DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant's arguments filed 12/23/2021 have been fully considered but they are not persuasive. 
1.  Before turning to applicant’s arguments, the examiner notes the following:
a.  Applicant argues El-Moussa’s teachings yet the figure the examiner has taken from El-Moussa looks HIGHLY SIMILAR to applicant’s figure #3.   Applicant’s figure #3 shows a Hello message and response and then a Client Key Exchange and then encrypted data flows whereupon it ends.   
b.  Next, applicant’s figure 4 looks HIGHLY SIMILAR to a router which is well known in the art and parses/filters traffic at several levels of the OSI MODEL (ie. Physical, Data Link and Network levels).  One skilled understands that application data transferred over a TCP/IP connection will be parsed/filtered at a “common service level” which is the TCP/IP layers (ie. Headers).  All Internet data runs on top of TCP/IP and that is the “common” service, thusly a router can filter/parse the traffic as is put forth in the applicant’s (broad) claim.
c.  Next is the fact that a data packet must be able to be parsed/filtered at the OSI MODEL’s upper layers (ie. Session, Presentation and Application layers) which can be thought of as a SOCKET (ie. exclusiver service).   A packet sent 
For example, USER A sends application data to a SERVER via a TCP/IP connection.  It will be parsed/filtered at the “common service level” which can be considered to be the TCP/IP routing function which is common to any/all data traversing the network links.    When it arrives at the Server, it is understood that a server can host multiple applications (think of a MICROSOFT Back-End Server hosting WORD, Powerpoint and Excel) – the data correctly routed to that server must have it’s exclusive service level” identifiers inspected so that the data can be correctly routed to the appropriate application.
Figure #1 below shows that Application data rides on top of TCP/IP (which is the common service level” as it traverses the network).  Figure 2 shows that when the MS EXCEL Application data arrives at its destination, it must be forwarded to the correct application on the Server (which is the exclusive service).

    PNG
    media_image1.png
    360
    640
    media_image1.png
    Greyscale

Thusly, the above discussion puts forth well known technology that reads on the applicant’s broad claims.  The device can be a router (or server) that uses TCP/IP headers and SOCKETS to identify common and exclusive service level data for routing/forwarding to the correct destination.

2.  Regarding applicant’s argument on page 10 that the packets aren’t analyzed and attributing common service is between a first service A start time and a second time of a start service B, the examiner is not swayed:

    PNG
    media_image2.png
    401
    882
    media_image2.png
    Greyscale



	The examiner disagrees with the applicant’s argument and notes that the claim(s) do not clearly define/limit what the concepts of an exclusive service and common service must be IN THE CLAIM, hence a broad, reasonable interpretation can be put forth.  
El-Moussa clearly shows in Figure 4 that there is a Client/Server interaction (whereby each side must analyze the packets being sent in order to understand what the other side is “saying” and what it wants to do – such as start an application).
Since the claim does not empirically define WHAT the exclusive service MUST BE, the examiner showed how El-Moussa has an EXCLUSIVE portion (figure 4 shows the actual APPLICATION Data flows) and also a common service (examiner broadly interpreted that the “common service” was the “middle portion” which is a common set of transmission for any/all encrypted communications.  Why?  Because the application is the exclusive application that is unique whereupon the encryption portion is something that can be additionally added to any/all applications and is considered to be common (ie. a bank/financial institution may have EXCEL spreadsheets which are encrypted when sent, hence EXCEL is the application/exclusive portion and the encryption is common to any data that is transmitted).  
In essence, the applicant has put forth a broad claim that does not define (in the claim) what their empirical definitions/limitations of that claim/limitation MUST BE.  This leaves open a broad, reasonable interpretation by the examiner.  In this specific case, the applicant has put forth the phrases “common service” and “exclusive service” (which have NO meaning in the art) and then argues that the examiner’s reasonable interpretation is NOT what they want it to be.
El-Moussa clearly shows that there is an exclusive service and a common service, as based on the examiner’s interpretation of those phrases.

