DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the America Invents Act (AIA ).

Response and Claim Status
The instant Office action is responsive to the interview conducted April 12, 2022 (the “Interview”) and the response received April 19, 2022 (the “Response”).  
In response to the Interview and the Response, the previous rejections of claims 1–9 and 12–20 under 35 U.S.C. § 103
are WITHDRAWN.
Claims 1–20 are currently pending.  

Claim Objections
The Examiner notes Applicants assert that “Applicant[s have] amended these claims to address the Examiner’s concerns.”  Response 6.  The Examiner, however, finds the claims amendments do not address the objections.  See Response 2–5 (Claims App’x).
Claims 3–5 and 13–18 are objected to under 37 C.F.R. § 1.71(a) for the following informalities:
(1) claim 3, line 1 should be “wherein the computing apparatus.”
(2) claim 4, line 1 should be “wherein the directing.”
(3) claim 5, line 1 should be “wherein the determining.”
(4) claim 13, line 2 should be “wherein the instructions.”

Claim Rejections – 35 U.S.C. § 112
The following is a quotation of 35 U.S.C. § 112(a): 
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1–18 are rejected under 35 U.S.C. § 112(a) as failing to comply with the written description requirement.  
Claim 1 recites “receiving an outgoing network packet . . . ; and upon determining that the outgoing network packet is directed to a domain name that was previously resolved, direct the outgoing network packet to the native IP stack.”
The Examiner finds although the Specification recites “direct a second portion of the outgoing traffic to the native IP stack” (Abstract; Spec. ¶¶ 19, 288; original claim 1), the Specification does not provide support for directing the outgoing network packet to the native IP stack upon determining that the outgoing network packet is directed to a domain name that was previously resolved.  Notably, paragraph 169 of the Specification recites 
Returning to decision block 574, if the domain was not locally blocked, then the domain is allowed and there is no reputation issue. In that case, in block 584, the domain is resolved and no further issues are identified. Further traffic with this IP address that has been resolved from the domain name may in the future be handled via native IP stack 312.

Thus, the Examiner finds the Specification supports future traffic with an IP address resolved from a domain name is handled via native IP stack item 312.  
Paragraphs 288 and 291 further support the Examiner’s finding.  Notably, paragraph 288 of the Specification recites “direct a second portion of the outgoing traffic to the native IP stack.”  Paragraph 291 of the Specification recites “wherein directing the second portion comprises determining that the second portion includes a fully-resolved destination IP address.”  
Moreover, paragraphs 306 and 308 also further support the Examiner’s finding.  Notably, paragraph 306 of the Specification recites “designate a second class of traffic for handling via a native internet protocol (IP) stack.”  Paragraph 308 of the Specification recites “wherein designating the second class comprises determining that at least some of the traffic includes a fully-resolved destination IP address.”
Moreover, original claim 4 recites “wherein directing the second portion comprises determining that the second portion includes a fully-resolved destination IP address.”
Thus, the Specification supports directing an outgoing network packet to a native IP stack upon determining the second portion of the outgoing network packet includes a destination IP address—not a domain name—that was previously resolved.  
Therefore, claim 1 reciting “directing the outgoing network packet to the native IP stack upon determining that the outgoing network packet is directed to a domain name that was previously resolved” was not described in the Specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor at the time the application was filed, had possession of the claimed invention.  Claim 12 by analogy.
Accordingly, claims 1–18 are rejected under 35 U.S.C. § 112(a) as failing to comply with the written description requirement.1
Response to Arguments
Applicants’ arguments with respect to the rejection of claims 1, 2, 9, 12, 13, and 20 under 35 U.S.C. § 103 as being obvious over Parla et al. (US 9,455,909 B2; filed Sept. 1, 2015) in view of Chien (US 9,015,090 B2; filed Aug. 14, 2013) (see Response 6–7) have been considered but are moot.

