DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
 
 2.	Applicant’s response filed on March 14, 2022 have been considered.  Claims 1, 10, and 16 have been amended. Claims 4, 12, and 18 have been canceled.  New claims 21-23 have been added.  Claims 1-3, 5-11, 13-17, and 19-23 are pending.

Claim Objections
3.	Claims 1, 10, and 16 are objected to because of the following informalities:  Referring to claims 1, 10, 16:
	Claim 1 recites:
	“wherein each of the field rules indicate a feature of a field, wherein each of the order rules an order of the plurality of fields in the handshake message,”. It appears ‘indicate’ is missing before ‘an ‘order’. 
	Claims 10, and 16 recite the similar limitation as claim 1.

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-3, 7-8, 10-11, 14-17, and 20  are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1).
Referring to claim 1:
	Yung teaches:
           An encrypted data stream identification method, comprising (see Yung, fig. 1, 30 ‘traffic monitoring device’; col. 5, line 10 ‘the present invention facilitates the classification of network traffic that has been encrypted [i.e., the encrypted data stream identification ] according to a dynamic encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols,’): 
           parsing a handshake message of an encrypted data stream to obtain a plurality of fields comprised in the handshake message, wherein the parsing is performed according to a secure encrypted transmission protocol corresponding to the encrypted data stream (see Yung, col. 6, lines 9-20 ‘parsing the data packets for various attributes (such as source and destination addresses, and the like [i.e., ‘a plurality of fields’ ]… various attributes of the connection handshake associated with dynamic encryption mechanisms, such as the SSL and TLS protocols [i.e., ‘a secure encrypted transmission protocol’ ].’);
            determining a rule set of a plurality of rule sets that matches the handshake message based on the plurality of fields by separately matching the plurality of fields with a plurality of field rules and with a plurality of order rules, wherein the plurality of rule sets comprises the field rules and the order rules, wherein each of the field rules indicate a feature of a field, wherein each of the order rule an order of the plurality of fields in the handshake message, and wherein the plurality of fields meets a rule in a matched rule set (see Yung, col. 9, line 12 ‘According to either framework, a traffic class has at least one attribute defining the criterion(ia) against which data flow attributes are analyzed for the purpose of determining a matching traffic class [i.e., determining a rule set that matches the handshake message ].’; col. 11, line 25 ‘As discussed herein, the detected handshake attributes can then be compared against matching criteria [i.e., ‘a plurality of rule sets’ ] for one or more traffic classes maintained by traffic classification engine 86 (and/or traffic discovery module 84).’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ]; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc.) [i.e., ‘the plurality of fields meets a rule in a matched rule set’, where  ‘ subject name’, ‘issuer name’, etc.,  correspond to a filed rule indicating a feature of the field (field length, type, value) ]; col. 11, line 61 ‘compares [i.e., separately matching ] the source and destination addresses identified in the SSL packet to the IP address pairs in the preliminary SSL connection table.’); and
             determining an application corresponding to the encrypted data stream based on a mapping relationship between the matched rule set and the application corresponding to the encrypted data stream (see Yung, col. 13, line 48-50 ‘The attributes of the handshake, therefore, allow for classification of encrypted network traffic into application-specific classes [i.e., determining an application corresponding to the encrypted data stream ].’; col. 19, line 10 ‘a traffic class may also be defined in relation to the attributes of the handshake associated with an encryption mechanism that a given application employs.[i.e., determining an application corresponding to the encrypted data stream ]’).
	Yung suggests the order rule indicating an order of the plurality of fields in the handshake message (see Yung, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ];).  However, Yung does not elaborate on it. 
	Montoro discloses the order rule indicating an order of the plurality of fields in the message (see Montoro, [0041] ‘A rule may assign a score based on the order of header fields in a communication packet.’)
 		It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Montoro into the system of Yung to use the order rule in parsing a message.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Montoro’s teaching could enhance the system of Yung, because Montoro discloses “A score indicative of malware may be assigned to headers that includes fields in an order that does not match the order for the application identified in a user agent field of the header.” (see Montoro, [0041]) 
Referring to claims 10, 16:
	Yung teaches:
           An encrypted data stream identification method, comprising (see Yung, fig. 1, 30 ‘traffic monitoring device’; col. 5, line 10 ‘the present invention facilitates the classification of network traffic that has been encrypted [i.e., the encrypted data stream identification ] according to a dynamic encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols,’): 
           separately match the plurality of fields with a plurality of field rules and with a plurality of order rules in a plurality of rule sets to determine a rule set of the plurality of rule sets that matches the handshake message based on the plurality of fields, wherein each of the plurality of rule sets comprises the field rules and the order rules, wherein each of the field rules indicate a feature of a field, wherein each of the order rules an order of the plurality of fields in the handshake message, and wherein the plurality of fields meets a rule in a matched rule set  (see Yung, col. 9, line 12 ‘According to either framework, a traffic class has at least one attribute defining the criterion(ia) against which data flow attributes are analyzed for the purpose of determining a matching traffic class [i.e., determining a rule set that matches the handshake message ].’; col. 11, line 25 ‘As discussed herein, the detected handshake attributes can then be compared against matching criteria [i.e., ‘a plurality of rule sets’ ] for one or more traffic classes maintained by traffic classification engine 86 (and/or traffic discovery module 84).’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ]; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc.) [i.e., ‘the plurality of fields meets a rule in a matched rule set’, where  ‘subject name’, ‘issuer name’, etc.,  correspond to a filed rule indicating a feature of the field (field length, type, value) ]; col. 11, line 61 ‘compares [i.e., separately matching ] the source and destination addresses identified in the SSL packet to the IP address pairs in the preliminary SSL connection table.’);
             determining an application corresponding to the encrypted data stream based on a mapping relationship between the matched rule set and the application corresponding to the encrypted data stream (see Yung, col. 13, line 48-50 ‘The attributes of the handshake, therefore, allow for classification of encrypted network traffic into application-specific classes [i.e., determining an application corresponding to the encrypted data stream ].’; col. 19, line 10 ‘a traffic class may also be defined in relation to the attributes of the handshake associated with an encryption mechanism that a given application employs.[i.e., determining an application corresponding to the encrypted data stream ]’).
	Yung suggests the order rule indicating an order of the plurality of fields in the handshake message (see Yung, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ];).  However, Yung does not elaborate on it.
	Montoro discloses the order rule indicates an order of the plurality of fields in the message (see Montoro, [0041] ‘A rule may assign a score based on the order of header fields in a communication packet.’)
 		It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Montoro into the system of Yung to use the order rule in parsing a message.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Montoro’s teaching could enhance the system of Yung, because Montoro discloses “A score indicative of malware may be assigned to headers that includes fields in an order that does not match the order for the application identified in a user agent field of the header.” (see Montoro, [0041])
Referring to claim 2:
	Yung, and Montoro further disclose:
	wherein the feature is at least one of a length of the field, a type of the field, the length and the type of the field, the type and a value of the field, or a combination of the length, the type, and the value of the field (see Yung, col. 6, line 9 ‘parsing the data packets for various attributes (such as source and destination addresses, and the like)’).
Referring to claims 3, 11, 17:
	Yung, and Montoro further disclose:
	wherein the plurality of fields comprise a plurality of groups, wherein each of the plurality of groups corresponds to one of the handshake message, wherein the encrypted data stream identification method further comprises: matching the plurality of groups with rules from the plurality of rule sets in an order of receiving the handshake message to obtain the rule set that matches the handshake message (see Yung, fig. 5B; col. 8, line 65 ‘selected cipher suites [i.e., a group of cipher suites fields in the client hello message ]; col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘ In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’). 
Referring to claims 7, 14:
	Yung, and Montoro further disclose:
	parsing a plurality of names of the handshake message (see Yung, fig. 5B, 144 ‘Client Hello ?’); 
           determining a rule corresponding to the plurality of names; and parsing a plurality of fields of the handshake message that are indicated by the rule  (see Yung, col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields in the client hello message ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’).
Referring to claims 8, 15, 20:
	Yung, and Montoro further disclose:
	wherein the handshake message comprises a plurality of handshake messages (see Yung, fig. 6 describes a message flow according to the SSL handshake protocol).

