DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of Claims
The amendment filed 4/21/2022 has been entered. Claims 1-7, 9-15, 17-22,24-29 are currently amended. Claims 1-30 are pending in the application.
The objection of claims 1, 3-5, 9, 11-13, 17, 19-21, 24, 26-28 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
The rejection of claim 2 under 35 USC 112(b) due to lack of antecedent basis has been withdrawn in light of applicant’s amendment to the claim.
Applicant’s filed Terminal Disclaimer (4/21/2022) has been approved and acknowledged. Therefore, the nonstatutory double patenting rejection has been withdrawn.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/8/2022, 3/11/2022, 4/4/2022, 4/14/2022, 5/4/2022 have been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Response to Arguments
Applicant’s arguments, see pages 14-24 of the Remarks filed 4/21/2022 regarding rejections under the 35 USC 103, on claims 1-30 as being unpatentable over the prior arts of record have been fully considered and asserted not fully persuasive and further moot in view of current office action with newly applied combination of prior arts previously identified.  
The following discussion is directed to applicant’s argument regarding claim 1 of A packet-filtering system (similarly for claim 17 of A method). Claim 9 (A packet-filtering system) and claim 24 (A method) recites similar limitations as claim 1 but with TCP connection instead of TLS connection (of claim 1, 17). Therefore, the below discussion of claim 1 also applies to claim 9 (and claim 24).
Examiner acknowledges applicant has amended claim 1 by clarifying/specifying with underlines reciting: “receive one or more unencrypted packets; … and wherein the at least a portion of the TLS handshake comprises a host domain name; determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; receive one or more encrypted packets subsequent to receiving the one or more unencrypted packets; correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; and in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter, the one or more encrypted packets based on the first rule”; inter alia.
Applicant argued,
None of the cited references teach, disclose, or otherwise suggest, as recited by claim 1 (as amended), at least "based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name;" and "correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; and in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule." (see page 17 of the Remark)

