DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This office action is in response to the communication filed on 8/7/2020.
Claims 1-12 are pending.

CLAIM OBJECTIONS
Claims 1-12 are objected to because of the following informalities:  The “VPN handler application” in claim 1 on lines 4 and 7 should be “VPN handler” because many instances in dependent claims and the specification only recite “VPN handler” (see claims 2-12 and Specification, [0032]-[0033]).
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of AIA  35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be 

Claim(s) 1-3, 5-10 is/are rejected under AIA  35 U.S.C. 103 as being unpatentable over Chang (US 9,608,962 B1) in view of Karunakaran et al. (US 2016/0277359) and Su et al. (US 2018/0131620, “Su”).

For claim 1, Chang discloses a system for controlling network traffic, the system comprising:
a mobile computing device (fig. 4, col. 4, l. 4, client as a mobile device), including: 
at least one processor and a memory (fig. 4) configured to execute at least one user application and a virtual private network (VPN) handler application on the mobile computing device (fig. 4, applications 26 and VPN handler 5), wherein the VPN handler application splits TCP and user datagram protocol (UDP) network traffic exiting the mobile computing device between a VPN tunnel and an external connection (col. 4, l. 34-61, fig. 3, steps 52, 58, 60, TCP or UDP traffic can be routed to a VPN (SSL VPN for TCP and IPSec VPN for UDP) or to a public network);
wherein the VPN handler routes the TCP network traffic either over the VPN tunnel or over the external connection in response to: obtaining a fully qualified domain name (FQDN); and determining whether the FQDN is associated with a public or a private network (col. 6, l. 32-43, col. 11, para. 3, determining whether the client accesses VPN-dependent traffic by monitoring URLs that needs a secure connection,  e.g. enterprise intraweb URLs, and establishing a VPN connection to route the VPN-dependent traffic; otherwise route VPN-independent traffic over a public network as in fig. 3, items 52 and 60).
Chang does not disclose: the at least one user application establishes a communications session with a transmission control protocol (TCP) listener device; traffic exiting or routing via an external socket.
Karunakaran discloses: the at least one user application establishes a communications session with a transmission control protocol (TCP) listener device, and traffic exiting or routing via an external socket (fig. 2A, [0035], [0062], [0070], packets from client app 214 are sent to TCP listener 222 via a tunnel handler 216 then sent out to network 270 via a socket).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Karunakaran’s teachings of TCP listener and socket to Chang’s teachings of VPN traffic splitting in order to implement conventional socket handling techniques (Karunakaran, [0062], [0070].)
Chang-Karunakaran does not disclose: the FQDN is corresponding with an IP address synchronization (SYN) packet used to initiate the communication session.
Su discloses: the FQDN is corresponding with an IP address synchronization (SYN) packet used to initiate the communication session ([0046], fig. 5, TCP SYN with an IP address is used to obtain a FQDN)
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Su’s teachings of obtaining a FQDN from a SYN 

For claim 2, Chang-Karunakaran-Su discloses the VPN handler encrypts and routes the TCP network traffic over the VPN tunnel in response to determining that the FQDN is associated with a private network (Chang, col. 6, l. 32-43, col. 11, para. 3).

For claim 3, Chang-Karunakaran-Su discloses the VPN handler routes an unencrypted version of the TCP network traffic over the external socket in response to determining that the FQDN is associated with a public network (Chang, col. 6, l. 32-43, col. 11, para. 3).

For claim 5, Chang discloses an access control table including a list of entries, where each entry includes a FQDN, and one or more permissions and/or policies associated with the FQDN (col. 7, par. 2, stored rules indicating which URLs are VPN-dependent or VPN-independent).
Chang does not disclose: one or more IP addresses corresponding with each FQDN.
Su discloses: one or more IP addresses corresponding with each FQDN (fig. 5, IP addresses and FQDN table).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Su’s teachings of associating a FQDN with IP 

For claim 6, Chang-Karunakaran-Su discloses the system includes a VPN gateway through which the mobile computing device establishes the VPN tunnel (Chang, fig. 1, VPN concentrator or gateway 18 connected to a VPN tunnel to the client), and wherein the access control table is stored on the VPN gateway (Chang, col. 7, par. 2, rules stored at the VPN concentrator).

For claim 7, Chang-Karunakaran-Su discloses the access control table is stored within the mobile client device (Chang, col. 7, par. 2, rules stored locally at the client device).

For claim 8, Chang-Karunakaran-Su discloses the VPN handler determines whether to route the TCP network traffic either over the VPN tunnel or over the external socket (Chang, col. 6, l. 32-43, col. 11, para. 3) by matching FQDNs associated with the TCP network traffic to the entries in the access control table, and processing data packets of the TCP network traffic according to the one or more permissions and/or policies of the matched entries (col. 7, par. 2, stored rules indicating which URLs are VPN-dependent or VPN-independent).
Chang does not disclose routing by matching an IP address of the SYN packet.
TCP SYN with an IP address is used to obtain a FQDN and used for traffic classification).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Su’s teachings of obtaining a FQDN from a SYN packet to Chang’s teachings of splitting private and public traffics in order to classify/split traffics by FQDNs (Su, [0008]). 

