DETAILED ACTION
This is a non-final office action in response to applicant’s preliminary amendment filed on 11/23/2021.
Claims 1-30 are pending and being considered. 
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Priority
Applicant’s claim for the benefit of a prior-filed application (14/757,638, now US Patent No. 9,917,856B2, filed on 12/23/2015) under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. This application is a continuation of US Patent application No. 15/877,608 filed 1/23/2018.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 9/23/2021, 11/8/2021, 11/19/2021, 12/20/2021, 12/23/2021, and 1/4/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Claim Objections
Claims 1, 3-5, 9, 11-13, 17, 19-21, 24, 26-28 are objected to because of the following informalities:  
Claim 1 lines 6-7, “wherein each third-party network intelligence provider provides data …” may read “wherein each of the plurality of third-party threat intelligence providers provides the data …” or more appropriate form.  
Similarly for claim 9 lines 6-7, claim 17 line 4, claim 24 line 4.
Claim 1 lines 21-22, “… with one or more of the unencrypted packets” may read “… with the one or more 
Similarly for claims 9 line 19, claim 17 line 17, claim 24 line 15.
Claims 3-5, 11-13, 19-21, 26-28 each recites “the one or more of the unencrypted packets” which is suggested to read “the one or more 
Claims 3-5, 11-13, 19-21, 26-28 each recites “correlate (correlating) the at least one of the one or more encrypted packets …”, which may read “correlate (correlating) the .
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 2 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 2 line 5 recites limitation “the second IP address”. There is insufficient antecedent basis for this limitation in the claim.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 21 of co-pending Application No. 15/877,608 (hereinafter, “ ’608”), in view of Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in further view of Wang et al (US20140089661A1, hereinafter, “Wang”).
Claim 21 of copending application ‘608 discloses all of the limitations recited in claim 1 (similarly claim 17) of the instant application, as seen in the table below, except those limitations as emphasized in bold. However Mahadik in the same area of endeavor teaches:
receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party threat intelligence providers or third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data [comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake] comprises one or more of: an Internet Protocol (IP) address, or a domain name (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process (i.e. analyze) any DNS queries made by a device on a network…The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…) (see Wang below for the teaching of limitation(s) in bracket); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet filtering system of ‘608 by receiving data regarding network-threat indicators as domain name Internet Resource Database/Admin Interface. This would have been obvious because the 
The combination of ‘608 and Mahadik does not explicitly teach the following limitation(s), however Wang in the same area of endeavor teaches:
[analyze first unencrypted data contained in one or more unencrypted packets] (limitation in bracket taught by Mahadik as shown above), wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message. And [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname the client is attempting to connect to during the handshaking procedure); correlate, based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets …, the one or more encrypted packets with one or more of the unencrypted packets (Wang, [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the packet filtering system of ‘608-Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).
Dependent claim 6 is rejected by claim 21 of ‘608 as shown in the claim comparison table below.
Claims 9, 24 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 21 of co-pending Application No. 15/877,608 (hereinafter, “ ’608”), in view of Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in further view of Moore (US20140283004A1-IDS by applicant, hereinafter, “Moore”).
Claim 21 of copending application ‘608 discloses all of the limitations recited in claim 1 (similarly claim 17) of the instant application, as seen in the table below, except those limitations as emphasized in bold. However Mahadik in the same area of endeavor teaches:
(Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data [is associated with initiation of a Transmission Control Protocol (TCP) connection], and wherein the first unencrypted data comprises an Internet Protocol (IP) address (Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…) (see Moore below for the teaching of limitation(s) in bracket);
The combination of ‘608 and Mahadik does not explicitly teach the following limitation(s), however Moore in the same area of endeavor teaches:
(Moore, discloses filtering network data transfers based on packet header field values according packet filtering rule, see [Abstract]. And [0025] Referring to FIG. 3, dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria… for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP)…). And [0026] For example, rule 1 302 may specify that IP packets containing one or more TCP packets, originating from a source IP address that begins with 140.210); correlate, based on determining that the first unencrypted data is associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above). Conceptually, the first stage may determine if the network policy allows any communications between the resources identified in the 5-tuple rule; if so, the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources (i.e. correlate, i.e. if first stage determines allowing communication then second stage also allows the encrypted communication)); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the packet filtering system of ‘608-Mahadik by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).
Dependent claim 14 is rejected by claim 21 of ‘608 as shown in the claim comparison table below.
Claims Comparison Table
Instant Application
17/482,910
Co-pending Application 
15/877,608
Claim 1 (similarly claim 17).
A packet-filtering system comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 





receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises one or more of: an Internet Protocol (IP) address, or a domain name; compare the first unencrypted data to the plurality of network-threat indicators; determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 



















correlate, based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises 

filter, based on the correlating, the one or more encrypted packets.
Claim 21.
A packet-filtering apparatus comprising: 
at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to: 









receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data;  determining whether the first unencrypted data corresponds to one or more network-threat indicators specified by one or more first packet-filtering rules of the plurality of packet-filtering rules; 






filter, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of first packets; 

generate, based on the filtering the plurality of first packets, log data indicating: an indication of the filtering; and at least a portion of the first unencrypted data; receive, after filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise encrypted data and second unencrypted data; 

correlate the plurality of first packets with the plurality of second packets by determining that the second unencrypted data corresponds to the at least a portion of the first unencrypted data in the log data; and 





filter, based on the one or more first packet-filtering rules and based on the correlating, the plurality of second packets.

Claim 9 (similarly claim 24). 
A packet-filtering system comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 




receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises an Internet Protocol (IP) address; compare the first unencrypted data to the plurality of network-threat indicators; determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 




















correlate, based on determining that the first unencrypted data is associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets; 

and filter, based on the correlating, the one or more encrypted packets.
Claim 21.
A packet-filtering apparatus comprising: 
at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to: 








receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data;  determining whether the first unencrypted data corresponds to one or more network-threat indicators specified by one or more first packet-filtering rules of the plurality of packet-filtering rules; 






filter, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators and based on at least one action specified by the one or 

generate, based on the filtering the plurality of first packets, log data indicating: an indication of the filtering; and at least a portion of the first unencrypted data; receive, after filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise encrypted data and second unencrypted data; 

correlate the plurality of first packets with the plurality of second packets by determining that the second unencrypted data corresponds to the at least a portion of the first unencrypted data in the log data; and 





filter, based on the one or more first packet-filtering rules and based on the correlating, the plurality of second packets.
Claim 6 (similarly claim 14). 
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the IP address or the domain name; and determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data.
Claim 21.



This is a provisional nonstatutory double patenting rejection because the co-pending application has not in fact been patented.
Claims 1, 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of co-pending Application No. 17/482,894 (hereinafter, “ ’894”), in view of Wang et al (US20140089661A1, hereinafter, “Wang”).
Claim 1 of copending application ‘894 discloses all of the limitations recited in claim 1 (similarly claim 17) of the instant application, as seen in the table below, except those limitations as emphasized in bold. However Wang in the same area of endeavor teaches:
[analyze first unencrypted data contained in one or more unencrypted packets] (see ‘894), wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message. And [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname the client is attempting to connect to during the handshaking procedure); correlate, based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets …, the one or more encrypted packets with one or more of the unencrypted packets (Wang, [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the packet filtering system of ‘894 by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).
Dependent claim 3 (similarly claim 19) are rejected by claim 5 of ‘894; claim 4 (similarly claims 20) is rejected by claim 6 of ‘894; claim 5 (similarly claims 21) is rejected by claim 7 of ‘894; claim 6 is rejected by claim 10 of ‘894; claim 7 (similarly claim 22) is rejected by claim 15 of ‘894; claim 8 (similarly claims 23) is rejected by claim 8 of ‘894. Although the claims at issues are not identical, they are not patentably distinct from each other, as seen in the table below.
Claims 9, 24 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of co-pending Application No. 17/482,894 (hereinafter, “ ’894”), in view of Moore (US20140283004A1-IDS by applicant, hereinafter, “Moore”).

[analyze first unencrypted data contained in one or more unencrypted packets] (see ‘894), wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises an Internet Protocol (IP) address (Moore, discloses filtering network data transfers based on packet header field values according packet filtering rule, see [Abstract]. And [0025] Referring to FIG. 3, dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria… for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP)…). And [0026] For example, rule 1 302 may specify that IP packets containing one or more TCP packets, originating from a source IP address that begins with 140.210); correlate, based on determining that the first unencrypted data is associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above). Conceptually, the first stage may determine if the network policy allows any communications between the resources identified in the 5-tuple rule; if so, the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources (i.e. correlate, i.e. if first stage determines allowing communication then second stage also allows the encrypted communication)); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the packet filtering system of ‘894 by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).
Dependent claim 11 (similarly claim 26) are rejected by claim 5 of ‘894; claim 12 (similarly claim 27) is rejected by claim 6 of ‘894; claim 13 (similarly claim 28) is rejected by claim 7 of ‘894; claim 14 is rejected by claim 10 of ‘894; claim 16 (similarly claim 30) is rejected by claim 8 of ‘894. Although the claims at issues are not identical, they are not patentably distinct from each other, as seen in the table below.
Claims Comparison Table
Instant Application
17/482,910
Co-pending Application 
17/482,894
Claim 1 (similarly claim 17).