Claim Rejections – 35 U.S.C. § 1032
Claims 1, 3, 4, 6, and 7 are rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Bryson et al. (US 2006/0056297 A1; filed Jan. 7, 2005).
Regarding claim 1, while Parla teaches a computing apparatus (fig. 1, mobile device item 100; fig. 3, item 300), comprising: 
a hardware platform comprising a processor (fig. 3, item 304) and a memory (fig. 3, item 306);  
a network interface (fig. 3, item 318);  
an operating system (Parla at least suggests mobile device item 100 includes an operating system);  and 
a security agent (fig. 3, item 310; “storage device 310, such as a magnetic disk, optical disk, and/or flash storage, is provided and coupled to bus 302 for storing information and instructions” at 8:59–61), comprising instructions encoded within the memory to instruct the processor to: 
establish a split virtual private network (VPN) tunnel (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59) with a remote VPN service;  
receive an outgoing network packet (“DNS traffic is routed to the appropriate tunnel associated with the sub-domain” at 3:33–34; “Such traffic is retrieved by the VPN client 130 and then tunneled.  Any other traffic is routed to the depicted physical IP interface 132 and sent in the clear (e.g., not via an encrypted tunnel)” at 4:8–11; “the mobile device 100 employs the route table 128 to determine how to route outbound packets and handle inbound packets” at 4:25–27); and
upon determining that the outgoing network packet includes an outgoing domain name service (DNS) request (“the VPN client 130 intercepts and modifies DNS requests and responses for the first network and the second network. For example, a first DNS request . . . is intercepted by VPN client 130.” at 5:13–18; “The VPN client 130 intercepts a second Domain Name System (DNS) request” at 5:33–34), direct the outgoing network packet to a DNS resolver (fig. 1, first tunnel item 102 and “The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102. The VPN client 130 receives a response to the first DNS request from the first tunnel 102. The response to the DNS request comprises a first service IP address associated with the first network.” at 5:18–24; fig. 1, second tunnel item 104 and “The VPN client 130 forwards the second DNS request onto the second tunnel 104. The VPN client 130 receives a response to the second DNS request from tunnel 104. The response to the second DNS request comprises a second service IP address associated with the second network 110.” at 5:36–41),
Parla does not teach (A) the operating system comprising a native internet protocol (IP) stack; and (B) upon determining that the outgoing network packet is directed to a domain name that was previously resolved, directed the outgoing network packet to the native IP stack.
Bryson teaches a native IP stack (“local TCP/IP stack” at ¶ 241); and
upon determining that an outgoing network packet (fig. 3, item 102; “packet” at ¶¶ 163, 241) is directed to an IP address (“destination IP address” at ¶ 241) that was previously resolved (“a local IP address assigned to the device” at ¶ 241), directed the outgoing network packet to the native IP stack (“The packet is sent to the local TCP/IP stack . . . if the destination IP address corresponds to a local IP address assigned to the device” at ¶ 241).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla’s operating system to comprise a native IP stack and for Parla’s outgoing network packet to be directed to the native IP stack upon determining that the outgoing network packet is directed to an IP address that was previously resolved as taught by Bryson “for controlling traffic between different entities on a network.”  Bryson ¶ 1.
Parla teaches a domain name (2:61; 4:12–24).  Although the Parla/Bryson combination teaches directing the outgoing network packet to the native IP stack upon determining that the outgoing network packet is directed to an IP address that was previously resolved, it would have been obvious to substitute Bryson’s IP address with Parla’s domain name since “the substitution of one known element for another yields predictable results to one of ordinary skill in the art.”  MPEP § 2143(I)(B).
Regarding claim 3, Parla teaches wherein the apparatus is a mobile computing device (fig. 1, mobile device item 100; fig. 3, item 300). 
Regarding claim 4, the Parla/Bryson combination teaches wherein directing the second portion comprises determining that the second portion includes a fully resolved destination IP address (Bryson ¶ 241).
Regarding claim 6, Parla teaches wherein the instructions are further to 
identify a class of traffic (“a first DNS request for a sub-domain associated with a first FQDN associated with the first network (e.g., finances.company.com)” at 5:15–18; “a second Domain Name System (DNS) request for a sub-domain associated with a second FQDN associated with the second network (e.g., Oracle.BizApp.Com)” at 5:33–36) for tunneling, and direct all packets of the class 
to the VPN tunnel (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59). 
Regarding claim 7, Parla teaches wherein the instructions are further to 
receive a DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a response to the second DNS request from tunnel 104.” at 5:37–39) via the VPN tunnel. 

Claim 2 is rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Bryson, and in further view of Li et al. (US 2019/0132288 A1; filed May 2, 2019).
Regarding claim 2, while the Parla/Bryson combination at least suggests the operating system (Parla at least suggests mobile device item 100 includes an operating system), 
the Parla/Bryson combination does not teach the operating system being a closed operating system. 
Li teaches a closed operating system (¶ 24).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Bryson combination’s operating system to be a closed operating system as taught by Li for “us[ing] code that is proprietary and kept secret to prevent its use by other entities, with only limited APIs made accessible to third party software developers.”  Li ¶ 24.