Examiner respectively disagrees with applicant since Mahadik in combination of other cited prior art references teaches those features argued by applicant shown above. 
First, regarding the amended limitation “receive one or more unencrypted packets”, “receive one or more encrypted packets subsequent to receiving the one or more unencrypted packets”, Mahadik clearly suggests or indicates that encrypted communication is after the encryption handshake where the encryption handshake is interpreted as unencrypted communication (packets) prior to the encrypted communication (encrypted packets).
Regarding the teachings of Mahadik on filtering of encrypted communication, applicant argued “Mahadik's restriction of encrypted communication handshakes does not teach the aforementioned limitations”, “Mahadik's ‘permitted’ encrypted communication handshake process does not teach the aforementioned limitations” and “Mahadik's ‘partially permitting’ of encrypted communication handshake does not teach the aforementioned limitations”. See pages 18-19 of the Remark. Examiner respectively disagrees with applicant. 
Examiner asserts Mahadik teaches the correlating of encrypted communication (packets) with unencrypted communication (packets). Para [29] of Mahadik clearly states for encrypted communication, the filtering (restricted, partially permitted, or permitted) is based on the detected domain from encryption handshake in SSL/HTTPS based website access where when network traffic is encrypted and cannot be monitored with the same tools used in unencrypted scenario. This means the filtering of encrypted network traffic is based on the domain name detected during handshake through a server name attribute or alternative parameter rather than based on the encrypted traffic (data), i.e. correlating. In another words, if domain is restricted, then access is blocked; if domain is permitted, then access is allowed (Para. [29] of Mahadik). The argument of this filtering is prior to the establishment of the encrypted communication or during the encrypted communication is irrelevant, since the claim (claim 1) does not specifically suggest the filtering of encrypted packets is during the encrypted communication (or after the encrypted communication session has been established). The claim recites receive … unencrypted packets, received … encrypted packets, correlate encrypted packets with unencrypted packets, filter encrypted packets based on the rule. Nowhere in the claim suggests the filtering is on the encrypted packets after the encrypted communication has been established. On the other hand, Mahadik suggests encrypted traffic can be filtered based on domain information from the encryption handshake as shown above, i.e. if the domain name suggest the host domain name is associated with network threat, the access request of the encrypted traffic will be restricted. If the domain name suggests the host domain name is not associated with network threat, the access request may be permitted. 
Applicant further argued that Mahadik does not teach generating log entry and “correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets… See pages 19-20 of the Remark. Examiner asserts applicant’s argument is moot since the examiner has rely on the teachings of Dubrovsky for storing log entry with information of URL and IP address that is used to determine whether accessing (to document resource) is terminated or not. Examiner further relies on Wang’s teachings of filtering of encrypted traffic based on reading information of packet headers since Wang teaches correlating the filtering of encrypted TLS request with unencrypted TLS handshake based on header portion of the packets. 
Applicant’s further argument regarding dependent claims are also not persuasive and moot due to their dependency on the respective rejected independent claims.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 6-7, 17, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Wang et al (US20130312054A1-IDS by Applicant, hereinafter, “Wang”), further in view of Moore (US20140283004A1-IDS by applicant, hereinafter, “Moore”) and Dubrovsky et al (US20140373156A1-IDS by applicant, hereinafter, “Dubrovsky”).
Regarding claim 1, similarly claim 17, Mahadik teaches:
A packet-filtering system, a method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each third-party network intelligence provider provides at least a portion of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party threat intelligence providers or third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers (i.e. a plurality of network-threat indicators) of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
receive one or more unencrypted packets; analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data [comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake] comprises a host domain name (Mahadik, [0029] A domain (i.e. host domain name) is preferably detected during the handshake (i.e. receive unencrypted packets) through a server name attribute or through some alternative parameter); (see Wang below for the teaching of limitation(s) in bracket) 
determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name, of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat (Mahadik, [0022] Step S220, which includes, determining a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database… Step S220 may additionally include determining the resource access level according to rules set by a network administration interface. These rules function to enable the method to enforce conditional access restrictions to resources. And [0029] The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted… Examiner notes that it is obvious to one ordinary skilled in the art that the access is restricted if domain name is associated with network resource of potential network threat); 
receive one or more encrypted packets subsequent to receiving the one or more unencrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication, it is obvious that the received encrypted packets is after the unencrypted encryption handshake (unencrypted packets)); 2Application No. 17/482,910Docket No.: 007742.00251\US Response to Office Action dated 01.21.2022 
correlate, [based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry], the one or more encrypted packets with the one or more unencrypted packets (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake (i.e. TLS handshake with further teaching of Wang shown below) when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake…The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); (see the teachings of Wang, Moore, Dubrovsky for limitation(s) in bracket shown below)
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet and detecting domain during handshake but does not explicitly teach unencrypted data comprises TLS handshake and unencrypted data (IP address) contained in packet headers of one or more encrypted packets, however in the same field of endeavor Wang teaches:
[analyze first unencrypted data contained in the one or more unencrypted packets] (see Mahadik shown above for teaching of analyze…), wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message), and wherein the at least a portion of the TLS handshake comprises a host domain name (Wang, [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname (i.e. host domain name) the client is attempting to connect to during the handshaking procedure); 
correlate, based on determining that [an IP address] in one or more packet headers of the one or more encrypted packets [matches the network address of the log entry], the one or more encrypted packets with the one or more unencrypted packets (Wang, [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname the client is attempting to connect to during the handshaking procedure. Specifically, it is present in the ClientHello message 600 to assist with name-based virtual hosting. Name-based virtual hosting allows multiple DNS hostnames to be hosted on a single server on the same IP address. In an unsecured HTTP request, the server can read the virtual host from the HTTP headers. In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate); (see Moore and Dubrovsky below for limitations in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).
While Mahadik-Wang teaches correlate encrypted packets with unencrypted packets based on information of packet headers but does not explicitly teach based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address, however in the same field of endeavor Moore teaches:
[correlate], based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address [of the log entry] (Moore, [0025] dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria. The specified criteria may take the form of a five-tuple, which may, for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or one or more other protocols), one or more source IP addresses), (see Dubrovsky below for log entry)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik-Wang by filtering network data traffic using information of IP address of packet header. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication against attack (Moore, [Abstract]).
While the combination of Mahadik-Wang-Moore does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name (Dubrovsky, [0027] The extracted URL (i.e. domain name) and IP address (i.e. network address) may be used to compare with the information stored in table 206 (i.e. log entry). If the table 206 contains the extracted URL and/or IP address, the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik-Wang-Moore by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).
The combination of Mahadik-Wang-Moore-Dubrovsky further teaches: determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets (Mahadik, [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter) and based on the log entry (Dubrovsky, [0027] The extracted URL (i.e. domain name) and IP address (i.e. network address) may be used to compare with the information stored in table 206), that the one or more encrypted packets correspond to the domain name associated with the potential network threat (Mahadik, [0029] The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted);
and in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter, the one or more encrypted packets based on the first rule (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).

