DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 2/24/2022 has been entered. Claims 1, 9, 17, 24 are currently amended. Claims 1-30 are pending in the application.
The objection of claims 1, 9, 17, 24 due to informalities has been updated.
Applicant’s filed Terminal Disclaimer has been acknowledged, therefore the nonstatutory double patenting rejection has been withdrawn.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/8/2022, 3/11/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s arguments, see pages 12-18 of the Remarks filed 2/24/2022 regarding rejections under the 35 USC 103, on claims 1-30 as being unpatentable over the prior arts of record have been fully considered and asserted not persuasive due to following reason.  
The following discussion is directed to applicant’s argument regarding claim 1 of a packet-filtering system (similarly for claim 17 of a method). Claim 9 (A packet-filtering system) and claim 24 (A method) recites similar limitations as claim 1 but with TCP connection instead 
Examiner acknowledges applicant has amended claims by clarifying: data regarding a plurality of network-threat indicators; the DNS query comprises one or more of a domain name, or an IP address corresponding to the domain name; receive, after receiving the one or more unencrypted packets, one or more encrypted packets; determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets; inter alia.
Applicant argued,
“None of the cited references teach, disclose, or otherwise suggest, as recited by claim 1, at least ‘receive, after receiving the one or more unencrypted packets, one or more encrypted packets" and "determine that one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address.’ Mahadik describes that, for ‘SSL/HTTPS based website access,’ its method may include ‘detecting encryption handshake when web proxying.’ (Id., para. 0029). If a domain indicated by such an encryption handshake is restricted, ‘access may be blocked entirely,’ whereas if the domain is permitted, ‘the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic.’ (Id.). As such, Mahadik redirects initial encryption requests for the purposes of proxying encrypted communications. Such redirection does not involve ‘correlating’ anything. After all, once the encryption requests are identified and redirected, the encrypted communication session is established as normal (albeit with a proxy), and no ‘correlating’ need be performed with respect to encrypted packets. 

More broadly, Mahadik handles encrypted packets in an entirely different way than the present claims, to the point where Mahadik does not receive encrypted packets other than those associated with login activity." … (see pages 15-16 of the Remarks)


First, regarding the amended limitation “receive, after receiving the one or more unencrypted packets, one or more encrypted packets”, Mahadik clearly suggests or indicates that encrypted communication is after the encryption handshake where the encryption handshake is interpreted as unencrypted communication (packets) prior to the encrypted communication (encrypted packets).
Applicant’s further argument regarding “determine that one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating …”. In particular, applicant argued Mahadik does not teach the correlating and Mahadik handles encrypted packets in an entirely different way than the present claims. Examiner acknowledges applicant’s perspective but respectively disagrees. Examiner asserts Mahadik teaches the correlating. Para [29] of Mahadik clearly states for encrypted communication, the filtering (restricted, partially permitted, or permitted) is based on the detected domain from encryption handshake in SSL/HTTPS based website access where when network traffic is encrypted and cannot be monitored with the same tools used in unencrypted scenario. This means the filtering of encrypted network traffic is based on the domain detected during handshake through a server name attribute or alternative parameter rather than that encrypted traffic (data), i.e. correlating. In another words, if domain is restricted, then access is blocked; if domain is permitted, then access is allowed (the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic) (Para. [29] of Mahadik). This 
Applicant further argued 

“Moreover, the Action's interpretation of Mahadik wholly ignores the involvement, in the claims, of the ‘first unencrypted data,’ the ‘second unencrypted data,’ and the ‘third unencrypted data.’ Claim 1, as amended, recites, inter alia, ‘correlate, based on one or both of the domain name or the IP address corresponding to the domain name, the first unencrypted data and the second unencrypted data’ and ‘determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address.’ No such functionality exists in Mahadik. (See page 17 of the Remark).

