DETAILED ACTION
1.	This action is responsive to the communication filed on July 9, 2021.  Claims 1-29 are pending.  Claims 7, 15, and 23 are cancelled and claims 27-29 are newly added by the applicant. At this time, claims 1-6, 8-14, 16-22, and 24-29 are rejected.
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
3.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 1-6, 8-14, 16-22, and 24-29 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-21 10, 715, 493 B1.  Although the conflicting claims are not identical, they are not patentably distinct from each other because the two inventions have similar subject matter, especially wherein enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
Claims 1-6, 8-14, 16-22, and 24-29 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10, 944, 721 B2.  Although the conflicting claims are not identical, they are not patentably distinct from each other because the two inventions have similar subject matter, especially wherein enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
Claims 1-6, 8-14, 16-22, and 24-29 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-24 of U.S. Patent No. 11, 063, 909 B1.  Although the conflicting claims are not identical, they are not the two inventions have similar subject matter, especially wherein enterprise users' mobile devices typically access the Internet without being protected by the enterprise's network security policy, which exposes the enterprise network to Internet-mediated attack by malicious actors. This is because the conventional approach to protecting the mobile devices and associated enterprise network is to tunnel all of the devices' Internet communications to the enterprise network, which is very inefficient since typically only a very small percentage of Internet communications originating from an enterprise's mobile devices are communicating with Internet hosts that are associated with threats. In the present disclosure, the mobile device efficiently identifies which communications are associated with Internet threats, and tunnels only such identified traffic to the enterprise network, where actions may be taken to protect the enterprise network.
Claim Rejections - 35 USC § 103
4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
5.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. 
6.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary 

7.	The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. 	Determining the scope and contents of the prior art.
2. 	Ascertaining the differences between the prior art and the claims at issue.
3.	Resolving the level of ordinary skill in the pertinent art.
8.	Considering objective evidence present in the application indicating obviousness or nonobviousness.
9.	Claims 1, 3-6, 8-11, 13-14, 16-19, 21-22, and 24-29 are rejected under 35 U.S.C. 103 as being unpatentable over Bell; Carol A. et al. (US 6880005 B1), in view of Ahn; David K. et al. (US 20170324709 A1), and further in view of Tuvell; George et al. (US 20070240222 A1).
a.	Referring to claim 1:
		i.	Bell teaches a method comprising:
(1)	receiving, by a computing device, a plurality of packet filtering rules, wherein the plurality of packet filtering rules were automatically created or altered based on malicious traffic information received from a plurality of cyber threat intelligence providers (see column 2, lines 16-33 of Bell; see also the combination of teaching between Bell and Ahn for malicious traffic information received from a plurality of cyber threat intelligence providers);
(2)	generating, based on resource constraints of a mobile device, a policy data structure that represents the plurality of packet filtering rules (see column 2, lines 16-33 of Bell; see also the combination of teaching between Bell and Tuvell for mobile device);
(3)	sending, to the mobile device, the policy data structure, wherein the policy data structure is configured to cause the mobile device to, based on a determination that a first attribute of a packet is represented in the policy data structure, transmit the packet to a packet filtering device via a network tunnel gateway (see column 1, line 40 through column 2, lines 15; column 7, lines 39-60 of Bell; see also the combination of teaching between Bell and Tuvell for mobile device);
(4)	generating, based on the resource constraints of the mobile device, a new policy data structure that represents a new plurality of packet filtering rules (see column 2, lines 16-33 of Bell; see also the combination of teaching between Bell and Tuvell for mobile device);
(5)	sending, to the mobile device, the new policy data structure (see column 1, lines 40-56 of Bell; see also the combination of teaching between Bell and Tuvell for mobile device).
ii.	Although Bell teaches the claimed subject matter, Bell is not clear (if indeed is not inherited) or silent on the capability of disclosing malicious traffic information received from a plurality of cyber threat intelligence providers.  On the other hand, Ahn teaches malicious traffic information received from a plurality of cyber threat intelligence providers (see paragraph [0007] of Ahn).
iii.	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to:
(1)	have modified the invention of Bell with the teaching of Ahn for capturing network packets for cyber threat analysis (see paragraph [0002] of Ahn).
iv.	The ordinary skilled person would have been motivated to:
(1)	have modified the invention of Bell with the teaching of Ahn for efficiently detecting threat incidents for cyber threat analysis (see paragraph [0007] of Ahn).
			v.	Although the combination of teaching between Bell and Ahn teaches the claimed subject matter, they are silent on the capability of disclosing mobile device.  On the other hand, Tuvell teaches mobile device (see paragraph [0043] of Tuvell).
vi.	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to:
(see paragraph [0002] of Tuvell).
vii.	The ordinary skilled person would have been motivated to:
(1)	have modified the modified-invention of Bell with the teaching of Tuvell wherein with the growing popularity of smart phones and the potential for greater interaction between mobile phones, there is a need to be able to update mobile devices as soon as new malware is identified (see paragraph [0013] of Tuvell).
b.	Referring to claim 3:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Bell further teaches:
(1)	wherein generating the new policy data structure comprises combining two or more rules (see column 2, lines 16-61 of Bell).
c.	Referring to claim 4:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Bell further teaches:
(1)	wherein generating the new policy data structure comprises adding a new rule to the policy data structure (see column 2, lines 16-61 of Bell).
d.	Referring to claims 5, 13, and 21:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Bell further teaches:
(1)	wherein the new policy data structure causes the mobile device to, based on a determination that a second attribute of a second packet is represented in the new policy data structure, transmit the second packet to the packet filtering device via the network tunnel gateway, and wherein, prior to sending the new policy data structure, the policy data structure was configured to cause the mobile device to transmit packets having the second attribute to their respective destinations without transmitting the packets to the packet filtering device via the network tunnel gateway (see column 1, line 40 through column 2, lines 15; column 7, lines 39-60 of Bell).
e.	Referring to claims 6, 14, and 22:

(1)	wherein at least one of the new plurality of packet filtering rules indicates a rule action, and wherein the new policy data structure is configured to cause the mobile device to perform the rule action on a received packet (see column 2, lines 16-61 of Bell).
f.	Referring to claims 8, 16, and 24:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Tuvell further teaches:
(1)	wherein the resource constraints of the mobile device comprise an available memory of the mobile device (see paragraph [0054] of Tuvell).
g.	Referring to claims 9, 17, and 25:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Bell further teaches:
(1)	wherein the policy data structure is configured to cause logging of a packet based on the first attribute (see column 2, lines 16-33; column 4, lines 57-67 of Bell; see also paragraph [0007] of Ahn).
h.	Referring to claims 10, 18, and 26:
		i.	The combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter.  Ahn further teaches:
(1)	wherein the new policy data structure comprises an updated version of the policy data structure (see paragraph [0049] of Ahn).
i.	Referring to claim 11:
i.	These claims consist one or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause a computing device to perform the method of claim 1, thus they are rejected with the same rationale applied against claim 1 above.
j.	Referring to claim 19:
i.	These claims consist an apparatus to implement the method of claim 1, thus they are rejected with the same rationale applied against claim 1 above.
k.	Referring to claims 27-29:

(1)	wherein at least two of the plurality of cyber threat intelligence providers are managed by different organizations (see paragraph [0021, 0027] of Ahn).
10.	Claims 2, 12, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bell; Carol A. et al. (US 6880005 B1), in view of Ahn; David K. et al. (US 20170324709 A1), in view of Tuvell; George et al. (US 20070240222 A1), and further in view of Sengupta; Sudipta et al. (US 9436596 B2).
b.	Referring to claims 2, 12, and 20:
		i.	Although the combination of teaching between Bell, Ahn, and Tuvell teaches the claimed subject matter, they are silent on the capability of showing a Bloom filter or a Cuckoo filter.  On the other hand,  Sengupta teaches:
(1)	wherein the policy data structure is a probabilistic data structure that comprises one or more of a Bloom filter or a Cuckoo filter (see column 1, lines 45-60 of Sengupta).
ii.	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to:
(1)	have modified the modified-invention of Bell with the teaching of Sengupta wherein a data structure (e.g., a bloom filter pair is used to track (to a high probability) whether a data item has been recently accessed (see column 1, lines 55-58 of Sengupta).
iii.	The ordinary skilled person would have been motivated to:
(1)	have modified the modified-invention of Bell with the teaching of Sengupta wherein another data structure (a bloom filter) indicates to a high probability whether a data item has been destaged to the hard disk store (see column 1, lines 58-60 of Sengupta).
Information Disclosure Statement
11.	The information disclosure statement (IDS) filed on July 9, 2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Conclusion

	Any inquiry concerning this communication or earlier communications from the examiner should be directed to Thanhnga B. Truong whose telephone number is 571-272-3858. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached at 571-272-8878.  The fax and   phone numbers for the organization where this application or proceeding is assigned is 571-273-8300.
Any inquiry of a general nature or relating to the status of this application or proceeding should be directed to the receptionist whose telephone number is 571-272-2100.

/THANHNGA B TRUONG/Primary Examiner, Art Unit 2438                                                                                                                                                                                                        
November 4, 2021