DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The Office Action is in response to claims filed on 3/4/2021, where claims 1, 4, 8, 11, 15, and 17 are amended. Claims 1 – 20 are pending and ready for examination.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Response to Arguments

Applicant’s arguments with respect to the newly amended subject matter have been considered but are moot based on a new prior art rejection comprising Yu (US 2020/0313903) (see e.g. [0100]).

The Examiner also notes the encryption scheme provided by the Applicant’s amendment is also contemplated by:

Bahrami (US 2021/0067337); see e.g. [0018]
Mason (US 2016/0337320); see e.g. [0036]
Adachi (US 2005/0256923); see e.g. [0046]

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 8, and 15 are rejected under 35 USC 103 as being unpatentable over Arisankala (US 2020/0177564) in view of Yu (US 2020/0313903) and in further view of Alexander (US 8,898,784)
Regarding claim 1, Arisankala discloses a method comprising:
intercepting an encrypted network request, the network request transmitted by a client device to a network endpoint (Arisankala;
see e.g. [0095] “ ... interception/introspection of Hypertext Transfer Protocol (HTTPs) connections or other secure  connections ...”
see e.g. [0098] “  ... the network device may intercept, decrypt, and inspect traffic ...”);
identifying a network service associated with the network endpoint based on unencrypted properties of the encrypted network request (Arisankala; 
see e.g. [0094] “ ... perform intelligent application steering based on, for instance, uniform resource locator (URL) ...”
see e.g. [0094] “ ... Hypertext Transfer Protocol Secure (HTTPS) connection ... implement URL-based application steering ...”); 
identifying, based on the encrypted network request and a series of subsequent encrypted  network requests issued by the client device, an action taken by the client device, the action comprising an activity performed during a session established with the network service (Arisankala;
see e.g. [0047] “ ... performance monitoring, measurement and data collection  activities on clients ...”
see e.g. [0048] “ ... monitor ... based upon an occurrence of given event(s), or in real time during operation of network environment 100 ... session connections to an application ... database transactions”  
see e.g. [0045] “ ... application may be a server-based or a remote-based application related to real-time communications, such as applications for streaming graphics, streaming video an ... delivery of remote desktops or workspaces ... infrastructure as a service (IaaS), workspace as a service (WaaS), software as a service  (SaaS) or platform as a service (PaaS)”); and
updating a catalog of network interactions using the network service and the action (Arisankala; Arisankala teaches continuously storing (i.e. updating a catalog using a conventional storage) application (network service) and activities;
see e.g. [0047] “ ... performance monitoring, measurement and data collection  activities on clients ...”
see e.g. [0048] “ ... monitor ... based upon an occurrence of given event(s), or in real time during operation of network environment 100 ... session connections to an application ... database transactions”
see e.g. [0004] “ ... cloud based network applications, including some high priority network applications, use a secure connection ...”
The Examiner notes that data collection is equivalent to storing (i.e. updating a catalog) in association with the network service and the action as Arisankala performs this function in order to provide for an enhanced Quality of Service;
see e.g. [0093] “ ... enhanced Quality of Service (QoS), steering, and/or policy enforcement for HTTTP traffic via intelligent in line path discovery of Transport Layer Security (TLS) terminating node”).
Arisankala does not expressly disclose:
the encrypted network request comprising an encrypted portion and a plaintext portion, the unencrypted properties determined based on the plaintext portion
However in analogous art Yu discloses:
the encrypted network request comprising an encrypted portion and a plaintext portion, the unencrypted properties determined based on the plaintext portion (Yu;
see e.g. [0100] “ ... the user device 502 generates the request to include a first portion and a second portion including encrypted data, the  encrypted data including access data and a first hash value, the first hash value being generated as a hash of the plaintext data ...”
see e.g. [0086] “P is a plaintext portion (e.g., URL of data source that is to be queried”)
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. 
The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.
As evidence of the above with respect to cataloging, Alexander in analogous art discloses:
cataloging (see e.g. Column 4, Lines 47 – 59  “ ... network cataloging includes but is not limited to ... computer network traffic and activity ... trace-route to map paths between nodes ... interacting, with the network to elicit a response to garner information about the network ...”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Alexander’s catalog. The motivation being the solution provides for increased activities in storing network services and associated actions.
Regarding claim 8, claim 8 is the corresponding non-transitory storage medium claim of method claim 1 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 15, claim 15 is the corresponding device claim of method claim 1 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Claims 2 – 3, 9 and 16 are rejected under 35 USC 103 as being unpatentable over Arisankala in view of Yu and in further view of Alexander and in further view of Zhao (US 2020/0280584)
Regarding claim 2, although Arisankala in view of Yu and in further view of Alexander discloses the method of claim 1 and teaches extracting and/or identifying URLs while inspecting secure connection data (see e.g. [0099], [0100]), Arisankala suggests but does not expressly disclose the identifying the network service comprising extracting a host and domain from a plaintext portion of a TLS handshake.
However in analogous art Zhao discloses:
the identifying the network service comprising extracting a host and domain from a plaintext portion of a TLS handshake (Zhao;
see e.g. [0092] “ ... a domain name of a TLS stream is determined using an SNI field or a common name field in a handshake message of the TLS stream, to identify an application corresponding to the TLS stream ... this is because these fields carry a domain name (Host name) .. the domain name carries information about a server that sends data of the stream, a part of the domain name may indicate the application. For example, if the domain name is books.google.com, it may be learned that the application is a book application of GOOGLE, or if the domain name is mail.google.com, it may be learned that the application is a GMAIL application of GOOGLE. In other words, the two fields carry application related information, and in other approaches, a meaning of a value (domain name) of a field is parsed to indicate an application”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Zhao’s introspection scheme detailed above. The motivation being that the combined invention provides for increased efficiencies in delivering services to client devices.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.

Regarding claim 3, Arisankala in view of Yu and in further view of Alexander and in further view of Zhao disclose the method of claim 2, however Arisankala does not expressly disclose the extracting the host and domain from the plaintext portion of the TLS handshake comprising extracting the host and domain from a server name identification extension field of a client hello issued during the TLS handshake.
However in analogous art Zhao discloses:
the extracting the host and domain from the plaintext portion of the TLS handshake (Zhao;
see e.g. [0092] “ ... a domain name of a TLS stream is determined using an SNI field or a common name field in a handshake message of the TLS stream, to identify an application corresponding to the TLS stream ... this is because these fields carry a domain name (Host name) .. the domain name carries information about a server that sends data of the stream, a part of the domain name may indicate the application. For example, if the domain name is books.google.com, it may be learned that the application is a book application of GOOGLE, or if the domain name is mail.google.com, it may be learned that the application is a GMAIL application of GOOGLE. In other words, the two fields carry application related information, and in other approaches, a meaning of a value (domain name) of a field is parsed to indicate an application”) comprising extracting the host and domain from a server name identification extension field of a client hello issued during the TLS handshake (Zhao;
see e.g. [0101] “The type may have different levels. For example for an extension field extension ec_point_format (len=2), extension is a type, and ec_point_formats is also a type ... For example, in the Client Hello Message, 11 is used to indicate a type of an extension field ...”.
see e.g. [0100] “ the handshake message usually includes three parts type, length, and value. Each or any combination of the three parts may be referred to as a feature of the field”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Zhao’s introspection scheme detailed above comprising extension fields. The motivation being that the combined invention provides for increased efficiencies in delivering services to client devices.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests
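As an added illustration of the SNI-based identification described in the Zhao citations above (not code from this Office Action or from any cited reference): a bounds-checked Python parser that reads the server_name extension (type 0, RFC 6066) from a ClientHello record and looks the host up in a small catalog. The sample record builder, the `CATALOG` labels and all function names are constructed for the example.

```python
SNI_EXT = 0            # server_name extension type (RFC 6066)
EC_POINT_FORMATS = 11  # the extension type Zhao [0101] uses as its example
# Constructed catalog: hostnames from the Zhao [0092] quote, labels assumed.
CATALOG = {"books.google.com": "Google book application",
           "mail.google.com": "Gmail"}

class Reader:
    """Bounds-checked cursor over untrusted bytes; ValueError if truncated."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated field")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def uint(self, n):
        return int.from_bytes(self.take(n), "big")
    def vec(self, len_bytes):           # length-prefixed vector -> sub-reader
        return Reader(self.take(self.uint(len_bytes)))
    def remaining(self):
        return len(self.data) - self.pos

def extract_sni(record):
    """Return the lower-cased host_name from a ClientHello record, else None."""
    try:
        r = Reader(record)
        if r.uint(1) != 22:             # record content type: handshake
            return None
        r.take(2)                       # legacy record version
        hs = r.vec(2)
        if hs.uint(1) != 1:             # handshake type: client_hello
            return None
        body = hs.vec(3)
        body.take(2 + 32)               # client_version, random
        body.vec(1)                     # session_id
        body.vec(2)                     # cipher_suites
        body.vec(1)                     # compression_methods
        if not body.remaining():
            return None                 # ClientHello without extensions
        exts = body.vec(2)
        while exts.remaining():         # each extension is type/length/value
            ext_type, ext = exts.uint(2), exts.vec(2)
            if ext_type != SNI_EXT:
                continue
            names = ext.vec(2)          # server_name_list
            while names.remaining():
                name_type, name = names.uint(1), names.vec(2)
                if name_type == 0:      # host_name
                    return name.data.decode("ascii").lower()
        return None
    except ValueError:                  # truncated or non-ASCII: treat as no SNI
        return None

def identify_service(record):
    """Map a ClientHello to (host, service label) using the plaintext SNI."""
    host = extract_sni(record)
    return None if host is None else (host, CATALOG.get(host, "unknown"))

def build_client_hello(hostname):
    """Constructed sample input: a minimal ClientHello record for testing."""
    u16 = lambda n: n.to_bytes(2, "big")
    host = hostname.encode("ascii")
    entry = b"\x00" + u16(len(host)) + host
    sni = u16(len(entry)) + entry
    exts = u16(EC_POINT_FORMATS) + u16(2) + b"\x01\x00"
    exts += u16(SNI_EXT) + u16(len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + u16(2) + b"\x13\x01"
            + b"\x01\x00" + u16(len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + u16(len(hs)) + hs
```

A ClientHello split across several TLS records or TCP segments must be reassembled before parsing, and a client using Encrypted Client Hello exposes only the outer name in this field.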
Regarding claim 9, claim 9 is the corresponding non transitory computer readable storage medium claim of method claim 2 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.

Regarding claim 16, claim 16 is the corresponding device claim of method claim 1 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Claims 4 – 5, 11 – 12, and 17 - 18 are rejected under 35 USC 103 as being unpatentable over Arisankala in view of Yu and in further view of  Alexander and in further view of Anderson (US 2019/0245866)
Regarding claim 4,   Arisankala in view of Yu and in further view of  Alexander disclose the method of claim 1 and teaches the monitoring of transaction bursts (see e.g. Arisankala [0048]), but does not expressly disclose 
further comprising training a predictive model using transaction bursts, the training the predictive model comprising:
extracting one or more transaction properties from the transaction burst; 
assigning the one or more transaction properties to a label, the label comprising one or more of a network service and an action; and 
training the predictive model with labeled data.
However in analogous art Anderson teaches:
(Anderson;
see e.g. [0039] “ ... traffic analysis 248 may assess telemetry data for a plurality of traffic flows based on any number of different conditions ... temporal characteristics ...”
see e.g. [0096] “ ... traffic analysis process 248 may also include a machine learning  classifier 512 that is configured to apply  one or more labels to an HTTP transaction contained within the TLS records 502 ...”)

extracting one or more transaction properties from the transaction burst (Anderson; see e.g. [0096] “ ... labels may be inferred characteristics (e.g. fields and/or field values) ...”) 

assigning the one or more transaction properties to a label, the label comprising one or more of a network service and an action (Anderson, see e.g. [0096] “ ... traffic analysis process 248 may also include a machine learning  classifier 512 that is configured to apply  one or more labels to an HTTP transaction contained within the TLS records 502 ...”;
see e.g. TABLE 1 illustrating network service and actions);
training the predictive model with the labeled data (see e.g. [0035] “Traffic analysis process 248 may employ any number of machine learning techniques ... use an underlying model M ... The learning processing then operates by adjusting the parameters .. use the model M to classify new data points, such as information regarding new traffic flows in the network ...”).

Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Anderson’s machine learning, modeling, and labeling schemes. The motivation being that the combined invention provides for increased efficiencies in providing application and services.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.

Regarding claim 5, Arisankala in view of Yu and in further view of Alexander and in further view of Anderson   disclose the method of claim 4, the one or more transaction properties comprising a property selected from the group consisting of:
a transmission control protocol (TCP) port; an Internet Protocol (IP) address space; a size of a datagram; a response time; a number of requests in the transaction burst; and a network route trace (Arisankala; see e.g. [0048] “ ... end- user response times ...”) (Anderson; see e.g. [0101] “The average packet size in bytes”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Anderson’s machine learning, modeling, and labeling schemes. The motivation being that the combined invention provides for increased efficiencies in providing application and services.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.
Regarding claim 11, claim 11 is the corresponding non-transitory storage medium claim of method claim 4 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 12, claim 12 is the corresponding non-transitory storage medium claim of method claim 5 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 17, claim 17 is the corresponding device claim of method claim 4 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 18, claim 18 is the corresponding device claim of method claim 5 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.

Claims 6, 13, and 19 are rejected under 35 USC 103 as being unpatentable over Arisankala in view of Yu and in further view of Alexander and in further view of Shamilian (US 2015/0312352)
Regarding claim 6, Arisankala in view of Yu and in further view of  Alexander disclose the method of claim 1, further comprising:
(Arisankala; see e.g. [0094] “ ... decrypt traffic and perform intelligent application steering based on .. uniform resource locator (URL) or other information in traffic ...” see e.g. [0111] “ ... packet may include a source address ... a destination address .. a session identifier .. “); and 
However Arisankala does not expressly disclose
updating a mapping using the IP address and the network service, the mapping comprising a mapping of IP addresses to network services.
However in analogous art Shamilian discloses:
updating a mapping using the IP address and the network service, the mapping comprising a mapping of IP addresses to network services (Shamilian;
see e.g. [0048] “ ... updates a mapping 405 between the service names .. and the service connection information for the service connection to include the new IP address ...”
see e.g. [0021] “ The endpoints 110 may be any devices which may communicate at the application layer ... end user device and a network-based device ... various combinations ...”).
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Shamilian’s mapping scheme. The motivation being the combined invention provides for increased efficiencies of providing services.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.
Regarding claim 13, claim 13 is the corresponding non-transitory storage medium claim of method claim 6 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Regarding claim 19, claim 19 is the corresponding device claim of method claim 6 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.
Claims 7, 14, and 20 are rejected under 35 USC 103 as being unpatentable over Arisankala in view of Yu and in further view of Alexander in view of Peles (US 2006/0029016)
Regarding claim 7, Arisankala in view of Yu and in further view of  Alexander disclose the method of claim 1, further comprising:
extracting a property from the encrypted network request, the property selected from the group consisting of response size, response time, network route, and uniform resource identifier (URI) header length (Arisankala; see e.g. [0048] “ ... end- user response times ...”); and
However Arisankala strongly suggests but does not expressly disclose:
 updating a mapping using the property and the network service, the mapping comprising a mapping of properties to network services.
However in analogous art Peles discloses:
(Peles teaches mapping applications and network responsiveness providing one of ordinary skill in the art to perform the task on a continuous basis;
see e.g. [0033] “ ...  response time  ... collecting response time information from the plurality of application debugging switches and mapping application and network responsiveness ...”)
Therefore it would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Peles’ mapping scheme. The motivation being the combined solution provides for increased efficiencies in managing services consumed by client devices.
Therefore it would be prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Arisankala with Yu’s encryption scheme. The motivation being the combined invention provides for increased efficiencies and enhanced services for facilitating client requests.

Regarding claim 14, claim 14 is the corresponding non-transitory storage medium claim of method claim 7 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.

Regarding claim 20, claim 20 is the corresponding device claim of method claim 7 comprising the same and/or similar matter and is considered an obvious variation; therefore it is rejected under the same rationale.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

/TODD L BARKER/Primary Examiner, Art Unit 2449