Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
	Claims 21 – 33, 35 – 38, and 41 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4, and 7 - 19  of U.S. Patent No. 10,999,295. Although the claims at issue are not identical, they are not patentably distinct from each other because each element in the pending claims is anticipated by a corresponding element in a patented claim, as illustrated in the tables presented below.
Pending claim 21. A method, comprising: 


monitoring 

one or more flows of encrypted traffic between at least one Internet Protocol (IP) address and a network;

based on the monitoring, without decrypting the flows, identifying that a particular type of action was performed at the IP address at an action-time; 


receiving, from a node in the network, an indication that an action of the particular type was performed;



in response to receiving the indication, 

identifying an approximate action-time of the action; 



ascertaining that a difference between the approximate action-time and the action-time is within a predefined range;


in response to ascertaining that the difference is within the predefined range, 
identifying the IP address as a candidate source of the action;

in response to identifying the IP address as a candidate source of the action, 


associating information relating to the action with at least one descriptor that is based on the IP address; 



and generating an output that indicates the association.
Patented claim 1. system, comprising: a communication interface; and a processor, configured to: 
monitor, 
via the communication interface, 
one or more flows of encrypted traffic between at least one Internet Protocol (IP) address and a network, 

based on the monitoring, without decrypting the flows, identify that a particular type of action was performed at the IP address at an action-time or identify that content was uploaded from the IP address at one or more upload-times, 
receive, from anode in the network, an indication that an action of the particular type was performed or one or more units of user-action details (UUADs) specifying respective units of content that were uploaded using a particular user-identifier,
in response to receiving the indication 
or UUADs,
identify an approximate action-time of the action or identify respective approximate upload-times at which the units of content were uploaded, 

ascertain that a difference between the approximate action-time and the action- time is within a predefined range or ascertain that respective differences between at least some of the approximate upload-times and respective ones of the upload-times are each within a predefined range, 

in response to ascertaining, 



in response to identifying the IP address as a candidate source of the action or the source of uploaded content, 

associate information relating to the action with at least one descriptor that is based on the IP address or associate the particular user-identifier with at least one descriptor that is based on the IP address, 

and, generate an output that indicates the association


Pending claim 21 recites that the traffic flow monitored is between a node in a peer-to-peer network. This language is absent from patented claim 1, but is recited in dependent patented claim 18, as illustrated below.

Pending claim 21. . . .  and a peer-to-peer (P2P) network
Patented claim 18. . . . wherein the network is a peer-to-peer (P2P) networ.


Pending claim 22. . . . receiving the indication by receiving a unit of user-action details (UUAD) specifying details of the action
Patented claim 9. . . receive the indication by receiving a unit of user-action details (UUAD) specifying details of the action.


Pending claim 23. . . . wherein the action includes a blockchain transaction
Patented claim 10.. . .  wherein the action includes a blockchain transaction


Pending claim 24. . . . receiving the indication by receiving a hash of the transaction
Patented claim 11. . . . receive the indication by receiving a hash of the transaction


Pending claim 25. . .  wherein the descriptor includes the IP address.
Patented claim 1. . . .  at least one descriptor that is based on the IP address . . . 


Pending claim 26. . . .  wherein the descriptor consists of the IP address
Patented claim 1. . . .  at least one descriptor that is based on the IP address . . .


Pending claim 27 . . . . wherein the descriptor is selected from the group of descriptors consisting of: a device-identifier of a device that used the IP address, an account- identifier of an account to which the IP address was provisioned, and an attribute of a user who used the IP address.
Patented claim 4. . . . wherein the descriptor is selected from the group of descriptors consisting of: a device-identifier of a device that used the IP address, an account-identifier of an account to which the IP address was provisioned, and an attribute of a user who used the IP address.


Pending claim 28 . . . . computing a likelihood that the IP address was the source of the action; and based on the likelihood, computing a level of confidence for associating the information with the descriptor, wherein generating the output comprises generating the output in response to the level of confidence.
Patented claim 12 . . . compute a likelihood that the 
IP address was the source of the action, and based on the likelihood, compute a level of confidence for associating the information with the descriptor, wherein the processor is configured to generate 
the output in response to the level of confidence


Pending claim 29 . . . computing the likelihood based on the difference between the approximate action-time and the action-time.
Patented claim 13 . . . compute the likelihood based on the difference between the approximate action-time and the action-time


Pending claim 30. . . . computing the likelihood comprises computing the likelihood based on respective receipt-times at which the indication was received by the node and by the other nodes.
Patented claim 14. . . .  compute the likelihood based on respective receipt-times at which the indication was received by the node and by the other nodes


Pending claim 31 . . . wherein 
identifying that the particular type of action was performed comprises identifying that the particular type of action was performed by identifying 
a block of packets, belonging to the flows, that was generated in response to the particular type of action, wherein the information is derived from a unit of user-action details (UUAD) specifying details of the action, wherein the method further comprises 

identifying a degree of correlation between a 
block- size of the block of packets and a UUAD-size of the UUAD, and wherein computing the likelihood comprises computing the likelihood in response to the degree of correlation.
Patented claim 15 . . . 
identify that the particular type of action was performed by identifying 

a block of packets, belonging to the flows, that was generated in response to the particular type of action, wherein the information is derived from a unit of user-action details (UUAD) specifying details of the action, wherein the processor is further configured to

 identify a degree of correlation between a 
block-size of the block of packets and a UUAD-size of the UUAD, and wherein the processor is configured to compute the likelihood in response to the degree of correlation.


