DETAILED ACTION
- Claims 21-40 are presented for examination.
- Claims 1-20 are cancelled.

Claim Objections
 Claims 28-36 are objected to because the recite “the product of..” a parent claim when the parent claims starting with claim 21 are method claims. These claims are read as reciting “the method of”. Correction is required.
Claims 28, 29, 35 and 36 are objected because they recite the terms “the pre-established communication pathway” which lack antecedent basis. For the purpose of examination, these recitations are interpreted as “the communication pathway”.

Double Patenting
 The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re LongL 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re 
 A timely filed terminal disclaimer in compliance with 37 CFR 1.321 (c) or 1.321 (d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
 Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
 Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-29 of Patent No. 10630642.
Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-28 of Patent No. 10397186.
Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-30 of Patent No. 10367811.
Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-30 of Patent No. 10361859.
Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-24 of Patent No. 10374803.
Claims 21-40 are rejected on the ground of nonstatutory double patenting over claims 1-22 of Patent No. 10375019.

Claims 21-40 are provisionally rejected on the ground of nonstatutory double patenting over claims 31-60 of copending Application No. 16/450221.
Claims 21-40 are provisionally rejected on the ground of nonstatutory double patenting over claims 1-30 of copending Application No. 16/228331.
The claims in the instant application are either anticipated or rendered obvious by the claims in the above patents and copending applications.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 21-40 are rejected under 35 U.S.C. 103 as being unpatentable over Verzun et al (US Pub.No.2016/0219024) in view of Wei et al (US Pub. No.2012/0144187).

