DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Status of Claims
The amendment filed 2/3/2022 has been entered. Claims 2-3, 6-21 are currently amended. Claim 1 was previously cancelled. Claims 22-29 are newly added. Claims 2-29 are pending in the application.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 11/8/2021, 11/19/2021, 2/3/2022, 3/8/2022, 3/11/2022, and 4/4/2022 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Response to Amendments
The objection to claims 2, 11-19, and 21 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
Response to Arguments
Applicant’s arguments, see pages 13-17 of the Remarks filed 2/3/2022, regarding the claim rejections under 35 USC 103 over the prior art of record have been fully considered but are not fully persuasive and are moot in view of the current Office action, which newly applies the prior art Moore (US20140283004A1). See the current Office action for details.
In particular, applicant argued “None of the cited references teach, disclose, or otherwise suggest (1) ‘determining, by the packet-filtering system, whether the plurality of second packets correspond to an encrypted communication session associated with the plurality of first packets by determining that the second unencrypted data corresponds to the logged at least a portion of the first unencrypted data’ and (2) ‘filtering, by the packet-filtering system, responsive to determining that the encrypted communication session corresponds to the logged at least a portion of the first unencrypted data, and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of second packets’”. See page 15 of the Remarks. Examiner respectfully disagrees with applicant.
Regarding item 1) above, Dubrovsky teaches that the second unencrypted data is associated with the first unencrypted data through the log data, while Mahadik along with newly applied prior art Moore teaches that the encrypted data of an encrypted communication session associated with either first packets or second packets is associated with the unencrypted data such as handshake or IP addresses within the header of packets. It is therefore obvious to one of ordinary skill in the art to understand that the first and second unencrypted data are related, i.e. the second unencrypted data is correlated to the logged data from the first unencrypted data. It has also been shown that the encrypted data is correlated to the unencrypted data since the encrypted communication session is after the encryption handshake as suggested by Mahadik (para [29]). For the same reason above, the combination of references teaches the filter(ing) action of item 2) since the limitation essentially recites filter … second packets in response to item 1), wherein the unencrypted data taught by Dubrovsky (e.g. para [26]) may be handshake or communication message with unencrypted data such as IP address from packet header of the data packets further taught by Moore (e.g. para [25]).
Applicant further argues that a person of ordinary skill in the art would not combine the references in the manner proposed by the Action. See page 16 of the Remarks. Examiner respectfully disagrees. First, claims are interpreted under the guidance of BRI. The claim limitations of claim 1 (similarly claims 12, 21) as a whole recite filtering of encrypted packets with packet filtering rules. While Dubrovsky teaches a method of identifying offensive content by the action of filtering access to the network (web server with web pages) from clients, Mahadik further teaches selectively filtering internet traffic. As indicated above, Dubrovsky teaches filtering the second unencrypted data based on logged data which is based on the filtering of first unencrypted data, and Mahadik teaches the encrypted packet data may be filtered by correlating the encrypted packets with unencrypted data (i.e. encryption handshake). In other words, Dubrovsky’s packet filtering method and system can be combined with Mahadik’s method and system to come to the claimed invention as recited in claim 1 (or claim 12, claim 21).
Applicant’s further arguments regarding dependent claims are also moot due to their dependency on the respective rejected independent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 2, 4-8, 10-12, 14-18, 20-21, 23-27 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky et al (US20140373156A1, hereinafter, "Dubrovsky"), in view of Mahadik et al (US20140089661A1, hereinafter, “Mahadik”), in further view of Moore (US20140283004A1, hereinafter, “Moore”).
Regarding claim 2, Dubrovsky teaches:
A method (Dubrovsky, discloses method of accessing digital document based on previous knowledge of document content, see [Abstract], [0007]) comprising: 
receiving (Dubrovsky, Fig. 3 Step 301, [0028] at block 301, a request is received from a client for accessing a document hosted by a remote facility), by a packet-filtering system (Dubrovsky, Fig. 2 Network Access Device) comprising at least one processor and memory (Dubrovsky, Fig. 8 Microprocessor and ROM) and configured to filter packets traversing a communications link between a first network and a second network (Dubrovsky, Referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN such as internet (i.e. second network)) in accordance with a plurality of packet-filtering rules, a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data (Dubrovsky, [0026] According to one embodiment, when a Web page is received at the network access device 201, which may be requested by client 202, the network access device 201 may invoke a content scanning or filtering module 205 to perform virus and/or spyware scanning against certain virus/spyware data patterns (i.e. packet-filtering rules). Examiner notes: the request or packets transmitted between clients and servers that are received by the network access device 102 shown in Fig. 1 is the plurality of first packets and request as shown as webpage is unencrypted data); 
determining, by the packet-filtering system, whether the first unencrypted data corresponds to one or more network-threat indicators (Dubrovsky, see for instance [0026] URL of the Web page and/or the address (e.g., IP address) (i.e. network-threat indicators) of the remote server) specified by one or more first packet-filtering rules of the plurality of packet-filtering rules (Dubrovsky, [0026] when a Web page is received at the network access device 201, which may be requested by client 202, the network access device 201 may invoke a content scanning or filtering module 205 to perform virus and/or spyware scanning against certain virus/spyware data patterns); 