Regarding the attributing traffic of a common service whose identification time is between a first identification time of a start of service A and a second identification of a start service B, the examiner again notes that this phrase is open to a broad/reasonable interpretation since the concept of a “common service” is not defined in the claim.  Based on that fact, the claim is merely putting forth when application data starts/flows in a process, nothing more, nothing less.
El-Moussa clearly shows in Figure 4 that the common service is begun AND the examiner showed how (See his figure on Page 6 of the NFOA) that there would be different start times if there are TWO exclusive applications being invoked.   The examiner’s rejection also showed how Ellison/Gallardo could be applied since they teach applications/programs that call other applications/programs.   This would also lead to a service start for A and B (since A invoked B) AND it would provide an identification time of the 1st Exclusive application that is between the first/second identification times AND the start service B is after the first identification time.
The examiner is not swayed by the applicant’s arguments.


3.  The applicant argues (page 10) that the examiner is using hindsight.  The examiner disagrees since he merely added Ellison/Gallardo to teach the missing limitations (ie. showing second time of a start service B and identification between first/second identification AND the start service B is a first start service whose ID time is after the first identification).
Ellison/Gallardo teach one application/program calling/invoking another program which inherently requires multiple start times, ie. begin service A which then calls service B, hence A started first and B was later – thusly there are different start times which can be monitored/tracked/identified.
When Ellison/Gallardo are added to El-Moussa, one skilled sees that packets are analyzed and there is common/exclusive services that, when invoked, will have different start times.

4.  The argument on Page 10 (bottom ) to page 11 is a repeat of the above and the examiner is not swayed.

5.  The claims are written in a confusing manner and use phrases that are not even known in the art (ie. common and exclusive services have no empirical meaning in the art).  Secondly, they use broad language (services, start times, etc.) and merely put forth when one service starts and another service starts – noting that multiple applications can be found on a device, literally any combination of applications and start times can be invoked by a person using the device.
Lastly, the applicant argues that they don’t see several passages of their claim being properly rejected but their claim language is broad and can be given a broad/reasonable interpretation.   Case in point, the applicant argues that they does see packets being analyzed BUT El-Moussa clearly shows client/server interaction – which inherently requires packets to be received, analyzed and acted on (ie. so that an application can be invoked and application data can flow – see his figure 4).
Thusly, the applicant is using broad/vague language to cloud the inventive concept and then argues from a point of broadness, which does not overcome the details found in the prior art teachings.

6.  The examiner invites the applicant to amend the claims with the allowable subject matter so that an allowance can be issued.

