DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 08/27/2020, in which, claim(s) 1-20 are pending. Claim(s) 1, 9 and 17 are independent.

Priority
Acknowledgment is made of applicant's claim for foreign priority under 35 U.S.C. 119(a)-(d). Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers have been placed of record in the file.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/25/2022, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 08/27/2020 are accepted by the Examiner.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 9-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 9 recites "An apparatus" in the preamble and "a kernel" and "a security component" in the claim body. As recited in the body of the claim, the claimed apparatus lacks a structural component because the kernel and component could be implemented as software only. As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter. Therefore, Claim 9 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim, such as "one or more hardware processors", to make the claim statutory subject matter under 35 U.S.C. 101.
Claims 10-16 do not cure the deficiency of claim 9 and are rejected under 35 U.S.C. 101 for their dependency upon claim 9.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
Claims 1-3, 9-11, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Darren Reed (US 2012/0230202 A1) in view of Oleksii Mandrychenko (US 2020/0287920 A1, cited by the applicant in the 01/25/2022 IDS).
Regarding Claims 1, 9, and 17, Reed discloses
receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine ([0043], “the network packet is selectively passed from the Internet Protocol kernel module”, [0090], “the IP logic 405 processes a packet according to a layer 3 Internet Protocol of a protocol stack”, [0092], “receives packets from the IP logic 405 and selectively sends the packets to a packet sniffer 415 based, at least in part, on a filter hook”); 
adding, by the kernel, the one or more packets to a queue accessible by a security component of the first machine ([0109], “releasing the packet from the packet sniffer includes sending the packet back to the layer 3 processing service…sending the packet to a queue”); 
Reed does not explicitly teach but Mandrychenko teaches
generating, by the kernel, a metadata object for the connection based on at least a subset of the one or more packets ([0007], “collects network communication metadata from the endpoint device by receiving callbacks from a kernel-level tracing facility”, “The callbacks are responsive to system calls relating to network events including receipt or transmission of one or more packets by the endpoint device via a 
determining, by the kernel, based on the metadata object, whether to continue capturing additional packets of the connection ([0094], “receipt or transmission of one or more packets by the endpoint device”, [0097], “determine whether the endpoint device is connected to the enterprise network”); 
receiving, by the kernel, from the security component, a security determination regarding the connection based on the one or more packets ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service (as security component)”); and 
performing, by the kernel, an action with respect to the connection based on the security determination ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service”, [0033], “protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the 
Reed and Mandrychenko are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mandrychenko with the disclosure of Reed. The motivation/suggestion would have been to protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network (Mandrychenko, [0033]).

Regarding Claims 2, 10 and 18, the combined teaching of Reed and Mandrychenko teaches
wherein the action comprises one or more of: blocking subsequent packets of the connection based on the security determination (Mandrychenko, [0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior”, [0033], “blocking access attempts and/or other risky activity at these points of entry to the enterprise network”).

Regarding Claims 3, 11 and 19, the combined teaching of Reed and Mandrychenko teaches
determining, by the kernel, that the connection has terminated; and deleting, by the kernel, the metadata object (Mandrychenko, [0007], “a kernel-level tracing facility”, [0046], “when the aggregated network communication metadata has been transmitted to anomaly detection service 106, agent 116 can delete the aggregated network communication metadata”).

Claims 4-8, 12-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Darren Reed (US 2012/0230202 A1) in view of Oleksii Mandrychenko (US 2020/0287920 A1, cited by the applicant in the 01/25/2022 IDS) further in view of Mahaffey et al. (US 2015/0128205 A1).
Regarding Claims 4, 12 and 20, the combined teaching of Reed and Mandrychenko teaches the kernel (Reed, [0043], “Internet Protocol kernel module”);
The combined teaching of Reed and Mandrychenko does not explicitly teach but Mahaffey teaches 
determining, based on the one or more packets, whether the connection comprises a transport layer security (TLS) stream (Mahaffey, [0074], “The connection may use a security layer such as TLS (Transport Layer Security)”).
Reed, Mandrychenko and Mahaffey are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mahaffey with the combined teaching of Reed and Mandrychenko. The motivation/suggestion would have been to determine whether the security offered by the network connection is appropriate (Mahaffey, Abstract).

Regarding Claims 5 and 13, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
setting, by the kernel (Reed, [0043], “Internet Protocol kernel module”), a value of the metadata object based on whether the connection comprises the TLS stream (Mahaffey, [0175-0176], “if the Boolean condition evaluates to TRUE (i.e., the current context corresponds "y") then the action is to establish the first type of connection”, “The first type of connection may be a secured connection”, e.g. TLS).

Regarding Claims 6 and 14, the combined teaching of Reed and Mandrychenko does not explicitly teach but Mahaffey teaches 
wherein the one or more packets comprise a handshake (Mahaffey, [0394], “a three-way handshake”).
Reed, Mandrychenko and Mahaffey are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mahaffey with the combined teaching of Reed and Mandrychenko. The motivation/suggestion would have been to determine whether the security offered by the network connection is appropriate (Mahaffey, Abstract).

Regarding Claims 7 and 15, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
determining, by the kernel (Reed, [0043], “Internet Protocol kernel module”), that the handshake is complete (Mahaffey, [0394], “a three-way handshake is completed”); and 
updating, by the kernel (Reed, [0043], “Internet Protocol kernel module”), a value of the metadata object to indicate that capturing is to be stopped (Mandrychenko, [0069], “metadata transfer object with the count for bytes sent and 

Regarding Claims 8 and 16, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
accessing the value of the metadata object (Mandrychenko, [0042], “network communication metadata (object) including any or a combination of a process identifier (PID), a source Internet Protocol (IP) address, a source port identifier, a source Domain Name System (DNS) host name, a destination IP address, a destination port number, a destination DNS host name, a protocol, a protocol version, an application name, a username, a timestamp, a type of network activity (e.g., send or receive) and a number of bytes transferred/received from/by endpoint device”).
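As an added illustration, not part of this Office action and not code from the applicant or from any of the cited references (Reed, Mandrychenko, Mahaffey), the following Python sketch models the claimed flow of claims 1-8 as the action characterizes it: a kernel-side hook receives packets of a connection, keeps a per-connection metadata object, queues captured packets for a user-space security component, stops capturing once the three-way handshake is complete and a TLS-or-not determination has been made, applies the component's verdict to subsequent packets, and deletes the metadata object when the connection terminates. The packet model, the TLS record heuristic, the "plaintext on a TLS port is blocked" policy in SecurityComponent, the documentation-range IP addresses and the sample flows are all constructed assumptions for this example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: just enough of a TCP/IP header to drive the logic.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""

    def conn_key(self):
        # Direction-independent 4-tuple so both halves of a flow share one entry.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))

@dataclass
class ConnectionMetadata:
    """Per-connection object the simulated kernel keeps while capturing."""
    key: tuple
    server_port: int
    handshake_state: int = 0        # 0 idle, 1 SYN seen, 2 SYN/ACK seen, 3 complete
    is_tls: Optional[bool] = None   # unknown until the first payload byte is seen
    capturing: bool = True          # value meaning "keep capturing" (claims 5, 7)
    verdict: Optional[str] = None   # "allow" / "block" from the security component
    captured: int = 0

def looks_like_tls_record(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake) followed by major version 3.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

class SecurityComponent:
    """User-space consumer of the queue; hypothetical policy for this example."""
    TLS_PORTS = {443, 8443}

    def evaluate(self, meta: ConnectionMetadata, packets: list) -> str:
        # Plaintext on a port reserved for TLS is treated as risky and blocked.
        if meta.server_port in self.TLS_PORTS and meta.is_tls is False:
            return "block"
        return "allow"

class Kernel:
    def __init__(self, security: SecurityComponent):
        self.security = security
        self.table = {}        # conn_key -> ConnectionMetadata
        self.queue = deque()   # (conn_key, Packet) entries readable by the component
        self.log = {}          # conn_key -> (verdict, packets captured before deciding)
        self.dropped = 0

    def hook(self, pkt: Packet) -> bool:
        """Protocol-stack hook. Returns True if the packet passes, False if dropped."""
        key = pkt.conn_key()
        meta = self.table.get(key)
        if meta is None:
            meta = ConnectionMetadata(key, server_port=pkt.dport)
            self.table[key] = meta
        if meta.verdict == "block":            # action: block subsequent packets
            self.dropped += 1
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]            # connection terminated: drop metadata
            return False
        if meta.capturing:
            self.queue.append((key, pkt))
            meta.captured += 1
        self._advance_handshake(meta, pkt)
        if pkt.payload and meta.is_tls is None:
            meta.is_tls = looks_like_tls_record(pkt.payload)
        if meta.capturing and meta.handshake_state == 3 and meta.is_tls is not None:
            meta.capturing = False             # enough seen: stop capturing
            meta.verdict = self.security.evaluate(meta, self._drain(key))
            self.log[key] = (meta.verdict, meta.captured)
        if pkt.flags & {"FIN", "RST"}:
            del self.table[key]                # connection terminated: drop metadata
        return True

    @staticmethod
    def _advance_handshake(meta: ConnectionMetadata, pkt: Packet) -> None:
        f = pkt.flags
        if "SYN" in f and "ACK" not in f:
            meta.handshake_state = 1
        elif {"SYN", "ACK"} <= f and meta.handshake_state == 1:
            meta.handshake_state = 2
        elif "ACK" in f and "SYN" not in f and meta.handshake_state == 2:
            meta.handshake_state = 3

    def _drain(self, key) -> list:
        mine = [p for k, p in self.queue if k == key]
        self.queue = deque((k, p) for k, p in self.queue if k != key)
        return mine

# Constructed sample payloads and flows.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"hello"   # ClientHello-shaped record
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"

def tcp_flow(client, server, sport, dport, first_payload):
    S = frozenset
    return [
        Packet(client, server, sport, dport, S({"SYN"})),
        Packet(server, client, dport, sport, S({"SYN", "ACK"})),
        Packet(client, server, sport, dport, S({"ACK"})),
        Packet(client, server, sport, dport, S({"ACK"}), first_payload),
        Packet(server, client, dport, sport, S({"ACK"}), b"\x17\x03\x03\x00\x01x"),
        Packet(client, server, sport, dport, S({"FIN", "ACK"})),
    ]

def simulate(packets):
    kernel = Kernel(SecurityComponent())
    passed = sum(1 for p in packets if kernel.hook(p))
    return {"passed": passed, "dropped": kernel.dropped, "tracked": len(kernel.table),
            "queued": len(kernel.queue), "log": kernel.log}

if __name__ == "__main__":
    print(simulate(tcp_flow("192.0.2.10", "198.51.100.7", 40000, 443, TLS_HELLO)))
    print(simulate(tcp_flow("192.0.2.10", "198.51.100.7", 40001, 443, HTTP_GET)))
```

In both sample flows the kernel captures exactly four packets (the three handshake segments and the first payload) before the metadata object says to stop, the queue is empty once the component has consumed them, and the metadata entry is gone after the FIN. Only the plaintext-on-443 flow receives a "block" verdict, so its later packets are dropped while the TLS flow passes untouched.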

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497