Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a Final Office action in response to communications received November 23, 2021.  Claims 1, 7, 14, 25, 27-29, 31, 34, and 64 have been amended.  Claims 67 and 68 has been added.  Claim 24 and 57 has been canceled.  Therefore, claims 1-10, 12-23, 25-34, 36-38, 43, 45, 55, 63-64, and 67-68 are pending and addressed below. 


Information Disclosure Statement
The information disclosure statement filed 10/12/2021 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  



Based on claim’s amendments, the Examiner rejects claims 1-10, 12-23, 25-34, 36-38, 43, 45, 55, 63-64, and 67-68 with the new ground of rejections



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-6, 8-15, 22-23, 25-30, 34, 36-38, 43, 45, 55, 63 are rejected under 35 U.S.C. 103 as being unpatentable over John et al. (US2006/0236370 A1, publish date 10/19/2006) (on Applicants IDS filed 02/10/2020) in view of Berlin (US2006/0184792 A1, publish date 08/17/2006).

Claims 1, 34:
With respect to claims 1, 34, John et al. discloses a system/method (a computer system for enforcing a security policy defined for a networked environment, Figure 1), comprising: 
a network interface (network interface 34, 0027); and 
a processor (a packet processing engine 32, 0027), configured to:
receive, via the network interface, a request originating from a request- origin application (a client application, such as client application 62a, sending a SYN request to a server application, 0037) and directed to a request-destination application (to a server application, such as server application 64a, 0037) that runs on a request-destination device (The destination address in a SYN packet is typically the network address assigned to another computing device, such as device 68, hosting a server application, such as server application 64a, 0038), 
subsequently to receiving the request, communicate the request to the request-destination device (an ACK response may be used to establish a second pathway through which the client and server applications can exchange data if the server application uses a destination port ID that is different from the source port ID received from the SYN packet in the ACK packet's destination port ID field, 0045), 
(an "ACK packet", such as ACK packet 66b in FIG. 1, 0045), from the request-destination application, to the request (an ACK response that 
corresponds to the initial SYN packet, 0042), 
while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), identify information contained in at least one log entry ("log entries", 0123) that was recorded by the request-destination application responsively to the request (session information, 0145), and 
perform a function in response to the information (A security policy defined for the network environment is enforced 206 by using the session information and the object attribute(s) to determine whether the packet violates the security policy, 0147).

John et al. does not disclose identify, from among multiple log entries recorded by the request- destination application, at least one log entry as having been recorded responsively to the request, while holding the response, identify, in the at least one log entry, information associated with the request or with the response as claimed. 

Berlin teaches a software tool to protect desktops and servers within the enterprise from unwanted software, including both known and unknown viruses, process-based worms, (0001), identify, from among multiple log entries recorded by the request- destination application (Database 104 may store data used by the TI server 102, including the Approved List, the Forbidden List, and other software, table of entries, 0056) (Processes, 202, 206, 204, Figure 3), at least one log entry as having been recorded responsively to the request, while holding the response, identify, in the at least one log entry (when a process request occurs at 220, Protection Agent 200 may determine, at 222, if the requested process file is on the Approved List (the known-good list) 202, if the requested process file is on the Forbidden List (the known-bad list) 204, Protection Agent 200 may be configured to request approval from the protection software executing on TI Server 102, as shown at 232 (0078-0080, Figure 3), information associated with the request or with the response (it may be determined if the forbidden process file is allowed to execute as indicated at 1130, If the forbidden process file is allowed to execute, the method may proceed to 920, If the forbidden process request is to be logged, information associated with the forbidden process request may be stored in UMF 278 at 930. For instance, information associated with the forbidden process request may comprise a TotalImmunity Identification and Forbidden-Run status. The forbidden process request may be passed through to be executed at 940, 0180, 0187) (Figure 9A, 9B).

John et al. and Berlin are analogous art because they are from the same field of endeavor of Network Traffic/applications.



Claim 2:
With respect to claim 2, John et al. discloses wherein the request includes a request to access a resource (a client application, such as client application 62a, initiates an application session by sending a SYN request to a server application, such as server application 64a, 0037).

Claims 3, 36:
With respect to claims 3, 36, John et al. discloses wherein the request includes an authentication request (packet processing engine 32 to identify authentication exchange packets of the required type, such as a request or response type, 0101).

