Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the claims filed 3/29/2019.  Claims 1-20 are pending.  Claims 1 (a system), 9 (a non-transitory CRM), and 17 (a method) are independent.


Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 4, 8, 9, 12, 16, 17, and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ellard et al., US 2015/0358285 (published 2015-12).
As to claims 1, 9, and 17 Ellard discloses the machine/CRM/method comprising: 
A verification device, comprising: 
one or more memories; and (“The mass storage 1016 may include a machine-readable medium 1022 on which is stored one or more sets of data structures or instructions 1024 (e.g., software) embodying or utilized by any one or more of the techniques or functions described herein.” Ellard ¶ 81)

receive a first network connection request, that does not include a domain name server (DNS) query (A DNS query would be executed in Ellard Fig. 6, prior to Fig. 7. See Ellard ¶¶ 33-38 describing the gateway and ¶¶ 24-26 describing the DNS lookup mechanism.), for establishment of a connection to a target destination; (“outbound traffic may be received. The outbound traffic may originate from any device within the protected network.” Ellard ¶ 60. Discussing Ellard Fig. 7)
determine whether information identifying the target destination matches information identifying a permissible destination, (“At 704, a determination as to whether a local destination-address of the outbound traffic is mapped to an external address.” Elard ¶ 61) included in a set of permissible destinations (the mapping, see Elard ¶¶ 55-56 and Fig. 3, table 310), identified in connection with a second network connection request, (the DNS lookup of Fig. 6, resulting in the adding of the mapping. See Elard ¶¶ 23 and 26)
wherein the second network connection request included a prior DNS query (“At 602, a domain name server may receive a DNS lookup request.” Ellard ¶ 53) and was received prior to the first network connection request being received, (Fig. 6 step 610/612 creates the mapping used in Ellard step 702 in ¶ 61)
wherein a prior security verification was performed in connection with the second network connection request and the prior DNS query; and (“At 604, the domain-name server may optionally check to determine if the requested domain 
selectively establish (“At 710, the outbound traffic is transmitted with the destination address translated to be the actual external address.” Ellard ¶ 63) or block (“If the local destination-address is not included in a mapping to an external address, then, at 706, the outbound traffic is blocked.” Ellard ¶ 62) the connection to the target destination as a response to the first network connection request based on whether the information identifying the target destination matches the information identifying the permissible destination (“At 704, a determination as to whether a local destination-address of the outbound traffic is mapped to an external address.” Ellard ¶ 61), included in the set of permissible destinations (the mapping), identified in connection with the second network connection request. (“At 612, the domain name sever may provide the mapping to the gateway. In the scenario where the mapping indicates that the address 192.0.43.10 is mapped to 10.1.1.1 both addresses are provided to the gateway.” Ellard ¶ 57. Mapping performed after the domain is allowed in step 604, see above.)

As to claims 4, 12, and 20, Ellard discloses the machine/CRM/method of claims 1, 9, and 17 and further discloses:
wherein the one or more processors, when selectively establishing (“At 710, the outbound traffic is transmitted with the destination address translated to be the actual external address.” Ellard ¶ 63) or blocking (“If the local destination-address is not included in a mapping to an external address, then, at 706, the outbound traffic is blocked.” Ellard ¶ 62) the connection to the target destination, are to: 


As to claims 8 and 16, Ellard discloses the machine/CRM/method of claims 1 and 9 and further discloses:
wherein the information identifying the target destination is an Internet protocol (IP) address and the information identifying the permissible destination is the same IP address. (“client-A 304 may transmit a first packet-A 316 to the gateway 308 with a source address of 198.51.100.3 and a destination address of 10.1.1.1, …. The gateway 308, upon receipt of the first packet-A 316 may reference the mapping store 310 and replace the destination address of 10.1.1.1 with address 192.0.43.10” Ellard ¶ 38. The destination address of client A is found in the mapping table, resulting in an allowed transmission.)


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have 

Claims 2, 3, 10, 11, 18, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ellard et al., US 2015/0358285 (published 2015-12).
As to claims 2, 10, and 18, Ellard discloses the machine/CRM/method of claims 1, 9, and 17 and further discloses:
wherein the one or more processors are further to: 
receive, before receiving the first network connection request, the second network connection request; (“At 602, a domain name server may receive a DNS lookup request.” Ellard ¶ 53)
establish, after receiving the second network connection request and before receiving the first network connection request, (“At 614, the local address for the requested hostname is provided to the requesting device.” Ellard ¶ 58) 
and store, before receiving the first network connection request, information indicating that the target destination is the permissible destination based on success of the prior security verification (“At 612, the domain name sever may provide the mapping to the gateway. In the scenario where the mapping indicates that the address 192.0.43.10 is mapped to 10.1.1.1 both addresses are provided to the gateway.” Ellard ¶ 57) in connection with establishment of the prior connection to the target destination; and (“At 604, the domain-name server may optionally check to determine if the requested domain is prohibited from access.” Ellard ¶ 54)
wherein the one or more processors, when selectively establishing or blocking the connection, are to: 


	Ellard does not explicitly disclose:
a prior connection to the target destination;
(In Ellard Fig. 7, all traffic that has a matching mapping from Fig. 6, step 612, is permitted. Traffic being a plurality of packets.  However, Ellard does not explicitly disclose that more than one packet to any destination is processed in Ellard Fig. 7.  Note that Figure 6 is handling the DNS address discovery/mapping and not a connection to a destination.)