filtering, by the packet-filtering system, responsive to determining that the first unencrypted data corresponds to the one or more network-threat indicators, the plurality of first packets (Dubrovsky, [0026] When a virus/spyware is detected, the connection with the remote server 203 is terminated (i.e. filtering)); 
generating, based on the filtering the plurality of first packets, log data indicating: an indication of the filtering of the plurality of first packets; and at least a portion of the first unencrypted data (Dubrovsky, [0026] Meanwhile, the network access device 201 may extract the URL of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306); 
receiving, after the filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: [respective packet headers] comprising second unencrypted data (Dubrovsky, [0027] When the network access device 201 receives the second request, the network access device 201 may extract the URL of the requested Web page and the IP address of the server that hosts the Web page from the second request (i.e. second packets)); (see Mahadik, Moore below for limitation(s) in bracket)
While Dubrovsky teaches the filtering of first packets, generating logged data and filtering second packets, Dubrovsky does not explicitly teach that the second packets comprise encrypted data and the following limitation(s); however, in the same field of endeavor, Mahadik teaches:
[receiving, after the filtering the plurality of first packets, a plurality of second packets, wherein the plurality of second packets traverse the communications link] (limitation(s) in bracket taught by Dubrovsky as shown above) and comprise: encrypted data and [respective packet headers] comprising second unencrypted data (Mahadik, discloses selectively filtering internet traffic, see [Abstract]. And [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake... The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. filtering). If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic); (see Moore below for respective packet header in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky by using handshake message information to identify the encrypted connection for traffic data filtering action (e.g. permitted or restricted). This would have been obvious because the person having ordinary skill in the art would have been motivated to relate the encrypted network traffic with unencrypted network traffic data such as handshake message for the network traffic filtering control (Mahadik, [Abstract], [0020], [0029]).
While the combination of Dubrovsky-Mahadik teaches the filtering of first and second packets, the combination does not explicitly teach that the second packets comprise respective packet headers comprising second unencrypted data; however, in the same field of endeavor, Moore teaches:
respective packet headers comprising second unencrypted data (Moore, discloses filtering network data based on packet header field values corresponding to packet filtering rule, see [Abstract]. And [0025] packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), …), one or more source IP addresses, one or more source port values, one or more destination IP addresses (i.e. second unencrypted data), … And [0036] For an HTTPS session composed of IP packets, the application packets contained in the IP packets may be TLS Record Protocol packets. The header fields of TLS Record Protocol packets may not be encrypted. One of the header fields may contain a value (i.e. can also be second unencrypted data) indicating the TLS version). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik by specifying packet header information with associated addresses and TLS version related to dynamic security policy. This would have been obvious because the person having ordinary skill in the art would have been motivated to specify the packet header information corresponding to packet filtering rule to determine the portion of the packet to be transferred (Moore, [Abstract]).
The combination of Dubrovsky-Mahadik-Moore further teaches: determining, by the packet-filtering system, whether the plurality of second packets correspond to an encrypted communication session associated with the plurality of first packets (Mahadik, [0029] encryption handshake as unencrypted data so that web server can determine subsequent communication to be filtered (i.e. restricted, permitted, etc.); Also Moore, [0036] For an HTTPS session (i.e. encrypted communication session) composed of IP packets, the application packets contained in the IP packets may be TLS Record Protocol packets. The header fields of TLS Record Protocol packets may not be encrypted. One of the header fields may contain a value indicating the TLS version) by determining that the second unencrypted data corresponds to the logged at least a portion of the first unencrypted data (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206. If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated); 
and filtering, by the packet-filtering system, responsive to determining that the encrypted communication session corresponds to the logged at least a portion of the first unencrypted data, and based on at least one action specified by the one or more first packet-filtering rules of the plurality of packet-filtering rules, the plurality of second packets (Dubrovsky, [0031] At block 404, the retrieved information is returned (e.g., in a HTML page) to the client without accessing the requested document of the remote facility (i.e. filtering the plurality of second packets based on the correlating with previous failed access request). Examiner notes Dubrovsky teaches second unencrypted data is correlated to first unencrypted data based on filtering of first request to offensive content (i.e. one action by the filtering rules) while Mahadik further teaches encrypted packet data are correlated to unencrypted packet data and together Dubrovsky, Mahadik and Moore teach filtering network data based on unencrypted data such as handshake or IP addresses etc. within header of packets as packet threat indicators). 