7.  The Office Action previously sent is found below is made FINAL.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 3, 10 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over El-Moussa et al. US 2017/0013000 and further in view of { Ellison et al. US 2015/0215293 OR Gallardo  US 20150254119 }
As per claim 1, El-Moussa et al. US 2017/0013000 teaches a common service traffic attribution method, comprising: 
obtaining a feature of a packet in traffic, wherein the feature comprises a ciphertext feature having one or more of a sequence, a length, or a transmission direction of an encrypted packet (Figure 4 shows a Client/Server interaction that has initial “startup” communications (CLIENT HELLO thru SERVER FINISHED) and then Encrypted Communications for the APPLICATION #412, hence El-Moussa can monitor/analyze all the data packets sent/received in the device shown in Figure 5); 
analyzing the traffic based on the feature, to identify a start service (Figure 4 shows START-UP Service in the upper portion), an exclusive service (Figure 4 shows APPLICATION DATA which is exclusive to that specific application), and a common service in the traffic (Fig. 4 - Common Service is broadly interpreted as the being more of the middle portion which is a common set of transmission for any/all encrypted communications), wherein the start service is a service invoked in an application startup phase (Figure 4 shows the upper portion is begun when the user wishes to invoke the APPLICATION), the exclusive service is a service invoked by only one application (Figure 4 shows only ONE APPLICATION being invoked), and the common service is a service invoked by a plurality of applications (The upper/middle portions would be used by any encrypted communications supporting a plurality of applications between the client and server); and 
[From Para #74]  “…Subsequently, the tasks indicated at 410 generally relate to the creation of an encrypted connection using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol. As will be familiar to those skilled in the art, the SSL and TLS protocols are cryptographic protocols at the application layer of the Internet Protocol Suite that use asymmetric cryptography to securely establish a symmetric session key for encrypting data communicated between endpoints. Thus, subsequent to the establishment of the secure connection at steps 410, a secure SSL or TLS session is provided between the client 402 and server 404, as indicated by the broken line 412. Subsequently, an application protocol for exchanging data between software applications executing at each of the client 402 and server 404 is established. Such an application protocol can be a standardized or application specific protocol and can include an initial set of messages for establishing an application protocol connection, referred to in FIG. 4 as an application handshake. Examples of applications protocols include internet protocols such as, inter alia: FTP (file transfer protocol); Telnet; SSH (secure shell); SMTP (simple mail transfer protocol); IMAP (internet message access protocol); POP (post office protocol); SNMP (simple network management protocol); HTTP (hypertext transfer protocol); and CMIP (common management information protocol). Further, applications protocols can include service or application specific protocols such as, inter alia: AFP (Apple filing protocol, formerly AppleTalk); JNDI (Java naming and directory interface); SOAP (simple object access protocol); RDP (remote desktop protocol); NFS (network file system); X Window System; Java remote method protocol; and very many others. Yet further, bespoke application protocols can operate at the application layer such as, inter alia: database access protocols such as Oracle Net; messaging protocols such as Apple iMessage or Google Wave Federation Protocol; voice or media protocols such as the proprietary Skype protocol; cryptocurrency protocols such as BitCoin protocol; and very many others.
[0075] A handshake phase of an application protocol can include negotiation, configuration, authentication, further or alternative cryptographic setup, authorization and/or access control, information exchange, parameter configuration, sequencing and the like.
attributing traffic of a common service (Fig. 4, upper portion) -- whose identification time is “AFTER” a first identification time of a start service A (interpreted as a start service for the exclusive application being AFTER the common portion (Fig. 4’s upper portion) and would be before any other/second identification time of another start service (ie. for another application) -- to an application that invokes an exclusive service (Figure 4, lower portion showing Application data) whose identification time is “AFTER” the first identification time (The Application would be identified/sent after the first identification time (Fig. 4 upper portion), wherein the start service A is any identified start service (upper portion of figure 4), 
The figure below shows the examiner’s interpretation IF THERE ARE TWO EXCLUSIVE APPLICATIONS being invoked – it shows El-Moussa’s figure 4 with an added section at the BOTTOM to show the second exclusive application being invoked after the first exclusive application.  Thusly, the Start/Common phase data would be associated with the 1st exclusive application (and if there was a 2nd application, the that would follow the 1st exclusive application and THERE WOULD BE a first and second identification time of start service for 1st and 2nd applications (where start service A is for the 1st exclusive application and start service B is for any that is AFTER the 1st exclusive application)

    PNG
    media_image3.png
    360
    640
    media_image3.png
    Greyscale

	 
	
But is silent on
	a second identification time of a start service B AND whose identification time is between the first identification time and the second identification time AND and the start service B is a first start service whose identification time is after the first identification time.
	El-Moussa does not contemplate first identifications for Start Service A or B nor an identification being “between” the first/second identification times nor a start service B being after the first identification.
	The examiner interprets that the above would be applicable if there were two/multiple exclusive applications that could be invoked (as is shown in the examiner’s figure above).  Then there WOULD BE a second identification time of start service B AND ALSO an identification time BETWEEN first/second identification times AND ALSO a start service B that is after the first identification time.
	The examiner notes that Ellison or Gallardo each teach the ability for one application to invoke another application, which would clearly show a service start for A and B (since A invoked B) AND it would have an identification time of the 1st Exclusive application that is between the first/second identification times AND the start service B is after the first identification time:
	a.  Ellison et al. US 2015/0215293 teaches a first application that can invoke another application:
Abstract Paragraph - ABTX (1):
    Systems and methods are described for securely and efficiently processing electronic content. In one embodiment, a first application running on a first computing system establishes a secure channel with a second computing system, the secure channel being secured by one or more cryptographic session keys. The first application obtains a license from the second computing system via the secure channel, the license being encrypted using at least one of the one or more cryptographic session keys, the license comprising a content decryption key, the content decryption key being further encrypted using at least one of the one or more cryptographic session keys or one or more keys derived therefrom. The first application invokes a second application to decrypt the license using at least one of the one or more cryptographic session keys, and further invokes the second application to decrypt the content decryption key using at least one of the one or more cryptographic session keys or one or more keys derived therefrom, and to decrypt a piece of content using the content decryption key. The first application then provides access to the decrypted piece of content in accordance with the license
b. Gallardo  US 20150254119 teaches a first application that can invoke a second application:
[0003] In the past where the memory capacity of mobile devices was not as much of a problem, there were situations where a first application A may invoke a second application B to retrieve some data.