one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises one or more of: an Internet Protocol (IP) address, or a domain name; 

compare the first unencrypted data to the plurality of network-threat indicators; 

determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 

correlate, based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets; and 

filter, based on the correlating, the one or more encrypted packets.
Claim 1 (claims 9). 

one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address; 

compare the first unencrypted data to the plurality of network-threat indicators; 

determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 

correlate, based on determining that the first unencrypted data comprises the at least a portion of the DNS query, and based on determining that second unencrypted data contained in one or more encrypted packets comprises the IP address, at least one of the one or more encrypted packets with one or more of the unencrypted packets; and 


filter, based on the correlating, the one or more encrypted packets.
Claim 9 (similarly claim 24). 
A packet-filtering system comprising: 


receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises an Internet Protocol (IP) address; 


compare the first unencrypted data to the plurality of network-threat indicators; 

determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 

correlate, based on determining that the first unencrypted data is associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets; 

and filter, based on the correlating, the one or more encrypted packets.
Claim 1 (claims 9). 
A packet-filtering system comprising: 


receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address; 

compare the first unencrypted data to the plurality of network-threat indicators; 

determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 

correlate, based on determining that the first unencrypted data comprises the at least a portion of the DNS query, and based on determining that second unencrypted data contained in one or more encrypted packets comprises the IP address, at least one of the one or more encrypted packets with one or more of the unencrypted packets; and 


filter, based on the correlating, the one or more encrypted packets.
Claim 3 (similarly claims 11, 19, & 26).
The packet-filtering system of claim 1, wherein the instructions, when executed by 
Claim 5.
The packet-filtering system of claim 1, wherein the instructions, when executed by 
Claim 4 (similarly claims 12, 20, & 27). 
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data.
Claim 6. 
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data.
Claim 5 (similarly claims 13, 21, & 28). 
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets further based on a port number associated with the first unencrypted data.
Claim 7.
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets further based on a port number associated with the first unencrypted data.
Claim 6 (similarly claim 14). 
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the IP address or the domain name; and determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data.
Claim 10. 
The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the domain name or the IP address corresponding to the domain name; and determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data.
Claim 7 (similarly claim 22).
The packet-filtering system of claim 1, wherein the TLS handshake comprises one or 
Claim 15.
The packet-filtering system of claim 9, wherein the first unencrypted data further 
Claim 8 (similarly claims 16, 23, & 30).  
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets.
Claim 8.
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted 3Application No. 17/482,894Docket No.: 007742.00235 packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets.


This is a provisional nonstatutory double patenting rejection because the co-pending application has not in fact been patented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 5, 7-8, 17-18, 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Wang et al (US20130312054A1-IDS by Applicant, hereinafter, “Wang”), further in view of Buruganahalli et al (US 9,419,942 B1-IDS by applicant, hereinafter, “Buruganahalli”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
(Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party threat intelligence providers or third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data [comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake] comprises one or more of: an Internet Protocol (IP) address, or a domain name (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process (i.e. analyze) any DNS queries made by a device on a network…The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…); (see Wang below for the teaching of limitation(s) in bracket) 
(Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query (i.e. DNS query, i.e. network-threat indicators) and determines (i.e. compare) a categorization of the query (e.g., permitted, partially-permitted, or restricted). Upon determining the categorization of the query, the DNS proxy server no preferably returns an IP address to the originating machine); 
correlate, based on determining that the first unencrypted data comprises the at least a portion of [the TLS] handshake, and [based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address], the one or more encrypted packets with one or more of the unencrypted packets (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake (i.e. TLS handshake with further teaching of Wang shown below) when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake…The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); 
(Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).  
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data such as DNS query and detecting domain during handshake but does not explicitly teach unencrypted data comprises TLS handshake and unencrypted data contained in respective packet headers of one or more encrypted packets, however in the same field of endeavor Wang teaches:
[analyze first unencrypted data contained in one or more unencrypted packets] (see Mahadik shown above), wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message. And [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname the client is attempting to connect to during the handshaking procedure), and [wherein the at least a portion of the TLS handshake comprises one or more ; 
correlate, based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets [comprises the IP address], the one or more encrypted packets with one or more of the unencrypted packets (Wang, [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).