Claims 4, 37:
With respect to claims 4, 37, John et al. discloses wherein the authentication request uses a Kerberos protocol ("Kerberos Protocol", 0059, 0066) and is encrypted using Flexible Authentication Secure Tunneling (FAST) (a temporary encryption key, called a "session key".  The authentication service 25 encrypts the contents of the authentication exchange response packet using the initiator's secret-key., After receiving the authentication exchange response packet, the initiator decrypts it by using the initiator's secret key, enabling the initiator to obtain the session key., 0109), and wherein the request-destination application includes a Kerberos Key Distribution Center (KDC) (The Kerberos protocol also defines the method of exchanging the secret-key, which is sometimes referred to as an "authentication exchange" process, 0108).

Claims 5, 38:
With respect to claims 5, 38, John et al. discloses wherein the authentication request uses a Netlogon protocol (pertaining to network authentication-related activities that occur, such as user logon and logoff events, on network environment 8, 0123), wherein the request-destination device includes a Domain Controller in a Windows domain (a server providing DNS (Domain Name System) services may be accessed or used to provide a name service.  In addition, WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125), and wherein the request-destination application includes Active Directory Domain Services (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Claim 6:
With respect to claim 6, John et al. discloses wherein the request includes a request to verify that a user is authorized to access a resource (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 
16-n, 0057).

Claim 8:
With respect to claim 8, John et al. discloses wherein the processor is configured to receive the request from the request-destination device (an ACK response may be used to establish a second pathway through which the client and server applications can exchange data if the server application uses a destination port ID that is different from the source port ID received from the SYN packet in the ACK packet's destination port ID field, 0045).

Claim 9:
With respect to claim 9, John et al. discloses wherein the request-origin application runs on a request-origin device, and wherein the processor is configured to receive the request from the request-origin device (the source address in a SYN packet is typically the network address assigned to a computing device, such as device 16-1, that hosts a client application, such as client application 62a, 0038, Figure 1).

Claims 10, 43:
With respect to claims 10, 43, John et al. discloses wherein a message selected from the group of messages (messages that were encrypted using either the initiator's secret-key or the target network entity's secret-key, 0110) consisting of: 
the request, and the response is encrypted, and wherein the processor is configured to perform the function without first decrypting the message (a temporary encryption key, called a "session key".  The authentication service 25 encrypts the contents of the authentication exchange response packet using the initiator's secret-key, After receiving the authentication exchange response packet, the initiator decrypts it by using the initiator's secret key, enabling the initiator to obtain the session key., 0109), and wherein the request-destination application includes a Kerberos Key Distribution Center (KDC) (The Kerberos protocol also defines the method of exchanging the secret-key, which is sometimes referred to as an "authentication exchange" process, 0108).

Claims 12, 45:
With respect to claims 12, 45, John et al. discloses wherein the processor is configured to, in performing the function, while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), request authentication from a user who submitted the request (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 16-n, 0057).

Claim 13:
With respect to claim 13, John et al. discloses wherein the processor is configured to, in performing the function, while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), request approval of the request from an individual other than a user who submitted the request (device 16-1 through 16-n may also be configured to respond to a query seeking the log-on status of users having a user account on the client, 0069).

Claim 14:
With respect to claim 14, John et al. discloses wherein the processor is configured to, in performing the function, prevent the response from being communicated to the request-origin application (to determine whether the packet violates the security policy, causes monitor 4 to either drop the packet or return the packet to the networked environment or any combination of the foregoing, 0140) (a set of actions that should be taken if it is found that a packet violates the security policy, actions in the security policy may include to reporting, dropping or both the packet from which the session information was generated, 0141).

Claim 15:
With respect to claim 15, John et al. discloses wherein the request belongs to a communication session, and wherein the processor is further configured to, in performing the function, cause the communication session to terminate (The application session may be terminated by the client application, 0048) (to determine whether the packet violates the security policy, causes monitor 4 to either drop the packet or return the packet to the networked environment or any combination of the foregoing, 0140) (a set of actions that should be taken if it is found that a packet violates the security policy, actions in the security policy may include to reporting, dropping or both the packet from which the session information was generated, 0141).