Examiner respectively disagrees. The claim recites “first unencrypted data contained in one or more unencrypted packets”, “second unencrypted data contained in the one or more unencrypted packets”, and “third unencrypted data contained in respective packet header of the one or more encrypted packets”. Therefore, it can be understood that the first unencrypted data and second unencrypted data are of the one or more unencrypted packets wherein the first unencrypted data is associated with DNS query as taught by Mahadik and the second unencrypted data is related to TLS handshake as taught by Wang. It can be further understood that the third unencrypted data is from the packet header of the one or more encrypted packets. The correlation is based on the domain name or IP address associated with the domain name, i.e. the determination of whether the encrypted communication is threat to the network 
Applicant’s further argument regarding dependent claims are therefore also not persuasive due to their dependency on the respective rejected independent claims.
Applicant is suggested to incorporate innovative features into independent claims to advance the case.
Claim Objections
Claims 1, 9, 17, 24 are objected to because of the following informalities:  
Claim 1 line 7, “wherein each of the plurality of third-party network intelligence providers” may read “wherein each of the plurality of third-party network threat intelligence providers”.  
Similarly for claim 17 line 5, claim 24 line 5.
Claim 9 line 7, “wherein each of the third-party network intelligence providers” may read “wherein each of the plurality of third-party network threat intelligence providers”.  
Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.

Claims 1-2, 5, 7-8, 17-18, 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Wang et al (US20130312054A1-IDS by Applicant, hereinafter, “Wang”), further in view of Buruganahalli et al (US 9,419,942 B1-IDS by applicant, hereinafter, “Buruganahalli”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive data regarding a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the data (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party threat intelligence providers or third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the DNS query comprises one or more of: a domain name, or an IP address corresponding to the domain name (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process any DNS queries made by a device on a network. Preferably all users/machines using a network must use the DNS proxy server no when attempting to access a site, thus enabling all devices on the entire network to be secured by the system… The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests) …); 
determine, based on one or both of the first unencrypted data and the second unencrypted data, [and based on correlating the first unencrypted data and the second unencrypted data], that at least a portion of the one or more unencrypted packets corresponds (Mahadik, [0015] The internet resource database 120 preferably stores domain names (i.e. e.g. network-threat indicator), URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource. Each resource stored in the internet resource database 120 preferably includes a parameter indicating an associated resource access level. And [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query (e.g., permitted, partially-permitted, or restricted)); (see Buruganahalli below for limitation in bracket)
receive, after receiving the one or more unencrypted packets, one or more encrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication (packets), it is obvious that the received encrypted packets is after the unencrypted encryption handshake (packets));
determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets [based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address] (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake (i.e. TLS handshake with further teaching of Wang shown below) when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake…The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); (see Wang below for limitation in bracket)
and2Application No. 17/482,921Docket No.: 007742.00252 filter, based on the determining that the one or more encrypted packets correspond to the encrypted communication session associated with the one or more unencrypted packets and based on the determining that the at least a portion of the one or more unencrypted packets correspond to the at least one of the plurality of network-threat indicators, the one or more encrypted packets (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).  
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data such as DNS query and detecting domain during handshake but does not explicitly teach analyzing unencrypted data comprising TLS handshake and unencrypted data contained in respective packet headers of one or more encrypted packets, however in the same field of endeavor Wang teaches:
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the TLS handshake comprises the domain name (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message. And [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname (i.e. domain name) the client is attempting to connect to during the handshaking procedure);
[determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets] (see Mahadik above for limitation(s) in bracket) based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address (Wang, [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname (i.e. domain name) the client is attempting to connect to during the handshaking procedure… Name-based virtual hosting allows multiple DNS hostnames to be hosted on a single server on the same IP address. In an unsecured HTTP request, the server can read the virtual host from the HTTP headers (i.e. third unencrypted data in packet header). In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).
While Mahadik-Wang teaches analyze unencrypted data and correlate encrypted packets with unencrypted packets but does not explicitly teach following limitations shown below, however in the same field of endeavor Buruganahalli teaches:
correlate, based on one or both of the domain name or the IP address corresponding to the domain name, the first unencrypted data and the second unencrypted data (Buruganahalli, discloses traffic filtering using a security device based on destination domain extraction for secure connection, see [Abstract] the secure protocol is a secure sockets layer (SSL) protocol or transport layer security (TLS) protocol, and the destination domain is extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server. And [Col. 9 lines 8-25] An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis… user identification is then determined (e.g., user ID can be deduced based on the source IP address). A policy check engine 106 determines whether any policies can be applied based on the IP address and port number…). Examiner notes Buruganahalli teaches both TLS traffic with SNI (server name indication) of a client hello message (i.e. second unencrypted data) and DNS request (i.e. first unencrypted data) are associated with source IP address which suggests the TLS traffic and DNS request can be related or correlated due to association with same IP address; 
determine, [based on one or both of the first unencrypted data and the second unencrypted data] (taught by Mahadik shown above), and based on correlating the first unencrypted data and the second unencrypted data, that at least a portion of the one or more unencrypted packets corresponds to at least one of the plurality of network-threat indicators (Buruganahalli, [Col. 7 lines 16-24] destination domain extraction for secure protocols further includes determining whether the destination domain (i.e. network-threat indicators) extracted from the server name indication (SNI) of a client hello message sent from the client to the remote server matches a domain identified in a public certificate sent from the remote server to the client);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Wang by filtering traffic based on destination domain extracted from TLS handshake. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address of destination in the TLS handshake 

