DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This written action is responding to the request for continued examination (RCE) dated April 26, 2021.
In the RCE dated April 26, 2021, claims 1-3, 27-28, 30 and 35 have been amended, claims 13, 22-26, 29, 31 and 36 have been canceled, and all other claims are previously presented.
Claims 1-12, 14-21, 27-28, 30 and 32-35 are allowed.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on April 26, 2021 has been entered.

Drawings
Replacement drawings figures 22-27 and 54-63 submitted on May 05, 2021 are accepted by the Examiner. 

Allowable Subject Matter
Claims 1-12, 14-21, 27-28, 30 and 32-35 are allowed.


Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance.
Independent Claim 1 is allowable based on the amendment presented on April 26, 2021.
Specifically, the independent Claim 1 now recites limitations as follows:

“An apparatus for authenticating an identify of network traffic using a network endpoint device (10), the network endpoint device (10) having a hardware processor, comprising:
a network (20); 
said network endpoint device (10), a remote network device (11), and an authentication device (18) each being connected to said network (20); 
said authentication device (18) including a network interface (49) and a peering service (24);
said peering service (24) including an identity recognizer (25) and a first table of policy rules (27); 
said network endpoint device (10) including at least one network interface (49); 
said network endpoint device (10) for receiving an IP packet (12) from said remote network device (11) using said network interface (49); 

said TCP header (14) including a TCP SYN bit (16) and without an ACK bit; 
said network (20) for conveying said IP packet (12) to said authentication device (18);
said identity recognizer (25) in said peering service (24) in said authentication device (18) for determining an identity (22) of a sender of said IP packet (12);
said peering service for selecting a policy rule (26) by matching said identity (22) from said first table of policy rules (27);
said authentication device (18) for authenticating said identity of network traffic, said authentication device (18) using statistical object identification for performing authentication,
wherein said statistical object identification extracts a statistical object (1014F) from said IP packet (12);
wherein said statistical object identification produces an accumulated statistical object (1014MA) upon an exact match of said statistical object (1014F) within in a plurality of statistical objects”.

