PleDETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 2/3/2022 has been entered. Claims 1-2, 4, 9-10, 15, 17-18, 23 are currently amended. Claims 1-24 are pending in the application.
The objection of claims 1, 4, 9, 17 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
The rejection of claim 4 under 35 USC 112(b) due to lack of antecedent basis has been withdrawn in light of applicant’s amendment to the claim.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/19/2021, 12/20/2021, 12/23/2021, 1/4/2022, 3/8/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s argument regarding double patenting (see page 10 of the Remark filed 2/3/2022) has been acknowledged and the double patenting rejection is maintained as record for further consideration.
Applicant’s arguments, see pages 10-16 of the Remarks filed 2/3/2022 regarding rejections under 35 USC 103 on claims 1-24 as being unpatentable over the prior arts of record 
First, all references of record are related to network data/packet traffic filtering. Primary reference Mahadik discloses selectively filtering internet traffic, specifically on filtering encrypted communication traffic based on encryption handshake which is unencrypted communication prior to the encrypted communication (session), and Martini teaches selectively performing MIM decryption based on DNS request by proxy, while Dubrovsky specifically teaches filtering traffic/request to access document based on logged unencrypted data (stored in data structure). 
Claims are interpreted under broadest reasonable interpretation (see MPEP 2111.01 I). Claim 1 (similarly claims 9, 17) recites packet (encrypted packets, unencrypted packets) filtering. The packet is interpreted as data or message communicated over network. The unencrypted data of packet is interpreted as any data or message without being encrypted, communicated over network. Packet-filtering rules are rules based on which the data filtering is performed. 
Examiner acknowledges applicant has amended, independent claim 1, similarly claim 9, 17, specifying “determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating, at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the IP address corresponding to the domain name, and determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address; filter, the one based on determining that the encrypted communication session corresponds to the first unencrypted data and based on determining that the at least a portion of the first unencrypted data corresponds to the at least one of the plurality of network-threat indicators”, inter alia. 
Applicant argued,
“none of the cited references teach, disclose, or otherwise suggest at least, as recited by
claim 1, ‘determine whether one or more encrypted packets correspond to an encrypted
communication session associated with the one or more unencrypted packets by correlating at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the at least a portion of the DNS query, and determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address.’" (see page 13 of the Remarks)

Applicant specifically argued that 

“First, none of the cited references teach, disclose, or otherwise suggest ‘determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating at least one of the one or more encrypted packets with one or more of the unencrypted packets.’"

Examiner respectively disagrees with applicant since Mahadik teaches this feature shown above, i.e. Mahadik teaches the correlating. Para [29] of Mahadik clearly states for encrypted communication, the filtering (restricted, partially permitted, or permitted) is based on the detected domain from encryption handshake in SSL/HTTPS based website access where when network traffic is encrypted and cannot be monitored with the same tools used in unencrypted scenario. This means the filtering of encrypted network traffic is based on the domain detected during handshake through a server name attribute or alternative parameter rather than encrypted traffic (data), i.e. correlating. In another words, if domain is restricted, then access is blocked; if domain is permitted, then access is allowed (the web proxy preferably 
Applicant further argued that
“Second, none of the cited references teach, disclose, or otherwise suggest ‘determine
whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the at least a portion of the DNS query, and determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address.’"

Examiner acknowledges applicant include limitation “second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address” in the amendment, and agrees with applicant the combination of Mahadik and Martini does not specifically teach amended feature of second unencrypted data contained in respective packet headers of the one or more encrypted packets. However, upon further review, Wang is found to teach filtering network traffic based on identification information of packet header. Therefore, applicant’s argument is moot in view of current office action with newly applied prior art Wang.
Applicant’s further argument that none of the cited references teach, discloses, or otherwise suggest ''filter the one or more encrypted packets based on determining that the encrypted communication session corresponds to the first unencrypted data and based on determining that the at least a portion of the first unencrypted data corresponds to the at least one of the plurality of network-threat indicators" is not persuasive since all applied references are directed to network traffic filtering and correlating of encrypted traffic to unencrypted data as network-threat indicators, such as domain, IP addresses, etc.