Regarding claim 6, Mahadik-Wang-Moore-Dubrovsky combination further teaches:
The packet-filtering system of claim 1, wherein the network address and the IP address are the same (Dubrovsky, [0027] When the network access device 201 receives the second request, the network access device 201 may extract the URL of the requested Web page and the IP address of the server that hosts (i.e. hostname) the Web page from the second request. The extracted URL and IP address may be used to compare with the information stored in table 206). Examiner notes, since the IP address corresponds to hostname taught by Dubrovsky and claim requires network address corresponds to the hostname, therefore in this case, the network address is the IP address.

Regarding claim 7, similarly claim 22, Mahadik-Wang-Moore-Dubrovsky combination further teaches: 
The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the one or more encrypted packets, correlate the one or more encrypted packets with the one or more unencrypted packets, determine that the one or more encrypted packets correspond to the domain name, and filter the one or more encrypted packets without decrypting the one or more encrypted packets (Wang, [0025] Reference is now made to FIGS. 3-7 for a more detailed description of the examples described above. FIG. 3 illustrates an example in which the application of the policy decision results in subsequent secure communications between a client 110 and a server 130 passing through a proxy 120 without decryption at the proxy 120).  

Claims 2, 18 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Moore-Dubrovsky as applied above, further in view of Ratica et al (US20120124645A1, hereinafter, “Ratica”).
Regarding claim 2, similarly claim 18, Mahadik-Wang-Moore-Dubrovsky combination teaches: The packet-filtering system of claim 1, the method of claim 17, 
While the combination of Mahadik-Wang-Moore-Dubrovsky does not explicitly teach the following limitation(s), in the similar field of endeavor Ratica teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: determine, using a Domain Name System (DNS) query, network address corresponding to the host domain name (Ratica, discloses a system to determine IP address from hostname, see [Abstract]. And [0016] A domain name system (DNS) request is received for a hostname corresponding to the host of the third network from the host of the second network. Using at least one processor, an Internet protocol (IP) address of the first network is allocated, an IP address of the host of the third network is determined from the hostname, and the allocated IP address is mapped to the determined IP address. The allocated IP address is returned to the host of the second network in response to the DNS request),
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ratica in the method of selectively filtering internet traffic of Mahadik-Wang-Moore-Dubrovsky by determining IP address from hostname using DNS request. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine IP address of associated hostname (host domain name), to connect internal networks with external network (Ratica, [Abstract], [0004]).  

Claims 5, 8, 21, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Moore-Dubrovsky as applied above to claim 1, claim 17 respectively, further in view of Buruganahalli et al (US 9,419,942 B1-IDS by applicant, hereinafter, “Buruganahalli”).
Regarding claim 5, similarly claim 21, Mahadik-Wang-Moore-Dubrovsky combination teaches: The packet-filtering system of claim 1, the method of claim 17, 
While the combination of Mahadik-Wang-Moore-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Buruganahalli teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets further based on a port number associated with the first unencrypted data (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Wang-Moore-Dubrovsky by filtering traffic based on port number. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on destination domain using unencrypted packet traffic data such as IP address and port number (Buruganahalli, [Abstract]).

Regarding claim 8, similarly claim 23, Mahadik-Wang-Moore-Dubrovsky combination teaches: The packet-filtering system of claim 1, the method of claim 17, 
While the combination of Mahadik-Wang-Moore-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Buruganahalli teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik-Wang-Moore-Dubrovsky by filtering traffic based on destination domain extracted from TLS handshake. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as destination IP address for enhanced performance (Buruganahalli, [Abstract]).

