DETAILED ACTION
This is a non-final office action in response to applicant’s communication filed on 1/31/2020.
Claims 1-20 are pending and being considered.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Specification
The disclosure is objected to because of the following informalities: 
Para. [0042] last line, “me” may be typo.
Appropriate correction is required.
Claim Objections
Claims 1-3, 5-6, 8, 10-20 are objected to because of the following informalities:  
Claim 1 recites a method. Applicant is suggested to recite the method claim with a hardware device performing at least one action step.
Claims 1-3, 5-6, 8, 10-13, 15-20 recite “negotiated security level is below … threshold” or “negotiated security level is failing … threshold” interchangeably. Examiner notes failing … threshold means not satisfying … threshold while below … threshold means the value (of negotiated security level) is less than the threshold.
Claim 5 line 4 recites, “monitor a handshake between the source and the destination, an endpoint to the handshake requesting …”. It is not clear whether the recited “an endpoint” is the “source” or “destination” or another endpoint, since it the negotiated security level …”.
Claim 8 line 3, “analyzing …to identify a server name provide by the source to …” may read “analyzing …to identify a server name provided by the source to …” or a more appropriate form. Line 4, “wherein destination is …” may read “wherein the destination is …”. Lines 4-5, “… an identify certificate …” may read “… an identity certificate …” or a more appropriate form.
Claim 14, claim 19, missing period at end of the claim.
Claim 16 recites “A computer readable memory …”. Claims 17-20 appear to be dependent claims of claim 16. Claim 17 recites “The system of claim 16”, claim 18 recites “The medium of claim 17”, and claims 19-20 recite “The medium of claim 16”. Applicant is advised to clarify the subject matter so that the claims are consistent. If claim 16 recites a computer readable medium, applicant is suggested to recite a non-transitory computer readable medium to prevent possible concerns of non-statutory subject matter.
Claim 17 line 3 recites “configure an endpoint to …”. See same concern as shown above for claim 5.
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 15, 20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 15, 20 each recites the limitation "the multiple destinations" in line 1.  There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 10-11, 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey et al (US20150128205A1, hereinafter, “Mahaffey”), in view of Kurian et al (US20210067519A1, hereinafter, “Kurian”).
Regarding claim 1, Mahaffey teaches:
A method to remediate a communication using one or more network (Mahaffey, [Abstract] A security policy is applied to determine whether the security offered by the network connection is appropriate for the context), from a source through an intermediary to a destination, the one or more network communicatively coupled with a messaging system (Mahaffey, [0049] an intermediate proxy server, and [0050] This may be accomplished by using a tunneling protocol to tunnel traffic from one end point (i.e. source) to another end point (i.e. destination). And [0152] notification module (i.e. messaging system)), the method comprising: 
evaluating if the negotiated security level is below a threshold (Mahaffey, See Fig. 11 step 1125 to either 1130 or 1135, i.e. determine network connection based on a level of security requirement, i.e. threshold, to switch to terminate or maintain the network connection). Examiner notes the claim recites a threshold without specifying a range of threshold values; therefore the threshold is interpreted under BRI as a level of security requirement;
(Mahaffey, [0108] a method includes detecting (i.e. capturing) the context (i.e. a portion of data) on the mobile device); 
determining characteristics of the communication based at least in part on the capturing (Mahaffey, [0108] assessing the current network connection, deciding what level of security is necessary for the context, and taking action to have the appropriate level of security on the network connection. When the destination context (running a particular application or class of application (e.g., banking app), or browsing to a particular location dictates, according to user preference or policy (set by user or by user's parent or by user's corporate administrator or set by the destination itself (e.g., a banking site that requires a secured connection be used)), then establishing a secured network connection); 
sending a message on the messaging system identifying the characteristics (Mahaffey, [0153] Accordingly, the notification (i.e. message) may display information about the current status of a secure network connection, such as a SNC connection, or various events and conditions that may be associated with a SNC connection.  For example, if a SNC connection is currently established and active, notification module 407 or notification module 457 (i.e. messaging system) may indicate that the mobile communications device is protected); and
performing a threat assessment for the communication based at least in part on the source, the destination, and the characteristics (Mahaffey, [0191] The assessment engine is responsible for evaluating or applying a connection policy based on the current context.  Network connection policy evaluations can occur before a connection is established, after a connection has been established, or while a connection is established. And [0402] techniques are provided for contextually assessing risk with respect to policy regarding the activities to be performed (application(s) to be used, or destination website to be contacted) and making decisions about establishing a secure (e.g., VPN) connection based on those contextual risk elements).  
While Mahaffey teaches a secure network connection based on a security policy, Mahaffey does not explicitly teach negotiating a negotiated security level for the communication; however, in the same field of endeavor Kurian teaches:
negotiating a negotiated security level for the communication (Kurian, discloses a set of adapter interfaces used to establish connection between device and servers based on security level. See Fig. 3 step 310 to 330 or 355 or 380, i.e. Send request to adapter interface to establish a connection (i.e. negotiating)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Kurian in the secure network connections of Mahaffey by selecting (negotiating) to establish the connection based on the security level requirement. This would have been obvious because the person having ordinary skill in the art would have been motivated to use an adapter interface to establish a connection according to the request, so as to make the connection based on the level of security (Kurian, [Abstract]).