correlate, [based on determining that the first unencrypted data comprises the at least a portion of the TLS handshake] (see Wang shown above, also taught by Buruganahalli shown below), and based on determining that second unencrypted data [contained in respective packet headers] (see Wang shown above) of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets (Buruganahalli, discloses traffic filtering using a security device based on destination domain extraction for secure connection, see [Abstract]. And [Col. 4 line 63-Col 5 line 5] Thus, SNI is an extension to the TLS protocol that indicates what hostname (e.g., destination domain) that the client is attempting to connect to at the start of the handshaking process for setting a secure TLS communication channel/session between a client and a remote server. This standard extension for SNI was developed to allow a server to present multiple certificates on the same IP address and port number and, as a result, allows multiple secure (HTTPS) websites (e.g., and/or any other service over TLS) to be served using the same IP address . And [Col. 9 lines 7-14] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis… user identification is then determined (e.g., user ID can be deduced based on the source IP address). A policy check engine 106 determines whether any policies can be applied based on the IP address and port number); 


Regarding claim 17, Mahadik-Wang-Buruganahalli combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: method steps substantially similar to the method steps performed by the packet-filtering system of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 2, similarly claim 18, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the at least a portion of the TLS handshake comprises the domain name, and wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: determine, based on the domain name and using a Domain Name System (DNS) query, the second IP address (Buruganahalli, [Col. 3 lines 18-25] Application firewalls can also perform application layer filtering (e.g., application layer filtering firewalls or second generation firewalls, which work on the application level of the TCP/IP stack). Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request (i.e. DNS query),… And [Col. 5 lines 25-32] This extracted hostname data (e.g., destination domain) can then be used by the firewall to perform an action(s) based on a firewall policy (e.g., the domain name can be extracted by parsing the client hello message to extract the host name from the server_name field of the SNI extension, which can then be used to apply firewall policies or take responsive actions based on this information without having to wait for data to be decrypted),

Regarding claim 5, similarly claim 21, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets further based on a port number associated with the first unencrypted data (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  

Regarding claim 7, similarly claim 22, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the TLS handshake comprises one or more of: a ClientHello message generated by the client, or a certificate message generated by the server (Buruganahalli, [Col. 5 lines 32] This extracted hostname data (e.g., destination domain) can then be used by the firewall to perform an action(s) based on a firewall policy (e.g., the domain name can be extracted by parsing the client hello message to extract the host name from the server_name field of the SNI extension, which can then be used to apply firewall policies or take responsive actions based on this information without having to wait for data to be decrypted)).  

Regarding claim 8, similarly claim 23, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  

Claims 3-4, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Buruganahalli as applied above, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 3, similarly claim 19, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Wang-Buruganahalli presented for claim 1), 
While the combination of Mahadik-Wang-Buruganahalli does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  


Regarding claim 4, similarly claim 20, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Wang-Buruganahalli presented for claim 1),
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Buruganahalli by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Buruganahalli as applied above to claim 1, further in view of Dubrovsky et al (US20140373156A1, hereinafter, “Dubrovsky”).
Regarding claim 6, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, 
While the combination of Mahadik-Wang-Buruganahalli does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)); and determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data (Dubrovsky, [0027] If the table 206 contains the extracted URL and/or IP address, the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated). Examiner notes encrypted packets are taught by Mahadik-Wang-Buruganahalli as shown above for claim 1.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik-Wang-Buruganahalli by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).

Claims 9-10, 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Moore (US20140283004A1-IDS by Applicant, hereinafter, “Moore”).
Regarding claim 9, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive data from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides data regarding a plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data [is associated with initiation of a Transmission Control Protocol (TCP) connection], and wherein the first unencrypted data comprises an Internet Protocol (IP) address (Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…); (see Moore below for the teaching of limitation(s) in bracket) 
compare the first unencrypted data to the plurality of network-threat indicators; determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators (Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query (i.e. DNS query, i.e. network-threat indicators) and determines (i.e. compare) a categorization of the query (e.g., permitted, partially-permitted, or restricted). Upon determining the categorization of the query, the DNS proxy server no preferably returns an IP address to the originating machine); 
correlate, based on determining that the first unencrypted data is [associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address], the one or more encrypted packets with one or more of the unencrypted packets (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); 
and filter, based on the correlating, the one or more encrypted packets (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).  
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data associated with HTTP, HTTPS traffic but does not explicitly teach associated with initiation of a TCP connection and unencrypted data contained in respective packet headers of one or more encrypted packets, however in the same field of endeavor Moore teaches:
(Moore, discloses filtering network data transfers based on packet header field values according packet filtering rule, see [Abstract]. And [0025] Referring to FIG. 3, dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria… for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP)…). And [0026] For example, rule 1 302 may specify that IP packets containing one or more TCP packets, originating from a source IP address that begins with 140.210);
correlate, based on determining that the first unencrypted data is associated with the initiation of the TCP connection, and based on determining that second unencrypted data contained in respective packet headers of one or more encrypted packets comprises the IP address, the one or more encrypted packets with one or more of the unencrypted packets (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above). Conceptually, the first stage may determine if the network policy allows any communications between the resources identified in the 5-tuple rule; if so, the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources (i.e. correlate, i.e. if first stage determines allowing communication then second stage also allows the encrypted communication));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).