Re Claim 21. Verzun discloses a method for securing communication of information between a user-application and a remote computing device, comprising executing communication management operations in or in conjunction with the user-application, the communication management operations comprising: i) negotiating an encrypted The client device is normally placed in a separate security zone from the cloud, and it must first become an authorized SDNP client, a step which involves installing in the client device a software package specific to the device's security zone, typically via a download from an SDNP administration server.  The client device is linked to the SDNP cloud through a gateway media node in the cloud.  The gateway media node has access to the shared secrets pertaining to both the cloud and the client's device's security zone, but the client device does not have access to the shared secrets pertaining to the SDNP cloud) [Verzun, para.0449], (i.e. Layer 6 is also responsible for encryption, i.e. formatting and encrypting data before sending across a network, and conversely decrypting data and reformatting it before presenting it to the application layer. For example, upon receiving a tab-delineated data file sent in an encrypted format over the Internet, Layer 6, once it has decrypted the file according to negotiated decryption keys, can reformat the data for importation into a row-column based spreadsheet, e.g. Excel, or a relational data base such as Oracle.  To enhance security, encryption and decryption by Layer 6 can be restricted to authorized senders and recipients whose identity is confirmed a priori via a Layer 5 authentication procedure.) [Verzun, para.0285], the network security software running in a kernel of the remote computing device (i.e. each ) [Verzun, para.0431]; ii) exchanging [non-public] device identification codes with the network security software via the encrypted communication pathway (i.e. FIG. 31A, where client's device 526B, either a tablet or notebook, requests a web page from host 526A, typically a web server. In the exchange, client 526B sends a IP datagram comprising a Layer-3 IP header 529 having an IP address 527B with a numeric value "IP address B" to a host server at an IP address 527A having a numeric value "IP address A". Encapsulated within the payload of the Layer-3  datagram, the client also sends a Layer-4  transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to host port 80--a reserved HTTP port 528A used for web browser downloads of web pages) [Verzun, para.00252-0253, Fig.31A], [Verzun para.0285]; (i.e. FIG. 31B illustrates the reply for the client's request for services. As shown, all the directions of the arrows are reversed and all source and destination IP addresses and #s are swapped from the prior illustration. In the exchange, an IP datagram containing an Layer-3 IP header 537 is sent from a source IP address 531 having a numeric value "IP ) [Verzun, para.0254-0255, Fig.31B]; 
	Verzun does not explicitly disclose that the device identification codes are non-public, however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention that Verzun is suggesting this feature because Verzun states that unless a media node is registered as a valid SDNP node running on a qualified server in the SDNP name server or its equivalent function, data packets sent from that node to other SDNP media nodes will be ignored and discarded.  In a similar manner, only clients registered on an SDNP name server may contact a SDNP media node.  Like unregistered servers, data packets received from sources other than registered SDNP clients will be ignored and immediately discarded [Verzun, para.0422] and therefore it yields the expected result that the identification codes are available only to registered devices and therefore are non-public.
 	Verzun does not explicitly disclose whereas Wei does: iii) comparing an identification code for the remote computing device received during the exchanging with receiving an inbound data packet that contains an operation command for the device, comparing the layer 2 header MAC addresses, IP addresses, port numbers and protocol number with an access control list, if there is a disparity between thelayer 2 header MAC addresses, IP addresses, port numbers or protocol number, and the access control list, dropping the data packet, comparing the layer 3 header source address, destination address and protocol number with the access control list, if there is a disparity between the layer 3 header source address, destination address or protocol number, and the access control list, dropping the data packet, comparing the layer 4 header sequence number and acknowledgement number with a connection status, if the layer 4 sequence number or acknowledgement number does not conform with the connection status, dropping the data packet, [Wei, para.0018]; iv) receiving a message via the encrypted communication pathway, the message comprising: (a) the information; and (b) an encrypted parameter; and v) matching a decrypted form of a first portion of the parameter with a preconfigured identifier for the process, to confirm that the information originates from an authorized process on the remote computing device (i.e. receiving an inbound data packet that contains an operation command for the device, …………………decrypting the layer 7 (application layer) data into a predetermined communication protocol, comparing the application ) [Wei, para.0018].
	It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify Verzun with Wei because it would be desirable to have an application layer security proxy to protect substation automation systems.  The application layer security proxy inspects an inbound data packet at the application layer, and either drops the data packet, forwards the data packet, or processes the data packet rather than dropping it in order to maintain the communications network connection, the later two according to a predefined role-based access control policy [Wei, para.0014].
Re Claim 22. Verzun in view of Wei discloses the method of claim 21, Wei further discloses comprising: matching a decrypted form of a second portion of the parameter with a preconfigured information type identifier (i.e. decrypting the layer 7 (application layer) data into a predetermined communication protocol, ………………. comparing the operation command with a Role-Based Access Control (RBAC) comprising, if the operation command is authorized by the RBAC, the operation command is reassembled into a data packet according to the application layer communication protocol, and if the operation command is not ) [Wei, para.0018].
The same motivation to modify with Wei, as in claim 1, applies. 
Re Claim 23. Verzun in view of Wei discloses the method of claim 22, Wei further discloses comprising: (a) using the preconfigured information type identifier to obtain a data definition for the information; and (b) evaluating the information to determine whether the information complies with the data definition (i.e. decrypting the layer 7 (application layer) data into a predetermined communication protocol, ………………comparing the operation command with a Role-Based Access Control (RBAC) comprising, if the operation command is authorized by the RBAC, the operation command is reassembled into a data packet according to the application layer communication protocol, and if the operation command is not authorized by the RBAC, the operation command is changed to an invalid operation command for the device and reassembled into a data packet according to the application layer communication protocol) [Wei, para.0018].
The same motivation to modify with Wei, as in claim 1, applies. 
Re Claim 24. Verzun in view of Wei discloses the method of claim 23, Verzun further discloses comprising: (a) using the preconfigured information type identifier to obtain an So while some port #s are open and assigned as needed at the election of the server, others are reserved for use in UDP packets, for TCP packets or for both) [Verzun, para.0255].
 
