DETAILED ACTION
This Office action is in response to a non-provisional utility patent application filed by Applicant on 12/30/2019.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 7-12, 14 rejected under 35 U.S.C. 103 as being unpatentable over Weis (U.S. Pat. App. Pub. 2006/0239218 A1) in view of Rochon (U.S. Pat. App. Pub. 2015/0237069 A1).
Regarding claim 1, Weis discloses: a method comprising: receiving, by a network security device protecting a private network, a packet associated with a network traffic flow between a source computing device and a destination computing device within the private network (detecting replayed packets into a network where the system receives a packet for the first time. Weis paras. 0047-0048.); responsive to receipt of the packet from the source computing device, determining, (assigning a timestamp associated with the detected first time a packet is received and referring to this time at pseudo-time. Weis para. 0048.); when said determining is affirmative, then identifying, by the network security device, an anti-replay policy associated with the network traffic flow and whether the anti-replay policy is intended to override a global anti-replay policy of the network security device (ESP and HA type packets are designed for replay protection through the use of sequence numbers. Weis para. 0012. The standard type of replay protection using sequence numbers is interpreted as the recited global anti-replay policy architecture of the network security device. Additional data and steps are introduced into the during the ESP Integrity Value Check (IVC) processing. Weis para. 0097. A clock-based replay protection is incorporated into the authentication value. Weis para. 0102. When the clock-based timestamp data are received and determined in an ESP packet, the additional policy of checking the timestamps for replay protection is implemented beyond the original (or global) ESP sequence checking. Weis paras. 0061 and 0114.); when said identifying is affirmative, then performing, by the network security device, one or more anti-replay security checks in accordance with the anti-replay policy (when an authenticated pseudo-timestamp is included, the receiver employs that additional clock-based replay protection and determines that a packet was sent recently within a configurable window of time. Weis para. 0062.).
Weis does not disclose: when said identifying is negative, then performing, by the network security device, the one or more anti-replay security checks in accordance with the global anti-replay policy.
However, Rochon does disclose: when said identifying is negative, then performing, by the network security device, the one or more anti-replay security checks in accordance with the global anti-replay policy (within IPSec, the ESP is a standard protocol handles by recipient machines. Rochon paras. 0003-0004. The ESP provides an anti-replay feature whereby the sending node includes a sequence number on each packet and when received the recipient checks for the sequence number to detect a replay attack. Rochon para. 0004. The primary reference employs a special capability to the standard ESP protocol.  It would be obvious to one of ordinary skill in the art that the system be able to handle all standard packets and implement the special case when timestamps are detected in the standard header.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify a special timestamp based packet delivery window to detect replay attacks of Weis with the standard sequence number-based replay detection of the ESP protocol based upon the teachings of Rochon. The motivation being that the networking hardware would be able to handle all standard packets and implement a special case when timestamps are detected in the standard header.
Regarding claim 2, Weis in view of Rochon discloses the limitations of claim 1, wherein the anti-replay policy indicates any of a default value, a disable value, a loose value or a tight value (ICV values are calculated in a variety of ways including based upon a chosen authentication method per the RFC 2406, section 3.3.4. Weis paras. 0111-0112. This amounts to a default value.).  
Regarding claim 3, Weis in view of Rochon discloses the limitations of claim 1, wherein the packet is generated by an automated process running on the source computing device and that implements a non-standard Transmission Control Protocol (TCP) stack (communications systems are used to implement the IPSec protocol of packet generation operated by the operating system that supervises the input/output operations associated with the logic and IPSec protocol process. Weis para. 0052.).  
Regarding claim 4, Weis in view of Rochon discloses the limitations of claim 1, wherein the anti-replay policy is identified based on one or more attributes of the packet (the policy employs the pseudo-timestamp method of determining the time window to detect replay attacks based upon the underlying IPSec protocol structured packets received from the network. Weis para. 0062.)
Regarding claim 5, Weis in view of Rochon discloses the limitations of claim 4, wherein the one or more attributes include a protocol, a source Internet Protocol (IP) address, a destination IP address, a source port and a destination port (the policy employs the pseudo-timestamp method of determining the time window to detect replay attacks based upon the underlying IPSec protocol structured packets received from the network. Weis para. 0062.).  
Regarding claim 7, Weis in view of Rochon discloses the limitations of claim 1, wherein the network security device is any or a combination of a firewall and a content filtering device (the IPSec protocol is designed to filter packets on the network for the purpose of accepting only packets that don’t belong on the network. Weis para. 0008.).  
Regarding claim 8, Weis discloses: a non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a network security device, causes the one or more processors to perform a method comprising: receiving, by the network security device protecting a private network, a packet associated with a network traffic flow between a source computing device and a destination computing device within the private network (detecting replayed packets into a network where the system receives a packet for the first time. Weis paras. 0047-0048.); responsive to receipt of the packet from the source computing device, determining, by the network security device, whether the packet is a first packet of the network traffic flow observed by the network security device (assigning a timestamp associated with the detected first time a packet is received and referring to this time at pseudo-time. Weis para. 0048.); when said determining is affirmative, then identifying, by the network security device, an anti-replay policy associated with the network traffic flow and whether the anti-replay policy is intended to override a global anti-replay policy of the network security device (ESP and HA type packets are designed for replay protection through the use of sequence numbers. Weis para. 0012. The standard type of replay protection using sequence numbers is interpreted as the recited global anti-replay policy architecture of the network security device. Additional data and steps are introduced into the during the ESP Integrity Value Check (IVC) processing. Weis para. 0097. A clock-based replay protection is incorporated into the authentication value. Weis para. 0102. When the clock-based timestamp data are received and determined in an ESP packet, the additional policy of checking the timestamps for replay protection is implemented beyond the original (or global) ESP sequence checking. Weis paras. 0061 and 0114.); when said identifying is affirmative, then performing, by the network security device, one or more anti-replay security checks in accordance with the anti-replay policy (when an authenticated pseudo-timestamp is included, the receiver employs that additional clock-based replay protection and determines that a packet was sent recently within a configurable window of time. Weis para. 0062.).