Regarding claim 10, Mahaffey-Kurian combination teaches:
A system to remediate a communication using one or more network, from a source through an intermediary to a destination (Mahaffey, [Abstract] A security policy is applied to determine whether the security offered by the network connection is appropriate for the context), the one or more network communicatively coupled with a messaging system (Mahaffey, [0049] an intermediate proxy server, and [0152] notification module), comprising: a processor; and memory coupled to the processor and storing instructions that, when executed by the processor (Mahaffey, Fig. 2 Processor and Memory and [0082] computer-implemented or computer-executable version of the program instructions), cause the system to perform: steps substantially similar to the method steps recited in claim 1; claim 10 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 16, Mahaffey-Kurian combination teaches:
A computer readable memory having instructions stored thereon to remediate a communication using one or more network, from a source through an intermediary to a destination, the one or more network communicatively coupled with a messaging system, the instructions that, in response to execution by a processor (Mahaffey, [Abstract] A security policy is applied to determine whether the security offered by the network connection is appropriate for the context. And Fig. 2 Processor and Memory and [0082] computer-implemented or computer-executable version of the program instructions), are operable to perform: steps substantially similar to the method steps recited in claim 1; claim 16 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, similarly claim 11, claim 17, Mahaffey-Kurian combination further teaches:
(Mahaffey, See Fig. 15, from step 1515 to 1525 If the network connection does offer the appropriate level of security, maintain the network connection); and switching from the preferred security level to the negotiated security level, the negotiated security level failing the threshold (Mahaffey, Fig. 15, from step 1515 to 1520 to 1520 If the network connection does not offer the appropriate level of security, send instructions to terminate the network connection).

Claims 3, 12, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above, further in view of Gamble et al (US20210092141A1, hereinafter, “Gamble”).
Regarding claim 3, similarly claim 12, Mahaffey-Kurian combination teaches:
The method of claim 1, the system of claim 10, in which a cloud service hosts the destination and the cloud service provides a detector service (Mahaffey, [0055] Systems and methods are disclosed herein that may automatically detect when a secure connection should be established with a mobile communications device. And [0316] In a specific implementation, a method includes determining whether the destination is classified as a destination that is important to a corporation (e.g., one of its cloud service providers)), 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitation(s), in the same field of endeavor Gamble teaches:
(Gamble, discloses monitoring suspicious communication network traffic [Abstract]. And [0041] the threat detection server 110 may be a network communication monitoring device or a proxy server for logging details of transmitted communication messages among computing devices); enabling the detector service to receive the characteristics of the communication (Gamble, [0057] threat detection server 110 may detect changes to communication events that are expected to be periodic or expected to have defined characteristics (e.g., repetitive or deterministic in nature) for deducing a potential network or computing device breaches);  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gamble in the secure network connections of Mahaffey-Kurian by implementing a proxy server for logging details of transmitted communication messages. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect the communication messages that have shown changes of communication characteristics for monitoring suspicious communication network traffic (Gamble, [Abstract], [0057]).
Kurian further teaches: and receiving an analysis of the communication indicating at least an origin of the negotiated security level below the threshold (Kurian, [0040] … attempt to connect to the device 115 that submitted connection request 150 using the highest available security standards; if the connection attempt with the highest security standards fails (i.e. origin of the negotiated security level below the threshold): [set a connection flag equal to zero; while the connection flag is equal to zero: [set the current standards variable equal to the next highest standards; attempt to connect to device 115 using these next highest security standards).  