Applicant further argued, on page 15 of the Remark, that “Nor do any of the cited references teach … ‘receive a plurality of network-threat indicators from a plurality of third-party threat-intelligence providers located external to a network …, wherein each third-party network intelligence provider provides one or more network-threat indicators’”, specifically regarding the use of “internet resource database” as the plurality of third-party threat intelligence providers. Examiner acknowledges applicant’s perspective however respectively disagrees. The claim essentially recites receive … network-threat indicators from a plurality of providers. The specification of the instant application suggests one or more (i.e. a plurality of) threat-intelligence providers, see para. [15] in reference to Fig. 1, TIP(s) 140. In fact, nowhere in the claims nether specification specifically teach what the third-party intelligence provider(s) is/are, and there is no requirement that the providers are third-party (rather than a name as third-party intelligence provider(s)), i.e. outside of the network A or B as shown in Fig. 1 of instant application. Therefore, it can be understood the provider(s) can be database as taught by Mahadik that provide(s) rule information such as domain names, URI/URL resource addresses etc. for the network traffic filtering.
Applicant’s further argument regarding dependent claims are also not persuasive due to their dependency on the respective rejected independent claims.
Applicant is suggested to incorporate innovative features into independent claims to advance the case.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which 
Claims 1-3, 9, 17-18 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 21 (or claim 2) of co-pending Application No. 15/877,608 (hereinafter, “’608”), in view of Mahadik et al (US20140089661A1) and in further view of Martini (US20140317397A1) and Wang et al (US20130312054A1). See below the claims comparison table for claim comparison between the instant application and the co-pending application.
Claim 21 (or claim 2) of copending application ‘608 discloses all of the limitations recited in claim 1 (similarly claim 9, claim 17) of the instant application, as seen in the table below, except those limitations as emphasized in bold. In particular, ‘608 teaches receiving a plurality of first packets but does not teach receive a plurality of network-threat indicators … wherein each third-party network intelligence provider provides one or more of the plurality of network-threat indicators, however Mahadik in the same area of endeavor teaches: 
receive a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query); 
Further ‘608 teaches analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query (‘608, claim 2 and claim 6), but does not expressly teaches following limitations taught by Mahadik,
wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process any DNS queries made by a device on a network. Preferably all users/machines using a network must use the DNS proxy server no when attempting to access a site, thus enabling all devices on the entire network to be secured by the system… The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…); determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating, at  (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet filtering system of ‘608 by receiving data regarding network-threat indicators from third party network intelligence provider such as Internet Resource Database/Admin Interface and using data for correlation of encrypted packets with unencrypted packets. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide the resource database with stored information such as domain names, URI/URL, etc. as well as respective resource access levels for internet traffic filtering (Mahadik, [Abstract]).
the IP address, however in the same field of endeavor Martini teaches:
determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets … based on: … determining that second unencrypted data contained [in respective packet headers of] the one or more encrypted packets comprises the IP address (Martini, discloses selectively decrypting encrypted traffic based on DNS request, see [Abstract]. And [0024] the network gateway may intercept and examine a DNS request 108 from the browser device 106 that is addressed to the DNS 110. Based on, for example, the URL or URI in the DNS request 108 and rules 103 indicating which destination should be decrypted and which should be passed directly to the Internet destination, the network gateway 102 may determine that, instead of passing the DNS request 108 to the DNS 110, the network gateway 102 should respond to the DNS request with a MitM gateway address 112. And [0038] the network gateway 102 can process a set of rules 103 that indicate which destination should be decrypted and which should be passed directly to the Internet destination. These rules 103 may include, for example, a list of domain names and IP address mapped to security policies, …); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the packet filtering system of ‘608-Mahadik by correlating encrypted connection with specified spoofed IP addresses with 
The combination of ‘608-Mahadik-Martini teaches the main concept of the invention and correlate encrypted packets with unencrypted packets but does not explicitly teach second unencrypted data contained in respective packet headers of the one or more encrypted packets, however in the same field of endeavor Wang teaches:
determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets (Wang, discloses traffic control techniques between first and second devices by a proxy device, see [Abstract]. And [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the packet filtering system of ‘608-Mahadik-Martini by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have 
Dependent claim 2 (similarly claim 18) are rejected by claim 21 of ‘608; claim 3 is rejected by claim 6 of ‘608. Although the claims at issues are not identical, they are not patentably distinct from each other, as seen in the table below.
Claims Comparison Table
Instant Application 17/482,894
Co-pending Application 15/877,608
Claim 1 (similarly claims 9, 17). 
A packet-filtering system comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 









