DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
The amendment filed 2/3/2022 has been entered. Claims 1-27 are currently amended. Claim 28 is newly added. Claims 1-28 are pending in the application.
The objection of claims 8, 17, 26 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 12/20/2021, 12/23/2021, 3/8/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s argument regarding double patenting (see page 11 of the Remarks filed 2/3/2022) has been acknowledged, and the double patenting rejection is maintained of record for further consideration.
Applicant’s arguments (see pages 11-14 of the Remarks filed 2/3/2022) regarding the rejections of claims 1-27 under 35 USC 103 as being unpatentable over the prior art of record have been fully considered but are not fully persuasive, and are moot in view of the current Office action, which applies newly cited prior art. See the current Office action for details.

Claims are interpreted under the broadest reasonable interpretation (see MPEP 2111.01 I). Claim 1 (similarly claims 10, 19) recites packet (encrypted packets, unencrypted packets) filtering. A packet is interpreted as data or a message communicated over a network. Unencrypted data of a packet is interpreted as any data or message communicated over a network without being encrypted. Packet-filtering rules are the rules based on which the data filtering is performed.
Examiner acknowledges that applicant has amended independent claim 1, and similarly claims 10 and 19, to specify “a plurality of second packets comprising: respective packet headers comprising second unencrypted data; determine a correlation between the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, matches the at least a portion of the unencrypted data in the log data; filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data”, inter alia.
Applicant argued “None of the cited references teach, disclose, or otherwise suggest ‘determine a correlation between the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, matches the at least a portion of the unencrypted data in the log data’ and ‘filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data’". Examiner agrees with applicant that the references of record, Mahadik and Dubrovsky, do not teach the amended feature of the packet headers of the plurality of second packets; however, examiner disagrees with applicant that none of the other references teach this feature. For instance, prior art Wang is found to teach filtering network traffic based on identification information of a packet header. Therefore, applicant’s argument is moot in view of the newly applied prior art Wang used in the current Office action.
Examiner asserts that the combination of Mahadik, Dubrovsky, and Wang teaches “determine a correlation between the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, matches the at least a portion of the unencrypted data in the log data” and “filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data”. First, Mahadik teaches filtering encrypted traffic packets based on correlating them with a handshake message carrying domain information, while Dubrovsky teaches filtering access to a document based on a logged record of previous failed access in a data structure, i.e. based on correlating with logged data, and Wang further teaches that the second unencrypted data is the unencrypted packet header information. As a result, the combination of these references further teaches filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data. See the updated Office action below for detail.
Regarding “correlation” in particular, Mahadik clearly indicates that when network traffic has been encrypted, the traffic cannot be monitored with the same tools used in the unencrypted scenario. Therefore, the traffic filtering is instead based on the encryption handshake, by detecting the domain during the handshake with a web proxy, i.e. by correlating the encrypted traffic with the encryption handshake, which is an unencrypted data communication. If the domain is restricted then the encrypted traffic is restricted, while if the domain is permitted then the encrypted traffic is permitted, i.e. correlating, or filtering based on correlating, encrypted data with unencrypted data. Dubrovsky also teaches correlation, i.e. terminating a request (i.e. second unencrypted data) to access a document based on logged failed access requests (i.e. first unencrypted data). Wang further teaches that the correlating is performed based on identification information of the packet header. For this reason, applicant’s argument that Mahadik and Dubrovsky do not teach “correlation” (see page 13 of the Remarks) is not persuasive.
Applicant further argues that a person of ordinary skill in the art would not combine the references in the manner proposed by the Action (see pages 13-14 of the Remarks). Examiner respectfully disagrees. First, claims are interpreted under the guidance of BRI. The claim limitations of claim 1 (similarly claims 10, 19) as a whole are directed to filtering of encrypted packets with packet-filtering rules. While Mahadik teaches selectively filtering internet traffic, Dubrovsky further teaches a method of filtering access to the network (web server with web pages) from clients by identifying offensive content. Dubrovsky teaches filtering the 
Applicant’s further arguments regarding the dependent claims are therefore also not persuasive due to their dependency on the respective rejected independent claims.
Applicant is suggested to incorporate innovative features into independent claims to advance the case.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 9, 17, 27 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications 
Claim 9, similarly claims 17, 27, recites “cause the packet-filtering system to filter the plurality of second packets based on determining that the decrypted data comprises the domain name”. However, upon review of the specification of the instant application, examiner cannot find a written description that suggests “the decrypted data comprises the domain name”. Para. [38] states “Proxy device 112 may receive the packets and decrypt the data in accordance with the parameters of session 306”; and para. [35], [36], [78] etc. state “the packets comprising one or more handshake messages configured to establish session 308 that comprise unencrypted data (e.g., including the domain name) corresponding to the network-threat indicators”. However, the claimed “decrypted data” is not “unencrypted data”, since unencrypted data is data that is not, or has not been, encrypted, while decrypted data is data that is, or has been, decrypted from encrypted data. Applicant is suggested to respond with an explanation, or to amend the claim language, to resolve the written description issue.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 10, 19 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claim 21 (or claim 2) of parent co-pending Application No. 15/877,608 (hereinafter, “’608”), in view of Mahadik (US2014008966A1, hereinafter, “Mahadik”).
Claim 21 (or claim 2) of copending application ‘608 discloses all of the limitations recited in claim 1 (similarly claim 10, claim 19) of the instant application, as seen in the table below, except those limitation(s) as emphasized in bold; however, Mahadik, in the same area of endeavor, teaches: 
receive a network-threat indicator that indicates a domain name identified as a network threat (Mahadik, [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses (i.e. network-threat indicator), file names, hashes of files, and/or any suitable identifiers of a network accessed resource…); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet-filtering system of ‘608 by receiving data regarding network-threat indicators, such as domain names, from the internet resource database/admin interface. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide the resource database with stored information such as domain names, URI/URL, etc., as well as respective resource access levels, for internet traffic filtering (Mahadik, [Abstract]).
Claims Comparison Table
Instant Application 17/383,784, claim 1 (similarly claims 10 and 19):
A packet-filtering system comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 
receive a network-threat indicator that indicates a domain name identified as a network threat; 
filter, based on the network-threat indicator, a plurality of first packets comprising unencrypted data; 
generate, based on the filtering the plurality of first packets, log data comprising: an indication of the filtering of the plurality of first packets; and at least a portion of the unencrypted data; 
receive, after the filtering the plurality of first packets, a plurality of second packets comprising encrypted data, and respective packet headers comprising second unencrypted data; 
determine a correlation between the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, matches the at least a portion of the unencrypted data in the log data; 
and filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data.

Co-pending Application 15/877,608, claim 21 (or claim 2):
A packet-filtering apparatus comprising: 
at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to: 
receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data;
determine whether the first unencrypted data corresponds to one or more network-threat indicators specified by one or more first packet-filtering rules of the plurality of packet-filtering rules;
filter, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators, the plurality of first packets;
generate, based on the filtering the plurality of first packets, log data indicating: an indication of the filtering of the plurality of first packets; and at least a portion of the first unencrypted data; 
receive, after the filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: encrypted data and respective 
determine whether the plurality of second packets correspond to an encrypted communication session associated with the plurality of first packets by determining that the second unencrypted data corresponds to the logged at least a portion of the first unencrypted data; 
and filter, responsive to determining that the encrypted communication session corresponds to the logged at least a portion of the first unencrypted data, and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of second packets.

This is a provisional nonstatutory double patenting rejection because the co-pending application has not in fact been patented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 7, 10, 13, 16, 19, 22, 25 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Wang et al (US20130312054A1-IDS by Applicant, hereinafter, “Wang”), in further view of Dubrovsky et al (US20140373156A1-IDS by Applicant, hereinafter, “Dubrovsky”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a network-threat indicator that indicates a domain name identified as a network threat (Mahadik, [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names (i.e. network-threat indicator), URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource…); 
filter, based on the network-threat indicator, a plurality of first packets comprising unencrypted data (Mahadik, [0022] …domains are classified as permitted, partially-permitted, and restricted (i.e. filtering). Permitted resources are resources that are fully trusted and deemed safe. Restricted resources are resources that are untrusted, malicious, inappropriate, or otherwise undesirable for some users of a network. Restricted resources are typically blocked for users without permission to view. Partially-permitted resources are resources that have portions that could be permitted or restricted); 
receive, after the filtering the plurality of first packets, a plurality of second packets comprising: encrypted data (Mahadik, [0029] The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. Examiner notes encrypted communication is after the handshake, i.e. filtering with unencrypted data), and [respective packet headers comprising second unencrypted data] (see Wang below for the teaching of limitation(s) in bracket); 
(Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain (i.e. unencrypted data) is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes that the encrypted communication is determined to be restricted, permitted or partially restricted based on the domain and the handshake, i.e. a correlation of the encrypted packets with the domain information in the handshake. Examiner further notes that “determine a correlation” means correlate/correlating); (see Wang and Dubrovsky below for the limitations in brackets)
and filter, based on the determined correlation between the plurality of second packets and the plurality of first packets, the plurality of second packets comprising the encrypted data (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).  

[determine a correlation between the plurality of second packets and the plurality of first packets] (see the teachings of the limitation in brackets by Mahadik above and Dubrovsky below) based on determining that the second unencrypted data, of the packet headers of the plurality of second packets (Wang, discloses traffic control techniques between first and second devices by a proxy device, see [Abstract]. And [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after the TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlating, i.e. determining whether to block the communication based on unencrypted packet data in the initial messages of a TLS handshake (i.e. correlate),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service 
While the combination of Mahadik-Wang teaches the main concept of the invention, filtering encrypted packet data based on unencrypted packet data, it does not explicitly teach the following limitation(s), which are taught by Dubrovsky in the same field of endeavor:
generate, based on the filtering the plurality of first packets, log data comprising: an indication of the filtering of the plurality of first packets; and at least a portion of the unencrypted data (Dubrovsky, discloses selectively forwarding or returning a message based on detection of message content using stored unencrypted data with notification of reassembly-free file scanning, see [Abstract]. And [0026] Meanwhile, the network access device 201 may extract the URL of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306 (i.e. storing log data)); 
determine a correlation between the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, [of the packet headers of the plurality of second packets], matches the at least a portion of the unencrypted data in the log data (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. logged data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated);
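The correlation step argued in the Response to Arguments above and mapped in the rejection of claim 1 (log unencrypted data when first packets are filtered on a domain-name indicator, then match the readable header data of later encrypted packets against that log and filter them) can be illustrated in code. The following Python is an added example written for this page; it is not code from the instant application, the parent application, or any of the cited references (Mahadik, Wang, Dubrovsky). It assumes a simplified packet model in which the HTTP Host header of a plaintext request and the TLS server_name of a ClientHello are the unencrypted header fields available to the filter; the names `Packet`, `LogEntry`, `PacketFilter`, and all addresses and domains are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Constructed packet model: header fields are always readable,
    the payload is treated as ciphertext when `encrypted` is True."""
    src_ip: str
    dst_ip: str
    dst_port: int
    encrypted: bool
    host: Optional[str] = None   # HTTP Host header of a plaintext request
    sni: Optional[str] = None    # TLS server_name, sent unencrypted in the ClientHello


@dataclass(frozen=True)
class LogEntry:
    """Log data: an indication of the filtering (the action taken) plus
    a portion of the unencrypted data of the filtered first packets."""
    action: str
    domain: str
    client_ip: str
    server_ip: str


class PacketFilter:
    def __init__(self, threat_indicators):
        # Network-threat indicators: domain names identified as threats.
        self.indicators = {d.lower().rstrip(".") for d in threat_indicators}
        self.log: List[LogEntry] = []

    def matched_indicator(self, name: Optional[str]) -> Optional[str]:
        """Return the indicator that `name` equals or is a subdomain of, else None."""
        if not name:
            return None
        name = name.lower().rstrip(".")
        for ind in self.indicators:
            if name == ind or name.endswith("." + ind):
                return ind
        return None

    def filter_first(self, pkt: Packet) -> str:
        """Step 1: filter an unencrypted packet on the indicator and log the hit."""
        ind = self.matched_indicator(pkt.host)
        if ind is None:
            return "ALLOW"
        self.log.append(LogEntry("BLOCK", ind, pkt.src_ip, pkt.dst_ip))
        return "BLOCK"

    def correlate(self, pkt: Packet) -> Optional[LogEntry]:
        """Step 2: match the unencrypted header data of a later packet against the log.
        The payload is never decrypted; only the TLS server_name and the IP
        addresses in the headers are compared with the logged data."""
        sni = pkt.sni.lower().rstrip(".") if pkt.sni else None
        for entry in self.log:
            if sni is not None and (sni == entry.domain or sni.endswith("." + entry.domain)):
                return entry
            # No server_name present: fall back to the logged client/server pair.
            if sni is None and pkt.src_ip == entry.client_ip and pkt.dst_ip == entry.server_ip:
                return entry
        return None

    def filter_second(self, pkt: Packet) -> str:
        """Step 3: apply the logged action to encrypted packets correlated with the log."""
        entry = self.correlate(pkt)
        return "ALLOW" if entry is None else entry.action


def demo() -> List[str]:
    """Run a constructed sequence of first (plaintext) and second (encrypted) packets."""
    pf = PacketFilter(["evil.example"])          # constructed threat indicator
    return [
        pf.filter_first(Packet("10.0.0.5", "203.0.113.7", 80, False, host="www.evil.example")),
        pf.filter_first(Packet("10.0.0.5", "198.51.100.2", 80, False, host="docs.example")),
        pf.filter_second(Packet("10.0.0.5", "203.0.113.7", 443, True, sni="www.evil.example")),
        pf.filter_second(Packet("10.0.0.9", "198.51.100.2", 443, True, sni="docs.example")),
        pf.filter_second(Packet("10.0.0.5", "203.0.113.7", 443, True)),   # ClientHello without SNI
    ]


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that `correlate` works only on data the filter can read without decryption: the logged domain from the earlier plaintext request and the server_name or address pair in the later packet's headers. This is the distinction the written description discussion above draws between "unencrypted data" and "decrypted data"; the example never touches decrypted payload.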


Regarding claim 10, Mahadik-Wang-Dubrovsky combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: performing method steps substantially similar to the steps performed by the packet-filtering system of claim 1, and is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 19, Mahadik-Wang-Dubrovsky combination teaches:
One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors of a packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]. And [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: perform method steps substantially similar to the steps performed by the packet-filtering system of claim 1, and is therefore rejected with the same rationale set forth in the rejection of claim 1 above.

Regarding claim 4, similarly claim 13, claim 22, Mahadik-Wang-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to determine the correlation between the plurality of second packets with the plurality of first packets based on state information in the unencrypted data (Mahadik, [0029] If the domain is permitted (i.e. based on state information in the unencrypted data), the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete and then forcing additional encrypted traffic (HTTPS) to be blocked, forcing unencrypted access).  

Regarding claim 7, similarly claim 16, claim 25, Mahadik-Wang-Dubrovsky combination further teaches:
plurality of first packets, wherein the first portion of the plurality of first packets were received by a first network device (Dubrovsky, referring to Fig. 4, and [0031] In response to the request, at block 402, processing logic examines the failed request table to determine whether an identifier of the requested document such as the URL of the document and/or address of the remote facility can be found in a data structure or database); and generate a second log entry corresponding to a second portion of the plurality of first packets, wherein the second portion of the plurality of first packets were transmitted by a second network device, and wherein the at least a portion of the unencrypted data comprises data from both the first portion of the plurality of first packets and the second portion of the plurality of first packets (Dubrovsky, [0031] At block 404, the retrieved information is returned (e.g., in a HTML page) to the client without accessing the requested document of the remote facility. As a result, the client would have known the reasons why the requested document would not be obtained).  

Claims 2, 11, 20, 28 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky as applied above, further in view of Moore (US20140283004A1, hereinafter, “Moore”).
Regarding claim 2, similarly claim 11, claim 20, Mahadik-Wang-Dubrovsky combination teaches:

While the combination of Mahadik-Wang-Dubrovsky does not explicitly teach the following, Moore, in the same field of endeavor, teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets by causing the plurality of second packets to be dropped based on a determination that data exfiltration is occurring (Moore, discloses filtering network data based on packet filtering rule, see [Abstract]. And [0030] Rule 7 314 … may apply a BLOCK operator (e.g., a null operator which "drops" any packets it is applied to) to any packets that do not match the criteria of any of Rules 1 302, 2 304, 3 306, 4 308, 5 310, or 6 312. And [0032] Rule 6 312 may specify that IP packets containing one or more TCP packets, … (e.g., associated with the HTTP protocol) should have an HTTP-EXFIL operator applied to them... an HTTP-EXFIL operator may allow HTTP packets containing a GET method, but may block HTTP packets containing other HTTP methods… Because attackers may often use HTTP PUT or POST methods to exfiltrate sensitive data, operators such as HTTP-EXFIL may be used to stop such exfiltrations).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky by blocking packets that fail to match the criteria of the packet-filtering rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to drop the packets to prevent attackers from exfiltrating sensitive data (Moore, [Abstract], [0002], [0031], [0032]).

Regarding claim 28, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, 
While the combination of Mahadik-Wang-Dubrovsky does not explicitly teach the following, Moore, in the same field of endeavor, teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets by causing the packet-filtering system to perform one or more of: dropping one or more of the plurality of second packets; or forward one or more of the plurality of second packets to an interface (Moore, discloses filtering network data based on packet filtering rule, see [Abstract]. And [0030] Rule 7 314 … may apply a BLOCK operator (e.g., a null operator which "drops" any packets it is applied to) to any packets that do not match the criteria of any of Rules 1 302, 2 304, 3 306, 4 308, 5 310, or 6 312. And [0032] Rule 6 312 may specify that IP packets containing one or more TCP packets, … (e.g., associated with the HTTP protocol) should have an HTTP-EXFIL operator applied to them... an HTTP-EXFIL operator may allow HTTP packets containing a GET method, but may block HTTP packets containing other HTTP methods… Because attackers may often use HTTP PUT or POST methods to exfiltrate sensitive data, operators such as HTTP-EXFIL may be used to stop such exfiltrations).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky by blocking packets that fail to match the criteria of the packet-filtering rules. This would have been obvious because .
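As an added illustration of the filtering behaviour the action reads onto Moore for claims 2 and 28 (ordered rules, an HTTP-EXFIL operator that allows GET but blocks other methods, a default BLOCK operator that drops anything no earlier rule claims, and forwarding to an interface), the following Python is example code written for this page; it is not code from any cited reference or from the applicant. The rule names, header field names, the "inspect0" interface and the sample packets are all constructed assumptions.

```python
"""Ordered packet-filtering rules with a default BLOCK rule, an HTTP-EXFIL
operator and a forward-to-interface operator (example code; rule names,
field names, the interface name and the sample traffic are assumptions)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]           # a packet reduced to a few header fields
ALLOW, BLOCK, FORWARD = "ALLOW", "BLOCK", "FORWARD"


@dataclass
class Verdict:
    action: str                      # ALLOW, BLOCK (dropped) or FORWARD
    rule: str                        # name of the rule that decided
    interface: Optional[str] = None  # set only for FORWARD


@dataclass
class Rule:
    name: str
    criteria: Dict[str, object]      # every listed header field must match
    operator: Callable[[Packet], Tuple[str, Optional[str]]]

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(k) == v for k, v in self.criteria.items())


def op_allow(pkt: Packet):
    return ALLOW, None


def op_block(pkt: Packet):
    # Null operator: the packet is dropped and never forwarded.
    return BLOCK, None


def op_forward(interface: str):
    # Hand the packet to a named interface (e.g. an inspection tap).
    return lambda pkt: (FORWARD, interface)


def op_http_exfil(pkt: Packet):
    # Allow HTTP GET; block other methods (PUT/POST) that carry request
    # bodies and are the usual channel for moving data out of the network.
    return (ALLOW, None) if pkt.get("http_method") == "GET" else (BLOCK, None)


def apply_rules(pkt: Packet, rules: List[Rule]) -> Verdict:
    """First matching rule wins; the last rule has empty criteria, so it
    matches every packet that no earlier rule claimed (default BLOCK)."""
    for rule in rules:
        if rule.matches(pkt):
            action, iface = rule.operator(pkt)
            return Verdict(action, rule.name, iface)
    raise ValueError("rule set must end with a catch-all rule")


# Constructed rule set: DNS allowed, HTTP subject to HTTP-EXFIL,
# TLS forwarded to an inspection interface, everything else dropped.
RULES = [
    Rule("rule1-dns", {"proto": "udp", "dport": 53}, op_allow),
    Rule("rule2-http", {"proto": "tcp", "dport": 80}, op_http_exfil),
    Rule("rule3-tls", {"proto": "tcp", "dport": 443}, op_forward("inspect0")),
    Rule("rule4-default", {}, op_block),
]


def filter_packets(packets: List[Packet], rules: List[Rule] = RULES) -> List[Verdict]:
    return [apply_rules(p, rules) for p in packets]


# Constructed sample traffic (documentation addresses only).
SAMPLE = [
    {"proto": "udp", "dport": 53, "dst": "192.0.2.53"},
    {"proto": "tcp", "dport": 80, "http_method": "GET"},
    {"proto": "tcp", "dport": 80, "http_method": "POST"},
    {"proto": "tcp", "dport": 443, "dst": "198.51.100.7"},
    {"proto": "tcp", "dport": 4444},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, "->", verdict)
```

The ordering matters: because evaluation stops at the first match, the catch-all BLOCK rule must sit last, exactly as the action describes Rule 7 applying only to packets that match none of Rules 1 through 6.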

Claims 3, 12, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky as applied above, further in view of Williams (US9875355B1, hereinafter, “Williams”).
Regarding claim 3, similarly claim 12, claim 21, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19,
While the combination of Mahadik-Wang-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Williams teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to determine the correlation between the plurality of second packets with the plurality of first packets based on comparing one or more first timestamps corresponding to the plurality of first packets with one or more second timestamps corresponding to the plurality of second packets (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamps to correlate the different DNS requests taught by Mahadik and Dubrovsky for the benefit of identifying malicious software requests or responses for the goal of filtering the network traffic (Williams, [Abstract]).  
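As an added illustration of the timestamp comparison the action reads onto Williams for claims 3, 12 and 21 (retrieve the timestamps of earlier requests for the same name, derive a frequency, and treat equal frequencies as correlated), the following Python is example code written for this page, not code from Williams or any other cited reference. It goes slightly beyond the cited passage by also pairing each second packet with the nearest preceding first packet inside a time window; the field names, tolerances and sample timestamps are constructed assumptions.

```python
"""Correlating two packet series by timestamp: frequency (period) equality,
plus pairing within a time window (example code; field names, tolerances
and sample data are assumptions)."""
from statistics import median
from typing import Dict, List, Tuple


def interval_seconds(timestamps: List[float]) -> float:
    """Median gap between consecutive timestamps; the request frequency is
    its reciprocal. Requires at least two timestamps."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        raise ValueError("need at least two timestamps")
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return median(gaps)


def frequency_correlated(first_ts: List[float], second_ts: List[float],
                         tolerance: float = 0.05) -> bool:
    """True when both series repeat with the same period, within `tolerance`
    expressed as a fraction of the first series' period."""
    p1 = interval_seconds(first_ts)
    p2 = interval_seconds(second_ts)
    return abs(p1 - p2) <= tolerance * p1


def proximity_pairs(first_ts: List[float], second_ts: List[float],
                    window: float = 1.0) -> List[Tuple[float, float]]:
    """Pair each second-packet timestamp with the nearest earlier first-packet
    timestamp that lies within `window` seconds; unmatched ones are skipped."""
    pairs = []
    firsts = sorted(first_ts)
    for t2 in sorted(second_ts):
        candidates = [t1 for t1 in firsts if 0 <= t2 - t1 <= window]
        if candidates:
            pairs.append((candidates[-1], t2))
    return pairs


def correlate(first_packets: List[Dict[str, object]],
              second_packets: List[Dict[str, object]],
              window: float = 1.0, tolerance: float = 0.05) -> Dict[str, object]:
    """first_packets: log entries carrying a timestamp and the unencrypted
    query name; second_packets: encrypted flows known only by header data
    (here just the timestamp)."""
    first_ts = [float(p["ts"]) for p in first_packets]
    second_ts = [float(p["ts"]) for p in second_packets]
    pairs = proximity_pairs(first_ts, second_ts, window)
    return {
        "frequency_match": frequency_correlated(first_ts, second_ts, tolerance),
        "paired": len(pairs),
        "unpaired": len(second_ts) - len(pairs),
    }


# Constructed sample data: DNS log entries for one name every 60 s, a series
# of encrypted flows starting a fraction of a second after each, and an
# unrelated series with no regular period.
DNS_LOG = [{"ts": t, "qname": "beacon.example.test"} for t in (0.0, 60.0, 120.0, 180.0)]
TLS_FLOWS = [{"ts": t} for t in (0.2, 60.3, 120.1, 180.4)]
UNRELATED = [{"ts": t} for t in (5.0, 17.0, 90.0, 91.0)]

if __name__ == "__main__":
    print("related:  ", correlate(DNS_LOG, TLS_FLOWS))
    print("unrelated:", correlate(DNS_LOG, UNRELATED))
```

The median is used rather than the mean so that a single missed or delayed request does not shift the derived period; the window check is the complementary test, since two series can share a period while being offset by minutes.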

Claims 5, 14, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky as applied above, further in view of Hampel et al (US9258218B2, hereinafter, “Hampel”).
Regarding claim 5, similarly claim 14, claim 23, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets (see Mahadik for filtering encrypted traffic as shown for claim 1 above),

based on comparing first application-layer information corresponding to the plurality of first packets with second application-layer information corresponding to the plurality of second packets (Hampel, [Abstract] discloses a method to control overlay networks with control functions and forwarding functions separated. And [Claim 12] a data flow definition for a data flow and a set of actions to be performed for the data flow at the forwarding element, wherein the data flow definition is based on one or more protocol header (i.e. unencrypted data) fields of one or more protocols, wherein the one or more protocols comprise one or more network layer protocols or one or more transport layer protocols (i.e. second application-layer information), wherein the set of actions comprises at least one tunneling action and at least one security action, wherein the at least one tunneling action comprises at least one of a set of multiple encapsulation actions (i.e. encrypted data) …, wherein the at least one security action is associated with a security protocol (i.e. first application-layer information) and comprises at least one of an encryption action or a decryption action; wherein the set of multiple encapsulation actions comprises a tunneling encapsulation action, a transport layer encapsulation action, and a network layer encapsulation action; … and processing a packet of the data flow based on the control information (i.e. corresponds to the second application-layer information)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hampel in the network traffic interception and inspection method of Mahadik-Wang-Dubrovsky by separating .  

Claims 6, 15, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky as applied above, further in view of Paixao (US20160180022A1, hereinafter, “Paixao”).
Regarding claim 6, similarly claim 15, claim 24, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets (see Mahadik for filtering encrypted traffic as shown for claim 1 above),
While the combination of Mahadik-Wang-Dubrovsky does not explicitly teach the following limitation(s), in the similar field of endeavor Paixao teaches:
by causing the packet-filtering system to: generate a new rule by correlating at least two log entries in the log data (Paixao, discloses detection of abnormal behaviour fraud with analyzing and correlating EMR audit log information and/or network security events, see [Abstract], [0003]. And [0072] EMR fraud & risk detection and mitigation system 800 can also include a new rule generation/ implementation module 816 that can provide flexibility to EMR fraud & risk detection and mitigation system 800 so as to allow creation of new parameters and/or rules and/or means to define fraudulent actions or potential fraud activities… new rule generation/implementation module 816 can use one or more automatic techniques to dynamically define new rules configured for fraud detection based on log data correlation and analysis performed by correlation and combination module 810...correlation and combination module 810 can collect log data from different sources such as application level logs of different sub-systems/databases of EMR, and network level logs, and correlate them to determine one or more suspicious activity), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Paixao in the network traffic interception and inspection method of Mahadik-Wang-Dubrovsky by dynamically defining new rules configured for fraud detection based on log data. This would have been obvious because the person having ordinary skill in the art would have been motivated to use a new rule generation/implementation module to define new rules in a network controlling access activity to a database of an EMR system based on correlating audit log data in real time (Paixao, [Abstract], [0003], [0072]).  
Mahadik further teaches: wherein the [new] rule causes the plurality of second packets to be dropped (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely, wherein the new rule is taught by Paixao shown above).  
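As an added illustration of the claim 6 limitation as the action reads it (Paixao's correlation of application-level and network-level log data to define a new rule, and Mahadik's blocking of the traffic the rule covers), the following Python is example code written for this page, not code from Paixao, Mahadik or the applicant. The log formats, the client/answer/flow field names, the byte-volume heuristic and every sample value are constructed assumptions.

```python
"""Generate a new packet-filtering rule by correlating two log entries from
different sources, then apply the rule to drop matching encrypted packets
(example code; log formats, field names, thresholds and values assumed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Two constructed log sources: an application-level DNS resolver log and a
# network-level flow log. Line format: "<epoch> <source> key=value ...".
DNS_LOG = [
    "1000 dns client=10.0.0.5 qname=update.example.test answer=203.0.113.9",
    "1003 dns client=10.0.0.8 qname=mail.example.org answer=198.51.100.20",
]
FLOW_LOG = [
    "1001 flow src=10.0.0.5 dst=203.0.113.9 dport=443 bytes_out=5242880",
    "1004 flow src=10.0.0.8 dst=198.51.100.20 dport=443 bytes_out=4096",
]

Entry = Dict[str, object]


def parse_line(line: str) -> Entry:
    """Parse one constructed log line into a dict with an integer timestamp."""
    ts, source, *fields = line.split()
    entry: Entry = {"ts": int(ts), "source": source}
    entry.update(dict(f.split("=", 1) for f in fields))
    return entry


@dataclass
class Rule:
    name: str
    dst_ip: str
    action: str = "DROP"
    reason: str = ""


def correlate(dns_entries: List[Entry], flow_entries: List[Entry],
              window: int = 30, min_bytes: int = 1_000_000) -> List[Tuple[Entry, Entry]]:
    """Link a DNS answer to a later flow from the same client to the answered
    address within `window` seconds, and keep the pair only when the outbound
    volume reaches `min_bytes` (an assumed exfiltration heuristic)."""
    hits = []
    for d in dns_entries:
        for f in flow_entries:
            same_client = f["src"] == d["client"]
            same_dst = f["dst"] == d["answer"]
            in_window = 0 <= f["ts"] - d["ts"] <= window
            if same_client and same_dst and in_window and int(f["bytes_out"]) >= min_bytes:
                hits.append((d, f))
    return hits


def generate_rules(hits: List[Tuple[Entry, Entry]]) -> List[Rule]:
    """One DROP rule per correlated destination, with the evidence recorded."""
    rules, seen = [], set()
    for d, f in hits:
        if d["answer"] in seen:
            continue
        seen.add(d["answer"])
        rules.append(Rule(
            name=f"auto-drop-{d['qname']}",
            dst_ip=str(d["answer"]),
            reason=f"{d['qname']} resolved by {d['client']}, then {f['bytes_out']} bytes sent",
        ))
    return rules


def apply_rules(packets: List[Entry], rules: List[Rule]) -> List[Entry]:
    """Return the packets the rules drop. The packets are encrypted, so only
    header data (here the destination address) is available for matching."""
    blocked = {r.dst_ip for r in rules if r.action == "DROP"}
    return [p for p in packets if p["dst"] in blocked]


# Constructed encrypted packets seen after the rule was generated.
PACKETS = [
    {"dst": "203.0.113.9", "dport": 443},
    {"dst": "198.51.100.20", "dport": 443},
    {"dst": "203.0.113.9", "dport": 443},
]


def build_and_apply() -> Tuple[List[Rule], List[Entry]]:
    hits = correlate([parse_line(l) for l in DNS_LOG], [parse_line(l) for l in FLOW_LOG])
    rules = generate_rules(hits)
    return rules, apply_rules(PACKETS, rules)


if __name__ == "__main__":
    rules, dropped = build_and_apply()
    for r in rules:
        print(r)
    print("dropped:", dropped)
```

Recording the two correlated entries in the rule's reason field is what makes an automatically generated rule reviewable later; a rule that only names an address cannot be audited once the logs that justified it have rotated.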

Claims 8-9, 17-18, 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky as applied above, further in view of Martini (US20140317397A1-IDS provided by applicant, hereinafter, “Martini”).
Regarding claim 8, similarly claim 17, claim 26, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19,
While the combination of Mahadik-Wang-Dubrovsky teaches filtering unencrypted and encrypted packets, it does not explicitly teach decrypting at least a portion of the encrypted data; however, in the same field of endeavor Martini teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: after correlating the plurality of second packets with the plurality of first packets, generate third unencrypted data by decrypting at least a portion of the encrypted data (Martini, discloses selectively performing man in the middle decryption, see [Title] and [Abstract]. And [0007] The operations further include selectively decrypting and inspecting the encrypted communication traffic passing between the device and the first resource depending on the address of the first resource. And [0019] Described in this document is a use of man in the middle decryption based on rules indicating which destinations should be decrypted and which should be passed directly to the Internet destination).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky by selectively 

Regarding claim 9, similarly claim 18, claim 27, Mahadik-Wang-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, 
While the combination of Mahadik-Wang-Dubrovsky teaches filtering unencrypted and encrypted packets, it does not explicitly teach decrypting at least a portion of the encrypted data; however, in the same field of endeavor Martini teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to decrypt the encrypted data, and wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets based on determining that the decrypted data comprises the domain name (Martini, [0038] The network gateway 102 receives the request and selects a gateway to be used for traffic associated with the website address (304). For example, the network gateway 102 can process a set of rules 103 that indicate which destination should be decrypted and which should be passed directly to the Internet destination. These rules 103 may include, for example, a list of domain names).  

Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Wong et al (US20110296186A1) discloses selectively transmission of an encrypted packet based on integrity of unencrypted packet header of the encrypted packet.
Moon et al (US 20090150972A1) discloses managing encrypted P2P traffic using policy based on application identifiers.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436