DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 2/3/2022 has been entered. Claims 1-9, 12-13, 16-21, 24 are currently amended claims. Claims 1-24 are pending in the application.
The objection of claims 1, 5, 9, 13, 17, 21 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/20/2021, 12/23/2021, 1/4/2022, 3/8/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.

Response to Arguments
Applicant’s argument regarding double patenting (see page 10 of the Remarks filed 2/3/2022) has been acknowledged, and the double patenting rejection is maintained of record for further consideration.
Applicant’s arguments, see pages 10-14 of the Remarks filed 2/3/2022, regarding the rejections of claims 1-24 under 35 USC 103 as being unpatentable over the prior art of record have been fully considered but are not persuasive.

Claims are interpreted under the broadest reasonable interpretation (see MPEP 2111.01 I). Claim 1 (similarly claims 9, 17) recites packet filtering (of encrypted packets and unencrypted packets). A packet is interpreted as data or a message communicated over a network. The unencrypted data of a packet is interpreted as any data or message communicated over a network without being encrypted. Packet-filtering rules are the rules based on which the data filtering is performed.
Applicant argued, see pages 12-13 of the Remarks, that none of the cited references teaches, discloses, or otherwise suggests at least, as recited by claim 1, “determine whether the encrypted communication session corresponds to the packets comprising the unencrypted data by correlating, based on the logged at least a portion of the unencrypted data, the packets comprising the encrypted data with the packets comprising the unencrypted data”. Examiner acknowledges applicant’s perspective but respectfully disagrees. Since the claim recites packets of unencrypted data and packets of encrypted data, and correlating the packets comprising encrypted data with the packets of unencrypted data, nowhere does the claim suggest that the unencrypted data and the encrypted data are in the same packet(s). On the other hand, Mahadik teaches filtering encrypted communication based on the encryption handshake (such as using a SSL

Applicant’s further arguments regarding the dependent claims are therefore also not persuasive, due to their dependency on the respective rejected independent claims.
It is suggested that Applicant incorporate innovative features into the independent claims to advance the case.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 9, 17 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 21 of parent co-pending Application No. 15/877,608 (hereinafter, “ ’608”), in view of Mahadik et al (US20140089661A1). See below the claims comparison table for claim comparison between the instant application and the parent co-pending application.
Claim 21 of copending application ‘608 discloses all of the limitations recited in claim 1 (similarly claim 9, claim 17) of the instant application, as seen in the table below, except those limitations emphasized in bold; however, Mahadik, in the same area of endeavor, teaches:
receive, from a plurality of different network threat-intelligence providers, one or more network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query); generate, based on the one or more network-threat indicators, one or more packet-filtering rules configured to identify packets comprising data corresponding to the one or more network-threat indicators (Mahadik, [0022] Step S220, which includes, determining (i.e. generating) a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database…Step S220 may additionally include determining the resource access level according to rules set by a network administration interface). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet filtering system of ‘608 by receiving data regarding network-threat indicators from a third-party network intelligence provider such as the Internet Resource Database/Admin Interface. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide the resource database with stored information such as domain names, URI/URL, etc., as well as respective resource access levels for internet traffic filtering (Mahadik, [Abstract]).
Claims Comparison Table

Instant Application 17/383,702, Claim 1 (similarly claims 9, 17):

A packet-filtering system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to:

receive, from a plurality of different network threat-intelligence providers, one or more network-threat indicators;

generate, based on the one or more network-threat indicators, one or more packet-filtering rules configured to identify packets comprising data corresponding to the one or more network-threat indicators;

filter, based on the one or more packet-filtering rules, a plurality of packets comprising unencrypted data;

generate, based on the filtering the plurality of packets comprising the unencrypted data, log data indicating: an indication of the filtering based on the one or more packet-filtering rules; and at least a portion of the unencrypted data;

receive, after the filtering the packets comprising the unencrypted data, packets comprising encrypted data as part of an encrypted communication session;

determine whether the encrypted communication session corresponds to the packets comprising the unencrypted data by correlating, based on the logged at least a portion of the unencrypted data, the packets comprising the encrypted data with the packets comprising the unencrypted data;

and filter, based on the one or more packet-filtering rules and based on determining that the encrypted communication session corresponds to the packets comprising the unencrypted data, the packets comprising the encrypted data.

Co-pending Application 15/877,608, Claim 21:

A packet-filtering apparatus comprising: at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to:

receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data;

determine whether the first
by one or more first packet-filtering rules of the plurality of packet-filtering rules;

filter, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators the plurality of first packets;

generate, based on the filtering the plurality of first packets, log data indicating: an indication of the filtering of the plurality of first packets; and at least a portion of the first unencrypted data;

receive, after the filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: encrypted data and respective packet headers comprising second unencrypted data;

determine whether the plurality of second packets correspond to an encrypted communication session associated with the plurality of first packets by determining that the second unencrypted data corresponds to the logged at least a portion of the first unencrypted data;

and filter, responsive to determining that the encrypted communication session corresponds to the logged at least a portion of the first unencrypted data, and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of second packets.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-3, 5-6, 9-11, 13-14, 17-19, 21-22 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US20140089661A1, IDS by applicant, hereinafter “Mahadik”), in view of Dubrovsky et al (US20140373156A1, IDS by applicant, hereinafter “Dubrovsky”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive, from a plurality of different network threat-intelligence providers, one or more network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query); 
generate, based on the one or more network-threat indicators, one or more packet-filtering rules configured to identify packets comprising data corresponding to the one or more network-threat indicators (Mahadik, [0022] Step S220, which includes, determining (i.e. generating) a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database…Step S220 may additionally include determining the resource access level according to rules set by a network administration interface);
filter, based on the one or more packet-filtering rules, a plurality of packets comprising unencrypted data (Mahadik, [0022] …domains are classified as permitted, partially-permitted, and restricted (i.e. filtering). Permitted resources are resources that are fully trusted and deemed safe. Restricted resources are resources that are untrusted, malicious, inappropriate, or otherwise undesirable for some users of a network. Restricted resources are typically blocked for users without permission to view. Partially-permitted resources are resources that have portions that could be permitted or restricted); 
receive, after the filtering the packets comprising the unencrypted data, packets comprising encrypted data as part of an encrypted communication session (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain (i.e. unencrypted data) is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted. Examiner notes encrypted communication is after the handshake, i.e. filtering with unencrypted data);
determine whether the encrypted communication session corresponds to the packets comprising the unencrypted data by correlating, based on the [logged] at least a portion of the unencrypted data, the packets comprising the encrypted data with the packets comprising the unencrypted data (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); (see Dubrovsky below for limitation in bracket)
and filter, based on the one or more packet-filtering rules, and based on determining that the encrypted communication session corresponds to the packets comprising the unencrypted data, the packets comprising the encrypted data (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain (i.e. if encrypted traffic is correlated to the unencrypted data) is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic (i.e. filtering)). 
While Mahadik does not explicitly teach generation of log data and using the log data for correlating the packet data, in the same field of endeavor Dubrovsky teaches:
generate, based on the filtering the plurality of packets comprising the unencrypted data, log data indicating: an indication of the filtering based on the one or more packet-filtering rules; and at least a portion of the unencrypted data (Dubrovsky, discloses method of accessing digital document based on previous knowledge of document content, see [Abstract], [0007]. And [0026] Meanwhile, the network access device 201 may extract the URL of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306 (i.e. storing log data)); logged at least a portion of the unencrypted data (Dubrovsky, [0022] data structure to maintain any previous failed requests for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet 

Regarding claim 9, the Mahadik-Dubrovsky combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: method steps substantially similar to the method steps performed by the packet-filtering system of claim 1; claim 9 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 17, the Mahadik-Dubrovsky combination teaches:
One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors of a packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]. And [0042] instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a processor), cause the packet-filtering system to: perform method steps substantially similar to the method steps performed by the packet-filtering system of claim 1; claim 17 is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 2, similarly claim 10, claim 18, Mahadik-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the packets comprising the encrypted data based on the one or more packet-filtering rules (Mahadik, referring to Fig. 2 of securing network traffic. And [0022] Step S220 may additionally include determining the resource access level according to rules (i.e. packet-filtering rules) set by a network administration interface. These rules function to enable the method to enforce conditional access restrictions to resources. For example, an administrator may place time limits on access to a particular domain, restrict all access for a particular user, or setup any suitable network access restriction rule.).

Regarding claim 3, similarly claim 11, claim 19, Mahadik-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the packets comprising the encrypted data by forwarding the packets comprising the encrypted data to a proxy device (Mahadik, see Fig. 1 web proxy server 130. And [0017] The web proxy server 130 of a preferred embodiment functions to provide a form of traffic monitoring for resources not fully trusted. Preferably, the web proxy server is configured to inspect and enforce a network security policy on web traffic. And [0029] The method may additionally include detecting encryption handshake when web proxying... The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted).  

Regarding claim 5, similarly claim 13, claim 21, Mahadik-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the logged at least the portion of the unencrypted data comprises the data, from the plurality of packets comprising the unencrypted data, that corresponds to the one or more packet-filtering rules (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource. The queries are preferably received at a DNS proxy server. And [0022] Step S220, which includes, determining a resource access level (i.e. rules) of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database… These rules function to enable the method to enforce conditional access restrictions to resources).  

Regarding claim 6, similarly claim 14, claim 22, Mahadik-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of packets comprising the unencrypted (Mahadik, [0039] Step S340, regulating traffic through the web proxy server based on an access token of the client, functions to regulate traffic based on information present in an access token presented by the client. The access token is preferably a cookie, but may alternatively be a cryptographic hash or any other suitable method for authenticating the client with the web proxy server... Traffic is preferably regulated by the web proxy server based on rules set by the network administration interface, the presence and content of an access token on a client machine of the traffic).  

Claims 4, 12, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky as applied to claims 1, 9, 17 respectively, further in view of Martini (US20140317397A1-IDS by Applicant, hereinafter, “Martini”).
Regarding claim 4, similarly claim 12, claim 20, Mahadik-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the plurality of packets comprising the unencrypted data comprise a handshake message configured to establish the encrypted communication session, 

and wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to determine whether the encrypted communication session corresponds to the packets comprising the unencrypted data by causing the packet-filtering system to determine that the packets comprising the encrypted data are associated with the encrypted communication session (Martini, [0042] The MitM gateway 104 requests an encrypted connection with the server 118 (314). For example, the MitM gateway 104 can use the URL of the encryption handshake from the browser device 106 to request an encrypted connection on behalf of the browser device 106. The MitM gateway 104 and the server 118 establish a second encrypted connection (316). For example, the MitM gateway 104 may act as a proxy of the browser device 106, mimicking the interface of the browser device 106 in communications with the server 118. The two encryption sessions may be of the same …).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik-Dubrovsky by correlating the encrypted connection session with the associated DNS request. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the unencrypted information, such as spoofed IP addresses directed to the domains contained in the DNS requests of Mahadik, to filter the encrypted network traffic (Martini, [Abstract]).

Claims 7, 15, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky as applied to claims 1, 9, 17 respectively, further in view of Foley et al (US20140165189A1, hereinafter, “Foley”).
Regarding claim 7, similarly claim 15, claim 23, Mahadik-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17, wherein the instructions, when executed by the one or more processors, 
While the combination of Mahadik-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Foley teaches:
cause the packet-filtering system to: receive, after generating the one or more packet-filtering rules, one or more second network-threat indicators; and reconfigure, based on the one or more second network-threat indicators, the one or more packet-filtering rules (Foley, discloses monitoring data traffic on a network based on security rules, see [Abstract]. And [0094] Program 405 responsively captures from the access 420 audit data 435 that is defined by matching rule 544 and sends data 435 to repository 534, which may be on a different data server than is designated by rule 542... In addition, rule 544 is configured to cause program 405, responsive to access or accesses 420 matching rule 544, to automatically capture predetermined elements 445 of the access 420, such as the user name, database user name, IP address, or other identifying characteristics of individual 492 (i.e. second network-threat indicators), and to automatically include them in a new, second rule 440 that program 405 responsively creates automatically. Consequently, audit program 405 is now configured with an additional, new rule 546 (i.e. reconfigure) to filter out this potential hacker 492…).  
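As an added illustration (not part of this Office action, of the instant application, or of any cited reference), the following Python models the claim 1 sequence as interpreted above (threat indicators from several providers, rules generated from them, cleartext packets filtered and logged with a portion of their unencrypted data, later encrypted packets correlated to that log by shared header fields and filtered on the logged action), together with the claim 7 step of reconfiguring the rules when further indicators arrive. The provider names, indicators, addresses, and packets are constructed for the example; the TLS server name (SNI) is used as the unencrypted datum because the handshake discussion above relies on it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed indicator feeds from two hypothetical providers (not real data).
THREAT_FEEDS: Dict[str, List[str]] = {
    "provider-a": ["malicious.example", "198.51.100.7"],
    "provider-b": ["evil.example.net"],
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    server_name: Optional[str] = None  # SNI from a TLS ClientHello, sent in the clear
    encrypted: bool = False            # True for record-layer payload after the handshake


@dataclass
class Rule:
    indicator: str        # lower-cased domain name or IP address
    action: str = "block"


def generate_rules(feeds: Dict[str, List[str]]) -> List[Rule]:
    """Merge indicators from all providers into one de-duplicated rule list."""
    rules: List[Rule] = []
    seen = set()
    for indicators in feeds.values():
        for ind in indicators:
            key = ind.strip().lower()
            if key and key not in seen:
                seen.add(key)
                rules.append(Rule(indicator=key))
    return rules


class PacketFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        # Each log entry records the indication of filtering (rule, action) and a
        # portion of the unencrypted data (header fields plus the server name).
        self.log: List[dict] = []

    def reconfigure(self, more_feeds: Dict[str, List[str]]) -> int:
        """Add rules for indicators received after the initial rule set (claim 7)."""
        existing = {r.indicator for r in self.rules}
        added = [r for r in generate_rules(more_feeds) if r.indicator not in existing]
        self.rules.extend(added)
        return len(added)

    def _match(self, pkt: Packet) -> Optional[Rule]:
        fields = [f.lower() for f in (pkt.dst, pkt.server_name) if f]
        for rule in self.rules:
            if rule.indicator in fields:
                return rule
        return None

    def filter_unencrypted(self, pkt: Packet) -> str:
        """Apply the rules to a cleartext packet and log what matched and why."""
        rule = self._match(pkt)
        if rule is None:
            return "allow"
        self.log.append({
            "rule": rule.indicator, "action": rule.action,
            "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
            "server_name": pkt.server_name,
        })
        return rule.action

    def correlate(self, pkt: Packet) -> Optional[dict]:
        """Find the logged cleartext entry whose header fields this encrypted packet shares."""
        for entry in self.log:
            if (entry["src"], entry["dst"], entry["dport"]) == (pkt.src, pkt.dst, pkt.dport):
                return entry
        return None

    def filter_encrypted(self, pkt: Packet) -> str:
        """The encrypted payload cannot be inspected; decide from the correlated log entry."""
        entry = self.correlate(pkt)
        return entry["action"] if entry else "allow"


def run_demo() -> dict:
    pf = PacketFilter(generate_rules(THREAT_FEEDS))
    out = {}
    # Constructed traffic: a ClientHello to an indicator, then encrypted data on the same flow.
    out["hello_bad"] = pf.filter_unencrypted(Packet("10.0.0.5", "198.51.100.7", 443, "malicious.example"))
    out["hello_ok"] = pf.filter_unencrypted(Packet("10.0.0.6", "203.0.113.10", 443, "benign.example"))
    out["enc_bad"] = pf.filter_encrypted(Packet("10.0.0.5", "198.51.100.7", 443, encrypted=True))
    out["enc_ok"] = pf.filter_encrypted(Packet("10.0.0.6", "203.0.113.10", 443, encrypted=True))
    # A further indicator feed arrives later and the rules are reconfigured (claim 7).
    out["rules_added"] = pf.reconfigure({"provider-c": ["benign.example", "EVIL.example.net"]})
    out["hello_ok_after"] = pf.filter_unencrypted(Packet("10.0.0.6", "203.0.113.10", 443, "benign.example"))
    out["log_entries"] = len(pf.log)
    return out
```

Calling run_demo() shows the second encrypted flow passing because nothing about it was logged, while the first is blocked solely on the logged handshake data; after the reconfigure step, a repeat of the previously allowed ClientHello is blocked, and the duplicate indicator from provider-c adds no second rule.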

Claims 8, 16, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky as applied above to claims 1, 9, 17 respectively, further in view of Hampel et al (US9258218B2-IDS by applicant, hereinafter, “Hampel”).
Regarding claim 8, similarly claim 16, claim 24, Mahadik-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 9, the computer-readable media of claim 17,
While the combination of Mahadik-Dubrovsky does not explicitly teach the following limitation(s), in the similar field of endeavor Hampel teaches:
wherein the unencrypted data is associated with first transport-layer information, wherein the encrypted data is associated with second transport-layer information, and wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to determine whether the encrypted communication session corresponds to the packets comprising the unencrypted data by causing the packet-filtering system to: determine (Hampel, [Abstract] discloses method to control overlay networks with control functions and forwarding functions separated, And [Claim 12] a data flow definition for a data flow and a set of actions to be performed for the data flow at the forwarding element, wherein the data flow definition is based on one or more protocol header (i.e. unencrypted data) fields of one or more protocols, wherein the one or more protocols comprise one or more network layer protocols or one or more transport layer protocols (i.e. second transport-layer), wherein the set of actions comprises at least one tunneling action and at least one security action, wherein the at least one tunneling action comprises at least one of a set of multiple encapsulation actions (i.e. encrypted data) or a set of multiple decapsulation actions, wherein the at least one security action is associated with a security protocol (i.e. first transport-layer) and comprises at least one of an encryption action or a decryption action; wherein the set of multiple encapsulation actions comprises a tunneling encapsulation action, a transport layer encapsulation action, and a network layer encapsulation action;  … and processing a packet of the data flow based on the control information (i.e. corresponds to the second transport-layer information)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hampel in the method of selectively filtering internet traffic of Mahadik-Dubrovsky by separating the control functions in network layer protocol and the forwarding functions in security protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the software-defined network overlay method vertically move packets across 
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not relied upon for this Office action:
Wong et al (US20110296186A1) discloses selective transmission of an encrypted packet based on the integrity of the unencrypted packet header of the encrypted packet.
Moon et al (US 20090150972A1) discloses managing encrypted P2P traffic using policy based on application identifiers.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/MICHAEL M LEE/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436