Claims 3, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Moore-Dubrovsky as applied above to claim 1, claim 17 respectively, further in view of Ben-Natan (US7437362B1, hereinafter, “Ben-Natan”).
Regarding claim 3, similarly claim 19, Mahadik-Wang-Moore-Dubrovsky combination teaches:
The packet-filtering system of claim 1, the method of claim 17, 
While the combination of Mahadik-Wang-Moore-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Ben-Natan teaches:
wherein the packet-filtering system does not comprise a proxy device (Ben-Natan, discloses security filter for intercepting database streams, see [Abstract]. And [Col. 4 lines 51-62] In the non-proxy, or direct modification configuration, limiting the data access transaction further includes receiving a set of packets, in which the packets encapsulate the data access transaction according to layered protocols. The interrogation and modification of the packets occurs in a nondestructive manner with respect to the layered protocols. The security filter padding the packets for accommodating elimination of the restricted data items to generate the resulting data access transaction. Therefore, the generation of the resulting data access transaction preserves the encapsulating layered protocol associating the packets, and without employing a proxy for regenerating the sequence of packets). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ben-Natan in the method of selectively filtering internet traffic of Mahadik-Wang-Moore-Dubrovsky by implementing non-proxy configuration security filter. This would have been obvious because the person having ordinary skill in the art would have been motivated to preserve the encapsulating layered protocol associating the packets, and without employing a proxy for regenerating the sequence of packets (Ben-Natan, [Abstract], [Col. 4 lines 51-62]).

Claims 4, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Moore-Dubrovsky as applied above to claim 1, claim 17 respectively, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 4, similarly claim 20, Mahadik-Wang-Moore-Dubrovsky combination teaches: The packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik-Wang-Moore-Dubrovsky presented for claim 1),
While the combination of Mahadik-Wang-Moore-Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Moore-Dubrovsky by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).

Claims 9, 14, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Graham-Cumming (US20170171232A1, hereinafter, “Graham-Cumming”), further in view of Moore (US20140283004A1-IDS by Applicant, hereinafter, “Moore”) and Dubrovsky et al (US20140373156A1-IDS by applicant, hereinafter, “Dubrovsky”).
Regarding claim 9, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence provider provides at least a portion of the plurality of network-threat indicators (Mahadik, [0015] The internet resource database 120 (with Admin Interface 150 as shown in Fig. 1, i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
receive one or more unencrypted packets; analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data [is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name] (Mahadik, [0029] A domain (i.e. host domain name) is preferably detected during the handshake (i.e. receive unencrypted packets) through a server name attribute or through some alternative parameter); (see Graham-Cumming below for the teaching of limitation(s) in bracket) 
determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name, of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat (Mahadik, [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query (i.e. DNS query, i.e. network-threat indicators) and determines (i.e. compare) a categorization of the query (e.g., permitted, partially-permitted, or restricted). Upon determining the categorization of the query, the DNS proxy server no preferably returns an IP address to the originating machine. And [0022] Step S220, which includes, determining a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database… Step S220 may additionally include determining the resource access level according to rules set by a network administration interface. These rules function to enable the method to enforce conditional access restrictions to resources. And [0029] The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted… Examiner notes that it is obvious to one ordinary skilled in the art that the access is restricted if domain name is associated with network resource of potential network threat); 
receive one or more encrypted packets subsequent to receiving the one or more unencrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication, it is obvious that the received encrypted packets is after the unencrypted encryption handshake (unencrypted packets));
correlate, [based on determining that an IP address in one or more packet headers of one or more encrypted packets matches the network address of the log entry], the one or more encrypted packets with the one or more of the unencrypted packets (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. correlating). Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information in handshake (i.e. unencrypted packets)); (see the teachings of Moore, Dubrovsky for limitation(s) in bracket shown below)
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data associated with HTTP, HTTPS traffic but does not explicitly teach associated with initiation of a TCP connection, however in the similar field of endeavor Graham-Cumming teaches:
[analyze first unencrypted data contained in the one or more unencrypted packets] (see Mahadik shown above), wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name (Graham-Cumming, discloses network address for a hostname and identify the address in TCP SYN packet. And [0042] an IP address is assigned to a hostname where the IP address includes a predefined portion that identifies a configuration setting indicating that traffic for that hostname is to be blocked... a TCP SYN packet is received at the proxy server 120 that is requesting a TCP connection be established that includes a destination IP address that includes a predefined portion that identifies that traffic is to be blocked. This TCP SYN packet may be the first TCP packet of a TCP three-way handshake);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Graham-Cumming in the method of selectively filtering internet traffic of Mahadik by identifying IP address in TCP SYN packet of a TCP three-way handshake. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine traffic to be blocked based on the IP address in the TCP SYN packet (Graham-Cumming, [Abstract], [0042]).
While Mahadik/Graham-Cumming teaches filtering encrypted packet data based on unencrypted packet data associated with HTTP, HTTPS traffic but does not explicitly teach IP address in one or more packet headers of the one or more encrypted packets, however in the same field of endeavor Moore teaches:
correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address [of the log entry], the one or more encrypted packets with the one or more unencrypted packets (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s). Also [0025] dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria. The specified criteria may take the form of a five-tuple, which may, for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), or one or more other protocols), one or more source IP addresses). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above). Conceptually, the first stage may determine if the network policy allows any communications between the resources identified in the 5-tuple rule; if so, the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).
While the combination of Mahadik/Graham-Cumming/Moore does not explicitly teach but in the same field of endeavor Dubrovsky teaches:
based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name (Dubrovsky, [0027] The extracted URL (i.e. domain name) and IP address (i.e. network address) may be used to compare with the information stored in table 206 (i.e. log entry). If the table 206 contains the extracted URL and/or IP address, the information regarding the previously detected virus and/or spyware is retrieved from table 206. This information may be used to form a reason explaining why the connection was terminated);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).
The combination of Mahadik/Graham-Cumming/Moore/Dubrovsky further teaches: determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets (Mahadik, [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter) and based on the log entry (Dubrovsky, [0027] The extracted URL (i.e. domain name) and IP address (i.e. network address) may be used to compare with the information stored in table 206), that the one or more encrypted packets correspond to the domain name associated with the potential network threat (Mahadik, [0029] The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted);
and in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter, the one or more encrypted packets based on the first rule (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filtering)).