receive a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators; 

 wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address; 

compare the first unencrypted data to the plurality of network-threat indicators; determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators; 

















determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating, at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the at least a portion of the DNS query, and determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address; 

and filter, the one or more encrypted packets based on determining that the encrypted communication session corresponds to the first unencrypted data and based on determining that the at least a portion of the first unencrypted data corresponds to the at least one of the plurality of network-threat indicators.
Claim 21 (or claim 2). 
A packet-filtering apparatus comprising: 
at least one processor configured to filter packets traversing a communications
link between a first network and a second network in accordance with a plurality of
packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to: 

receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data;















See above, i.e. whether the first unencrypted data corresponds to one or more network-threat indicators (i.e. compare);



filter, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators the plurality of first packets;
generate, based on the filtering the plurality of first packets, log data indicating:
an indication of the filtering of the plurality of first packets; and at least a portion of the first unencrypted data; 
receive, after the filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: encrypted data and respective packet headers comprising second unencrypted data; 

determine whether the plurality of second packets correspond to an encrypted communication session associated with the plurality of first packets by 9Application No. 15/877,608Docket No.: 007742.00109\USResponse to Office Action dated 11.17.2021determining
that the second unencrypted data corresponds to the logged at least a portion of the first unencrypted data; 







and filter, responsive to determining that the encrypted communication session corresponds to the logged at least a portion of the first unencrypted data, and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of second packets.

Claim 6. The method of claim 2, wherein the plurality of first packets comprise one or more packets comprising at least one of a domain name system (DNS) query request or a corresponding DNS query reply, and wherein filtering the plurality of first packets comprises: determining that the at least one of the DNS query request or the corresponding DNS query reply comprises a domain name or a network address identified in the one or more network-threat indicators.
Claim 2 (similarly claim 18).
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the IP address or the domain name corresponding to the IP address; and -42--- Patent Application --Attorney Docket No. 007742.00235 determine whether the second unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data.
Claim 21.


…
generate, based on the filtering the plurality of first packets, log data indicating:
an indication of the filtering of the plurality of first packets; and at least a portion of the first unencrypted data;
… by determining that the second unencrypted data corresponds to the at least a portion of the first unencrypted data in the log data;
Claim 3. 
The packet-filtering system of claim 1, wherein the DNS query comprises one or more of a DNS query request, or a DNS query reply.
Claim 6. The method of claim 2, wherein the plurality of first packets comprise one or more packets comprising at least one of a domain name system (DNS) query request or a corresponding DNS query reply, and wherein filtering the plurality of first packets comprises: determining that the at least one of the DNS query request or the corresponding DNS query reply comprises a 


