DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted by applicant dated 03/16/2020 has been considered by the examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim 20 is rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  
As per claim 20, the claim recite(s) a device comprising components which may be interpreted simply as software, which does not fall under one of the four statutory categories.  The recitation of "a processor" does not limit the claim to hardware, since processors are not necessarily considered as hardware and may refer to software.  It is suggested to amend the limitation to “a hardware processor”.  The recitation of "computer readable medium" does not limit the claim to statutory subject matter, since computer readable medium may refer to a signal or carrier wave.  The examiner suggest amending the limitation to recite a non-transitory computer readable medium.	

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1, 4-5, 11, 14-15 and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Yung USPN7,778,194.
As per claim 1, Yung teaches a method comprising: inspecting, by a processor, payloads of data packets belonging to a new encrypted data flow for a secure sockets layer certificate, wherein evidence of a transport control protocol handshake has been previously detected in the new encrypted data flow (Yung col 7 lines 15-65, col 8 lines 50-65, col 11 lines 5 – col 13 line 30, determining a new TCP data flow, determining if the new flow is an encrypted data flow (e.g. SSL data flow), and inspecting data packets and determining whether a packet payload includes a certificate); 
detecting, by the processor, the secure sockets layer certificate in a payload of one of the data packets (Yung col 13 lines 20-30, determining a certificate in a packet payload); and 
extracting, by the processor, the secure sockets layer certificate from the payload of the one of the data packets (Yung col 13 lines 20-30, extracting certificate from payload).  

As per claim 4, Yung teaches the method of claim 1, further comprising: extracting information from the secure sockets layer certificate (Yung col 13 lines 20-40, extract information from the certificate).  

As per claim 5, Yung teaches the method of claim 4, wherein the information includes an identity of a holder of the secure sockets layer certificate (Yung col 13 lines 20-40, extract common name from certificate). 

As per claims 11, 14-15 and 20, the claims claim a non-transitory computer readable medium and a device essentially corresponding to the method claims 1 and 4-5 above, and they are rejected, at least for the same reasons.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-3, 6-10, 12-13 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Yung.
As per claim 2, Yung teaches the method of claim 1, wherein the evidence of a transport control protocol handshake is detected by a first module that forwards the data packets to another module performing the inspecting, the detecting, and the extracting (Yung col 6 lines 45-55, col 7 lines 15- col 8 line 5, col 8 lines 50-65, col 11 lines 5 – col 13 line 30, traffic monitoring functionality may be deployed in multiple network devices.  Detect evidence of TCP flow and pass packet to classification engine). 
Although Yung does not explicitly disclose detecting by a first device that forwards the data packet to another device performing the inspecting, the detecting, and the extracting, it would have been obvious to one of ordinary skill in the art to separate the functions of the traffic monitoring device into separate devices, since constructing a formerly integral structure in various elements involves only routine skill in the art.

As per claim 3, Yung teaches the method of claim 1, further comprising: ignoring future data packets of the new encrypted data flow subsequent to the detecting (Yung col 12 lines 5-25, traffic classification engine… maintains an SSL packet flow count… pass the first N SSL packets associated with a given connection to the encrypted flow module 88 for further classification… the threshold parameter, N, is set to twenty and is applied to SSL packets regardless of the transmission direction.  The packets corresponding to the SSL handshake are generally contained in the first group of SSL packets in the flow.  Often times, after the handshake, the encrypted packets yield no new, explicitly-presented information that would aid in classification of the data flows.  Accordingly, by properly configuring and applying this threshold, only the initial packets, which are generally meaningful in classifying the flow, are passed to encrypted flow module 88 eliminating unneeded processing overhead.) (It is obvious to one of ordinary skill in the art that the detection of the certificate occurs while inspecting packets of the SSL handshake.  It is obvious to one of ordinary skill in the art that only packets of the SSL handshake are inspected and packets after the SSL handshake are ignored.  Therefore packets subsequent to the detection of the certificate are ignored).  

