Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 07/07/2020 was filed before the mailing date of this office action.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1, 8-9 and 16-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US-PGPUB No. 2021/0092095 A1 to Kim et al. (hereinafter “Kim”).
Regarding claim 1: 
Kim discloses:
A non-transitory computer-readable medium storing computer-executable instruction, and in response to execution by one or more processors, the computer-executable instructions cause the one or more processors to perform the steps of: 
establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including the one or more processors and a remote node, and wherein the control channel includes a session identifier (see ¶41: “… a machine-readable medium having instructions that may be used to program a computing device … to establish control flows, node flows and, application flows, and facilitate secure transmission of data between nodes.”, 
¶148: “An encrypted control flow may be established between the trusted source node and the controller.”, and 
¶127: “… the controller … may send an authentication session ID … to the trusted source node”); 
establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier (see ¶56: “… a secure node flow may be established between a source node and a gateway. A controller may establish the node flow …”, 
¶84: “A node flow may include an IPSec encrypted tunnel between a trusted node and a trusted perimeter gateway or with another trusted node where data is securely exchanged.”,  
¶127: “… the controller … may send an authentication session ID … to the trusted source node”, 
¶57: “… application flows may be established between the source node and destination node. Data may be securely and efficiently transmitted between the source node and destination node via the application flow.”, and 
¶169: “The application flow may be a data channel between a source node application and a destination node/destination gateway.”); 
performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier (see ¶80: “An element may include an authentication server that may be responsible for the authorization of additional devices in the network.”,  
¶172: “… the control flow can provide secure transmission of the terminal security information. Authentication requests (e.g., sending a user ID and passwords to an authentication server and receiving the results) may provide secure transmission of security information.”, and  
¶109: “… controller … may send user request credentials … (e.g., a user identifier…) to an authentication server …”); and 
subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier (see ¶118: “A trusted source node … may transmit a data packet … to a gateway … The data packet … may include IPSec and a flow ID. The security application on the trusted source node …  may add the flow ID and encrypt the packet using the keys provided … This encrypted packet may be sent to the target gateway.”).  

Regarding claim 8:
Kim discloses:
The non-transitory computer-readable medium of claim 1, wherein one or more of the data packets further include an application identifier mapped from a local user device connected to the remote node (see Kim ¶184: “An application flow ID … may be used to identify the application flow created between the source node and the destination node.”).

Regarding claim 9:
Kim discloses: 
A node comprising: 
a network interface, a data store, and a processor communicatively coupled to one another (see Kim ¶275: “The processing system … can include one or more central processing units (“processors”), …  network adapter … (e.g., network interface), …  drive unit … including a storage medium … and signal generation device 3230 that are communicatively connected to a bus”); 
In addition to the above limitation, claim 9 substantially recites the same limitations as claim 1 in the form of a memory storing computer instructions to implement the corresponding functionalities; therefore it is rejected under the same rationale.

Regarding claim 16:
Claim 16 substantially recites the same limitation as claim 8 in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore it is rejected under the same rationale.

Regarding claim 17:
Claim 17 substantially recites the same limitation as claim 1 in the form of a method to implement the corresponding functionalities; therefore it is rejected under the same rationale.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 2-3, 10-11 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kim, and further in view of US-PGPUB No. 2019/0349337 A1 to Glazemakers et al. (hereinafter “Glazemakers”).
Regarding claim 2:
Kim discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Glazemakers:
wherein the first encryption technique is one of Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the second encryption technique is one of TLS and Datagram Transport Layer Security (DTLS) (see Glazemakers ¶115: “…  may implement security protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) …”, and  
¶42: “The data travelling in the TUNNEL … may further be protected by encryption, such as according to the Internet Protocol Security (or “IPsec protocol,”) Transport Layer Security (or “TLS”) and/or Datagram Transport Layer Security (or “DTLS”).”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Kim to incorporate the functionality of the system that implements different protocols to establish secure connections, using SSL/TLS, and to encrypt the data traveling in the tunnel, using TLS/DTLS, as disclosed by Glazemakers. Such modification would allow the system to provide communications privacy over networks using SSL, to guarantee privacy and data integrity using TLS, and to secure applications that are delay sensitive using DTLS.

Regarding claim 3:
The combination of Kim and Glazemakers discloses:
The non-transitory computer-readable medium of claim 2, wherein the first encryption technique is always a same one of TLS and SSL, and the second encryption technique is selected as the one of TLS and DTLS based on support of the remote node (see Glazemakers ¶115: “…  may implement security protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) …”, and  
¶42: “The data travelling in the TUNNEL … may further be protected by encryption, such as according to the Internet Protocol Security (or “IPsec protocol,”) Transport Layer Security (or “TLS”) and/or Datagram Transport Layer Security (or “DTLS”).”).  

Regarding claims 10 and 11:
Claims 10 and 11 substantially recite the same limitations as claims 2 and 3, respectively, in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore they are rejected under the same rationale.

Regarding claim 18:
Claim 18 substantially recites the same limitation as claim 2 in the form of a method to implement the corresponding functionalities; therefore it is rejected under the same rationale.