Re Claim 25. Verzun in view of Wei discloses the method of claim 23, Wei further discloses comprising: (a) using the preconfigured information type identifier to obtain a list of allowed commands; and (b) evaluating the information to determine whether the information comprises a command present on the list of allowed commands (i.e. comparing the operation command with a Role-Based Access Control (RBAC) comprising, if the operation command is authorized by the RBAC, the operation command is reassembled into a data packet according to the application layer communication protocol, and if the operation command is not authorized by the RBAC, the operation command is changed to an invalid operation command for the device) [Wei, para.0018]. 
The same motivation to modify with Wei, as in claim 1, applies. 
Re Claim 26. Verzun in view of Wei discloses the method of claim 21, Verzun further discloses wherein the identification code is obtained from a network packet (i.e. Layer 4, transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to ) [Verzun, para.0252, Fig. 31B, depicts layer 4 in  item 538 source and destination port numbers].  
 
Re Claim 27. Verzun in view of Wei discloses the method of claim 21, Verzun further discloses wherein the identification code is obtained from a portion of the network packet that is higher-than-OSI layer three and lower-than-OSI layer six (i.e. Layer 4, transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to host port 80--a reserved HTTP port 528A used for web browser downloads of web pages) [Verzun, para.0252, Fig. 31B, depicts layer 4 in  item 538 source and destination port numbers]. 

Re Claim 28. Verzun in view of Wei discloses the method of claim 21, Verzun further discloses wherein the communication management operations further comprise: i) causing a network stack to send a first application identifier to the remote computing device via the pre-established communication pathway; ii) receiving, after the network stack sends the first application identifier, a second application identifier for a remote application program, the remote application program running on the remote computing device; and iii) comparing the second application identifier with a pre-established value for the second application program (i.e. This process is illustrated in FIG. 34, where notebook 35 having a numeric IP address "NB" and dynamic port assignment requests a file from file server 21A by ) [Verzun, para.309-0312].  

Re Claim 29. Verzun in view of Wei discloses the method of claim 21, Verzun further discloses wherein the communication management operations further comprise: i) causing the network stack to send a data type identifier to the remote computing device via the pre-established communication pathway; ii) receiving, after the network stack sends the data type identifier, the data type identifier from the remote computing device; and iii) comparing the received data type identifier with a pre-established value for the remote computing (i.e. This process is illustrated in FIG. 34, where notebook 35 having a numeric IP address "NB" and dynamic port assignment requests a file from file server 21A by sending IP packet 580 as an FTP request using TCP transport, to port #21, the FTP control port of the file server. The resulting IP packet 580 includes destination IP address "S1", the destination port #21, along with its source IP address "NB", and its ad hoc port #9999. Since port #21 represents the control port for requesting ) [Verzun, para.309-0312].    

Re Claim 30. Verzun in view of Wei discloses the method of claim 29, Verzun further discloses wherein the communication management operations further comprise: i) causing a data packet to be transmitted from a first port to the network stack, the data packet comprising a payload and a second port number; and ii) sending a command to assemble a packet segment for the received data packet, the packet segment comprising the payload, the first application identifier, and the data type identifier (i.e. This process is illustrated in FIG. 34, where notebook 35 having a numeric IP address "NB" and dynamic port assignment requests a file from file server 21A by sending IP packet 580 as an FTP request using TCP transport, to port #21, the FTP control port of the file server. The resulting IP packet 580 includes destination IP address "S1", the destination port #21, along with its source IP address "NB", and its ad hoc port #9999. Since port #21 represents the control port for requesting file transfer services, file server 21A knows that notebook 35 is requesting a file and expects login information to confirm the packet's destination IP address and port number) [Verzun, para.309-0312].   

Re Claim 31. Verzun in view of Wei discloses the method of claim 30, Verzun further discloses wherein the communication management operations further comprise: translating the payload to a format expected by the second application program (i.e. Layer 6 is also responsible for encryption, i.e. formatting and encrypting data before sending across a network, and conversely decrypting data and reformatting it before presenting it to the application layer. For example, upon receiving a tab-delineated data file sent in an encrypted format over the Internet, Layer 6, once it has decrypted the file according to negotiated decryption keys, can reformat the data for importation into a row-column based spreadsheet, e.g. Excel, or a relational data base such as Oracle) [Verzun, para.0285, see also para.00318-0319]. 