Pending claim 32 . . . approximate action-time is a time at which the indication was received by the node
Patented claim 7 . . . approximate upload-times are respective times at which the UUADs were received.


Pending claim 33 . . . wherein the information is derived from a unit of user- action details (UUAD) specifying details of the action.
Patented claim 9 . . . receive the indication by receiving a unit of user-action details (UUAD) specifying details of the action.


Pending claim 35 . . . wherein the UUAD indicates that the action was performed at a particular time, and wherein the approximate action-time is the particular time.
Patented claim 8 . . . wherein the UUADs indicate that the units of content were uploaded at respective particular times, and wherein the approximate upload-times are the particular times.


Pending claim 36 . . . wherein the UUAD indicates that the action was performed under a particular user-identifier, and wherein the information includes the particular user-identifier
Patented claim 16 . . . wherein the UUAD indicates that the action was performed at a particular time or under a particular user-identifier.


Pending claim 37 . . . wherein the particular user-identifier includes a blockchain address.
Patented claim 10 . . . wherein the action includes a blockchain transaction.


Pending claim 38 . . . monitoring one or more other flows of encrypted traffic between another IP address and the P2P network; based on the monitoring of the other flows, identifying that the particular type of action was performed at the other IP address at 
Patented claim 17 . . . monitor one or more other flows of encrypted traffic between another IP address and the P2P network, based on the monitoring of 

as another candidate source of the action, in response to another difference between the approximate action-time and the other action-time being within the predefined range, and in response to identifying the other IP address as another candidate source, associate the particular user-identifier with another descriptor that is based on the other IP address.


Pending claim 41 . . . in response to
identifying that the particular type of action was performed, using the node, 
querying another node in the P2P network for any indications of new actions; and receiving the indication, by the node, in response to the querying.
Patented claim 19 . . . in response to the processor identifying that the particular type of action was performed, 
query another node in the P2P network for any indications of new actions, and receive the 
indication in response to the querying.



Subject Matter Allowable over Prior Art
	Claims 21 - 41 would be allowable, absent the pending Double Patenting rejections.	Claims 34, 39, and 40 are objected to, as they are not subject to pending rejections but depend on rejected claims.	The closet prior art is Conti (Conti, Mauro et al. “Analyzing Android Encrypted Network Traffic to Identify User Actions.” IEEE Transactions on Information Forensics and Security 11: 114-125. (Year: 2016)). Conti anticipates several important elements invention and its operating environment, which involves, e.g., eavesdropping (e.g., via a router or network tap) on encrypted communications as they originate from a client and correlating those encrypted communications with public content postings by noting timing correspondence between when the encrypted communications originated and when the public content postings were made. This is described on pg. 115, right column, lines 2 – 9 in Conti as:
	“A censorship government may try to identify a dissident who spreads anti-government 	propaganda using an anonymous social network account. Comparing the time of the 	public posts with the time of the actions (inferred with our method), the government 	can guess the identity of that anonymous dissident.”
	Conti also operates in an environment utilizing encrypted communication (Conti, pg. 117, right column, lines 43-46), and performs their analysis (which includes identification of action types) without requiring decryption of the monitored information flows (Conti, pg. 114, right column lines 57-64). However, Conti lacks disclosure corresponding to the claimed operation in a peer-to-peer environment, as well as other claimed implementation details such as utilization of candidate IP addresses and how the IP addresses are correlated with a “descriptor that is based on the IP addresses”.Anstey (US-20200111066-A1) is also highly relevant to the claimed invention. Anstey anticipates operation in a peer-to-peer environment (Anstey, [32,48]), including blockchain based peer-to-peer operations such as in a BitCoin transaction (Anstey, [44]).  Anstey additionally  uses event timing as in a method for determining the origin of presumably anonymous transactions (Anstey, [74-77]). However, instead of determining a “descriptor that is based on the IP address”, Anstey is instead determining the IP address itself. Anstey’s focus on BitCoin transactions also results in architectural differences when contrasted with the disclosure of Conti (e.g., how the actions of interest are monitored and the presence of encryption in the communications). 	Bajaria (US-20210105249-A1) is another prior art reference that performs steps to associate account identifiers with IP addresses (Bajaria, [23, 49-51]). However Bajaria associations are for determining the account holder of a domain name (e.g., that “1.1.1.1” corresponds to “abc.com”), and performs this association by monitoring visitors to a site rather than by intercepting encrypted communication in a peer-to-peer enviornment.
	Katzir-2008 (US-20080285464-A1) is generally relevant to the claimed invention, and includes a method to associate traffic with entity identities utilizing communications patterns and then reports those associations (Katzir-2008, Fig. 2, [80]).
	Katzir-2018 (US-20180109542-A1) is also relevant, and includes discussions regarding monitoring encrypted traffic in order to associate particular actions with the encrypted traffic (without relying on decrypting the traffic; Katzir-2018, [36,41-43]). Time differences and thresholds are also utilized (Katzir-2018, [55,59]). However, the focus of Katzir-2018 is geared toward discovering the action in the encrypted data while the present invention performs Altman (US-9641444-B2) is also relevant to the present invention, and includes mechanisms for correlating users with IP addresses based on monitored traffic flows (col. 3 lines 51 – 67). Monitoring of encrypted traffic is also supported (col. 4 lines 28 – 41). However, the action identification and particular mechanisms used in the present disclosure for pairing observed actions with encrypted events is lacking in Altman.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM TROST can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JOHN MACILWINEN
Primary Examiner
Art Unit 2442



/JOHN M MACILWINEN/Primary Examiner, Art Unit 2442