Regarding claim 12, Dubrovsky-Mahadik-Moore combination discloses:
One or more non-transitory computer-readable media comprising instructions that when executed by at least one processor of a packet-filtering system (Dubrovsky, Fig. 2 Network Access Device (i.e. packet-filtering system), Fig. 8 Microprocessor and ROM, and [0050] Such a computer program may be stored in a computer readable storage medium), configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules (Dubrovsky, Referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN such as internet (i.e. second network)), cause the packet-filtering system to: perform steps substantially similar to the method steps of claim 2, therefore is rejected with the same reason set forth as rejection of claim 2 above.

Regarding claim 21, Dubrovsky-Mahadik-Moore combination discloses:
A packet-filtering apparatus comprising: at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one hardware processor (Dubrovsky, Referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN (i.e. second network) such as internet, and Fig. 2 Network Access Device (i.e. packet-filtering system), Fig. 8 Microprocessor and ROM) cause the packet-filtering apparatus to: perform steps substantially similar to the method steps of claim 2, therefore is rejected with the same reason set forth as rejection of claim 2 above.

Regarding claim 4, similarly claim 14, claim 23, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein filtering the plurality of second packets comprises: forwarding, by the packet-filtering system, the plurality of second packets toward a proxy (Mahadik, [0017] Preferably, the web proxy server is configured to inspect and enforce a network security policy on web traffic. And [0029] The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted).  

Regarding claim 5, similarly claim 15, claim 24, Dubrovsky-Mahadik-Moore combination further teaches: The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21,
wherein the filtering the plurality of second packets comprises: filtering the plurality of second packets based on at least one network-threat indicator, of the one or more network-threat indicators, of the plurality of first packets (Mahadik, [0028] The proxy server or additional component may calculate hashes of URL's or files (i.e. network-threat indicator) to determine if the file matches a database of malicious files. And [0029] The method may additionally include detecting encryption handshake when web proxying…The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. filtering)).  

Regarding claim 6, similarly claim 16, claim 25, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein the plurality of first packets comprise one or more packets comprising at least one of a domain name system (DNS) query request or a corresponding DNS query reply, and wherein filtering the plurality of first packets comprises: determining that the at least one of the DNS query request or the corresponding DNS query reply comprises a domain name or a network address identified in the one or more network-threat indicators (Mahadik, [Abstract] One variation of a method for selectively filtering internet traffic includes: receiving DNS queries; determining resource access levels for the DNS queries based on an internet resource database. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses. And referring to Fig. 2 and [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Regarding claim 7, similarly claim 17, claim 26, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 6, the one or more non-transitory computer-readable media of claim 16, the packet-filtering apparatus of claim 25, 
wherein determining that the plurality of second packets correspond to the encrypted communication session comprises: determining that the second unencrypted data comprises at least one of the one or more network addresses included in the at least one of the DNS query request or the corresponding DNS query reply (Mahadik, [Abstract] One variation of a method for selectively filtering internet traffic includes: receiving DNS queries; determining resource access levels for the DNS queries based on an internet resource database. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses (i.e. one or more network addresses)).

Regarding claim 8, similarly claim 18, claim 27, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein the logged at least the portion of the first unencrypted data, is configured to establish the encrypted communication session (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake). Examiner notes handshaking taught by Mahadik is to establish encrypted communication. Dubrovsky’s teachings of unencrypted data such as extracted and stored URL can serve as handshake message of Mahadik for establishing encrypted communication.

Regarding claim 10, similarly claim 20, claim 29, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein the filtering the plurality of second packets comprises: filtering the plurality of second packets based on at least one of: a uniform resource identifier (URI), domain name, or network address specified by the plurality of packet-filtering rules, data indicating a protocol version specified by the plurality of packet-filtering rules, data indicating a method specified by the plurality of packet-filtering rules, data indicating a request specified by the plurality of packet-filtering rules, or data indicating a command specified by the plurality of packet-filtering rules (Mahadik, [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted).  