For claim 9, Chang-Karunakaran-Su discloses the VPN handler determines whether to route the UDP network traffic either over the VPN tunnel or over the external socket by matching any of a source port, a destination port, or an IP address of the UDP network traffic to the entries in the access control table, and processing data packets of the UDP network traffic according to the one or more permissions and/or policies of the matched entries (Chang, col. 4, l. 34-61, fig. 3, steps 52, 58, 60, TCP or UDP traffic can be routed to a VPN (SSL VPN for TCP and IPSec VPN for UDP) or to a public network, at least based on extracted IP addresses in col. 5 l. 16-24).

For claim 10, Chang does not disclose a domain name service (DNS) cache that maps IP addresses to FQDNs; wherein the VPN handler populates the FQDNs in the entries of the access control table when the entries are lacking FQDNs corresponding to the IP addresses, using the DNS cache to obtain the FQDNs corresponding to the IP addresses.
FQDN-IP address table is the DNS cache for looking up domain name and IP address, [0041], [0051], the table is self-updating to populate domain names and IP addresses)
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Su’s teachings of obtaining a FQDN from a SYN packet to Chang-Karunakaran’s teachings of splitting private and public traffics in order to classify/split traffics by FQDNs or IP addresses (Su, [0008]). 

Claim(s) 4 is/are rejected under AIA  35 U.S.C. 103 as being unpatentable over Chang-Karunakaran-Su in view of Kadosh et al. (US 10,419,965 B1, “Kadosh”).

For claim 4, Chang discloses the VPN handler extracts information from the UDP network traffic including an IP address, encrypts and routes the UDP network traffic over the VPN tunnel in response to determining that any of the extracted information is associated with a private network, and routes an unencrypted version of the UDP network traffic over the external socket in response to determining that any of the extracted information is associated with a public network (col. 4, l. 34-61, fig. 3, steps 52, 58, 60, TCP or UDP traffic can be routed to a VPN (SSL VPN for TCP and IPSec VPN for UDP) or to a public network, at least based on extracted IP addresses in col. 5 l. 16-24).
Chang does not disclose extracting information from the UDP network traffic including an IP address, a source port, and a destination port.
Kadosh discloses disclose extracting information from the UDP network traffic including an IP address, a source port, and a destination port (col. 6, l. 51-65). 
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Kadosh’ teachings of 5-tuple packet information classification to Chang-Karunakaran-Su’s teachings of splitting private and public traffics in order to adopt fine-grained TCP or UDP traffic classification (Kadosh, (col. 6, l. 51-65)). 

Claim(s) 11 is/are rejected under AIA  35 U.S.C. 103 as being unpatentable over Chang-Karunakaran-Su in view of Dillon (US 2016/0323186).

For claim 11, Chang does not disclose the VPN handler adds entries to the access control table when IP addresses associated with the network traffic are known but no entries for the IP addresses exist in the access control table, by issuing a reverse DNS query to the DNS cache to reverse resolve the IP addresses to the FQDNs.
Dillon discloses the VPN handler adds entries to the access control table when IP addresses associated with the network traffic are known but no entries for the IP addresses exist in the access control table, by issuing a reverse DNS query to the DNS cache to reverse resolve the IP addresses to the FQDNs (fig. 3, [0122], steps 310, 320, looking up a domain name from a cache when only IP address of a flow is known in order to classify the flow according to the IP address-domain name).
It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to apply Dillon’s teachings of reverse DNS lookups to Chang-Karunakaran-Su’s teachings of splitting private and public traffics in order to classify/split traffics by FQDNs or IP addresses if FQDNs are unknown. 

Allowable Subject Matter and Reasons for Allowance
Claim 12 would be allowable if rewritten to include all of the limitations of the base claim and any intervening claims.

The following is an examiner's statement of reasons for allowance:
By interpreting the claims in light of the Specification, the Examiner finds the claimed invention to be patentably distinct from the prior art of records. Specifically, the prior art of records, individually or in combination, fail to explicitly teach, suggest or render obvious the claimed invention as recited in claim 12: “the VPN handler identifies entries of the access control table that each lack the one or more permissions and/or policies associated with the FQDN, sends the entries to a VPN gateway through which the mobile computing device establishes the VPN tunnel, and the VPN gateway returns new entries that each include the one or more permissions and/or policies associated with the FQDN for updating the identified entries” in claim 12. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is included in form PTO 892.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Hieu Hoang whose telephone number is 571-270-1253. The examiner can normally be reached on Monday-Friday, 9 a.m. to 6 p.m., EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HIEU T HOANG/           Primary Examiner, Art Unit 2452