Regarding claim 18, Mahaffey-Kurian combination teaches:
The medium of claim 17, in which a cloud service hosts the destination and the cloud service provides a detector service (Mahaffey, [0055] Systems and methods are disclosed herein that may automatically detect when a secure connection should be established with a mobile communications device. And [0316] In a specific implementation, a method includes determining whether the destination is classified as a destination that is important to a corporation (e.g., one of its cloud service providers)), the instructions including further instructions that, in response to execution by a processor, are operable to perform: 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitation(s), in the same field of endeavor Gamble teaches:
instruct the intermediary to perform the capturing (Gamble, discloses monitoring suspicious communication network traffic [Abstract]. And [0041] the threat detection server 110 may be a network communication monitoring device or a proxy server for logging details of transmitted communication messages among computing devices); enable the detector service to receive the characteristics of the communication (Gamble, [0057] threat detection server 110 may detect changes to communication events that are expected to be periodic or expected to have defined characteristics (e.g., repetitive or deterministic in nature) for deducing a potential network or computing device breaches); 

Kurian further teaches: and receive an analysis of the communication indicating at least an origin of the negotiated security level below the threshold (Kurian, [0040] … attempt to connect to the device 115 that submitted connection request 150 using the highest available security standards; if the connection attempt with the highest security standards fails (i.e. origin of the negotiated security level below the threshold): [set a connection flag equal to zero; while the connection flag is equal to zero: [set the current standards variable equal to the next highest standards; attempt to connect to device 115 using these next highest security standards).  

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above to claim 1, further in view of Ceragioli et al (US20100030839A1, hereinafter, “Ceragioli”).
Regarding claim 4, Mahaffey-Kurian combination teaches:
The method of claim 1, in which one or more clients, including the source, communicate with one or more servers, including the destination (Mahaffey, see [Abstract]), 

through one or more firewalls, including the intermediary (Ceragioli, Fig. 7 108 external edge nodes (i.e. firewall) including firewall application module 348, a list of available proxy servers 336 (i.e. intermediary)), the method further comprising: selecting the intermediary from among the firewalls (Ceragioli, [0031] In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers); instructing the intermediary to perform the capturing the portion of the data (Ceragioli, [0031] Data communications are received by the perimeter network 102 as shown in step 152.  In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers…In step 156, the data communications are transmitted to the selected one of the plurality of proxy servers 110a-n in the perimeter network 102); and instructing the intermediary to block the communication between the source and the destination based at least in part on the threat assessment (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104. Examiner notes it is obvious to one of ordinary skill in the art that a proxy server with a firewall is used to block communication for security reasons in combination with the threat assessment taught by Mahaffey).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ceragioli in the .

Claims 5-6 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian-Ceragioli combination as applied above to claim 4, further in view of Mehta et al (US20190089736A1, hereinafter, “Mehta”).
Regarding claim 5, Mahaffey-Kurian-Ceragioli teaches:
The method of claim 4, in which a detector service is configured to execute a program to direct the detector service to perform the threat assessment (Mahaffey, [0055] Systems and methods are disclosed herein that may automatically detect when a secure connection should be established with a mobile communications device), the method comprising: 
While the combination of Mahaffey-Kurian-Ceragioli does not explicitly teach the following limitation(s), in a similar field of endeavor Mehta teaches:
monitor a handshake between the source and the destination, an endpoint to the handshake requesting communication at a preferred security level, and the handshake establishing a negotiated security level below the threshold; instructing the intermediary to provide the portion of the data to the detector service (Mehta, discloses techniques to detect traffic between web server and client for forged web browsers [Abstract], and [0027] The information monitored includes the various fields in the HTTP request headers sent by the browser, … Other behavior is also tested and observed, such as the protocol version (i.e., HTTP version) that the browser uses to perform the initial handshake with the web server, or the manner in which the web browser responds to a request from the web server to fall back to an older protocol version than the browser used initially (i.e. handshake establishing a negotiated security level below the threshold)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mehta in the secure network connections of Mahaffey-Kurian-Ceragioli by passive detection of forged web browsers. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect the forged web browsers based on attribute data points from client and connection behavior to prevent attacks on web servers (Mehta, [Abstract], [0002-0003]).
Kurian further teaches: and receiving from the detector service an indicator of an origin for the handshake establishing the negotiated security level below the threshold (Kurian, [0040] … attempt to connect to the device 115 that submitted connection request 150 using the highest available security standards; if the connection attempt with the highest security standards fails (i.e. origin of the negotiated security level below the threshold)).  

