DETAILED ACTION
This communication is in respond to applicant’s amendment filed on April 6, 2022. Claims 1-20 are pending.

Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 

Response to Arguments
Rejection of claims 1-20 under 35 USC 112(a), and rejection of claims 18 and 20 under 35 USC 112b have been withdrawn in light of Applicant’s amendment filed on 04/06/2022.
Applicant's arguments with respect to amended claims have been fully considered but are moot in view of the new ground(s) of rejection. 
	

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/ guidance/eTD-info-I.jsp.

Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No. 10,764,274 in view of US PG-PUB 2008/0288458 A1 to Sun et al. (hereinafter Sun). With respect to the claims of the instant application, please refer to the following table, which illustrates the obvious and anticipatory relationship of the claim limitations at issue:
Instant application
US Pat. No. 10,764,274
1. A method for establishing a proxy-less communication session, the method comprising: 
performing a first key exchange with a server, wherein a first public key is provided to the server; performing a second key exchange with a client device, wherein a second public key is provided to the client device; 

Receiving a data packet that includes information encrypted at the server using the first public key, decrypting information included in an encrypted communication received from the server, wherein decrypting the encrypted information included in the data packet received from the server, wherein the decrypted information is inspected; 

generating encrypted data by re-encrypting the inspected information, wherein the encrypted data is decrypted at the client device using the second public key; sending the encrypted data to the client device.
1. A method for inspecting data sent over a computer network, the method comprising: 
establishing a secure connection between a client device and a responder device via a gateway; intercepting a plurality of data packets sent between the responder device and the client device via the secure connection; ....
Claim 8. The method of claim 1, wherein the current packet is encrypted, and further comprising determining when to attempt decryption of the encrypted packet.
...(claim 1).... updating the second set of state information as each of the second set of intercepted packets are inspected and communicated to the client device...
claim 11. The method of claim 8, further comprising determining when to attempt re-encryption of the decrypted packet...
...(claim 1).... updating the second set of state information as each of the second set of intercepted packets are inspected and communicated to the client device...
2. The method of claim 1, further comprising: receiving a first certificate from the server; and generating a second certificate based on modifying the first certificate, the second certificate including the second public key, wherein a portion of the second certificate is identical to a portion of the first certificate.
2. The method of claim 1, further comprising: receiving a first certificate from the responder device; generating a second certificate based on modifying the first certificate, wherein a public key of the second certificate is different from a public key of the first certificate and a remaining portion of the second certificate is identical to a remaining portion of the first certificate; and establishing a new secured connection based on the second certificate.
3. The method of claim 1, wherein the encrypted information corresponds to a data packet, and further comprising: inspecting the decrypted information from the data packet; identifying that the data packet includes data associated with a security function based on the inspection; and executing the associated security function based on the identification.
Claim 1....updating the second set of state information as each of the second set of intercepted packets are inspected and communicated to the client device; identifying that the packets from the responder device include data that is associated with a security function; and executing the security function based on the identification that the data is associated with the security function.
4. The method of claim 3, wherein executing the security function comprises blocking a further data packet from being transmitted to the client device.
4. The method of claim 1, wherein executing the security function comprises blocking further transmission of the data packets sent to the client device.
5. The method of claim 3, wherein executing the security function comprises sending a warning message to the client device.
5. The method of claim 1, wherein executing the security function comprises sending a warning message to the client device.
6. The method of claim 3, wherein inspecting the decrypted information includes deep packet inspection.
6. The method of claim 1, wherein inspecting the intercepted data packets includes deep packet inspection.
7. The method of claim 3, wherein executing the security function comprises filtering content of data received from the server.
7. The method of claim 1, wherein executing the security function comprises filtering content of the intercepted data packets.
8. The method of claim 1, further comprising: intercepting one or more data packets transmitted according to a secured network protocol between the client device and the server while remaining transparent to the client device and the server; maintaining a first set of state information for the client device, the first set of state information including a sequence number of a last packet received by the client device; and 






retransmitting the last data packet corresponding to the sequence number to the client device based on the first set of state information.
Claim 1....
maintaining packet state information relating to the intercepted data packets at the gateway, wherein a first set of state information pertains to a first set of the intercepted packets from communications with the responder device, and wherein a second set of state information pertains to a second set of the intercepted packets from communications with the client device; updating the first set of state information as each of the first set of intercepted packets are inspected and communicated to the responder device; transmitting a current intercepted packet from the gateway via the secured connection to the client device, wherein the client device identifies the current packet as being sent directly from the responder device; receiving a retransmission of the current packet from the responder device based on the responder device not receiving an acknowledgment from the client device; transparently passing the acknowledgement to the responder device that was received from the client device; updating the second set of state information as each of the second set of intercepted packets are inspected and communicated to the client device
9. The method of claim 8, wherein retransmitting the last data packet is further based on a retransmission received from the server.
Claim 1.... receiving a retransmission of the current packet from the responder device based on the responder device not receiving an acknowledgment from the client device...