Regarding claim 17, Mahadik-Wang-Buruganahalli combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: performing method steps substantially similar to the method steps performed by the packet-filtering system of claim 1, therefore is rejected with same rational set forth as rejection of claim 1 above.

Regarding claim 2, similarly claim 18, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the DNS query comprises one or more of: a DNS query request, or a DNS query reply (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Regarding claim 5, similarly claim 21, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with one or both of the first unencrypted data or the second unencrypted data further based on a port number associated with one or both of: the first (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  

Regarding claim 7, similarly claim 22, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the TLS handshake is configured to establish an encrypted communication session between a client and a server, and wherein the TLS handshake further comprises one of: a ClientHello message generated by the client, or a certificate message generated by the server (Buruganahalli, [Col. 5 lines 32] This extracted hostname data (e.g., destination domain) can then be used by the firewall to perform an action(s) based on a firewall policy (e.g., the domain name can be extracted by parsing the client hello message to extract the host name from the server_name field of the SNI extension, which can then be used to apply firewall policies or take responsive actions based on this information without having to wait for data to be decrypted)).  

Regarding claim 8, similarly claim 23, Mahadik-Wang-Buruganahalli combination further teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  

Claims 3-4, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Buruganahalli as applied above, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 3, similarly claim 19, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with one or both of the first unencrypted data or the second unencrypted data (See the teachings of Mahadik-Wang-Buruganahalli presented for claim 1),
While the combination of Mahadik-Wang-Buruganahalli does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Buruganahalli by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp associated with previously made DNS request for malicious request or response (Williams, [Abstract]).  

Regarding claim 4, similarly claim 20, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with one or both of the first unencrypted data or the second unencrypted data (See the teachings of Mahadik-Wang-Buruganahalli presented for claim 1),
While the combination of Mahadik-Wang-Buruganahalli does not explicitly teach but in the same field of endeavor Williams teaches:
(Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Buruganahalli by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Buruganahalli as applied above, further in view of Dubrovsky et al (US20140373156A1-IDS by applicant, hereinafter, “Dubrovsky”).
Regarding claim 6, Mahadik-Wang-Buruganahalli combination teaches:
The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, 
While the combination of Mahadik-Wang-Buruganahalli does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the domain name or the IP address corresponding to the domain name (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)); and determine whether the third unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data (Dubrovsky, [0027] If the table 206 contains the extracted URL and/or IP address (i.e. the third unencrypted data contained in the encrypted packets taught by Mahadik), the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated). 
.  