Regarding claim 6, Mahaffey-Kurian-Ceragioli-Mehta further teaches:
The method of claim 5, further comprising: determining the origin is the source (Kurian, [0055] In step 310, security tool 105 uses router module 140 to determine the security level associated with device 115. Examiner notes that the establishment of connection is based on the security level associated with device, therefore the issue with client is the origin); 
Ceragioli further teaches: and instructing the intermediary to block at least communication from the source using the negotiated security level failing the threshold (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104).  

Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above to claim 1 and 10 respectively, further in view of Lorch et al (US20200159926A1, hereinafter, “Lorch”) and Gamble et al (US20210092141A1, hereinafter, “Gamble”).
Regarding claim 7, similarly claim 14, Mahaffey-Kurian teaches:
The method of claim 1, the system of claim 10, further comprising: including the characteristics in the message (Mahaffey, [0153] Accordingly, the notification (i.e. message) may display information (i.e. characteristics) about the current status of a secure network connection); 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitation(s), in a similar field of endeavor Lorch teaches:
and storing the characteristics of the communication with a cloud service, wherein the cloud service is to run a detector service (Lorch, discloses performing threat detection in a cloud-based system on stored data from Customer Premises Equipment [Abstract] The monitored system may periodically send artifacts (e.g., database records, binaries, program code, business data) (i.e. characteristics of the communication) to a repository for storage…The cloud-based system can compare a snapshot of the artifacts against prior snapshots, and generate a change log.  This change log can then be provided to a threat detection system (i.e. detector service) for analysis. And [0023] a firewall may be deployed between CPE 102 and cloud platform 110 (and possibly threat detection system 108)) [to access the intermediary and direct the intermediary to perform the capturing the portion of data]. (See Gamble below for the limitation in brackets.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Lorch in the secure network connections of Mahaffey-Kurian by sending artifact data from the monitored system to a repository for storage in a cloud, allowing a threat detection system to perform threat detection using artifact change analysis. This would have been obvious because the person having ordinary skill in the art would have been motivated to perform the threat detection in a cloud service, which can facilitate improved threat detection even after a security incident has occurred on the customer equipment (Lorch, [Abstract], [0024]).
While the combination of Mahaffey-Kurian-Lorch does not explicitly teach the following limitation, in the same field of endeavor Gamble teaches:
to access the intermediary and direct the intermediary to perform the capturing the portion of data (Gamble, [0040] the threat detection server 110 may include features of a proxy server … for monitoring communication events, or generating or storing network traffic logs of communication events among any one of the client devices 130 or the external computing device 160. And [0041] the threat detection server 110 may be a network communication monitoring device or a proxy server for logging details (i.e. capturing the portion of data) of transmitted communication messages among computing devices).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gamble in the secure network connections of Mahaffey-Kurian-Lorch by implementing a proxy server for logging details of transmitted communication messages. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect the communication messages that have shown changes of communication characteristics for monitoring suspicious communication network traffic (Gamble, [Abstract], [0057]).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above to claim 1, further in view of Wyatt et al (US20170346853A1, hereinafter, “Wyatt”) and Holtmanns et al (US20070240205A1, hereinafter, “Holtmanns”).
Regarding claim 8, Mahaffey-Kurian teaches:
The method of claim 1, 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitation(s), in the same field of endeavor Wyatt teaches:
in which multiple destinations share a network address with the destination, the method further comprising: analyzing the portion of data to identify a server name provide by the source to identify the destination for the communication, wherein destination is configured (Wyatt, [0123] In an embodiment, AMD 304 or CSP 310 may use connection endpoints from computing device 200's connection history as probe endpoint servers… The stored information may include any of the information mentioned above under the "Client Response" heading, such as the tested endpoint probe server name and address, the complete DER-encoded host certificates presented by the server as its certification path, the SPKI Hash of all certificates on the presented certificate path identified as trusted by the client TLS engine); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wyatt in the secure network connections of Mahaffey-Kurian by identifying the server name among multiple destinations using the presented certificate. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect and prevent MITM (man-in-the-middle) attacks to protect the security of network connections (Wyatt, [Abstract]).
While the combination of Mahaffey-Kurian-Wyatt does not explicitly teach the following limitation(s), in the same field of endeavor Holtmanns teaches:
identifying a requestor for the negotiated security level below the threshold (Holtmanns, [0014] the method further comprises the step of comparing, at the application entity (i.e. requestor), the determined security level of the credential with a desired security level of the application using the returned credential, wherein the application entity refrains from executing the application, for which the returned credential is requested, if the comparing yields that the determined security level of the credential is lower than the desired security level of the application (i.e. below the threshold)); and including, in the (Holtmanns, [0015] the method further comprises the step of notifying a network application function, NAF, entity of the generic bootstrapping architecture about the returned credential quality information). Examiner notes the bootstrapping architecture includes application entity, requestor, and server.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Holtmanns in the secure network connections of Mahaffey-Kurian-Wyatt by identifying the application entity as requestor for establishing connection of user equipment with server. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine security level of the credential of the application entity with desired security level for establishment of generic bootstrapping of user equipment (Holtmanns, [Abstract]).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian-Wyatt-Holtmanns combination as applied above to claim 8, further in view of Gamble et al (US20210092141A1, hereinafter, “Gamble”), Harguideguy et al (US20200220875A1, hereinafter, “Harguideguy”) and Nguyen et al (US20160191549A1, hereinafter, “Nguyen”).
Regarding claim 9, Mahaffey-Kurian-Wyatt-Holtmanns teaches:
The method of claim 8, 
While the combination of Mahaffey-Kurian-Wyatt-Holtmanns does not explicitly teach the following limitation(s), in the same field of endeavor Gamble teaches:
(Gamble, discloses monitoring suspicious communication network traffic [Abstract]. And [0041] the threat detection server 110 may be a network communication monitoring device or a proxy server for logging details of transmitted communication messages among computing devices); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Gamble in the secure network connections of Mahaffey-Kurian-Wyatt-Holtmanns by implementing a proxy server for logging details of transmitted communication messages. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect the communication messages that have shown changes of communication characteristics for monitoring suspicious communication network traffic (Gamble, [Abstract], [0057]).
While the combination of Mahaffey-Kurian-Wyatt-Holtmanns-Gamble does not explicitly teach the following limitation(s), in the same field of endeavor Harguideguy teaches:
if the requestor is the source: configuring the intermediary to block a further communication from the source, and including an indicator of blocking the further communication in the characteristics (Harguideguy, [0094] The anomalies or indicators of compromise may be transmitted back to proxies within the proxy cluster, and may be used by proxies within the proxy cluster to terminate existing connections and block subsequent requests or messages from clients (i.e. source) associated with the identified anomalies or indicators of compromise); 