Although the US Pat. No. 10,764,274 does not explicitly recites “a second acknowledgement indicating that the data packet has been received is not sent to the server until after a first acknowledgement is received from the client device indicating that data included in the data packet has been received at the client device”, and “receiving the first acknowledgement from the client device acknowledging receipt of the data included in the data packet has been received; and sending the second acknowledgement to the server based on the receipt of the first acknowledgement from the client device”, in an analogous art in network communication via proxy, Sun disclosed a proxy server managing communications between client and server where a second acknowledgement indicating that the data packet has been received is not sent to the server until after a first acknowledgement is received from the client device indicating that data included in the data packet has been received at the client device, and receiving the first acknowledgement from the client device acknowledging receipt of the data included in the data packet has been received; and sending the second acknowledgement to the server based on the receipt of the first acknowledgement from the client device (Sun, Fig. 5, and par 0040, 0041,acknowledgement between client and media server); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of US Pat. No. 10,764,274 to incorporate the implementation of acknowledgement forwarding as disclosed by Sun, in order to ensure proper communication being established between client and server.
	Claims 10-18 recite substantially the same limitations as claims 1-9, respectively, in the form of a non-transitory computer-readable medium with program implementing the corresponding method, therefore, they are rejected under the same rationale. 
	Claims 19-20 recite substantially the same limitations as claims 1-2, respectively, in the form of an apparatus implementing the corresponding method, therefore, they are rejected under the same rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-3, 6, 10-12, 15, and 19-20 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over US PG-PUB No. 2008/0126794 A1 to Wang et al. (hereinafter Wang) in view of US PG-PUB 2008/0288458 A1 to Sun et al. (hereinafter Sun).
As per claim 1, Wang disclosed a method for establishing a proxy-less communication session, the method comprising: 
performing a first key exchange with a server, wherein a first public key is provided to the server (Wang, par 0031, establishing proxy-server session, and par 0020, “two devices interested in establishing a security session (e.g., for encryption of traffic between a client 110 and server 130) may send session initiation request/reply messages ("security messages") to exchange security information, as will be understood by those skilled in the art. For instance, each device may have its own corresponding public-private key pair, e.g., according to a public key infrastructure (PKI). Public and private keys are well known in the art. For instance, devices within a network 100 are allowed to see anyone's public key, while each device's private key is not disclosed”); performing a second key exchange with a client device, wherein a second public key is provided to the client device (Wang, par 0031, establishing client-proxy session, and par 0020, “two devices interested in establishing a security session (e.g., for encryption of traffic between a client 110 and server 130) may send session initiation request/reply messages ("security messages") to exchange security information, as will be understood by those skilled in the art. For instance, each device may have its own corresponding public-private key pair, e.g., according to a public key infrastructure (PKI). Public and private keys are well known in the art. For instance, devices within a network 100 are allowed to see anyone's public key, while each device's private key is not disclosed”); 
receiving a data packet that includes information encrypted at the server, decrypting the encrypted information included in the data packet received from the server, and wherein the decrypted information is inspected (Wang, par 0038, “…the proxy device is able to decrypt the received traffic/packets (e.g., using the session key negotiated for the client-proxy or proxy-server session, as appropriate) from each sending end device, and may re-encrypt the traffic prior to forwarding it on using the respective session key with the receiving end device. In this manner, the traffic is decrypted solely for the proxy device, and deep packet inspection (e.g., for firewalls) may be performed appropriately. The proxy device may then re-encrypt the deeply inspected traffic prior to forwarding it to the receiving end device”); 
generating encrypted data by re-encrypting the inspected information, and sending the encrypted data to the client device (Wang, par 0038, “…the proxy device is able to decrypt the received traffic/packets (e.g., using the session key negotiated for the client-proxy or proxy-server session, as appropriate) from each sending end device, and may re-encrypt the traffic prior to forwarding it on using the respective session key with the receiving end device. In this manner, the traffic is decrypted solely for the proxy device, and deep packet inspection (e.g., for firewalls) may be performed appropriately. The proxy device may then re-encrypt the deeply inspected traffic prior to forwarding it to the receiving end device”);
Wang does not explicitly disclose the information encrypted at the server using the first public key, and “the encrypted data is decrypted at the client device using the second public key”, however, in a different embodiment, Wang disclosed using public key for encrypting and decrypting traffic between devices (Wang, par 0020, “Traffic may be encrypted using a public key of the recipient, which then decrypts the traffic with its own private key.”); it would have been obvious to one of ordinary skill in the art before the time of the invention, to modify the system of Wang to implement the encrypting and decrypting traffic between devices using public / private keys of the corresponding devices as disclosed by Wang in par 0020, in order to ensure secure data exchange in the proxy-server and client-proxy communication sessions;
Wang does not explicitly disclose “a second acknowledgement indicating that the data packet has been received is not sent to the server until after a first acknowledgement is received from the client device indicating that data included in the data packet has been received at the client device”, and “receiving the first acknowledgement from the client device acknowledging receipt of the data included in the data packet has been received; and sending the second acknowledgement to the server based on the receipt of the first acknowledgement from the client device”, in an analogous art in network communication via proxy, Sun disclosed a proxy server managing communications between client and server where a second acknowledgement indicating that the data packet has been received is not sent to the server until after a first acknowledgement is received from the client device indicating that data included in the data packet has been received at the client device, and receiving the first acknowledgement from the client device acknowledging receipt of the data included in the data packet has been received; and sending the second acknowledgement to the server based on the receipt of the first acknowledgement from the client device (Sun, Fig. 5, and par 0040, 0041,acknowledgement between client and media server); it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the system of Wang to incorporate the implementation of acknowledgement forwarding as disclosed by Sun, in order to ensure proper communication being established between client and server. 

