE AMEND THE CLAIMS AS FOLLOWS:
Claim 1. (Currently Amended) 	A method comprising: 
intercepting, by a network device of a computer network, a plurality of cryptographic certificates of a plurality of host servers received in response to a plurality of requests for a plurality of encrypted connections between the plurality of host servers and a plurality of user devices; 
determining, by the network device, whether each encrypted connection is a suspicious connection or a normal connection based on an application of a certificate validation policy to each cryptographic certificate; 
responsive to determining that a first encrypted connection of the plurality of encrypted connections is a suspicious connection, causing decryption of the first encrypted connection or analysis of metadata associated with the first encrypted connection; 
responsive to determining that a second encrypted connection of the plurality of encrypted connections is a normal connection, causing bypass of decryption of the second encrypted connection or of analysis of metadata associated with the second encrypted connection; 
and overriding a certificate exception created by a user device of the plurality of user devices, in a transparent proxy mode without interfering with experiences of the plurality of user devices.

Claim 10. (Currently amended) 	The method of claim 1, wherein the network device has a trust store including a trusted attribute, and the determining whether each encrypted connection is a suspicious connection or a normal connection comprises: determining that an encrypted connection of the plurality of encrypted connections is a normal connection when its cryptographic certificate satisfies the trusted attribute; or determining that the encrypted connection is a suspicious connection when its cryptographic certificate does not satisfy the trusted attribute.

Claim 19. (Currently Amended) 	A method comprising: 
detecting, by a network device of a first network, a plurality of encrypted sessions between a plurality of user devices of the first network and at least one host device of a second network different from the first network; 
intercepting, by the network device, a cryptographic certificate during a handshake between each user device and each host device of each encrypted session; 

in response to determining that the first subset of the plurality of encrypted sessions corresponds to a plurality of suspicious sessions, identifying a malicious session by decrypting encrypted content of the first subset of the plurality of encrypted sessions and inspecting the decrypted content of the plurality of suspicious sessions, or analyzing metadata related to the plurality of suspicious sessions; 
performing, by the network device, an action to mitigate a harmful effect of the malicious session; 
determining, by the network device, that each encrypted session of a second subset of the plurality of encrypted sessions is associated with a trusted cryptographic certificate and thereby represents a non-suspicious session; 
in response to determining that the second subset of the plurality of encrypted sessions corresponds to a plurality of non-suspicious sessions, causing bypass of decryption of content of the second subset of the plurality of encrypted sessions or of analysis of metadata related to the plurality of non-suspicious sessions; and 
overriding a certificate exception created by a user device of the plurality of user devices, in a transparent proxy mode without interfering with experiences of the plurality of user devices.

Claim 25. (Currently Amended) 	A network device comprising: 

a memory storing instructions, execution of which by the processor causes the network device to: 
intercept information transmitted by a plurality of host servers in response to a plurality of requests from a plurality of user devices seeking a plurality of encrypted connections with the plurality of host servers; 
compare an identification of each host server to a blacklist of host servers such that any encrypted connection of a blacklisted host server is decrypted and inspected to identify malicious activity and any encrypted connection of a host server that is not blacklisted undergoes a cryptographic certificate validation process; 
responsive to identifying an invalid cryptographic certificate, blacklist a host server having the invalid cryptographic certificate, decrypt the encrypted connection of the plurality of encrypted connections having the invalid cryptographic certificate, or analyze metadata of the encrypted connection having the invalid cryptographic certificate to determine a malicious connection; and 
responsive to identifying a valid cryptographic certificate, allow the encrypted connection associated with the valid cryptographic certificate with a user device of the plurality of user devices and bypassing decryption of the encrypted connection associated with the valid cryptographic certificate; and 
override a certificate exception created by a user device of the plurality of user devices, in a transparent proxy mode without interfering with experiences of the plurality of user devices.
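As an added illustration, not part of this Office Action or of the applicant’s disclosure, the following Python sketch models the decision the claims describe: a certificate validation policy that labels each intercepted connection suspicious (decrypt or analyze metadata) or normal (bypass decryption), using the trust-store attribute of claim 10, the blacklist handling of claim 25, and the user-exception override of claim 1. All host names, issuer names, dates and the CertInfo/ValidationPolicy types are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

DECRYPT, BYPASS = "decrypt_or_analyze_metadata", "bypass_decryption"  # suspicious / normal

@dataclass
class CertInfo:  # constructed, simplified view of an intercepted server certificate
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

@dataclass
class ValidationPolicy:
    trusted_issuers: frozenset                   # trust-store "trusted attribute" (claim 10)
    blacklist: set = field(default_factory=set)  # blacklisted host servers (claim 25)

    def invalid_reason(self, host, cert, now):
        """Why the certificate fails the trusted attribute, or None if it passes."""
        if cert.issuer not in self.trusted_issuers:
            return "issuer not in trust store"
        if not cert.not_before <= now <= cert.not_after:
            return "outside validity period"
        if cert.subject_cn != host:  # exact match only; wildcard names not handled here
            return "subject does not match requested host"
        if cert.revoked:
            return "certificate revoked"
        return None

    def decide(self, host, cert, now, user_exception=False):
        """Map one intercepted connection to DECRYPT (suspicious) or BYPASS (normal)."""
        if host in self.blacklist:  # claim 25: blacklisted hosts are decrypted unconditionally
            return DECRYPT, "host blacklisted"
        reason = self.invalid_reason(host, cert, now)
        if reason is None:
            return BYPASS, "certificate satisfies trusted attribute"
        self.blacklist.add(host)    # claim 25: an invalid certificate blacklists the host
        if user_exception:          # claim 1: the device overrides the user's exception
            reason += " (user certificate exception overridden)"
        return DECRYPT, reason

def demo(now=datetime(2021, 4, 22)):
    """Constructed sample: three connections as the transparent proxy would see them."""
    policy = ValidationPolicy(trusted_issuers=frozenset({"Example Root CA"}))
    valid = lambda cn: CertInfo(cn, "Example Root CA", datetime(2021, 1, 1), datetime(2022, 1, 1))
    selfsigned = CertInfo("cdn.example", "cdn.example", datetime(2021, 1, 1), datetime(2022, 1, 1))
    return [policy.decide("bank.example", valid("bank.example"), now),
            policy.decide("cdn.example", selfsigned, now, user_exception=True),
            policy.decide("cdn.example", valid("cdn.example"), now)]  # host is now blacklisted
```

The third decision shows the claim 25 ordering: once a host has presented an invalid certificate it is blacklisted, so a later connection to it is decrypted even when the new certificate would pass validation.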
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following reference is cited but has not been relied upon for this Office Action:
Chuang et al (US 8677466B1) discloses that a digital certificate may be extracted from communications between a web browser and a web server computer. The digital certificate may be verified independently of the web browser by comparing it against the contents of a database containing digital certificates of legitimate websites or by consulting a remotely located security server computer.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 

/MICHAEL M LEE/Examiner, Art Unit 2436   

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436