Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to the amendment filed 6/19/2020. Claims 1, 4, 6, 8, 10, 11, 13, 15, 17, 18, 20, 22-24, and 26-29 are pending.  Claim 1 is amended. Claims 1 (a method), 8 (a device), and 15 (a non-transitory CRM) are independent.

Response to Arguments
Applicant's arguments filed 02/04/2022 have been fully considered but they are not persuasive. 
On page 10 of the response, Applicant states that “Keralapura [makes] no mention of creating entries in traffic reports based on determining whether data packets correspond to the claimed “TCP session.””
This argument is not persuasive.  Keralapura clearly states:
(“a flow (e.g., a TCP flow) between two network hosts (e.g., a client and a server in a client-server application scenario) is a series of data records (referred to as packets or data packets, e.g., IP packets) regarding the communication between the two network hosts engaged in an Internet transaction. … is uniquely defined by a 5-tuple identifier (i.e., source address, destination address, source port, destination port, and transport protocol).” Keralapura col. 3, ln. 37)
(“a flow consists of one or more packets having the same 5-tuple identifier, aggregate based on sequence information contained in the headers of the packets, and transmitted within a defined time window…. Termination (or completion) of the flow may be marked by a TCP packet flag (e.g., “connection reset” or “fin”) or if a time-out condition occurs when no more packet having the 5-tuple identifier is transmitted in the sequence beyond a pre-determined time-out period since the last transmitted packet in the flow. This time-out period may be heuristically determined by the application and is generally set at 2 min.” Keralapura col. 3, ln. 53).
The flow of Keralapura is analogous to the claimed TCP session as defined by Applicant’s specification ¶ 23, which extracts IP addresses to determine correspondence with a TCP session. Where the TCP session is distinct from other TCP sessions with identical client/server IP addresses in a different time period - the time-out period of Keralapura – termed a reporting period in Applicant’s specification ¶ 24.  Neither Applicant’s claims nor Applicant’s specification contain descriptions that would distinguish the “flow” of Keralapura from the claimed session and the terms appear to be analogous in use and in functionality. 

Applicant further argues that Keralapura does not disclose “’recreating a record for the IP address based on a predetermined reporting period,’ on a condition that the data packets do not correspond to the TCP session.” 
This argument is not persuasive.  Keralapura clearly discloses “creating a record for the IP address based on a predetermined reporting period”: 
(“a flow consists of one or more packets having the same 5-tuple identifier, aggregate based on sequence information contained in the headers of the packets, and transmitted within a defined time window…. Termination (or completion) of the flow may be marked by a TCP packet flag (e.g., “connection reset” or “fin”) or if a time-out condition occurs when no more packet having the 5-tuple identifier is transmitted in the sequence beyond a pre-determined time-out period since the last transmitted packet in the flow. This time-out period may be heuristically determined by the application and is generally set at 2 min.” Keralapura col. 3, ln. 53).
As previously noted, Keralapura does not explicitly disclose recreating ... on a condition that the data packets do not correspond to [another] TCP session.  
While Keralapura does disclose that sessions have timeouts, Keralapura does not explicitly disclose the act of checking (the claimed “on a condition”) that the packet belongs to a session that has not timed out. (Keralapura col. 3, ln. 53, discussing that sessions end at timeout).
	See the newly cited Joch reference regarding starting/ending sessions, particularly: (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75. recreating).

	Applicant’s further arguments are moot in view of the newly formulated combination.

	Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 24 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends.  Claim 24 depends on canceled claim 3.  Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 6, 8, 10, 11, 13, 15, 17, 18, 20, 22-24, and 26-29 is/are rejected under 35 U.S.C. 103 as being unpatentable over Keralapura et al., US 8,819,227 (filed 2012-03) in view of Miller et al., US 2003/0093438 (filed 2001-11), and Joch et al., US 2017/0237777 (filed 2017-02).