Claims 9-10, 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Moore (US20140283004A1-IDS by Applicant, hereinafter, “Moore”), further in view of Moore et al (US20140283030A1-IDS by applicant, hereinafter, “Moore2”).
Regarding claim 9, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive data regarding a plurality of network-threat indicators from a plurality of third-party threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the third-party network intelligence providers provides at least a portion of the data (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System4Application No. 17/482,921Docket No.: 007742.00252 (DNS) query, and wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address (Mahadik, [0016] The DNS proxy server no of a preferred embodiment functions to intercept and process any DNS queries made by a device on a network. Preferably all users/machines using a network must use the DNS proxy server no when attempting to access a site, thus enabling all devices on the entire network to be secured by the system… The DNS proxy server no preferably processes DNS queries (i.e. first unencrypted data) in cooperation with the internet resource database 120. The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query… The DNS proxy server no may return unmodified IP addresses (i.e., IP addresses directed to the domains contained in the DNS requests) …); 
determine, based on one or both of the first unencrypted data and the second unencrypted data, that at least a portion of the one or more unencrypted packets corresponds to at least one of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 preferably stores domain names (i.e. e.g. network-threat indicator), URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource. Each resource stored in the internet resource database 120 preferably includes a parameter indicating an associated resource access level. And [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query (e.g., permitted, partially-permitted, or restricted)); 
receive, after receiving the one or more unencrypted packets, one or more encrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication (packets), it is obvious that the received encrypted packets is after the unencrypted encryption handshake (packets));
determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets [based on determining that third unencrypted data contained in respective packet headers of the one or (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake…The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); (see Moore below for limitation(s) in bracket)
and filter, based on the determining that the one or more encrypted packets correspond to the encrypted communication session associated with the one or more unencrypted packets and based on the determining that the at least a portion of the one or more unencrypted packets correspond to the at least one of the plurality of network-threat indicators, the one or more encrypted packets (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data associated with HTTP, HTTPS traffic but does not explicitly teach associated with initiation of a TCP connection and unencrypted data contained 
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the second unencrypted data comprises the IP address (Moore, discloses filtering network data transfers based on packet header field values according packet filtering rule, see [Abstract]. And [0025] Referring to FIG. 3, dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria… for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP)…). And [0026] For example, rule 1 302 may specify that IP packets containing one or more TCP packets, originating from a source IP address that begins with 140.210); 
[determine that the one or more encrypted packets correspond to an encrypted communication session associated with the one or more unencrypted packets by correlating the one or more encrypted packets with the one or more unencrypted packets] (see Mahadik above for the teachings of limitation(s) in bracket) based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the IP address (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s)…) (i.e. packer header comprises the IP address). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above)... the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources (i.e. correlate, i.e. if first stage determines allowing communication then second stage also allows the encrypted communication));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).
While the combination of Mahadik-Moore teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data of DNS query and TCP connection associated with IP address but does not expressly teach the following limitation, however in the same field of endeavor Moore2 teaches:
correlate, based on the IP address, the first unencrypted data and the second unencrypted data (Moore2, discloses packet filtering by applying packet filtering rules in overload condition, see [Abstract]. And [0036] An Internet application instance may issue a request to a Domain Name System (DNS) to resolve the domain name (i.e. first unencrypted data in view of Mahadik) into an IP address, and the DNS may respond to the request with an IP address that corresponds to the domain name. And [0050] Rule 5 305 and rule 6 306 may allow DNS protocol packets to pass through packet security gateway 220. Rules 5 305 and 6 306 may not include restrictions on the source IP addresses and destination IP addresses … Rule 6 306 may allow packets that contain DNS server responses to any requests contained in the packets allowed by rule 5 305. The DNS protocol may be transported using either TCP (i.e. second unencrypted data, i.e. TCP handshake in view of Moore) or the User Datagram Protocol (UDP)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore2 in the method of selectively filtering internet traffic of Mahadik-Moore by filtering traffic in overload condition with packet filtering rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic by transporting DNS protocol using TCP with packets associated with source or destination IP address (Moore2, [Abstract], [0050]).

Regarding claim 24, Mahadik-Moore-Moore2 combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: performing method steps substantially similar to the method steps performed by the packet-filtering system of claim 9, therefore is rejected with same rational set forth as rejection of claim 9 above.

Regarding claim 10, similarly claim 25, Mahadik-Moore-Moore2 combination further teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the DNS query comprises one or more of: a DNS query request, or a DNS query reply (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Claims 11-12, 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Moore2 as applied above, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 11, similarly claim 26, Mahadik-Moore-Moore2 combination further teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with the first unencrypted data and the second unencrypted data (See the teachings of Mahadik-Moore-Moore2 presented for claim 9, claim 24 above), 
While the combination of Mahadik-Moore-Moore2 does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore-Moore2 by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp associated with previously made DNS request for malicious request or response (Williams, [Abstract]).  