6.	Claims 5-6, 9, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1), further in view of Min et al. (U.S. 2019/0220705 A1), hereinafter “Min”.
Referring to claims 5, 13, 19:
	Yung, and Montoro further disclose:
		wherein the matched rule set comprises a plurality of subsets, wherein each of the plurality of subsets corresponds to at least one application, wherein the encrypted data stream identification method further comprises (see Yung, col. 18, line 57 ‘A traffic class [i.e., a subset of the matched rule set ] comprises a set of matching rules or attributes allowing for logical grouping of data flows that share the same characteristic or set of characteristics--e.g., a service ID or type (see Section B.1., above), a specific application, protocol, IP address, MAC address, port, subnet, etc. In one embodiment, each traffic class [i.e., a plurality of subsets of matched rule set ] has at least one attribute defining the criterion(ia) used for identifying a specific traffic class.’):
                      obtaining a plurality of application sets corresponding to the plurality of subsets based on a mapping relationship between each of the plurality of subsets and an application from the plurality of application sets (see Yung, col. 18, lines 57-64 ‘a specific application’). 
		However, they not disclose the intersection set.
		Min disclose the intersection set (see Min, [0075] ‘intersecting set’).
		It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use the intersection set.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because Min discloses a method “relates to updating attribute data structures to indicate joint relationships among attributes and predictive outputs in training data that is used for training automated modeling systems.” (see Min, [0002]).
Referring to claim 6:
	Yung, and Montoro further disclose names of the handshake messages (see Yung, fig. 6).  However, they do not explicitly disclose a linked list.
		Min discloses or suggests the linked list (see Min, [0079] ‘linked via identifier value’; [0093] ‘lists’).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use the linked list.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because linked list is a well-known and popular data storage structure.
Referring to claim 9:
	Yung, and Montoro further disclose: 
           obtaining at least one rule set corresponding to a target application based on a plurality of samples of a plurality of encrypted data flows streams; and determining whether the plurality of samples are handshake messages of an encrypted data flow stream corresponding to the target application (see Yung, col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields in the client hello message ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’).
	However, they do not disclose the machine learning.
	Min discloses the machine learning (see Min, [0046] ‘the attribute-creation module 108 can create derived attributes 125 by applying a supervision feature to machine-learning techniques’).
          It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use machine learning.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because “Association rule mining can include finding frequent combinations of attributes in a set of data and identifying patterns among the attributes.” (see Min, [0047]).

7.	Claims 21-23  are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1), further in view of Luna (U.S. 2012/0278886 A1), hereinafter “Luna”.
Referring to claims 21-23:
	Yung, and Montoro disclose the limitations as described in claim 1. However, they do not disclose batch.
Luna further discloses batch (see Luna, [0116] ‘send it in batches’). 
           In addition, Luna further disclose determining an application according to data stream (see Luna, [0086] ‘The notifier 426 can also identify the source (e.g., application/service 608) of the suspicious traffic for the user’).
          It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Luna into the system of Yung to use batch.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Luna’s teaching could enhance the system of Yung, because Luna discloses “send it in batches to avoid the protocol overhead of sending individual data fragments.” (see Luna, [0086]). 