Regarding claim 24, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
A method (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: method steps substantially similar to the method steps performed by the packet-filtering system of claim 9, therefore is rejected with same rational set forth as rejection of claim 9 above.

Regarding claim 14, Mahadik/Graham-Cumming/Moore/Dubrovsky combination further teaches:
The packet-filtering system of claim 9, wherein the network address and the IP address are the same (Dubrovsky, [0027] When the network access device 201 receives the second request, the network access device 201 may extract the URL of the requested Web page and the IP address of the server that hosts (i.e. hostname) the Web page from the second request. The extracted URL and IP address may be used to compare with the information stored in table 206). Examiner notes, since the IP address corresponds to hostname taught by Dubrovsky and claim requires network address corresponds to the hostname, therefore in this case, the network address is the IP address.

Claims 10, 25 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik/Graham-Cumming/Moore/Dubrovsky as applied above, further in view of Ratica et al (US20120124645A1, hereinafter, “Ratica”).
Regarding claim 10, similarly claim 25, Mahadik/Graham-Cumming/Moore/Dubrovsky combination further teaches:
The packet-filtering system of claim 9, the method of claim 24, 
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky does not explicitly teach the following limitation(s), in the similar field of endeavor Ratica teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: determine, using a Domain Name System (DNS), the network address corresponding to the host domain name (Ratica, discloses a system to determine IP address from hostname, see [Abstract]. And [0016] A domain name system (DNS) request is received for a hostname corresponding to the host of the third network from the host of the second network. Using at least one processor, an Internet protocol (IP) address of the first network is allocated, an IP address of the host of the third network is determined from the hostname, and the allocated IP address is mapped to the determined IP address. The allocated IP address is returned to the host of the second network in response to the DNS request).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ratica in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/Dubrovsky by determining IP address from hostname using DNS request. This would have been obvious because the person having ordinary skill in the art would have been motivated to determine IP address of associated hostname (host domain name), to connect internal networks with external network (Ratica, [Abstract], [0004]). 