Regarding claim 11, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, wherein the plurality of first packets comprise one or more packets comprising one or more handshake messages configured to establish an encrypted communication session between a client and a server and wherein the filtering the plurality of second packets is based on determining that the one or more handshake messages comprise a domain name corresponding to the one or more network-threat indicators (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0029] This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted).  

Claims 3, 13, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky-Mahadik-Moore as applied above to claims 2, 12, 21 respectively, further in view of Hampel et al (US9258218B2, hereinafter, “Hampel”).
Regarding claim 3, similarly claim 13, claim 22, Dubrovsky-Mahadik-Moore combination teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21,
While the combination of Dubrovsky-Mahadik-Moore does not explicitly teach the following limitation(s), in the similar field of endeavor Hampel teaches:
wherein the encrypted data is associated with first transport-layer information, wherein the first unencrypted data is associated with second transport-layer information, and wherein the determining whether the plurality of second packets correspond to an encrypted communication session comprises: determining, by the packet-filtering system that the first transport-layer information corresponds to the second transport-layer information (Hampel, [Abstract] discloses method to control overlay networks with control functions and forwarding functions separated, And [Claim 12] a data flow definition for a data flow and a set of actions to be performed for the data flow at the forwarding element, wherein the data flow definition is based on one or more protocol header (i.e. unencrypted data) fields of one or more protocols, wherein the one or more protocols comprise one or more network layer protocols or one or more transport layer protocols (i.e. second transport-layer), wherein the set of actions comprises at least one tunneling action and at least one security action, wherein the at least one tunneling action comprises at least one of a set of multiple encapsulation actions (i.e. encrypted data) or a set of multiple decapsulation actions, wherein the at least one security action is associated with a security protocol (i.e. first transport-layer) and comprises at least one of an encryption action or a decryption action; wherein the set of multiple encapsulation actions comprises a tunneling encapsulation action, a transport layer encapsulation action, and a network layer encapsulation action;  … and processing a packet of the data flow based on the control information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hampel in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik-Moore by separating the control functions in network layer protocol and the forwarding functions in security protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the software-defined network overlay method vertically move packets across network layers to support tunneling via communication networks (Hampel, [Abstract], [0002], [Claim 12]).

Claims 9, 19, 28 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky-Mahadik-Moore combination as applied above to claims 2, 12, 21 respectively, further in view of Ross et al (US20140365372A1, hereinafter, “Ross”).
Regarding claim 9, similarly claim 19, claim 28, Dubrovsky-Mahadik-Moore combination teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21,
While Dubrovsky-Mahadik-Moore does not explicitly teach the following limitations, however in the same field of endeavor Ross teaches: 
wherein the plurality of first packets comprise a certificate message for the encrypted communication session, and wherein the filtering the second packets comprises: at least one of dropping or logging one or more of the plurality of second packets based on a determination that the certificate message comprises data indicating at least one of: a serial number indicated by the plurality of packet-filtering rules, an issuer indicated by the plurality of packet-filtering rules, a validity time-range indicated by the plurality of packet-filtering rules, a key indicated by the plurality of packet-filtering rules, or a signing authority indicated by the plurality of packet filtering rules (Ross, discloses method of mediating communications between communicating devices, see [Abstract]. And [0011] establishing the communications link to the first computing device includes intercepting a connection request from the first computing device to the second computing device, using a set of one or more predefined communication rules. The intermediary computing device can therefore function as a packet filter, passing each packet through a set of rules (i.e. packet-filtering rules), And [0108] a connection from the computer terminal 402 is established… to the proxy server 401 rather than the web server 406, using for example Hypertext Transfer Protocol Secure (HTTPS) so that communications are fully encrypted… the domain name "www.proxy.com" has a Secure Socket Layer (SSL) certificate generated using the domain name "www.acquirer.com". This could be an X.509 self-signed SSL certificate (.crt file) in the name of "www.acquirer.com" for example (X.509 is a standard for a Public Key Infrastructure (PKI))).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ross in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik-Moore by using the certificate to determine the URL to match the certificate domain. This would have been obvious because the person having ordinary skill in the art would have been motivated to establish communication link between computing devices by intermediary device functioning as packet filter for personal, confidential or sensitive information communication in establishing the communication link between devices (Ross, [Abstract], [0001], [0011]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this Office action:
He et al (US20100037311A1) discloses secure network architecture for controlling packet exchange among nodes. In particular, a packet filter based on security policy and matching parameters such as source and destination addresses of the packets.
Gupta et al (US6389532B1) discloses filtering packets by detecting signature in the packet header.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436