Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Status of Claims
This action is responsive to the amendment filed 2/17/2022, where Applicant amended the claims. Claims 1-20 remain pending.
Response to Arguments
Applicant’s arguments, filed 2/17/22, with regard to the 103 rejections have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made based on Jiang and further based on Jiang in view of Frayman.
Applicant’s filing of a Terminal Disclaimer in response to the Double Patenting rejection is acknowledged. The Double Patenting rejection is withdrawn.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 2, 5, 6, 10, 11, 14, 15, 19, 20 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Jiang et al. (US Patent 10063591).
In reference to claim 1, Jiang teaches a method comprising: 
observing, by a device in a network, traffic between a client and a server for an encrypted session (see at least column 5 lines 1-4, which teaches a first device (system 500) intercepting encrypted traffic between a client and server); 
making, by the device, a determination that a server certificate should be obtained from the server based on a preliminary assessment of the traffic indicating that the traffic is potentially malicious or based on server certificate information that is cached in a database (see at least column 8 lines 42-46, which teaches determining to request a server certificate based on if a server certificate is stored in a database); 
sending, by the device and based on the determination, a handshake probe to the server, wherein the handshake probe mimics a client hello message sent by the client to the server in the observed traffic (see at least column 8 lines 55-56, which teaches sending a mimicked client hello as part of a handshake procedure); 
extracting, by the device, server certificate information from a handshake response from the server that the server sent in response to the handshake probe (see at least column 8 lines 57-62, which teaches receiving a server certificate as a response from the server); and 
using, by the device, the extracted server certificate information to analyze the traffic between the client and the server (see at least column 9 lines 1-13, which teaches utilizing the certificate to monitor and determine traffic type between the client and server).

In reference to claim 2, this is taught by Jiang, see at least column 8 lines 11-16, which teaches the traffic between the client and server is not intercepted and thus the certificate is not accessed.
In reference to claim 5, this is taught by Jiang, see at least column 7 lines 44-56, which teaches inspecting the intercepted traffic and determining if the traffic is malicious.
In reference to claim 6, this is taught by Jiang, see at least column 8 lines 43-46 and column 9 lines 1-13, which teaches storing the certificate from the server response and analyzing traffic between the client and server based on the certificate.
Claims 10, 11, 14, 15, 19, 20 are slight variations of rejected claims 1, 2, 5, 6 above, and are therefore rejected based on the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 3, 4, 7-9, 12, 13, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Jiang et al. (US Patent 10063591) in view of Frayman et al. (US Publication 20180124085).
In reference to claim 3, Jiang teaches SSL, and fails to explicitly teach traffic encrypted using TLS. However, Frayman teaches monitoring for malicious encrypted traffic (see Frayman, at least Abstract), and discloses the traffic is encrypted using TLS protocol (see Frayman, at least paragraph 14, second half).  It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Jiang based on the teachings of Frayman for the purpose of utilizing TLS which is a more modern and secure replacement of the SSL protocol.
In reference to claim 4, Jiang fails to explicitly teach using the extracted server certificate information as input to a machine learning based traffic classifier. However, Frayman discloses importing training data from the traffic as input into a behavior analysis engine (see Frayman, at least paragraphs 51, 65, 66). It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to modify Jiang to input the certificate from the traffic data into the behavior analysis engine, based on the teachings of Frayman, for the purpose of enhancing a threat detection model that can efficiently detect malicious traffic.
In reference to claim 7, Frayman teaches evaluating if the certificate is valid based on start and end time/date (see Frayman, at least paragraph 44 lines 3-10).
In reference to claim 8, Frayman teaches determining a confidence score for the encrypted traffic between the client and server, and which includes a server certificate (see Frayman, at least paragraphs 53,65,68).
In reference to claim 9, Frayman teaches determining a confidence score for the encrypted traffic between the client and server, and which includes a size/length or handshake (see Frayman, at least paragraphs 53,55,59,60,68).
Claims 12, 13, 16-18 are slight variations of rejected claims 3, 4, 7-9 above, and are therefore rejected based on the same rationale.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
For any subsequent response that contains new/amended claims, Applicant is required to cite its corresponding support in the specification.  (See MPEP chapter 2163.03 section (I.) and chapter 2163.04 section (I.) and chapter 2163.06) Applicant may not introduce any new matter to the claims or to the specification.
In formulating a response/amendment, Applicant is encouraged to take into consideration the prior art made of record but not relied upon, as it is considered pertinent to applicant's disclosure. See attached Form 892.

Contact & Status
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAMY M OSMAN whose telephone number is (571)272-4008.  The examiner can normally be reached on Mon-Fri, 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ario Etienne can be reached on 571-272-4001.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RAMY M OSMAN/ Primary Examiner, Art Unit 2457
April 30, 2022