The cited reference by Umesawa et al. (US PGPUB. # US 2005/0094637) teaches a network (Fig. 1 (3)), a network endpoint device (Fig. 1 (2)), an authentication device (Fig. 1), and a remote network device (Fig. 1 (2)). It further discloses that both the authentication device and the network endpoint device have a network interface. A network endpoint device receives IP packets from the remote network device. (¶86). The received IP packet includes a TCP header. (¶94). The network endpoint device communicates the received IP packet to the authentication device. (¶43).
The reference by Rao et al. (US PGPUB. # US 2013/0332962) discloses a peering service. (¶37). FIG. 3 is a simplified block diagram illustrating example details of an embodiment of communication system 10. Representative NAC 24 includes a processor 45, a memory element 48, a credential module 50, an AAA module 52, and a policy module 54. Representative VM 16 may send representative user credentials 32 to representative VEM 20. VEM 20 may forward user credentials 32 to NAC 24. Credential module 50 may receive user credentials 32 and identify the packet as an authentication packet (e.g., 802.1X, WebAuth, MAB, etc.). AAA module 52 may forward user credentials 32 to representative AAA server 26. AAA server 26 may respond with representative user policy 34. Policy module 54 may receive user policy 34 and facilitate enforcement of user policy 34 across DCV network 14. For example, policy module 54 may forward user policy 34 to VEM 20 for further processing, such as determining access to other network services. If no user policy 34 is received by NAC 24, a default all-access allowed policy may be enforced for the user. (¶46). Thus Rao discloses an identity recognizer (Fig. 3(52), “an AAA module 52”) and a first table of policy rules (Fig. 3(54), “a policy module 54”).
The reference by John et al. (US PGPUB. # US 2006/0236370) discloses, a client application, such as client application 62a, initiates an application session by sending a SYN request to a server application, such as server application 64a. The SYN request includes the client application's network address 99a and port ID 62b and the server application's network address 99b and port ID 64b, which are respectively encapsulated in the source address, source port ID, destination address and destination port ID fields of a TCP packet having its SYN bit set and its ACK bit not set. (Fig. 1, ¶37). Collector 6 associates session information, such as session information 98, with at least one object attribute by matching the client application network address included in the session information with at least one object attribute that has been associated with a network address obtained from an authentication packet. The Monitor Device Patent teaches various embodiments for associating a network address from an authentication packet with a set of object attributes. In accordance with one embodiment of the present invention, monitor 4 identifies authentication exchange packets from the packets received. For each authentication exchange packet identified, monitor 4 extracts a user ID and a network address from the authentication exchange packet and sends the user ID and network address to collector 6, which attempts to associate the user ID with user information maintained by the directory service. If collector 6 successfully associates the user ID and with user information maintained by the directory service, collector 6 creates an association between the network address extracted from the authentication packet and the user information. Collector 6 then records the (Fig. 1, ¶95). Validation of the extracted network address may be accomplished by determining whether a real user is logged on to the client that initiated the authentication exchange. 
In one embodiment of the present invention, this may be accomplished by using the extracted network address in a hostname request that is sent to a name service 27 (shown in FIG. 1) on the networked environment. Upon receiving the hostname request, name service 27 will perform a reverse look-up. If a hostname exists that has been assigned to a client having the same network address as the extracted network address, the name service will reply with that hostname. If the hostname is returned, control software 94 sends a user account query to the client having the hostname. The client having the hostname responds to the user account query by returning a list of user accounts currently logged onto the client at the time the user account query is received. Control software 94 reviews the list of user accounts and if it finds, a user account having a user name matching the extracted user ID, which in this example is a user name, control software 94 deems valid the extracted network address. (¶164).
The reference by Adnan M. Alattar (US PGPUB. # US 2011/0091066) discloses, various forms of statistical analyses may be performed on a signal to identify places to locate the watermark, and to identify places where to extract the watermark. For example, a statistical analysis can identify portions of a host image that have noise-like properties that are likely to make recovery of the watermark signal difficult. Similarly, statistical analyses may be used to (¶55). After the encoder has completed encoding a watermark into an object, it analyzes the watermarked object and derives a characteristic or set of characteristics that describe attributes of it. This attribute can be a characteristic signal manifested in a transform domain or in the native domain of the watermarked signal. For example, the attribute may be the location or location of frequency coefficients that have signal energy above a given level. It may be an identifier of a color and a corresponding range of watermark signal strength in that color. For an image object, this characteristic may be measured by printing the watermarked image, scanning the image back to a digital domain, and then computing the characteristic. Next, the characteristic is stored in a database entry that is referenced via a database index in the watermark message. At decoding time, the characteristic is re-computed by scanning the watermarked image. The characteristic computed at decoding time is then matched with the characteristic stored in the database to determine whether it is sufficiently close to the stored characteristic. If so, it is deemed valid. (¶240).
Ragepalli et al. (US PGPUB. # US 2009/0063665) discloses, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network (Abstract).
A. David Shay (US PGPUB. # US 2004/0098619) discloses, a source node initiates a request for network services, such as session establishment, database access, or application access. Known network resources and authorized user information is stored in a database at a network portal along with access policy rules that are device and user dependent. Identification of the source node is required before the source node can construct a transformed packet header that is included with a synchronization packet before transmission to a destination node. An appliance or firewall in the communications network receives and authenticates the synchronization packet before releasing the packet to its intended destination. The authentication process includes verification of the access policy associated with the source node. Once received at the destination node, the transformed packet header is reformed by extracting a key index value. The extracted key index is subsequently used to transform the packet header in the response transmitted to the source node. (Abstract).
Chunduri et al. (US PGPUB. # US 2013/0024684) discloses, a network element supports Transmission Control Protocol Authentication Option (TCP-AO) with a Key Management Protocol (KMP) to authenticate TCP segments over a TCP session. The network element negotiates multiple traffic (Abstract).
However, each of the cited references or reference from the updated search, at least, fails to teach or suggest the limitations regarding “……..
said authentication device (18) for authenticating said identity of network traffic, said authentication device (18) using statistical object identification for performing authentication,
wherein said statistical object identification extracts a statistical object (1014F) from said IP packet (12);
wherein said statistical object identification produces an accumulated statistical object (1014MA) upon an exact match of said statistical object (1014F) within in a plurality of statistical objects”, in combination with the rest of the limitations recited in the independent claim(s).

None of the previously cited prior art references or reference(s) from the updated search yields any specific reference that would reasonably, either singularly or in combination with the previously cited references, result in a reasonable and proper rejection for each of the cited feature limitations of the independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claims 27, 30 and 35 are also apparatus claims of the above apparatus claim 1, and therefore, they are also allowed.
Claims 2-12 and 14-21 depend on the allowed claim 1, and therefore, they are also allowed.
Claim 28 depends on the allowed claim 27, and therefore, it is also allowed.
Claims 32-34 depend on the allowed claim 30, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316.  The examiner can normally be reached on M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-






/DARSHAN I DHRUV/Primary Examiner, Art Unit 2498