While the combination of Mahaffey-Kurian-Wyatt-Holtmanns-Gamble-Harguideguy does not explicitly teach the following limitation, in a similar field of endeavor Nguyen teaches:
and if the requestor is the destination: flagging the communication for review (Nguyen, [0080] This information, although simple, can contribute to identification of suspicious entities or traffic flows on the network.  If a known dedicated file server is observed engaging in HTTP communication with another entity, such action would be a good reason to flag it for further monitoring or investigation).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Nguyen in the secure network connections of Mahaffey-Kurian-Wyatt-Holtmanns-Gamble-Harguideguy by flagging a server's communication with another entity for review based on metadata records. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the rich metadata for network security monitoring and analysis (Nguyen, [Abstract], [0080]).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above to claim 10, further in view of Ceragioli et al (US20100030839A1, hereinafter, “Ceragioli”) and Mehta et al (US20190089736A1, hereinafter, “Mehta”).
Regarding claim 13, Mahaffey-Kurian combination teaches:
The system of claim 10, 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitations, in a similar field of endeavor Ceragioli teaches:
in which the intermediary is a firewall, and the destination has associated therewith a detector service to perform the threat assessment, the instructions including further instructions to cause the system to perform: select the intermediary from a plurality of firewalls associated with the destination (Ceragioli, [0031] In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers); enable the intermediary to capture the portion of the data (Ceragioli, [0031] Data communications are received by the perimeter network 102 as shown in step 152. In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers…In step 156, the data communications are transmitted to the selected one of the plurality of proxy servers 110a-n in the perimeter network 102); instruct the intermediary to block the communication between the source and the destination based at least in part on the threat assessment (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104. Examiner notes it is obvious to one of ordinary skill in the art that a proxy server with a firewall is used to block communication for security reasons, in combination with the threat assessment taught by Mahaffey); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ceragioli in the secure network connections of Mahaffey-Kurian by selecting a proxy server from a list of available proxy servers for load balancing. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the benefit of load balancing to select a proxy server for blocking communication in order to secure data communication (Ceragioli, [Abstract], [0027], [0031]).
While the combination of Mahaffey-Kurian-Ceragioli does not explicitly teach the following limitation(s), in a similar field of endeavor Mehta teaches:
monitor a handshake between the source and the destination, the handshake requesting communication at a preferred security level, and the handshake establishing a negotiated security level failing the threshold; instruct the intermediary to provide the portion of the data to the detector service (Mehta, discloses techniques to detect traffic between web server and client for forged web browsers [Abstract], and [0027] The information monitored includes the various fields in the HTTP request headers sent by the browser, … Other behavior is also tested and observed, such as the protocol version (i.e., HTTP version) that the browser uses to perform the initial handshake with the web server, or the manner in which the web browser responds to a request from the web server to fall back to an older protocol version than the browser used initially (i.e. handshake establishing a negotiated security level below the threshold)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mehta in the secure network connections of Mahaffey-Kurian-Ceragioli by passive detection of forged web browsers. This would have been obvious because the person having ordinary skill in the art would have been motivated to detect the forged web browsers based on attribute data points from client and connection behavior to prevent attacks on web servers (Mehta, [Abstract], [0002-0003]).
Kurian further teaches: receive from the detector service an indicator of a responsible entity responsible for establishing the negotiated security level (Kurian, [0040] … attempt to connect to the device 115 that submitted connection request 150 using the highest available security standards; if the connection attempt with the highest security standards fails (i.e. origin of the negotiated security level below the threshold));
Ceragioli further teaches: and instruct the intermediary to block, at least temporarily, selected communication from the responsible entity (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104).
-39 -Attorney Docket No. 8665-0194 (4626US)