Claims 4 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Kim and Glazemakers, and further in view of US-PGPUB No. 2007/0094723 A1 to Short et al. (hereinafter “Short”).
Regarding claim 4:
The combination of Kim and Glazemakers discloses the non-transitory computer-readable medium of claim 2, but fails to explicitly disclose the following limitation taught by Short:
wherein the second encryption technique is selected as the one of TLS and DTLS based on whether the remote node blocks User Datagram Protocol (UDP) port 443 traffic (see Short ¶48: “…  if the DTLS/UDP tunnel cannot be established, the system can fall back to TLS /TCP tunnel.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of the combination of Kim and Glazemakers to incorporate the functionality of the method and computer-readable medium for dynamically tunneling over an unreliable protocol or a reliable protocol based on network conditions, as disclosed by Short. Such modification would allow the system to have high availability and to avoid denial of service, thus providing a dependable system.

Regarding claim 12:
Claim 12 substantially recites the same limitation as claim 4 in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore it is rejected under the same rationale.

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Kim, and further in view of Short.
Regarding claim 5:
Kim discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Short:
wherein the first encryption technique and the second encryption technique are different (see Short ¶32: “… simultaneous use of two different protocols between the same devices is accomplished and used to establish connections and to transmit data. For example, SSL is used to establish a secure connection while DTLS is used to transmit data.”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Kim to incorporate the functionality of the system that implements simultaneous use of two different protocols, one for control and one for data, as disclosed by Short. Such modification would allow the system to provide communications privacy over networks using SSL and to guarantee on-time arrival of data that is delay sensitive using DTLS, thus providing a highly available service.
 
Regarding claim 13:
Claim 13 substantially recites the same limitation as claim 5 in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore it is rejected under the same rationale.

Claims 6, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Kim, and further in view of US-PGPUB No. 2020/0195439 A1 to Suresh et al. (hereinafter “Suresh”).
Regarding claim 6:
Kim discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Suresh:
wherein the data packets include data packets between the remote node and the local node from various ports and having different protocols (see Suresh ¶118: “The header information and the payload of each packet may be generated in accordance with any number of communication protocols at any network stack layer …”, and   
¶64: “Packet engine … may manage kernel-level processing of packets received and transmitted by appliance … via network stacks … to send and receive network packets via network ports 266.”. See also FIG. 2 ‘Network Ports 266’).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Kim to incorporate the functionality of the packet engine that generates packets with any number of protocols and ports, as disclosed by Suresh. Such modification would allow the system to switch to a different port/protocol without service interruption when the port/protocol currently in use is compromised, thus providing a highly available service.

Regarding claim 14:
Claim 14 substantially recites the same limitations as claim 6 in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore it is rejected under the same rationale.

Regarding claim 19:
Claim 17 substantially recites the same limitation as claim 6 in the form of a method to implement the corresponding functionalities; therefore it is rejected under the same rationale.

Claims 7, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kim, and further in view of US-PGPUB No. 2021/0288881 A1 to Zhang (hereinafter “Zhang”).
Regarding claim 7:
Kim discloses the non-transitory computer-readable medium of claim 1, but fails to explicitly disclose the following limitation taught by Zhang:
wherein the local node is part of a cloud-based security system and the one or more users are connected thereto via the tunnel for firewall and Intrusion Prevention System (IPS) functions (see Zhang ¶38: “… network security may be provided as a service with the network security device residing in the cloud. Non-limiting examples of security functions include authentication, next-generation firewall protection, antivirus scanning, content filtering, data privacy protection, web filtering, network traffic inspection (e.g., secure sockets layer (SSL) or Transport Layer Security (TLS) inspection), intrusion prevention, intrusion detection, denial of service attack (DoS) detection and mitigation, encryption (e.g., Internet Protocol Secure (IPSec), TLS, SSL) …”).  

It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Kim to incorporate the functionality of the network security device, residing in the cloud, that provides network security services, as disclosed by Zhang. Such modification would allow the system to provide a proactive and responsive threat management system via a centralized management hub. Threats like DDoS (distributed denial of service) attacks can be thwarted with active monitoring and traffic disbursement to minimize risk.

Regarding claim 15:
Claim 15 substantially recites the same limitations as claim 7 in the form of a memory storing computer-executable instructions implementing the corresponding functionalities; therefore it is rejected under the same rationale.

Regarding claim 20:
Claim 20 substantially recites the same limitation as claim 7 in the form of a method to implement the corresponding functionalities; therefore it is rejected under the same rationale.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 

Singh et al. (US-PGPUB No. 2021/0352047 A1) discloses a first device maintaining an encrypted tunnel and a second device maintaining an unencrypted tunnel between the client and the server.
Hashmi et al. (US Patent No. 10,498,529 B1) discloses a scalable node for secure tunnel communication.
Skuratovich et al. (US-PGPUB No. 2017/0163693 A1) discloses how a session is established between an initiating device and a remote device, where a session request is transmitted from the initiating device to the remote device according to a preferred networking protocol.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Matthias Habtegeorgis whose telephone number is (571)272-1916. The examiner can normally be reached on 8:00am - 4:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Ashok B Patel, can be reached on 571-272-3972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.H./Examiner, Art Unit 2491

/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491