As per claim 2, Wang-Sun disclosed the method of claim 1, further comprising: receiving a first certificate from the server; and generating a second certificate based on modifying the first certificate, the second certificate including the second public key, wherein a portion of the second certificate is identical to a portion of the first certificate (Wang, par 0031-0034, the proxy generates “dynamic certificate” (i.e. second certificate”) that mimics (i.e. a remaining portion identical) original certificate from server or client (i.e. first certificate), the dynamic certificate signed using proxy’s key).

As per claim 3, Wang-Sun disclosed the method of claim 1, wherein the encrypted information corresponds to a data packet, and further comprising: inspecting the decrypted information from the data packet; identifying that the data packet includes data associated with a security function based on the inspection; and executing the associated security function based on the identification (Wang, par 0034-0036, verifying certificate is a security function; also, par 0038, “the traffic is decrypted solely for the proxy device, and deep packet inspection (e.g., for firewalls) may be performed appropriately. The proxy device may then re-encrypt the deeply inspected traffic prior to forwarding it to the receiving end device. Also, when modifying the packets (e.g., for NAT), the newly re-encrypted traffic will match the expected encryption algorithm's hash at the receiving end device because the proxy device is now the expected (re-)encrypting device”).

As per claim 6, Wang-Sun disclosed the method of claim 3, wherein inspecting the decrypted information includes deep packet inspection (Wang, par 0038, “…the proxy device is able to decrypt the received traffic/packets (e.g., using the session key negotiated for the client-proxy or proxy-server session, as appropriate) from each sending end device, and may re-encrypt the traffic prior to forwarding it on using the respective session key with the receiving end device. In this manner, the traffic is decrypted solely for the proxy device, and deep packet inspection (e.g., for firewalls) may be performed appropriately. The proxy device may then re-encrypt the deeply inspected traffic prior to forwarding it to the receiving end device”).

Claims 10-12 and 15 recite substantially the same limitations as claims 1-3 and 6, respectively, in the form of a non-transitory computer-readable medium with program implementing the corresponding method, therefore, they are rejected under the same rationale. 
Claims 19-20 recite substantially the same limitations as claims 1-2, respectively, in the form of an apparatus implementing the corresponding method, therefore, they are rejected under the same rationale.