This is a provisional nonstatutory double patenting rejection because the co-pending application has not in fact been patented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 1, 3-4, 8-9, 11, 16-17, 22, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Martini (US20140317397A1-IDS provided by Applicant, hereinafter, “Martini”), in further view of Wang et al (US20130312054A1-IDS by applicant, hereinafter, “Wang”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process any DNS queries made by a device on a network. Preferably all users/machines using a network must use the DNS proxy server no when attempting to access a site, thus enabling all devices on the entire network to be secured by the system… The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…); 
(Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines (i.e. compare DNS queries with DNS query in the internet resource database and determines) a categorization of the query (e.g., permitted, partially-permitted, or restricted). Upon determining the categorization of the query, the DNS proxy server no preferably returns an IP address to the originating machine); 
determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating, at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the at least a portion of the DNS query, (Mahadik, [0016] The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. And [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially permitted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)) and [determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address]; (see the teachings of Martini and Wang below for limitation(s) in bracket)
and filter, the one or more encrypted packets based on determining that the encrypted communication session corresponds to the first unencrypted data (Mahadik, [0029] A domain is preferably detected during the handshake (i.e. corresponds with encrypted traffic) through a server name attribute or through some alternative parameter) and based on determining that the at least a portion of the first unencrypted data corresponds to the at least one of the plurality of network-threat indicators (Mahadik, [0029] If the domain (i.e. network-threat indicator) is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).
While Mahadik teaches the main concept of the invention and correlate encrypted packets with unencrypted packets but does not explicitly teach the correlation is based on determining that second unencrypted data contained in one or more encrypted packets comprises the IP address, however in the same field of endeavor Martini teaches:
determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets … based on: … determining that second unencrypted data contained [in respective packet headers of] the one or more encrypted packets comprises the IP address (Martini, discloses selectively decrypting encrypted traffic based on DNS request, see [Abstract]. And [0024] the network gateway may intercept and examine a DNS request 108 from the browser device 106 that is addressed to the DNS 110. Based on, for example, the URL or URI in the DNS request 108 and rules 103 indicating which destination should be decrypted and which should be passed directly to the Internet destination, the network gateway 102 may determine that, instead of passing the DNS request 108 to the DNS 110, the network gateway 102 should respond to the DNS request with a MitM gateway address 112. And [0038] the network gateway 102 can process a set of rules 103 that indicate which destination should be decrypted and which should be passed directly to the Internet destination. These rules 103 may include, for example, a list of domain names and IP address mapped to security policies, …); (see Wang below for limitation in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik by correlating encrypted connection with specified spoofed IP addresses with DNS to filter the encrypted communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules that includes domain name and IP address that indicate destination upon which the encrypted traffic should be directed to, i.e. further to decrypted or not (Martini, [Abstract]).

determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets (Wang, discloses traffic control techniques between first and second devices by a proxy device, see [Abstract]. And [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request (i.e. encrypted packet), the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik-Martini by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service 

Regarding claim 9, similarly claim 17, Mahadik teaches:
A packet-filtering system, a packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] An alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider of the plurality of third-party threat intelligence providers provides one or more of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database in external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises a domain name; identify an Internet Protocol (IP) address corresponding to the domain name (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process any DNS queries made by a device on a network. Preferably all users/machines using a network must use the DNS proxy server no when attempting to access a site, thus enabling all devices on the entire network to be secured by the system… The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests)…); 
compare the first unencrypted data to the plurality of network-threat indicators; determine, based on the comparing, that at least a portion of the first unencrypted data corresponds to at least one of the plurality of network-threat indicators (Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines (i.e. compare DNS queries with DNS query in the internet resource database and determines) a categorization of the query (e.g., permitted, partially-permitted, or restricted). Upon determining the categorization of the query, the DNS proxy server no preferably returns an IP address to the originating machine); 
determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating at least one of the one or more encrypted packets with one or more of the unencrypted packets based on: determining that the first unencrypted data comprises the IP address corresponding to the domain name, (Mahadik, [0015] The internet resource database 120 preferably stores domain names, URI/URL resource addresses,...Access is generally allowed but additionally monitored by the web proxy server 130. A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. And [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)) and [determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address]; (see the teachings of Martini and Wang below for limitation(s) in bracket)
and filter, the one or more encrypted packets based on determining that the encrypted communication session corresponds to the first unencrypted data (Mahadik, [0029] A domain is preferably detected during the handshake (i.e. corresponds with encrypted traffic) through a server name attribute or through some alternative parameter) and based on determining that the at least a portion of the first unencrypted data corresponds to the at least one of the plurality of network-threat indicators (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain (i.e. network-threat indicator) is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).
While Mahadik teaches the main concept of the invention and correlate encrypted packets with unencrypted packets but does not explicitly teach the correlation is based on determining that second unencrypted data contained in one or more encrypted packets comprises the IP address corresponding to the domain name, however in the same field of endeavor Martini teaches:
determine whether one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating … based on: … determining that second unencrypted data [contained in respective packet headers] of the one or more encrypted packets comprises the IP address (Martini, discloses selectively decrypting encrypted traffic based on DNS request, see [Abstract]. And [0024] the network gateway may intercept and examine a DNS request 108 from the browser device 106 that is addressed to the DNS 110. Based on, for example, the URL or URI in the DNS request 108 and rules 103 indicating which destination should be decrypted and which should be passed directly to the Internet destination, the network gateway 102 may determine that, instead of passing the DNS request 108 to the DNS 110, the network gateway 102 should respond to the DNS request with a MitM gateway address 112. And [0038] the network gateway 102 can process a set of rules 103 that indicate which destination should be decrypted and which should be passed directly to the Internet destination. These rules 103 may include, for example, a list of domain names and IP address mapped to security policies, …); (see Wang below for limitation in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik by correlating encrypted connection with specified spoofed IP addresses with DNS to filter the encrypted communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to use information such as spoofed IP addresses directed to the domains contained in the DNS requests to filter the encrypted network traffic (Martini, [Abstract]).  
The combination of Mahadik-Martini teaches the main concept of the invention and correlate encrypted packets with unencrypted packets but does not explicitly teach second unencrypted data contained in respective packet headers of the one or more encrypted packets, however in the same field of endeavor Wang teaches:
determining that second unencrypted data contained in respective packet headers of the one or more encrypted packets (Wang, discloses traffic control techniques between first and second devices by a proxy device, see [Abstract]. And [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik-Martini by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).