Re Claim 32. Verzun in view of Wei discloses the method of claim 30, Verzun further discloses wherein the communication management operations further comprise: confirming the payload conforms to a data model pre-assigned to the data type (i.e. the network or Internet layer, comprises packets called "datagrams" containing Internet Protocol (IP) information used for routing an IP packet including whether the packet contains IPv4 or IPv6 data and the corresponding source and destination IP addresses as well as information regarding the nature of the payload contained within the packet, i.e. whether the type of transport protocol used comprises Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or something else) [Verzun, para.0077].   

Re Claim 33. Verzun in view of Wei discloses the method of claim 30, Verzun further discloses wherein the communication management operations further comprise: confirming the payload conforms to a data range pre-assigned to the destination port number (i.e. So while some port #s are open and assigned as needed at the election of the server, others are reserved for use in UDP packets, for TCP packets or for both) [Verzun, para.0255]. 

Re Claim 34. Verzun in view of Wei discloses the method of claim 30, Verzun further discloses wherein the communication management operations further comprise: confirming the payload conforms to an allowed command type pre-assigned to the destination port number (i.e. So although the requesting port number 9,999 is arbitrarily assigned in an ad hoc manner from the next open port number, the destination port 80 has a specific meaning for the requested service as a web page request) [Verzun, para.0255].

Re Claim 35. Verzun in view of Wei discloses the method of claim 34, Verzun further discloses wherein the payload is translated to a pre- established format, the pre-established format determined from the data type identifier (i.e. Layer 6 is also responsible for encryption, i.e. formatting and encrypting data before sending across a network, and conversely decrypting data and reformatting it before presenting it to the application layer. For example, upon receiving a tab-delineated data file ) [Verzun, para.0285, see also para.00318-0319].