Claims 15, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above, further in view of Wyatt et al (US20170346853A1, hereinafter, “Wyatt”), Holtmanns et al (US20070240205A1, hereinafter, “Holtmanns”) and Nguyen et al (US20160191549A1, hereinafter, “Nguyen”).
Regarding claim 15, and similarly claim 20, Mahaffey-Kurian teaches:
The system of claim 10, the medium of claim 16,
While the combination of Mahaffey-Kurian does not explicitly teach the following limitation(s), in the same field of endeavor Wyatt teaches:
in which the multiple destinations share a network address with the destination and a server name for the destination is included in the negotiating, the instructions including further instructions to cause the system to perform: analyze the portion of data to identify the server name (Wyatt, [0123] In an embodiment, AMD 304 or CSP 310 may use connection endpoints from computing device 200's connection history as probe endpoint servers… The stored information may include any of the information mentioned above under the "Client Response" heading, such as the tested endpoint probe server name and address, the complete DER-encoded host certificates presented by the server as its certification path, the SPKI Hash of all certificates on the presented certificate path identified as trusted by the client TLS engine); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wyatt in the secure network connections of Mahaffey-Kurian by identifying server name with multiple destinations with presented certificate. This would have been obvious because the person 
While the combination of Mahaffey-Kurian-Wyatt does not explicitly teach the following limitation(s), in the same field of endeavor Holtmanns teaches:
identify an initiator of the negotiated security level below the threshold (Holtmanns, [0014] the method further comprises the step of comparing, at the application entity (i.e. requestor), the determined security level of the credential with a desired security level of the application using the returned credential, wherein the application entity refrains from executing the application, for which the returned credential is requested, if the comparing yields that the determined security level of the credential is lower than the desired security level of the application (i.e. below the threshold)); and include within the characteristics at least the server name and the initiator (Holtmanns, [0015] the method further comprises the step of notifying a network application function, NAF, entity of the generic bootstrapping architecture about the returned credential quality information). Examiner notes the bootstrapping architecture includes application entity, requestor, and server.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Holtmanns in the secure network connections of Mahaffey-Kurian-Wyatt by identifying the application entity as requestor for establishing connection of user equipment with server. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine security level of the credential of the application entity with desired security level for establishment of generic bootstrapping of user equipment (Holtmanns, [Abstract]).