Regarding claim 24, Mahadik-Moore combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: method steps substantially similar to the method steps performed by the packet-filtering system of claim 9, therefore is rejected with same rational set forth as rejection of claim 9 above.

Regarding claim 10, similarly claim 25, Mahadik-Moore combination further teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the at least a portion of the first unencrypted data comprises a domain name, and wherein the instructions, (Mahadik, [0014] a system for securing network traffic of a preferred embodiment includes a domain name system (DNS) proxy server 110. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names… Access is generally allowed but additionally monitored by the web proxy server 130. A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address).  

Claims 11-12, 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore as applied above, further in view of Williams (US9875355B1, hereinafter, “Williams”).
Regarding claim 11, similarly claim 26, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Moore presented for claim 9), 
While the combination of Mahadik-Moore does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp associated with previously made DNS request for malicious request or response (Williams, [Abstract]).  

Regarding claim 12, similarly claim 27, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Moore presented for claim 9), 
While the combination of Mahadik-Moore does not explicitly teach but in the same field of endeavor Williams teaches:
(Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 13, 16, 28, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore as applied above, further in view of Buruganahalli et al (US 9,419,942B1, hereinafter, “Buruganahalli”).
Regarding claim 13, similarly claim 28, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Moore presented for claim 9), 
While the combination of Mahadik-Moore does not explicitly teach but in the same field of endeavor Buruganahalli teaches:
further based on a port number associated with the first unencrypted data (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Moore by filtering traffic based on packet filtering rules on inspected packets associated with port number. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to allows multiple secure (HTTPS) websites to be served using the same IP address for the purpose of network traffic filtering (Buruganahalli, [Abstract], Col. 9 lines 7-10).

Regarding claim 16, similarly claim 30, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, the method of claim 24,
While the combination of Mahadik-Moore teaches packet filtering but does not explicitly teach prevent further transmission of the one or more encrypted packets however in the same field of endeavor Buruganahalli teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Moore by filtering traffic based on packet filtering rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to block encrypted traffic that violates firewall policy (Buruganahalli, [Abstract], Col. 5 lines 52-58).

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore as applied above to claim 9, further in view of Dubrovsky et al (US20140373156A1, hereinafter, “Dubrovsky”).
Regarding claim 14, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, 
While the combination of Mahadik-Moore does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and the IP address (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)); and determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data (Dubrovsky, [0027] If the table 206 contains the extracted URL and/or IP address, the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated). Examiner notes encrypted packets are taught by Mahadik-Moore as shown above for claim 1.
.  

Claims 15, 29 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore as applied above, further in view of Li et al (US20080077705A1, hereinafter, “Li”).
Regarding claim 15, similarly claim 29, Mahadik-Moore combination teaches:
The packet-filtering system of claim 9, the method of claim 24, 
While the combination of Mahadik-Moore does not explicitly teach but in the same field of endeavor Li teaches:
wherein the first unencrypted data comprises one of: a SYN handshake message, or an ACK handshake message (Li, discloses packet classification according to packet classification rules in packet filtering, see [Abstract], [0004-0006]. And [0010] Like firewalls, proxies can filter traffic based on many packet attributes, such as source IP address and/or port, and destination IP address and/or port. In addition, proxies can filter traffic based on destination service such as hypertext transfer protocol (HTTP)… And [0074] If the inbound packet produces a SYN-cookie match, this implies that the packet is a TCP ACK packet sent by a client as the final step in a three-way handshake establishing a new connection).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Li in the method of selectively filtering internet traffic of Mahadik-Moore by recognizing packet being TCP ACK packet in a three-way handshake to establish new connection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify application and protocols by using proxy to perform filtering operation (Li, [Abstract], [0011]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Baehr et al (US5878231A). Discloses data packet screening between private network and public network based on content, state information and other criteria including source and destination.
White et al (US20150052601A1). Discloses methods and system for rapid filtering of opaque data traffic.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436                                                                                                                                                                                                        


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436