As to claims 1, 8, and 15, Keralapura discloses a method/CRM comprising:
a networking device having at least one data processor, the method comprising: 
receiving, by the at least one data processor and from a remote computing device (“the data collector (102) is configured to obtain network traffic flows (e.g., flows (113), flows (114), flows (115), flows (115 b), etc.)” Keralapura col. 5, ln. 26), one or more data packets (“the collected traffic data is reconstructed to represent data packets of a flow in an appropriated order (e.g., based on sequence information in the headers)” Keralapura col. 5, ln. 35) related to a request for web content; (Keralapura col. 5, ln. 13, HTTP command…)

on a condition that the one or more data packets include a DNS reply: (“the DNS response sniffer that decodes the DNS responses, and maintains a local data structure referred to as the DNS resolver (155).” Keralapura col. 6, ln. 54)
extracting, by the at least one data processor and from the DNS reply, (“the DNS resolver (155) is configured to (i) store information about domain names that were queried by a client IP and (ii) find which server IP addresses it can eventually contact for the requested resources.” Keralapura col. 7, ln. 50) a [FQDN] and at least one key; (“the DNS resolver (155) includes a cache (124) that responds to an input client IP/server IP pair with the most recent FQDNs.” Keralapura col. 7, ln. 58.)
storing, by the at least one data processor, a DNS record including the [FQDN] and the at least one key in a DNS cache memory; and (“the DNS resolver (155) includes a cache (124) that responds to an input client IP/server IP pair with the most recent FQDNs.” Keralapura col. 7, ln. 58)
including, by the at least one data processor, the DNS record in the network traffic flow report; (“The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair). The DNS resolver (155) looks up its own cache (124) to see if it has a mapping for the requested 5-tuple identifier or client IP/server IP pair. If it finds a mapping then the flow information is augmented with the server FQDN and stored in the tagged flow database (121).” Keralapura cols. 6-7, bridging paragraph.)
wherein the DNS cache memory includes prioritized cache memory, wherein the DNS record stored in the DNS cache memory is given priority over conflicting DNS information stored in the DNS cache memory, (“DNS resolver (155) of FIG. 1 includes a cache (124) that responds to an input client IP/server IP pair and returns the most recently logged FQDNs.” Keralapura cols 12-13, bridging paragraph.) … an older request for the web content; (“from where the server IP keys 213.254.17.14 and 213.254.17.17 point to the most recent FQDN entry itunes.apple.com in the Clist (301)…. server IP keys 216.74.41.8, 216.74.41.10, and 216.74.41.12 point to the most recent FQDN entry data.flurry.com in the Clist (301)” Keralapura col. 13, ln. 15. Multiple entries for multiple prior requests.)
on a condition that the one or more data packets do not include the DNS reply:  
determining whether the one or more data packets correspond to a Transmission Control Protocol (TCP) (“a flow (e.g., a TCP flow) between two network hosts (e.g., a client and a server in a client-server application scenario) is a series of data records (referred to as packets or data packets, e.g., IP packets) regarding the communication between the two network hosts engaged in an Internet transaction. … is uniquely defined by a 5-tuple identifier (i.e., source address, destination address, source port, destination port, and transport protocol).” Keralapura col. 3, ln. 37.  Flows may be other protocols such as UDP, Kelapura col. 4, ln. 18) session (“a flow consists of one or more packets having the same 5-tuple identifier, aggregate based on sequence information contained in the headers of the packets, and transmitted within a defined time window…. Termination (or completion) of the flow may be marked by a TCP packet flag (e.g., “connection reset” or “fin”) or if a time-out condition occurs when no more packet having the 5-tuple identifier is transmitted in the sequence beyond a pre-determined time-out period since the last transmitted packet in the flow. This time-out period may be heuristically determined by the application and is generally set at 2 min.” Keralapura col. 3, ln. 53) based on an Internet Protocol (IP) address associated with the one or more data packets; (“Each flow is referred to as attached to each of the two hosts and is uniquely defined by a 5-tuple identifier (i.e., source address, destination address, source port, destination port, and transport protocol)…. within a defined time window” Keralapura col. 3, ll. 46-56)
…. TCP session (Keralapura col. 3, ll. 46-56. A flow is a TCP session)