Response to Arguments
8.	Applicant's arguments filed March 14, 2022 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“but Yung does not determine a rule set of a plurality of rule sets that matches the handshake message based on the plurality of fields by separately matching the plurality of fields with a plurality of field rules and with a plurality of order rules in the plurality of rule sets, wherein each of the field rules indicate a feature of a field, and determine an application corresponding to the encrypted data stream based on a mapping relationship between the matched rule set and the application corresponding to the encrypted data stream:” (see page 11, 2nd par)
Examiner maintains:
Yung discloses: col. 9, line 12 ‘According to either framework, a traffic class has at least one attribute defining the criterion(ia) against which data flow attributes are analyzed for the purpose of determining a matching traffic class [i.e., determining a rule set that matches the handshake message ].’; col. 11, line 25 ‘As discussed herein, the detected handshake attributes can then be compared against matching criteria [i.e., ‘a plurality of rule sets’ ] for one or more traffic classes maintained by traffic classification engine 86 (and/or traffic discovery module 84).’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ]; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc.) [i.e., ‘the plurality of fields meets a rule in a matched rule set’, where  ‘subject name’, ‘issuer name’, etc.  correspond to a filed rule indicating a feature of the field (field length, type, value) ]; col. 11, line 61 ‘compares [i.e., separately matching ] the source and destination addresses identified in the SSL packet to the IP address pairs in the preliminary SSL connection table.’
Yung further discloses: col. 13, line 48-50 ‘The attributes of the handshake, therefore, allow for classification of encrypted network traffic into application-specific classes [i.e., determining an application corresponding to the encrypted data stream ].’; col. 19, line 10 ‘a traffic class may also be defined in relation to the attributes of the handshake associated with an encryption mechanism that a given application employs [i.e., determining an application corresponding to the encrypted data stream ]’.
Montoro discloses: [0041] ‘A rule may assign a score based on the order of header fields in a communication packet.’
Therefore, the combination of references disclose the claimed limitations.
(b)	Applicant submits:
“Thus, Yung does not determine a rule set of a plurality of rule sets that matches the handshake message based on the plurality of fields by separately matching the plurality of fields with a plurality of field rules and with a plurality of order rules in the plurality of rule sets, as claimed.” (see page 12, 2nd par)
The combination of references disclose the claimed limitations (see (a) above).
(c)	Applicant submits:
“Therefore, Yung also does not determine an application corresponding to the encrypted data stream based on a mapping relationship between the matched rule set and the application corresponding to the encrypted data stream, as claimed.” (see page 13, 1st par)
Examiner maintains:
Yung discloses: col. 13, line 48-50 ‘The attributes of the handshake, therefore, allow for classification of encrypted network traffic into application-specific classes [i.e., determining an application corresponding to the encrypted data stream ].’; col. 19, line 10 ‘a traffic class may also be defined in relation to the attributes of the handshake associated with an encryption mechanism that a given application employs [i.e., determining an application corresponding to the encrypted data stream ]’.
Therefore, the reference discloses or suggests determining an application corresponding to the encrypted data stream based on a mapping relationship between the matched rule set and the application corresponding to the encrypted data stream, as claimed.  
Conclusion

9.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Nene; Bhushan Sharad (US 10725747 B1) disclose Dynamically customizable portal;
(b)	Raleigh; Gregory G. et al. (US 20200045519 A1) disclose Service Plan Design, User Interfaces, Application Programming Interfaces, and Device Management;
(c)	GUNDA; LAXMIKANT VITHAL et al. (US 20190036956 A1) disclose context engine model;
(d)	Rapp; Adrian Dieter et al. (US 20180203731 A1) disclose dynamically configuring a process based on environmental characteristics monitored by a mobile device;
(e)	Bansal; Kaushal et al. (US 20180176102 A1) disclose application assessment and visibility for micro-segmentation of a network deployment;
(f)	Nimmagadda; Srinivas et al. (US 20180176252 A1) disclose application template generation and deep packet inspection approach for creation of micro-segmentation policy for network applications; 
(g)	WANG; Xiangguang (US 20160255118 A1) disclose network traffic control device, and security policy configuration method and apparatus thereof. 

 10.       THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
             A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.  
                     Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
           If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                                        


 

/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492