Claims 11, 26 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik/Graham-Cumming/Moore/Dubrovsky as applied above to claim 9, claim 24 respectively, further in view of Ben-Natan (US7437362B1, hereinafter, “Ben-Natan”).
Regarding claim 11, similarly claim 26, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
The packet-filtering system of claim 9, the method of claim 24, 
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky does not explicitly teach the following limitation(s), in the same field of endeavor Ben-Natan teaches:
wherein the packet-filtering system does not comprise a proxy device (Ben-Natan, discloses security filter for intercepting database streams, see [Abstract]. And [Col. 4 lines 51-62] In the non-proxy, or direct modification configuration, limiting the data access transaction further includes receiving a set of packets, in which the packets encapsulate the data access transaction according to layered protocols. The interrogation and modification of the packets occurs in a nondestructive manner with respect to the layered protocols. The security filter padding the packets for accommodating elimination of the restricted data items to generate the resulting data access transaction. Therefore, the generation of the resulting data access transaction preserves the encapsulating layered protocol associating the packets, and without employing a proxy for regenerating the sequence of packets). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ben-Natan in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/ Dubrovsky by implementing non-proxy configuration security filter. This would have been obvious because the person having ordinary skill in the art would have been motivated to preserve the encapsulating layered protocol associating the packets, and without employing a proxy for regenerating the sequence of packets (Ben-Natan, [Abstract], [Col. 4 lines 51-62]). 

Claims 12, 27 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik/Graham-Cumming/Moore/Dubrovsky as applied above to claim 9, claim 24 respectively, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 12, similarly claim 27, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik/Graham-Cumming/Moore/Dubrovsky presented for claim 9), 
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky does not explicitly teach but in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/Dubrovsky by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 13, 16, 28, 30 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik/Graham-Cumming/Moore/Dubrovsky as applied above to claim 9, claim 24 respectively, further in view of Buruganahalli et al (US 9,419,942B1, hereinafter, “Buruganahalli”).
Regarding claim 13, similarly claim 28, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the 6Application No. 17/482,910Docket No.: 007742.00251\USResponse to Office Action dated 01.21.2022one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik/Graham-Cumming/Moore/Dubrovsky presented for claim 9), 
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky does not explicitly teach but in the same field of endeavor Buruganahalli teaches:
further based on a port number associated with the first unencrypted data (Buruganahalli, [Col. 9 lines 7-10] As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/ Dubrovsky by filtering traffic based on packet filtering rules on inspected packets associated with port number. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to allows multiple secure (HTTPS) websites to be served using the same IP address for the purpose of network traffic filtering (Buruganahalli, [Abstract], Col. 9 lines 7-10).

Regarding claim 16, similarly claim 30, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
The packet-filtering system of claim 9, the method of claim 24,
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky teaches packet filtering but does not explicitly teach prevent further transmission of the one or more encrypted packets however in the same field of endeavor Buruganahalli teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the one or more encrypted packets by causing the packet-filtering system to prevent further transmission of the one or more encrypted packets (Buruganahalli, [Col. 5 lines 52-58] Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy). For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked (i.e. prevent) and decryption is not required).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Buruganahalli in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/ Dubrovsky by filtering traffic based on packet filtering rules. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as IP address and port number to block encrypted traffic that violates firewall policy (Buruganahalli, [Abstract], Col. 5 lines 52-58).

Claims 15, 29 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik/Graham-Cumming/Moore/Dubrovsky as applied above to claim 9, claim 24 respectively, further in view of Wang et al (US20130312054A1, hereinafter, “Wang”).
Regarding claim 15, similarly claim 29, Mahadik/Graham-Cumming/Moore/Dubrovsky combination teaches:
The packet-filtering system of claim 9, the method of claim 24, 
While the combination of Mahadik/Graham-Cumming/Moore/Dubrovsky does not explicitly teach but in the same field of endeavor Wang teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the one or more encrypted packets, correlate the one or more encrypted packets with the one or more unencrypted packets, determine that the one or more encrypted packets correspond to the domain name, and filter the one or more encrypted packets without decrypting the one or more encrypted packets (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0025] Reference is now made to FIGS. 3-7 for a more detailed description of the examples described above. FIG. 3 illustrates an example in which the application of the policy decision results in subsequent secure communications between a client 110 and a server 130 passing through a proxy 120 without decryption at the proxy 120).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik/Graham-Cumming/Moore/Dubrovsky by filtering secure traffic without decryption. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic without decryption corresponding to legal requirement (Wang, [Abstract], [0028]).
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/MICHAEL M LEE/Examiner, Art Unit 2436


/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436