KL3 3288378 1-2-querying the DNS cache based on the IP address; and (“The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair). The DNS resolver (155) looks up its own cache (124) to see if it has a mapping for the requested 5-tuple identifier or client IP/server IP pair. If it finds a mapping then the flow information is augmented with the server FQDN and stored in the tagged flow database (121).” Keralapura cols. 6-7, bridging paragraph.)
creating, based on querying the DNS cache, a new entry related to the TCP session in the network traffic flow report, wherein the new entry includes at least one of the IP address, time, and DNS name information; and  (“The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair). The DNS resolver (155) looks up its own cache (124) to see if it has a mapping for the requested 5-tuple identifier or client IP/server IP pair. If it finds a mapping then the flow information is augmented with the server FQDN and stored in the tagged flow database (121).” Keralapura cols. 6-7, bridging paragraph.)

… TCP session (“Examples of layer-four protocols include TCP, UDP, etc.” Keralapura col. 4, ln. 17. “a flow consists of one or more packets having the same 5-tuple identifier, aggregate based on sequence information contained in the headers of the packets, and transmitted within a defined time window…. Termination (or completion) of the flow may be marked by a TCP packet flag (e.g., “connection reset” or “fin”) or if a time-out condition occurs when no more packet having the 5-tuple identifier is transmitted in the sequence beyond a pre-determined time-out period since the last transmitted packet in the flow. This time-out period may be heuristically determined by the application and is generally set at 2 min.” Keralapura col. 3, ln. 53) ….

creating a record for the IP address (“The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair).” Keralapura cols. 6-7, bridging paragraph.)


Keralapura does not explicitly disclose:
(claim 8) a communications interface configured to route data to and from a remote computing device; and
query host value
and wherein the conflicting DNS information is associated with an older request for the web content; and
on a condition that the data packets correspond to a … session: 
on a condition that the data packets do not correspond to the …  session: 
recreating a record for the … based on a predetermined reporting period.

Miller discloses:
query host value (“ DNS is a system that translates human recognizable hostnames into numbers, and numbers back into hostnames. For example, the name www.miningworks.com translates to the IP address 207.5.180.163. Numeric addresses can also be translated by the DNS system to find their corresponding hostnames. This process is called DNS resolution. Forward resolution finds the numeric IP address that corresponds to a given name. Reverse resolution finds the name that corresponds to a given numeric IP address.” Miller ¶ 3, a query host value being the “hostname” in a DNS system.)
and wherein the conflicting DNS information is associated with an older request for the web content; and (“add DNS data to the detailed central database (1) if it is new data, and to change data in the detailed central database (1) if it is changed data. Preferably, deleted data is retained in the detailed central database (1) for archival use.” Miller ¶ 72. See Miller ¶¶ 80-84 discussing DNS changes.)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Keralapura with Miller by storing DNS hostnames and accommodating changed DNS entries due to changes in received responses.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Keralapura with Miller in order to build a reverse-DNS lookup database that accommodates changes in the DNS system, Miller ¶ 81.

Keralapura in view of Miller does not disclose:
(claim 8) a communications interface configured to route data to and from a remote computing device; and
on a condition that the data packets correspond to a … session: 
on a condition that the data packets do not correspond to the …  session: 
recreating a record for the … based on a predetermined reporting period.