and if the initiator is the destination, flagging the communication for review (Nguyen, [0080] This information, although simple, can contribute to identification of suspicious entities or traffic flows on the network. If a known dedicated file server is observed engaging in HTTP communication with another entity, such action would be a good reason to flag it for further monitoring or investigation).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Nguyen in the secure network connections of Mahaffey-Kurian-Wyatt-Holtmanns by flagging a server's communication with another entity for review based on metadata records. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the rich metadata for network security monitoring and analysis (Nguyen, [Abstract], [0080]).

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Mahaffey-Kurian combination as applied above to claim 16, further in view of Ceragioli et al (US20100030839A1, hereinafter, “Ceragioli”) and Mehta et al (US20190089736A1, hereinafter, “Mehta”).
Regarding claim 19, Mahaffey-Kurian combination teaches:
The medium of claim 16, 
While the combination of Mahaffey-Kurian does not explicitly teach the following limitations, in a similar field of endeavor Ceragioli teaches:
(Ceragioli, [0031] In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers); enable the intermediary to capture the portion of the data (Ceragioli, [0031] Data communications are received by the perimeter network 102 as shown in step 152. In step 154, one of a plurality of proxy servers is selected to receive the data communications based on a list of available proxy servers…In step 156, the data communications are transmitted to the selected one of the plurality of proxy servers 110a-n in the perimeter network 102); instruct the intermediary to block the communication between the source and the destination based at least in part on the threat assessment (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104. Examiner notes it is obvious to one of ordinary skill in the art that a proxy server with a firewall is used to block communication for security reasons, in combination with the threat assessment taught by Mahaffey); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ceragioli in the secure network connections of Mahaffey-Kurian by selecting a proxy server from a list of available proxy servers for load balancing. This would have been obvious because the person 
While the combination of Mahaffey-Kurian-Ceragioli does not explicitly teach the following limitation(s), in a similar field of endeavor Mehta teaches:
monitor a handshake between the source and the destination, the handshake at least partially configured for communication at a preferred security level, and the handshake establishing a negotiated security level failing the threshold; instruct the intermediary to provide the portion of the data to the detector service (Mehta, discloses techniques to detect traffic between web server and client for forged web browsers [Abstract], and [0027] The information monitored includes the various fields in the HTTP request headers sent by the browser, … Other behavior is also tested and observed, such as the protocol version (i.e., HTTP version) that the browser uses to perform the initial handshake with the web server, or the manner in which the web browser responds to a request from the web server to fall back to an older protocol version than the browser used initially (i.e. handshake establishing a negotiated security level below the threshold));
Kurian further teaches: receive from the detector service an indicator of a responsible entity responsible for the handshake establishing the negotiated security level (Kurian, [0040] … attempt to connect to the device 115 that submitted connection request 150 using the highest available security standards; if the connection attempt with the highest security standards fails (i.e. origin of the negotiated security level below the threshold)); determine the responsible entity is the source (Kurian, [0055] In step 310, security tool 105 uses router module 140 to determine the security level associated with device 115. Examiner notes that the establishment of the connection is based on the security level associated with the device; therefore the client is the origin of the issue); 
Ceragioli further teaches: and instruct the intermediary to block, at least temporarily, selected communication from the responsible entity (Ceragioli, [0027] The proxy server 110 then transmits the data communications from a second port 134a-n of the proxy server 110 over the second secure connection 142. By blocking direct access to the internal network 104, the proxy server 110 provides security for data communications from the external network 106 to the internal network 104).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Cox et al (US20130227272A1). Discloses techniques to enable a client to dynamically determine whether to use the preferred protocol when connecting to a particular host.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436