Claim 5 is rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Bryson, and in further view of Chen et al. (US 11,057,404 B2; filed Apr. 19, 2019).
Regarding claim 5, while the Parla teaches determining that the first portion includes an outgoing DNS request (“DNS requests are routed to the VPN tunnel to the first predefined concentrator” at 3:34–36; “The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102” at 5:18–21; “The VPN client 130 forwards the second DNS request onto the second tunnel 104.” at 5:36–37), 
the Parla/Bryson combination does not teach the determining comprises determining that a destination port is 53.
Chen teaches determining that a destination port is 53 (“determining that the data packet is a UDP packet and that the destination port is 53” at 5:42–43).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Bryson combination’s determining to comprise determining that a destination port is 53 as taught by Chen “for defending against a DNS attack.”  Chen 4:63–64.

Claims 8 and 9 are rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Bryson, and in further view of Clarke et al. (US 10,897,475 B2; filed Aug. 1, 2017).
Regarding claim 8, while Parla teaches the DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a response to the second DNS request from tunnel 104.” at 5:37–39),
the Parla/Bryson combination does not teach wherein the DNS response includes extended DNS data.
Clarke teaches extended DNS data (“OPT pseudo-resource records (RRs)” at 7:12-13; “the OPT RR of DNS query 304” at 7:67–8:1; “reply OPT RRs in DNS response 306 sent back to node A” at 12:5–6).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Bryson combination’s DNS response to include extended DNS data as taught by Clarke “for network policy control.”  Clarke 1:8.
Regarding claim 9, Clarke teaches wherein the extended DNS data include 
an OPT pseudo-resource record (“OPT pseudo-resource records (RRs)” at 7:12-13; “the OPT RR of DNS query 304” at 7:67–8:1; “reply OPT RRs in DNS response 306 sent back to node A” at 12:5–6).

Claims 12–15 are rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Song et al. (US 2019/0372937 A1; filed May 31, 2018), and in further view of Bryson.
Regarding claim 12, while Parla teaches one or more tangible, non-transitory computer readable storage media (fig. 1, mobile device item 100; fig. 3, items 300, 306) having stored thereon executable instructions to: 
establish a virtual private network (VPN) (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59 with VPN client item 130);  
intercept outgoing network traffic (“DNS traffic is routed to the appropriate tunnel associated with the sub-domain” at 3:33–34; “Such traffic is retrieved by the VPN client 130 and then tunneled.  Any other traffic is routed to the depicted physical IP interface 132 and sent in the clear (e.g., not via an encrypted tunnel)” at 4:8–11) of a device (fig. 1, item 100);  
designate a first class of packets (“certain traffic (e.g., traffic targeted to specific networks)” at 4:5–6; “Such traffic is retrieved by the VPN client 130 and then tunneled” at 4:8–9) for tunneling via the VPN to a DNS resolver (fig. 1, first tunnel item 102 and “The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102. The VPN client 130 receives a response to the first DNS request from the first tunnel 102. The response to the DNS request comprises a first service IP address associated with the first network.” at 5:18–24; fig. 1, second tunnel item 104 and “The VPN client 130 forwards the second DNS request onto the second tunnel 104. The VPN client 130 receives a response to the second DNS request from tunnel 104. The response to the second DNS request comprises a second service IP address associated with the second network 110.” at 5:36–41); and 
wherein the first class includes outgoing domain name service (DNS) 
lookup requests (“The response to the DNS request comprises a first service IP address associated with the first network.” at and “The response to the second DNS request comprises a second service IP address associated with the second network 110.” at 5:13–49),,
Parla does not teach, in italics, (A) the establishing the VPN with a VPN provider; (B) designate a second class of traffic for handling via a native internet protocol (IP) stack, the second class includes packets directed to a domain name that was previously resolved.
(A)
Song teaches establishing a VPN with a VPN provider (¶ 48).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla’s established VPN to be with a VPN provider as taught by Song “for split network tunneling based on traffic inspection.”  Song ¶ 30.
(B)
Bryson teaches designating a second class of traffic (fig. 3, item 102; “packet” at ¶¶ 163, 241) for handling via a native IP stack (“The packet is sent to the local TCP/IP stack . . . if the destination IP address corresponds to a local IP address assigned to the device” at ¶ 241), the second class includes packets directed to an IP address (“destination IP address” at ¶ 241) that was previously resolved (“a local IP address assigned to the device” at ¶ 241).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla’s traffic to include a second class of traffic for handling via a native IP stack, the second class includes packets directed to a domain name that was previously resolved as taught by Bryson “for controlling traffic between different entities on a network.”  Bryson ¶ 1.
Parla teaches a domain name (2:61; 4:12–24).  Although the Parla/Bryson combination teaches directing the outgoing network packet to the native IP stack upon determining that the outgoing network packet is directed to an IP address that was previously resolved, it would have been obvious to substitute Bryson’s IP address with Parla’s domain name since “the substitution of one known element for another yields predictable results to one of ordinary skill in the art.”  MPEP § 2143(I)(B).
Moreover, because the Parla/Bryson combination teaches designating a first class of packets and a second class of traffic from the outgoing network traffic for reasons indicated above, the Parla/Bryson combination then teaches bifurcating the outgoing network traffic.
Regarding claim 13, Parla teaches wherein instructions are further to receive a DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a response to the second DNS request from tunnel 104.” at 5:37–39), parse a domain name reputation (“the VPN client 130 receives a packet from the first tunnel 102 with a source address matching the first service IP address” at 6:43–45; “a first service IP address associated with the first network” at 5:24; “When a response is received for the DNS request for sub-domains that are not associated to one of tunnels 102 or 104” at 6:58–60) from the DNS response, and act on the reputation (“the VPN client 130 replaces the source address of the packet received from the first tunnel 102 with the first dummy IP address and forwards the first packet with the first dummy IP address as the source address.” at 6:45–48; “the DNS response is forwarded unmodified and the VPN client does not associate a dummy service IP address to the address in the DNS response.  Thus, the route table 128 will route traffic for non-tunneled networks to IP interface 132.” at 6:60–64). 
Regarding claim 14, Parla teaches wherein the instructions are further to parse a domain name category (“a source address matching the first service IP address” at 6:43–45; “a first service IP address associated with the first network” at 5:24) from the DNS response. 
Regarding claim 15, Parla teaches wherein the domain name category indicates that a domain belongs to a class of traffic (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23) that should be fully tunneled via the VPN. 