Joch discloses:
(“The sessionization estimates a media session, including assigning media traffic between a subscriber and a media service (service session traffic) to individual media sessions.”Joch ¶ 73)
(claim 8) a communications interface configured to route data to and from a remote computing device; and (“The monitoring system 106 may include one or more monitoring devices (not shown) that inspect packets on network interfaces of network 110 being monitored. The monitoring devices may be incorporated into an “in-line” device between server(s) 102 and media client(s) 104. For example, a monitoring device may be a router or deep-packet inspection device” Joch ¶ 32)
on a condition that the data packets correspond to a … session: (“Once the end or start time of a media session is determined, application-layer data having an associated time that falls between the start and end time of the media session is associated to the media segment.” Joch ¶ 74)
on a condition that the data packets do not correspond to the …  session: (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75)
recreating a record (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75. recreating) for … based on a predetermined reporting period. (“If the media traffic inactivity period (period of no media traffic between slices) is greater than a second predetermined threshold (e.g., five minutes) or the media time slice is the first time slice for that subscriber or media service, then mark that time slice as “session start”
….
If the media traffic inactivity period is greater than a fourth predetermined threshold that is smaller than the second or third predetermined thresholds (e.g., 30 seconds) then mark that time slice as “session start”” Joch ¶¶ 97-100)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Keralapura in view of Miller with Joch by incorporating the sessionization of Joch for the various flow types of Keralapura (col. 4, ln. 17).  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Keralapura in view of Miller with Joch in order to provide the session tracking mentioned but not described in Keralapura col. 3, ll. 53-56 (flow).  Where session tracking provides benefits such as distinguishing among users and determining attributes of user sessions: (“associating application-layer data of the media traffic to a media session” Joch ¶ 8)


As to claims 10 and 17, Keralapura in view of Miller and Joch discloses the method/device/CRM of claims 8, and 15 and further discloses:
wherein the DNS cache memory includes prioritized cache memory, wherein the DNS record stored in the DNS cache memory is given priority over conflicting DNS information stored in the DNS cache memory, (“DNS resolver (155) of FIG. 1 includes a cache (124) that responds to an input client IP/server IP pair and returns the most recently logged FQDNs.” Keralapura cols 12-13, bridging paragraph.) and wherein the conflicting DNS information is associated with an older request for the web content; and (“add DNS data to the detailed central database (1) if it is new data, and to change data in the detailed central database (1) if it is changed data. Preferably, deleted data is retained in the detailed central database (1) for archival use.” Miller ¶ 72. See Miller ¶¶ 80-84 discussing DNS changes.)  an older request for the web content; (“from where the server IP keys 213.254.17.14 and 213.254.17.17 point to the most recent FQDN entry itunes.apple.com in the Clist (301)…. server IP keys 216.74.41.8, 216.74.41.10, and 216.74.41.12 point to the most recent FQDN entry data.flurry.com in the Clist (301)” Keralapura col. 13, ln. 15. Multiple entries for multiple prior requests.)


As to claims 4, 11, and 18, Keralapura in view of Miller and Joch discloses the method/device/CRM of claims 1, 8, and 15 and further discloses:
wherein the at least one key includes at least one of an 'A', (the record type of ‘A’ is an IPv4 address, whereas an ‘AAAA’ is an IPv6 address.  Kefralapura Fig. 3A shows an IPv4 address; which is, by convention, an ‘A’ record.) an 'AAA', or a 'CNAME' record, and wherein the DNS name information is associated with the web content at the time of the request, further comprising: storing the DNS name information in the network traffic flow report. (“The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair). The DNS resolver (155) looks up its own cache (124) to see if it has a mapping for the requested 5-tuple identifier or client IP/server IP pair. If it finds a mapping then the flow information is augmented with the server FQDN and stored in the tagged flow database (121).” Keralapura cols. 6-7, bridging paragraph.)