	It would have been obvious to a person of ordinary skill in the art to transmit multiple packets to the same destination and process said packets in the traffic gateway of Ellard Fig. 7.  Where the first packet would correspond to “a prior connection to the target destination” and a subsequent packet would correspond to “the connection”.  It would have been obvious to a person of ordinary skill in the art before the effective filing date to modify Ellard by transmitting a plurality of packets to a common destination 

As to claims 3, 11, and 19, Ellard discloses the machine/CRM/method of claims 2, 10, and 18 and further discloses:
wherein the one or more processors are further to: 
perform the prior security verification on the second network connection request based on receiving the second network connection request; and (“At 604, the domain-name server may optionally check to determine if the requested domain is prohibited from access.” Ellard ¶ 54)
establish the prior connection (e.g. the first packet, as modified in claim 2) based on performing the prior security verification. (“At 612, the domain name sever may provide the mapping to the gateway. In the scenario where the mapping indicates that the address 192.0.43.10 is mapped to 10.1.1.1 both addresses are provided to the gateway.” Ellard ¶ 57. Mapping performed after the domain is allowed in step 604, see above.)

Claims 5, 7, 13, and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ellard et al., US 2015/0358285 (published 2015-12), in view of Sarnikowski et al., US 6,959,006 (published 2005-10).

	wherein the one or more processors are further to: receive information identifying one or more permissible destinations; and add the one or more permissible destinations to the set of permissible destinations.

	Sarnikowski discloses:
wherein the one or more processors are further to: receive information identifying one or more permissible destinations; and add the one or more permissible destinations to the set of permissible destinations. (“On request from block 310, LDP block 312 examines the local policy decision cache for a matching entry. In case the decision is not in the cache, block 312 communicates with the policy server to get the appropriate decision. The policy decision is then sent to the Policy Enforcement Point (PEP), block 310, and the local cache is updated for all future references.” Sarnikowski Col. 8, ln. 9.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ellard with Sarnikowski by including a policy server to obtain blacklist information on which domains or addresses should be blocked by the gateway of Ellard.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ellard with Sarnikowski in order to obtain information on malicious or undesirable domains that should be blocked by the system of Ellard (e.g. Fig. 6); thereby allowing the system to 

As to claims 7 and 15, Ellard discloses the machine/CRM/method of claims 1, and 9 but does not disclose:
wherein the one or more processors are further to: provide information indicating a set of destinations to a validation device; and receive validation information indicating that a subset of the set of destinations are validated for inclusion in the set of permissible destinations.

Sarnikowski discloses:
wherein the one or more processors are further to: provide information indicating a set of destinations to a validation device; and receive validation information indicating that a subset of the set of destinations are validated for inclusion in the set of permissible destinations.
 (“On request from block 310, LDP block 312 examines the local policy decision cache for a matching entry. In case the decision is not in the cache, block 312 communicates with the policy server to get the appropriate decision. The policy decision is then sent to the Policy Enforcement Point (PEP), block 310, and the local cache is updated for all future references.” Sarnikowski Col. 8, ln. 9.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ellard with Sarnikowski by including a policy server to .



Claims 6 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ellard et al., US 2015/0358285 (published 2015-12), in view of Smith, US 2016/0330287 (published 2016-11).
As to claims 6 and 14, Ellard discloses the machine/CRM/method of claims 1 and 9 and further discloses:
receive information identifying a user device associated with the first network connection request; and (“A client device 104, … may communicate with server 106 … by transmitting a packet 108 … to the gateway 100. The packet 108 may contain a destination address (e.g., IP address 192.0.43.10) of the server 106 and an origin address (e.g., IP address 198.51.100.3) of the client 104.” Ellard ¶ 21)

Ellard does not disclose:


Smith discloses: 
wherein the one or more processors, when selectively establishing or blocking the connection to the target destination, are to: selectively establish or block the connection to the target destination based on the information identifying the user device associated with the first network connection request. (“A content request (which may be a single packet, multiple packets, or otherwise), which in general contains information indicative of the IP address of the user device as well as that of the chosen content server 9, …. An entry on the exception list 8 for the tuple <user IP address, good content IP address, time> means that the user device has recently looked up the IP address of the content server 9 from the DNS server 4 for a website that should not be subject to filtering, so the content request can be forwarded to the content server 9 (s315).” Smith ¶ 85).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ellard with Smith by checking both the user IP address and the destination IP address to condition user access based on a recent DNS lookup, as is done in Smith ¶ 85.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ellard with Smith .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Nema et al., US 2020/0112537, discloses a system for domain name and ip-address whitelists.
Bazzi et al., US 2016/0164946, discloses a system for filtering network traffic by authorizing only traffic that is preceded by a DNS request.
Wood, US 2019/0081952, discloses blocking DNS requests based on a whitelist and domain owner.
Reddy et al., US 2017/0331780, discloses a domain whitelist that is based on domain name and a determination on whether the domain shares an IP address with other domains.


Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165.  The examiner can normally be reached on M, W-F 8-5.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MICHAEL W CHAO/Examiner, Art Unit 2492