Re Claim 36. Verzun in view of Wei discloses the method of claim 33, Verzun further discloses wherein the pre-established communication pathway has a one-to-one correspondence to an n-tuple comprising the first application identifier, the second application identifier, the second port number, and the data type identifier  (i.e. Since port #21 represents the control port for requesting file transfer services,) [Verzun, para.0309, Fig.34], [also Verzun, Fig.22-23, Fig.28A-B, Fig.30 and 34 also show source and destination ports, applications, protocol]. 
Re Claim 37. Verzun in view of Wei discloses the method of claim 21, Wei further discloses wherein the comparing is initiated in a kernel space of the computing device (i.e. The security proxy 301 framework processes inbound and outbound data packets and may be implemented as a computer that includes a processor 401, memory 403, storage 405, software and other components……..The RBAC 421 specifies who is authorized to access the device that the security proxy 301 is coupled to and what operations they are authorized to perform) [Wei, para.0034-0039].
	The same motivation to modify with Wei, as in claim 1, applies.
Re Claim 38. Verzun discloses a method for securing communication of information between a first application running on a first computing device and a second computing device, comprising executing communication management operations in or in conjunction with the first application and a network security program running on the second computing device (i.e. The client device is normally placed in a separate security zone from the cloud, and it must first become an authorized SDNP client, a step which involves installing in the client device a software package specific to the device's security zone, typically via a download from an SDNP administration server.  The client device is linked to the SDNP cloud through a gateway media node in the cloud.  The gateway media node has access to the shared secrets pertaining to both the cloud and the client's device's security zone, but the client device does not have access to the shared secrets pertaining to the SDNP cloud) [Verzun, para.0449], (i.e. Layer 6 is also responsible for encryption, i.e. formatting and encrypting data before sending across a network, and conversely decrypting data and reformatting it before presenting it to the application layer. For example, upon receiving a tab-delineated data file sent in an encrypted format over the Internet, Layer 6, once it has decrypted the file according to negotiated decryption keys, can reformat the data for importation into a row-column based spreadsheet, e.g. Excel, or a relational data base such as Oracle.  To enhance security, encryption and decryption by Layer .) [Verzun, para.0285], the communication management operations comprising: i) executing application space commands to cause a network stack of the first computing device to send a [nonpublic] first identification code from a first computing device of the at least two networked computing devices to a second computing device of the at least two networked computing devices via a communication pathway (i.e. FIG. 31A, where client's device 526B, either a tablet or notebook, requests a web page from host 526A, typically a web server. In the exchange, client 526B sends a IP datagram comprising a Layer-3 IP header 529 having an IP address 527B with a numeric value "IP address B" to a host server at an IP address 527A having a numeric value "IP address A". Encapsulated within the payload of the Layer-3  datagram, the client also sends a Layer-4  transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to host port 80--a reserved HTTP port 528A used for web browser downloads of web pages) [Verzun, para.00252-0253, Fig.31A], the communication pathway pre-established on the network (i.e. After negotiation is completed and an authentication method is selected, communication may commence) [Verzun, para.0282]; ii) receiving, after the network stack sends the [nonpublic] first identification code, a [nonpublic] second identification code from the second computing device; and iv) configuring a kernel of the second nonpublic] second identification code from the second computing device to the first computing device (i.e. FIG. 31B illustrates the reply for the client's request for services. As shown, all the directions of the arrows are reversed and all source and destination IP addresses and #s are swapped from the prior illustration. In the exchange, an IP datagram containing an Layer-3 IP header 537 is sent from a source IP address 531 having a numeric value "IP address A" to a destination IP address 532 having a numeric value "IP address B". Encapsulated within the Layer 3 datagram, a Layer-4 transport header 538 includes source port 533 having a numeric value of port # “80” and a destination prort 534 having a numeric value of port # "9,999". Embedded within IP packet payload 539, the response to the services request is payload (data) 536 which may contain HTML code for creating a web page) [Verzun, para.0254-0255, Fig.31B]; 
Verzun does not explicitly disclose that the device identification codes are non-public, however it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention that Verzun is suggesting this feature because Verzun states that unless a media node is registered as a valid SDNP node running on a qualified server in the SDNP name server or its equivalent function, data packets sent from that node to other SDNP media nodes will be ignored and discarded.  In a similar manner, only clients registered on an SDNP name server  [Verzun, para.0422] and therefore it yields the expected result that the identification codes are available only to registered devices and therefore are non-public.
Verzun does not explicitly disclose whereas Wei does: iii) confirming that the second computing device is an authorized computing device on the network (i.e. receiving an inbound data packet that contains an operation command for the device, comparing the layer 2 header MAC addresses, IP addresses, port numbers and protocol number with an access control list, if there is a disparity between thelayer 2 header MAC addresses, IP addresses, port numbers or protocol number, and the access control list, dropping the data packet, comparing the layer 3 header source address, destination address and protocol number with the access control list, if there is a disparity between the layer 3 header source address, destination address or protocol number, and the access control list, dropping the data packet, comparing the layer 4 header sequence number and acknowledgement number with a connection status, if the layer 4 sequence number or acknowledgement number does not conform with the connection status, dropping the data packet, [Wei, para.0018];
it would be desirable to have an application layer security proxy to protect substation automation systems.  The application layer security proxy inspects an inbound data packet at the application layer, and either drops the data packet, forwards the data packet, or processes the data packet rather than dropping it in order to maintain the communications network connection, the later two according to a predefined role-based access control policy. [Wei, para.0014].
Re Claim 39. Verzun in view of Wei discloses the method of claim 38, Verzun further discloses wherein the communication management operations are configured to obtain the nonpublic second identification code from a network packet (i.e. Layer 4, transport header 530 containing its own source port number 528A with an ad hoc value of 9,999. The port request is sent to host port 80--a reserved HTTP port 528A used for web browser downloads of web pages) [Verzun, para.0252, Fig. 31B, depicts layer 4 in  item 538 source and destination port numbers].   

Re Claim 40. Verzun in view of Wei discloses the method of claim 39, Verzun further discloses wherein the nonpublic second identification code is obtained from a portion of the network packet that is higher-than-OSI layer three and lower- than-OSI layer six (i.e. Layer 4, transport header 530 containing its own source port ) [Verzun, para.0252, Fig. 31B, depicts layer 4 in  item 538 source and destination port numbers].

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NOURA ZOUBAIR whose telephone number is (571)270-7285.  The examiner can normally be reached on Monday - Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571-272-3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434