As to claims 6, 13, and 20, Keralapura in view of Miller and Joch discloses the method/device/CRM of claims 1, 8, and 15 and further discloses:
The method of claim 1, further comprising: extracting the IP address from the one or more data packets (“builds a replica of the local DNS module caches on the client devices by sniffing messages exchanged between client IP addresses with the DNS name server during the recursive address resolution process” Keralapura col. 7, ln. 53. And then later: “the flow tagger (152) queries the DNS resolver (155) for a FQDN based on the 5-tuple identifier or client IP/server IP pair of the subsequent flow.” Keralapura col. 7, ln. 15)

 As to claims 22 and 27, Keralapura in view of Miller and Joch discloses the method/device of claims 1 and 8 and further discloses:
(Note that “correspond to the TCP session” is interpreted to mean corresponds to a TCP packet.  This is necessary as a given packet cannot “correspond” to a TCP session AND be a new TCP session.  In other words, if a given TCP packet corresponds to a session, said session must pre-exist the packet and cannot be newly established by said packet.)
wherein if the one or more data packets correspond to the TCP (Keralapura col. 3, ll. 46-56. A flow is a TCP session) session (“The sessionization estimates a media session, including assigning media traffic between a subscriber and a media service (service session traffic) to individual media sessions.”Joch ¶ 73): extracting the TCP session parameters (Keralapura cols. 6-7, bridging paragraph. As cited in claim 1), and determining whether the TCP session is for a new connection. (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75)

As to claims 23 and 28, Keralapura in view of Miller and Joch discloses the method/device of claim 22 and 27 and further discloses:
if a time of the record for the IP address exceeds a predetermined reporting period (“If the media traffic inactivity period (period of no media traffic between slices) is greater than a second predetermined threshold (e.g., five minutes) or the media time slice is the first time slice for that subscriber or media service, then mark that time slice as “session start”
….
If the media traffic inactivity period is greater than a fourth predetermined threshold that is smaller than the second or third predetermined thresholds (e.g., 30 seconds) then mark that time slice as “session start”” Joch ¶ 97), recreating the record (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75. recreating) for the IP address. (“(e.g., the client IP/server IP pair).” Keralapura cols. 6-7, bridging paragraph.)

As to claim 24, Keralapura in view of Miller and Joch discloses the method/device of claim 3 and further discloses:
mining the DNS cache memory in reverse order to recover additional DNS information associated with a time of the web request; (“DNS resolver (155) of FIG. 1 includes a cache (124) that responds to an input client IP/server IP pair and returns the most recently logged FQDNs.” Keralapura cols 12-13, bridging paragraph.) and including the additional DNS information in the network traffic flow report. (“When a data flow is reconstructed by the flow sniffer (151), it is passed on to the flow tagger (152). The flow tagger (152) queries the DNS resolver (155) to tag the incoming flow referenced by the 5-tuple identifier or a portion thereof (e.g., the client IP/server IP pair).” Keralapura col. 6, ln. 63. See claim 1 for the generated report.)

As to claims 26 and 29, Keralapura in view of Miller and Joch discloses the method/machine of claims 1 and 8 and further discloses:
wherein on a condition that the one or more data packets do not correspond (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75) the TCP session: (“Examples of layer-four protocols include TCP, UDP, etc.” Keralapura col. 4, ln. 17.)
closing a record for the IP address if a last time the IP address was active was a long time ago; and (“When an interaction that is newly classified as “session start” is detected using the algorithm described with reference to FIG. 3, then the last interaction before the interaction classified as “session start” is determined to be the end of the previous session” Joch ¶ 75)
updating traffic counters for the IP address (“Accordingly, the collected traffic data is reconstructed to represent data packets of a flow in an appropriated order (e.g., based on sequence information in the headers)” Keralapura col. 5, ln. 35, the sequence information being in the 5-tuple that includes the IP addresses of the client/server) if the last time the IP address was active was relatively recently. (“Once the end or start time of a media session is determined, application-layer data having an associated time that falls between the start and end time of the media session is associated to the media segment.” Joch ¶ 74)


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892; particularly:
	Dillon, US 11,252,089, discloses a IP flow based classifier with domain name awareness. 
	Jensen, US 9,021,085, discloses caching DNS responses at a web filter for blocking future user requests by reverse DNS mapping the future user request IP addresses. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MICHAEL W CHAO/Examiner, Art Unit 2492