Regarding claim 3, Mahadik-Martini-Wang combination further teaches:
The packet-filtering system of claim 1, wherein the DNS query comprises one or more of a DNS query request, or a DNS query reply (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Regarding claim 4, Mahadik-Martini-Wang combination further teaches:
The packet-filtering system of claim 1, wherein the at least a portion of the DNS query comprises the domain name (Mahadik, [0020] As shown in FIG. 2, a method for securing network traffic of a preferred embodiment includes receiving a domain-name resolution query at a DNS proxy server S210, determining a resource access level of a requested domain of the DNS resolution query based on an internet resource database), and wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: determine, based on the domain name, the IP address using the DNS query (Mahadik, [0020] a method for securing network traffic of a preferred embodiment includes receiving a domain-name resolution query at a DNS proxy server S210, determining a resource access level of a requested domain of the DNS resolution query based on an internet resource database; S220, includes selectively returning an IP address according to the resource access level S230, wherein selectively returning an IP address includes at least the options returning an IP address).  

Regarding claim 8, similarly claim 16, claim 24, Mahadik-Martini-Wang combination further teaches:
The packet-filtering system of claim 1, the packet-filtering system of claim 9, the packet-filtering system of claim 17, wherein the instructions, when executed by the one or more (Martini, [0006] Implementations can include any, all, or none of the following features. The address of the first resource is determined by the second resource based on the address of the second resource. Decrypting and inspecting the encrypted communication traffic includes blocking the encrypted communication traffic).  

Regarding claim 11, Mahadik-Martini-Wang combination further teaches:
The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to identify the IP address corresponding to the domain name using a Domain Name System (DNS) query (Mahadik, [0020] As shown in FIG. 2, a method for securing network traffic of a preferred embodiment includes receiving a domain-name resolution query at a DNS proxy server S210, determining a resource access level of a requested domain of the DNS resolution query based on an internet resource database. And [0024] As shown in FIG. 4, Step S232, which includes returning an IP address that is unmodified from requested domain for a permitted resource).  

Regarding claim 22, Mahadik-Martini-Wang combination further teaches:
The packet-filtering system of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets based on a network address associated with the first unencrypted data (Martini, [0019] A modified use of the Domain Name System (DNS) maps specific spoofed IP addresses (i.e. network address) to correlated domain in order to, among other uses, determine which encrypted connections should by bypassed and sent directly to the Internet destination and which connections should be decrypted using a man in the middle technique).  

Claims 2, 10, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Martini-Wang as applied above, further in view of Dubrovsky et al (US20140373156A1, hereinafter, “Dubrovsky”).
Regarding claim 2, similarly claim 10, claim 18, Mahadik-Martini-Wang combination teaches:
The packet-filtering system of claim 1, the packet-filtering system of claim 9, the packet-filtering system of claim 17, 
While the combination of Mahadik-Martini-Wang does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the IP address or the domain name corresponding to the IP address (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)); and-42--- Patent Application --Attorney Docket No. 007742.00235 determine whether the second unencrypted data contained in the one or more [encrypted] packets comprises the IP address based on the log data (Dubrovsky, [0027] If the table 206 contains the extracted URL and/or IP address, the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated). Examiner notes encrypted packets are taught by Mahadik-Martini as shown above for claim 1.  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik-Martini-Wang by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).