Claims 4-5, 7, 13-14 and 16 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Wang in view of Sun as applied to claim 3 above, and further in view of US PG-PUB No. 2006/0272014 A1 to McRae et al. (hereinafter McRae).
As per claim 4, Wang-Sun disclosed the method of claim 3; Wang does not explicitly disclose executing the security function comprises blocking a further data packet from being transmitted to the client device; however, in an analogous art in network communication security, McRae disclosed blocking network traffic based on packet inspection (McRae, par 0018, “The firewall 102 may operate at one or more network layers to restrict network traffic. A packet filter firewall can be used to forward or block packets based on the information in the network layer and transport layer headers (e.g., source and destination Internet Protocol (IP) addresses, source and destination port addresses, and type of protocol (TCP or UDP)). The access rules data structure for a packet filter firewall comprises a filtering table which is used to identify the packets to be blocked. An application-level gateway (ALG) firewall filters network traffic at the application layer by examining the content of the traffic”) and providing client warning message upon detection of unauthorized traffic (McRae, par 0023, “The gateway device 150 will transmit a warning message to the client device indicating that an unauthorized network event has been detected and requesting a response from the user at the client device”); it would have been obvious to one of ordinary skill in the art before the time of the invention, to implement the system of Wang to incorporate the filtering and blocking packets as disclosed by McRae, in order to ensure system security by allowing only authorized network traffic.

As per claim 5, Wang-Sun-McRae disclosed the method of claim 3, wherein executing the security function comprises sending a warning message to the client device (McRae, par 0018, 0023, “The gateway device 150 will transmit a warning message to the client device indicating that an unauthorized network event has been detected and requesting a response from the user at the client device”, the reasons of obviousness have been noted in the rejection of claim 4 above and applicable herein).

As per claim 7, Wang-Sun-McRae disclosed the method of claim 3, wherein executing the security function comprises filtering content of data received from the server (McRae, par 0018, 0021, 0023, “...The access rules data structure for a packet filter firewall comprises a filtering table which is used to identify the packets to be blocked. An application-level gateway (ALG) firewall filters network traffic at the application layer by examining the content of the traffic”, the reasons of obviousness have been noted in the rejection of claim 4 above and applicable herein, one of ordinary skill in the art would recognize that providing warning messages to client would provide the user information to take proper actions and responses).

Claims 13-14 and 16 recite substantially the same limitations as claims 4-5 and 7, respectively, in the form of a non-transitory computer-readable medium with program implementing the corresponding method, therefore, they are rejected under the same rationale.

Claims 8-9 and 17-18 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Wang in view of Sun as applied to claim 1 above, and further in view of US PG-PUB No. 2005/0021999 A1 to Touitou et al. (hereinafter Touitou).
As per claim 8, Wang-Sun disclosed the method of claim 1, further comprising: intercepting one or more data packets transmitted according to a secured network protocol between the client device and the server while remaining transparent to the client device and the server (Wang, par 0036, “The proxy device 120 may then establish the initiated client-proxy session by sending a similar certificate verification and finish message 300 to the client 110 (the proxy device now acting as the server). The client 110 and proxy device 120 may each send a return finish message 300 to the proxy device and server 130, respectively, to complete the establishment of the client-proxy and proxy-server security sessions. The proxy device 120 (e.g., proxy services 244) thus transparently proxies the connection between the client/server endpoints of a client-server security session. In other words, the client-proxy security session and proxy-server security session transparently appear to the client 110 and server 130 as the requested client-server security session”); 
Wang does not explicitly disclose “maintaining a first set of state information for the client device, the first set of state information including a sequence number of a last packet received by the client device; and retransmitting the last data packet corresponding to the sequence number to the client device based on the first set of state information”, however, in an analogous art in network communications, Touitou disclosed the concept of maintaining/updating packet state for different communication sessions/devices (Touitou, par 0005, 0070-0073, guard device 28 records packet sequence number received from network devices to ensure proper transmission, i.e., maintaining and updating of state information for packets from different network devices); it would have been obvious to one of ordinary skill in the art before the time of the invention, to modify the system of Wang to implement the concept of maintaining/updating packet state for different communication sessions/devices as disclosed by Touitou, in order to ensure the proper communication of the client-proxy security session and the proxy-server security session in Wang.

As per claim 9, Wang-Sun-Touitou disclosed the method of claim 8, wherein retransmitting the last data packet is further based on a retransmission received from the server (Wang, par 0036, proxy device transparently proxies the connection between the client/server endpoints of a client-server security session; and Touitou, par 0005, 0070-0073, guard device 28 records packet sequence number received from network devices to ensure proper transmission; the reasons of obviousness have been noted in the rejection of claim 8 above and applicable herein).

Claims 17 and 18 recite substantially the same limitations as claims8 and 9, respectively, in the form of a non-transitory computer-readable medium with program implementing the corresponding method, therefore, they are rejected under the same rationale.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Linglan Edwards whose telephone number is (571)270-5440. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok B Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/LINGLAN EDWARDS/Primary Examiner, Art Unit 2491