Claims 22, 55:
With respect to claims 22, 55, John et al. discloses wherein the information includes an identity of a user who submitted the request (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 
16-n, 0057).



Claim 23:
With respect to claim 23, John et al. discloses wherein the log entry (obtains event log 148, 0123) includes a Windows Event Log entry (WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125) (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Claim 25:
With respect to claim 25, John et al. discloses wherein the processor is further configured to, prior to communicating the request to the request-destination device, record metadata that are associated with the request, and wherein the processor is configured to identify the log entry from among the multiple log entries by identifying the recorded metadata in the log entry (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).


Claim 26:
With respect to claim 26, John et al. discloses wherein the metadata include a session identifier (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claim 27:
With respect to claim 27, John et al. discloses wherein the processor is further configured to, prior to communicating the request to the request-destination device, modify the request to include a particular marker, and wherein the processor is configured to identify the log entry from among the multiple log entries by identifying the particular marker in the log entry (Obtaining event log 148 enables control software 94 to extract at least one category item that can be used for associating packets from network traffic traversing on networked environment 8, 0124).

Claim 28:
With respect to claim 28, John et al. discloses wherein the processor is configured to identify the log entry from among the multiple log entries by identifying, in the log entry, an identifier of a communication interface via which the request was communicated to the request-destination device (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claim 29:
With respect to claim 29, John et al. discloses wherein the processor is configured to identify the log entry from among the multiple log entries by identifying a correspondence between a log-entry time of the log entry and a request-communication time at which the request was communicated to the request- destination device (Obtaining event log 148 enables control software 94 to extract at least one category item that can be used for associating packets from network traffic traversing on networked environment 8.  For example, control software 94 may extract a user name and a network address from event log 148.  Control software 
94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time tamp 
extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claims 30, 63:
With respect to claim 29, John et al. discloses wherein the request is a first request (a client application, such as client application 62a, sending a SYN request to a server application, 0037), and wherein the processor is further configured to: subsequently to communicating the first request, receive a second request directed to the request-destination device, and refrain from communicating the second request to the request-destination device before the log entry is entered (The application session may be terminated by the client application when the client sends a FIN request, which includes the client and server applications' control connections used during the application session subject to the FIN request, 0048).



Claims 31-33, 64 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US2012/0113857 A1, publish date 05/10/2012) in view of John et al. (US2006/0236370 A1, publish date 10/19/2006). (on Applicants IDS filed 02/10/2020) further in view of Berlin (US2006/0184792 A1, publish date 08/17/2006).

Claims 31, 64:
With respect to claims 31, 64, Narayanaswamy et al. discloses a system/method (environment 100, Figure 1), comprising: 
a network interface (a communication interface 260, 0022); and 
a processor (a processor 220, 0022), configured to: 
receive, from a security application (Traffic analyzer 310 may receive network traffic in the form of packets, 0029) (Figure 3, 310), a request originating from a request- origin application (network traffic transmitted in network 140, such as data transmitted from client 110, 0039) (client 110) and directed to a request-destination application (server 20, traffic analyzer 310 may receive a packet from a client, such as client 110, for transmission to a server, such as server 120, 0047), 
subsequently to receiving the request, communicate the request to the request-destination application (traffic analyzer 310 may process an initial packet, tentatively identify the packet as being associated with a particular traffic flow, store a copy of the packet, and transmit the packet towards its destination, 0052), 
subsequently to communicating the request to the request-destination application, receive a response, from the request-destination application, to the request (When traffic analyzer 310 receives a response packet to the initial packet, as an initial STC packet, traffic analyzer 310 may confirm the tentative identification of the traffic flow, 0052), and 
communicate the response, and at least one log entry recorded (may include storing, as entries in a table, information identifying a number of traffic flows and a corresponding number of port numbers, where one of the entries stores information identifying one of the traffic flows and a corresponding one of the port numbers, 0003) by the request-destination application responsively to the request, to the security application (Assume that the traffic analyzer determines, based on the initial packet (i.e., HTTP GET packet) and the response packet (i.e., the HTTP 200 OK packet), that the packets are HTTP packets associated with a HTTP traffic flow. The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow, 0059), without communicating the response to the request-origin application (The traffic analyzer may also transmit the response packet to the Client, 0059).