Claims 5-6, 12-13, 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Martini-Wang as applied above, further in view of Williams (US9875355B1, hereinafter, “Williams”).
Regarding claim 5, similarly claim 12, claim 20, Mahadik-Martini-Wang combination teaches:
(See the teachings of Mahadik-Martini presented for claim 1, claim 9 and claim 17 above)
While the combination of Mahadik-Martini-Wang does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response [Abstract]. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Martini-Wang by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to 

Regarding claim 6, similarly claim 13, claim 21, Mahadik-Martini-Wang combination teaches:
The packet-filtering system of claim 1, the packet-filtering system of claim 9, the packet-filtering system of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with the one or more of the unencrypted packets (See the teachings of Mahadik-Martini presented for claim 1, claim 9 and claim 17 above)
While the combination of Mahadik-Martini-Wang does not explicitly teach but in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response [Abstract]. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Martini-Wang by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]). 

Claims 7, 14, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Martini-Wang as applied above, further in view of Rostami-Hesarsorkh (US 8892665 B1, hereinafter, “Rostami-Hesarsorkh”).
Regarding claim 7, similarly claim 14, claim 19, Mahadik-Martini-Wang combination teaches:
The packet-filtering system of claim 1, the packet-filtering system of claim 9, the packet-filtering system of claim 17, 
While the combination of Mahadik-Martini-Wang does not explicitly teach but in the same field of endeavor Rostami-Hesarsorkh teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the at least one of the one or more encrypted packets with (Rostami-Hesarsorkh, discloses monitoring peer-to-peer network traffic [Abstract]. And [Col. 9 line 53-Col. 10 line 27] the data appliance 202 can use an IP address associated with the data appliance 202 and select a port number that is used for emulated peer-to-peer traffic communications… using these techniques, the respective port number(s) for each of client 204 and client 220 used for this monitored network traffic can now be identified as being associated with the peer-to-peer session … As a result, using these encrypted peer-to-peer detection techniques, unknown network traffic flows/sessions (e.g., unidentified/unknown sessions that are suspicious) from a client determined to be executing a peer-to-peer application can be determined to be associated with the peer-to-peer application and can be blocked).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rostami-Hesarsorkh, in the method of selectively filtering internet traffic of Mahadik-Martini-Wang by identifying port number associated with client for monitoring network traffic. This would have been obvious because the person having ordinary skill in the art would have been motivated to associate unencrypted or encrypted peer-to-peer communication traffic associated with port number of clients to filter suspicious application (Rostami-Hesarsorkh, [Abstract]). 

Claims 15, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Martini-Wang as applied above, further in view of Burns et al (US 9077692 B1-IDS by applicant, hereinafter, “Burns”).
Regarding claim 15, similarly claim 23, Mahadik-Martini-Wang combination teaches:
The packet-filtering system of claim 9, the packet-filtering system of claim 17,
While the combination of Mahadik-Martini-Wang does not explicitly teach but in the same field of endeavor Burns teaches:
wherein the first unencrypted data further comprises a TLS handshake message, wherein the TLS handshake message is configured to establish an encrypted communication session between a client and a server, and wherein the TLS handshake message comprises one or more of: a ClientHello message generated by the client, or a certificate message generated by the server (Burns, [Col. 12 lines 54-65] The SSL protocol uses several messages to indicate the use of the SSL protocol after the TCP/IP three-way handshake. A client using the SSL protocol will first send a ClientHello message to a server that includes the highest transportation layer security (TLS) protocol version the client supports, a random number, a cipher suite that the client supports, and compression methods supported by the client. The server will respond with a ServerHello message including a selected TLS protocol version, a random number, a cipher suite, and a compression method, each of which the server may select from the client's ClientHello message).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Burns, in the method of selectively filtering internet traffic of Mahadik-Martini-Wang by using ClientHello message in TLS session. This would have been obvious because the person having ordinary skill in the art would have been motivated to use handshake message in establishing encrypted 
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Wong et al (US20110296186A1) discloses selectively transmission of an encrypted packet based on integrity of unencrypted packet header of the encrypted packet.
Moon et al (US 20090150972A1) discloses managing encrypted P2P traffic using policy based on application identifiers.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436