As per claim 6, Yung teaches the method of claim 4, wherein information includes a serial number of the secure sockets layer certificate (Yung col 10 lines 45-60, certificate including serial number).  
Yung does not explicitly disclose extracting serial number of the secure sockets layer certificate.
Yung teaches SSL certificate including various information such as serial number (Yung col 10 lines 45-60).  Yung also discloses extracting information from a certificate and creating an entry in an SSL state table with the information of the certificate (Yung col 13 lines 20-30).  Yung further discloses the SSL state table includes information such as certificate common name and may also include other fields based on other attributes of the certificate (Yung col 13 lines 30-45).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yung to include extracting the serial number of the certificate because the results would have been predictable and resulted in the serial number being extracted and populated in the SSL state table.

As per claim 7, Yung teaches the method of claim 4, wherein information includes an expiration date of the secure sockets layer certificate (Yung col 10 lines 45-60, certificate including validity period). 
Yung does not explicitly disclose extracting an expiration date of the secure sockets layer certificate.
Yung teaches SSL certificate including various information such as validity period (Yung col 10 lines 45-60).  Yung also discloses extracting information from a certificate and creating an entry in an SSL state table with the information of the certificate (Yung col 13 lines 20-30).  Yung further discloses the SSL state table includes information such as certificate common name and may also include other fields based on other attributes of the certificate (Yung col 13 lines 30-45).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yung to include extracting the validity period of the certificate because the results would have been predictable and resulted in the validity period being extracted and populated in the SSL state table.

As per claim 8, Yung teaches the method of claim 4, wherein information includes a copy of a public key belonging to a holder of the secure sockets layer certificate (Yung col 10 lines 45-60, certificate including public key).  
Yung does not explicitly disclose extracting a public key of the secure sockets layer certificate.
Yung teaches SSL certificate including various information such as public key (Yung col 10 lines 45-60).  Yung also discloses extracting information from a certificate and creating an entry in an SSL state table with the information of the certificate (Yung col 13 lines 20-30).  Yung further discloses the SSL state table includes information such as certificate common name and may also include other fields based on other attributes of the certificate (Yung col 13 lines 30-45).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yung to include extracting the public key of the certificate because the results would have been predictable and resulted in the public key being extracted and populated in the SSL state table.

As per claim 9, Yung teaches the method of claim 4, wherein information includes a digital signature of an authority who issued the secure sockets layer certificate (Yung col 10 lines 45-60, certificate including signature of CA).  
Yung does not explicitly disclose extracting a digital signature of the secure sockets layer certificate.
Yung teaches SSL certificate including various information such as a signature of a CA (Yung col 10 lines 45-60).  Yung also discloses extracting information from a certificate and creating an entry in an SSL state table with the information of the certificate (Yung col 13 lines 20-30).  Yung further discloses the SSL state table includes information such as certificate common name and may also include other fields based on other attributes of the certificate (Yung col 13 lines 30-45).
Thus it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Yung to include extracting the digital signature of the certificate because the results would have been predictable and resulted in the digital signature being extracted and populated in the SSL state table.

As per claim 10, Yung teaches the method of claim 1, further comprising: forwarding packet which includes the secure sockets layer certificate to a module for extraction of information (Yung col 6 lines 45-55, col 8 lines 1-10, col 13 lines 15-40, traffic monitoring functionality may be deployed in multiple network devices.  Forwarding packets to classification engine/encrypted flow module to extract information of the certificate).  
Although Yung does not explicitly disclose forwarding the secure sockets layer certificate to another device for extraction of information, it would have been obvious to one of ordinary skill in the art to separate the functions of the traffic monitoring device into separate devices, since constructing a formerly integral structure in various elements involves only routine skill in the art.

As per claims 12-13 and 16-19, the claims claim a non-transitory computer readable medium essentially corresponding to the method claims 2-3 and 6-9 above, and they are rejected, at least for the same reasons.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HENRY TSANG whose telephone number is (571)270-7959. The examiner can normally be reached M-F 8am - 5pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571) 272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/HENRY TSANG/Primary Examiner, Art Unit 2495