Regarding claim 12, similarly claim 27, Mahadik-Moore-Moore2 combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with the first unencrypted data and the second unencrypted data (See the teachings of Mahadik-Moore-Moore2 presented for claim 9, claim 24 above), 
While the combination of Mahadik-Moore-Moore2 does not explicitly teach but in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data or a third time stamp (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore-Moore2 by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 13, 16, 28, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Moore2 as applied above, further in view of Buruganahalli et al (US 9,419,942B1-IDS by applicant, hereinafter, “Buruganahalli”).
Regarding claim 13, similarly claim 28, Mahadik-Moore-Moore2 combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the third unencrypted data with the first unencrypted data and the second unencrypted data (See the teachings of Mahadik-Moore presented for claim 9, claim 24 above),
While the combination of Mahadik-Moore-Moore2 does not explicitly teach but in the same field of endeavor Buruganahalli teaches:
further based on a port number associated with one or both of: the first unencrypted data, or the second unencrypted data (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Moore-Moore2 by filtering traffic based on packet filtering rules on inspected packets associated with port number. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to allows multiple secure (HTTPS) websites to be served using the same IP address for the purpose of network traffic filtering (Buruganahalli, [Abstract], Col. 9 lines 7-10).  

Regarding claim 16, similarly claim 30, Mahadik-Moore-Moore2 combination teaches:

While the combination of Mahadik-Moore-Moore2 teaches packet filtering but does not explicitly teach prevent further transmission of the one or more encrypted packets however in the same field of endeavor Buruganahalli teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Moore-Moore2 by filtering traffic based on packet filtering rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to block encrypted traffic that violates firewall policy (Buruganahalli, [Abstract], Col. 5 lines 52-58).  

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Moore2 as applied above, further in view of Dubrovsky et al (US20140373156A1, hereinafter, “Dubrovsky”).
Regarding claim 14, Mahadik-Moore-Moore2 combination teaches:
The packet-filtering system of claim 9, 
While the combination of Mahadik-Moore-Moore2 does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to: generate log data indicating: an indication of filtering of the one or more unencrypted packets; and at least one of the IP address or the domain name corresponding to the IP address (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log data). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)); and determine whether the third unencrypted data contained in the one or more encrypted packets comprises the IP address based on the log data (Dubrovsky, [0027] If the table 206 contains the extracted URL and/or IP address (i.e. the third unencrypted data contained in the encrypted packets taught by Mahadik), the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated). 
.    

Claims 15, 29 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Moore2 as applied above, further in view of Li et al (US20080077705A1, hereinafter, “Li”).
Regarding claim 15, similarly claim 29, Mahadik-Moore-Moore2 combination teaches:
The packet-filtering system of claim 9, the method of claim 24,
While the combination of Mahadik-Moore-Moore2 does not explicitly teach but in the same field of endeavor Li teaches:
wherein the second unencrypted data comprises one of: a SYN handshake message, or an ACK handshake message (Li, discloses packet classification according to packet classification rules in packet filtering, see [Abstract], [0004-0006]. And [0010] Like firewalls, proxies can filter traffic based on many packet attributes, such as source IP address and/or port, and destination IP address and/or port. In addition, proxies can filter traffic based on destination service such as hypertext transfer protocol (HTTP)… And [0074] If the inbound packet produces a SYN-cookie match, this implies that the packet is a TCP ACK packet sent by a client as the final step in a three-way handshake establishing a new connection).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Li in the method of selectively filtering internet traffic of Mahadik-Moore-Moore2 by recognizing packet being TCP ACK packet in a three-way handshake to establish new connection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify application and protocols by using proxy to perform filtering operation (Li, [Abstract], [0011]).  
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Wong et al (US20110296186A1) discloses selectively transmission of an encrypted packet based on integrity of unencrypted packet header of the encrypted packet.
Moon et al (US 20090150972A1) discloses managing encrypted P2P traffic using policy based on application identifiers.
Akimoto (US20050102525A1) discloses method to filter encrypted packets by packet filter to determine whether the packets are successfully encrypted by checking the unencrypted header without necessitating decryption of packet.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.




/MICHAEL M LEE/Examiner, Art Unit 2436
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436