	The figure below shows starting a first exclusive application which invokes a second exclusive application which provides for “..attributing traffic of a common service whose identification time is between a first identification time of a start service A and a second identification time of a start service B to an application that invokes an exclusive service whose identification time is between the first identification time and the second identification time, wherein the start service A is any identified start service, and the start service B is a first start service whose identification time is after the first identification time” since now there are two applications, two service starts and two exclusive applications (hence the first exclusive application will start, invoke the second exclusive application and then there can be a time in between the two start services (that is discussed in the claim passage above).
    PNG
    media_image4.png
    360
    640
    media_image4.png
    Greyscale


	It would have been obvious to one skilled in the art at the time of the invention's filing date, to modify El-Moussa, such that there is a second identification time of a start service B AND whose identification time is between the first identification time and the second identification time AND and the start service B is a first start service whose identification time is after the first identification time, to provide the ability to attribute common traffic to an exclusive application when there are multiple start services (A and B) – to optimally correlate common traffic to an (exclusive) application for monitoring/billing, etc..




	As per claim 3, the combo teaches claim 1, before the obtaining the feature, further comprising: 
filtering the traffic based on Internet Protocol (IP) information of the traffic (El-Moussa teaches the ability to identify protocol(s) that are used over the network connections, which reads on filtering based on a protocol to determine if the connection is carrying malicious code/traffic):
 [0015] Advantageously, malicious encrypted network traffic is identified by: monitoring network traffic over the network to detect a network connection as a new network connection; identifying characteristics of the network connection to determine a protocol of the network connection; retrieving, from the data store, a definition of a portion of network traffic for a network connection based on the determined protocol; evaluating an estimated measure of entropy for a portion of network traffic of the new network connection based on the retrieved definition; comparing the estimated measure of entropy with a dictionary of one or more entropy measures, each of the one or more entropy measures being associated with a portion of network traffic of a malicious encrypted network connection, so as to determine if malicious encrypted network traffic is communicated over the network connection.
[0082] The analyzer 522 is operable to analyze a new network connection identified by the monitor 520 to identify characteristics of the network connection to determine an application protocol of the network connection. The determination of an application protocol is made with reference to a protocol information store 524 storing one or more characteristics of application protocols as one or more criteria. The criteria, when satisfied, are suitable for identifying a protocol of a network connection. In one embodiment, an application protocol for a network connection is determined based on an identification of port numbers for the network connection since port numbers are generally application specific. Internet Protocol Suite ports numbered from 0 to 1023 are designated well-known ports for most widely-used network services. Ports 1024 to 49151 are registered ports assigned by the Internet Assigned Numbers Authority (IANA) for specific services. Some application protocols adopt ports unofficially and through convention and widespread usage become synonymous with their adopted port numbers. A list of ports and associated application protocols is available from IANA as "Service Name and Transport Protocol Port Number Registry" (2014, available from www.iana.org/assignments/service-names-port-numbers/service-names-port-nu- mbers.txt). 


As per claim 10, this claim is entirely rejected as per the rejection of claim 1 (See above).  Note that the prior art teach “..A computer system, comprising a memory and a processor, wherein the memory is configured to store a computer readable instruction, which when executed by the processor, causes the processor to perform a common service traffic attribution method”, See Figures 1-3, 5, 6a, 6b, 9 and 12-17 which show a computer system (with memory/processor) to store the code that executes the process steps shown. 


As per claim 17, this claim is entirely rejected as per the rejection of claim 1 (See above).  Note that the prior art teaches “..A non-transitory computer-readable medium storing computer instructions for common service traffic attribution, that when executed by one or more processors, cause the one or more processors to perform a method”, See Figures 1-3, 5, 6a, 6b, 9 and 12-17 which show a computer system (with memory/processor) to store the code that executes the process steps shown. 



Allowable Subject Matter
1.  Claims 7-9 and 14-16 are allowed.
These claims put forth slightly different technical designs that are not found in the prior art, either alone or in combination.


2.  Claims 2, 4-6, 11-13 and 18-20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
These claims recite highly detailed technical designs that are not found in at least the prior art of record, either alone or in combination.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHEN M. D'AGOSTA whose telephone number is (571)272-7862. The examiner can normally be reached 8am to 4pm (IFW).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Edan (Dan) Orgad can be reached on 571-272-7884. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/STEPHEN M D AGOSTA/Primary Examiner, Art Unit 2414