Weis does not disclose: when said identifying is negative, then performing, by the network security device, the one or more anti-replay security checks in accordance with the global anti-replay policy.  
However, Rochon does disclose: when said identifying is negative, then performing, by the network security device, the one or more anti-replay security checks in accordance with the global anti-replay policy (within IPSec, the ESP is a standard protocol handles by recipient machines. Rochon paras. 0003-0004. The ESP provides an anti-replay feature whereby the sending node includes a sequence number on each packet and when received the recipient checks for the sequence number to detect a replay attack. Rochon para. 0004. The primary reference employs a special capability to the standard ESP protocol.  It would be obvious to one of ordinary skill in the art that the system be able to handle all standard packets and implement the special case when timestamps are detected in the standard header.).
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify a special timestamp based packet delivery window to detect replay attacks of Weis with the standard sequence number-based replay detection of the ESP protocol based upon the teachings of Rochon. The motivation being that the networking hardware would be able to handle all standard packets and implement a special case when timestamps are detected in the standard header.
Regarding claim 9, Weis in view of Rochon discloses the limitations of claim 8, wherein the anti-replay policy indicates any of a default value, a disable value, a loose value or a tight value (ICV values are calculated in a variety of ways including based upon a chosen authentication method per the RFC 2406, section 3.3.4. Weis paras. 0111-0112. This amounts to a default value.)
Regarding claim 10, Weis in view of Rochon discloses the limitations of claim 8, wherein the packet is generated by an automated process running on the source computing device and that implements a non-standard TCP stack (communications systems are used to implement the IPSec protocol of packet generation operated by the operating system that supervises the input/output operations associated with the logic and IPSec protocol process. Weis para. 0052.).  
Regarding claim 11, Weis in view of Rochon discloses the limitations of claim 8, wherein the anti-replay policy is identified based on one or more attributes of the packet (the policy employs the pseudo-timestamp method of determining the time window to detect replay attacks based upon the underlying IPSec protocol structured packets received from the network. Weis para. 0062.).  
Regarding claim 12, Weis in view of Rochon discloses the limitations of claim 11, wherein the one or more attributes include a protocol, a source Internet Protocol (IP) address, a destination IP address, a source port and a destination port (the policy employs the pseudo-timestamp method of determining the time window to detect replay attacks based upon the underlying IPSec protocol structured packets received from the network. Weis para. 0062.).  
Regarding claim 14, Weis in view of Rochon discloses the limitations of claim 8, wherein the network security device is any or a combination of a firewall and a content filtering device (the IPSec protocol is designed to filter packets on the network for the purpose of accepting only packets that don’t belong on the network. Weis para. 0008.).

Claims 6, 13 rejected under 35 U.S.C. 103 as being unpatentable over Weis in view of Rochon in view of Gadde (U.S. Pat. 8,646,090 B1).
Regarding claim 6, Weis in view of Rochon discloses the limitations of claim 1. Weis in view of Rochon does not disclose: wherein the anti-replay policy and the global anti-replay policy are defined by an administrator of the network security device.
However, Gadde does disclose: wherein the anti-replay policy and the global anti-replay policy are defined by an administrator of the network security device (the administrator sets the threshold window for measuring the receipt delay and detection of the replay attack. Gadde col. 7, ll. 11-32.).  
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify a special timestamp based packet delivery window to detect replay attacks of Weis with defining the anti-replay policies by the security administrator based upon the teachings of Gadde.  The motivation being to be able to adjust the sensitivity of the detection mechanism. Gadde col. 7, ll. 11-32.
Regarding claim 13, Weis in view of Rochon discloses the limitations of claim 8. Weis in view of Rochon does not disclose: wherein the anti-replay policy and the global anti-replay policy are defined by an administrator of the network security device.
However, Gadde does disclose: wherein the anti-replay policy and the global anti-replay policy are defined by an administrator of the network security device (the administrator sets the threshold window for measuring the receipt delay and detection of the replay attack. Gadde col. 7, ll. 11-32.).  
Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify a special timestamp based packet delivery window to detect replay attacks of Weis with defining the anti-replay policies by the security administrator based upon the teachings of Gadde.  The motivation being to be able to adjust the sensitivity of the detection mechanism. Gadde col. 7, ll. 11-32.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Narayanaswamy (U.S. Pat. App. Pub. 2009/0328219 A1), dynamically applying different policies based upon determination of receipt of a first packet; Sahin (U.S. Pat. App. Pub. 2016/0080505 A1), handling received network packets based upon whether they are a first packet from a source; Allen (U.S. Pat. App. Pub. 2009/0190585 A1), identifying a first packet in received network traffic; Modi (U.S. Pat. 9,531,624 B2), characterizing a packet based upon being associated with a first packet; Ansari (U.S. Pat. App. Pub. 2016/0072717 A1), determining an appropriate flow policy based upon a first packet; and Xiong (U.S. Pat. App. Pub. 2003/0061507 A1), employing both a sequence counter and an anti-replay window. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE M LITTLE whose telephone number is (571) 270-0408.  The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/VANCE M LITTLE/Examiner, Art Unit 2493