Claim 16 is rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Song, in further view of Bryson, and in further view of Wang et al. (US 7,756,987 B2; filed Apr. 4, 2007).
Regarding claim 16, while Parla teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23),
the Parla/Song/Bryson combination does not teach the domain is a typo squatting domain.
Wang teaches a typo squatting domain (1:66–2:10).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Song/Bryson combination’s domain to be a typo squatting domain as taught by Wang to “allow a parent to protect a child’s web browsing activities, [and to] allow a website owner to systematically monitor cybersquatting activities against a website.”  Wang 2:8–10.

Claims 17 and 18 are rejected under 35 U.S.C. § 103 as being obvious over Parla in view of Song, in further view of Bryson, and in further view of Mahjoub et al. (US 10,740,363 B2; filed Nov. 26, 2018).
Regarding claim 17, while Parla teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23),
the Parla/Song/Bryson combination does not teach the domain hosts illegal content.
Mahjoub teaches a domain hosting illegal content (“a domain hosts illegal material, hate speech, pornography, material related to drugs or alcohol, or otherwise objectionable material that a subscriber does not wish to access or permit access to” at 6:60–63).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Song/Bryson combination’s domain to host illegal content as taught by Mahjoub “so that domains that are malicious or associated with malicious activity can be identified” and users can be protected from those domains.  Mahjoub 2:49–50.
Regarding claim 18, while Parla teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23),
the Parla/Song/Bryson combination does not teach the domain is for a website with questionable privacy terms.
Mahjoub teaches a domain for a website with questionable privacy terms (“a domain hosts illegal material, hate speech, pornography, material related to drugs or alcohol, or otherwise objectionable material that a subscriber does not wish to access or permit access to” at 6:60–63).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla/Song/Bryson combination’s domain to be for a website with questionable privacy terms as taught by Mahjoub “so that domains that are malicious or associated with malicious activity can be identified” and users can be protected from those domains.  Mahjoub 2:49–50.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicants’ disclosure: US-8284774-B2; US-20130254425-A1; US-20110191455-A1.
Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicants are reminded of the extension of time policy as set forth in 37 C.F.R. § 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to § 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to DAVID P. ZARKA whose telephone number is (703) 756-5746.  The Examiner can normally be reached Monday–Friday from 9:30AM–6PM ET.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Vivek Srivastava, can be reached at (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://portal.uspto.gov/external/portal.  Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, Applicants are encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
/DAVID P ZARKA/PATENT EXAMINER, Art Unit 2449


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 The Examiner recommends amending claim 1 to recite “upon determining that the outgoing network packet is directed to a destination IP address that was previously resolved, direct the outgoing network packet to the native IP stack.”  The Examiner further recommends amending claim 12 to recite “and the second class includes packets directed to a destination IP address that was previously resolved.”  The Examiner further recommends cancelling dependent claim 4.
        
        2 The Examiner notes claims 10 and 11 are not rejected under 35 U.S.C. § 103 in the instant Office action.  See also Office action 15–16, mailed Jan. 19, 2022.