John et al. teaches at least one log entry (obtains event log 148, 0123).

Narayanaswamy et al. and John et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use John et al. in Narayanaswamy et al. for at least one log entry as claimed for purposes of providing network security that accurately logs, blocks or both the occurrence of selected activity on a networked environment, reducing the likelihood of blocking or reporting permissible types of activity or data and therefore maximizing the protection of network traffic.

Neither Narayanaswamy et al. nor John et al. disclose receive the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicate the response to the request-origin application as claimed. 

Berlin teaches a software tool to protect desktops and servers within the enterprise from unwanted software, including both known and unknown viruses, process-based worms, spy-ware and mal-ware (0001), log entry (Database 104 may store data used by the TI server 102, including the Approved List, the Forbidden List, and other software, table of entries, 0056) (Processes, 202, 206, 204, Figure 3) (when a process request occurs at 220, Protection Agent 200 may determine, at 222, if the requested process file is on the Approved List (the known-good list) 202, if the requested process file is on the Forbidden List (the known-bad list) 204, Protection Agent 200 may be configured to request approval from the protection software executing on TI Server 102, as shown at 232 (0078-0080, Figure 3), 
receive the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicate the response to the request-origin application (it may be determined if the forbidden process file is allowed to execute as indicated at 1130, If the forbidden process file is allowed to execute, the method may proceed to 920, If the forbidden process request is to be logged, information associated with the forbidden process request may be stored in UMF 278 at 930. For instance, information associated with the forbidden process request may comprise a TotalImmunity Identification and Forbidden-Run status. The forbidden process request may be passed through to be executed at 940, 0180, 0187) (Figure 9A, 9B).

Narayanaswamy et al., John et al. and Berlin are analogous art because they are from the same field of endeavor of Network Traffic/applications.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Berlin in Narayanaswamy et al. and John et al. for receive the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicate the response to the request-origin application as claimed for providing protection of software/resources since updating of protection software is getting more difficult as the number of viruses and virus variants and spy-ware applications continues to increase and therefore improved methods are desired for creating and managing protection related software, there is a need for improved protection software which prevents unwanted software from being installed on computer systems. (See Berlin, 0005, 0011)

Claim 32:
With respect to claim 32, Narayanaswamy et al. discloses wherein the processor is further configured to, prior to receiving the request from the security application: receive the request from the request-origin application, and forward the request to the security application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).


Claim 33:
With respect to claim 33, the combination of Narayanaswamy et al., John et al., and Berlin discloses the limitations of claim 31, as addressed. 

John et al. discloses wherein the authentication request uses a Netlogon protocol (pertaining to network authentication-related activities that occur, such as user logon and logoff events, on network environment 8, 0123), wherein the request-destination device includes a Domain Controller in a Windows domain (a server providing DNS (Domain Name System) services may be accessed or used to provide a name service.  In addition, WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125), and wherein the request-destination application includes Active Directory Domain Services (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Narayanaswamy et al. and John et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining Narayanaswamy et al. and John et al. is recited in claim 31.  


Claims 7, 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over John et al. (US2006/0236370 A1, publish date 10/19/2006) in view of Berlin (US2006/0184792 A1, publish date 08/17/2006) further in view of Narayanaswamy et al. (US2012/0113857 A1, publish date 05/10/2012). (on Applicants IDS filed 02/10/2020)

Claim 7:
With respect to claim 7, the combination of John et al. and Berlin discloses the limitations of claim 1, as addressed. 

John et al. does not disclose wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the log entries from the request-destination device as claimed. 

Berlin teaches a software tool to protect desktops and servers within the enterprise from unwanted software, including both known and unknown viruses, process-based worms, spy-ware and mal-ware (0001), receive the log entries from the request-destination device (Database 104 may store data used by the TI server 102, including the Approved List, the Forbidden List, and other software, table of entries, 0056) (Processes, 202, 206, 204, Figure 3).  
John et al. and Berlin are analogous art because they are from the same field of endeavor of Network Traffic/applications.

The motivation for combining John et al. and Berlin is recited in claim 1.

Narayanaswamy et al. discloses wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device (Assume that the traffic analyzer determines, based on the initial packet (i.e., HTTP GET packet) and the response packet (i.e., the HTTP 200 OK packet), that the packets are HTTP packets associated with a HTTP traffic flow.  The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow, 0059).

John et al., Berlin and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Narayanaswamy et al. in John et al. for wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device as claimed for purposes of not monitoring traffic passively and monitoring appliance may gather statistics, record activity, and/or analyze the packet for security purposes and therefore maximizing the protection of network traffic.

Claim 16:
With respect to claim 16, John et al. and Berlin discloses the limitations of claim 1, as addressed. 

John et al. does not disclose wherein the processor is further configured to, subsequently to identifying the information, cause the response to be communicated to the request-origin application as claimed. 

However, Narayanaswamy et al. discloses wherein the processor is further configured to, subsequently to identifying the information, cause the response to be communicated to the request-origin application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).

John et al., Berlin and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Narayanaswamy et al. in John et al. for wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device as claimed for purposes of not monitoring traffic passively and monitoring appliance may gather statistics, record activity, and/or analyze the packet for security purposes and therefore maximizing the protection of network traffic.

Claim 17:
With respect to claim 17, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein the processor is configured to cause the response to be communicated to the request-origin application by communicating the response to the request-destination device for forwarding to the request-origin application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Claim 18:
With respect to claim 18, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein the request-origin application runs on a request-origin device, and wherein the processor is configured to cause the response to be communicated to the request-origin application by communicating the response to the request-origin device (Client 110 may include a device, such as a personal computer, a laptop computer, a personal digital assistant (PDA), a wireless telephone, or another type of computation or communication device.  Client 110 may communicate with server 120 over network 140 via wired and/or wireless connections, 0017).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Claim 19:
With respect to claim 19, the combination of John et al., Berlin and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Berlin teaches a software tool to protect desktops and servers within the enterprise from unwanted software, including both known and unknown viruses, process-based worms, spy-ware and mal-ware (0001), log entries Database 104 may store data used by the TI server 102, including the Approved List, the Forbidden List, and other software, table of entries, 0056) (Processes, 202, 206, 204, Figure 3),
wherein the processor is configured to, in performing the function, prior to causing the response to be communicated to the request-origin application, alter the response (it may be determined if the forbidden process file is allowed to execute as indicated at 1130, If the forbidden process file is allowed to execute, the method may proceed to 920, If the forbidden process request is to be logged, information associated with the forbidden process request may be stored in UMF 278 at 930. For instance, information associated with the forbidden process request may comprise a TotalImmunity Identification and Forbidden-Run status. The forbidden process request may be passed through to be executed at 940, 0180, 0187) (Figure 9A, 9B).

John et al., Berlin and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al., Berlin and Narayanaswamy et al. is recited in claim 1.

Claim 20:
With respect to claim 20, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Berlin teaches a software tool to protect desktops and servers within the enterprise from unwanted software, including both known and unknown viruses, process-based worms, spy-ware and mal-ware (0001), log entries Database 104 may store data used by the TI server 102, including the Approved List, the Forbidden List, and other software, table of entries, 0056) (Processes, 202, 206, 204, Figure 3),
wherein the response initially indicates that the request was approved, and wherein the processor is configured to alter the response to indicate that the request was denied 
 (it may be determined if the forbidden process file is allowed to execute as indicated at 1130, If the forbidden process file is allowed to execute, the method may proceed to 920, If the forbidden process request is to be logged, information associated with the forbidden process request may be stored in UMF 278 at 930. For instance, information associated with the forbidden process request may comprise a TotalImmunity Identification and Forbidden-Run status. The forbidden process request may be passed through to be executed at 940, 0180, 0187) (Figure 9A, 9B).

John et al., Berlin and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al., Berlin and Narayanaswamy et al. is recited in claim 1.

Claim 21:
With respect to claim 21, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein the response indicates that the request was approved and allows the request- origin application to access a resource (after an application session is established, the client and server applications may then conduct their application session by sending packets to each other as required, 0047), and wherein the processor is configured to, in performing the function, subsequently to causing the response to be communicated to the request-origin application, terminate access of the request-origin application to the resource after a predetermined amount of time (The application session may be terminated by the client application when the client sends a FIN request, which includes the client and server applications' control connections used during the application session subject to the FIN request, 0048).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm., every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433