Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



DETAILED ACTION
Continuation
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on May 23, 2022 has been entered.


Response to Arguments
	 
Applicant’s arguments filed May 23, 2022 have been fully considered. After further consideration the previously applied 35 U.S.C. 112 rejections are withdrawn and the prior art of record still reads on Applicant’s claim language.


Applicant asserts the prior art of record does not teach choosing one or more of an NMC, another application, or a service to employ the key information for selectively decrypting encrypted network packets associated with the secure communication, wherein selective choosing of the encrypted network packets for decryption is based on one or more of configuration information, policy rules, or parameters.
In response, The Examiner respectfully disagrees and relies upon the combination of applied prior art to suggest choosing one or more of an NMC, another application, or a service (reads on using any combination of hardware and software, see Li para 0044) to employ the key information for selectively decrypting (reads on the combination of decrypt the accessed traffic flow using the associated session key and choosing a network tool based on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018, see Li para 0037) encrypted network packets (reads on the combination of encrypted communication between a first computing device and a second computing device, see Taub para 0013 and 0018, and packetized encrypted traffic flows, see Li para 0004 and 0026) associated with the secure communication (reads on the exemplary IPSec encrypted traffic, SSL encrypted traffic or any other suitable encrypted traffic, see Li para 0026), wherein selective choosing of the encrypted network packets for decryption (reads on choosing to decrypt based on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018) is based on one or more of the configuration information, policy rules, or parameters (reads on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018).




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  



Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Harrigan (US Pub. No. 2014/0351415 A1) in view of Li (US Pub. No. 2013/0133032 A1) in view of Taub (WO2016118131A1) in view of Rothstein (US Pub. No. 2014/0269777 A1) in view of Fu (US Pub. No. 2003/0217144 A1).


Per claim 1, Harrigan suggests a method for monitoring communication (reads on detect and monitory network flows occurring on the network, see Harrigan para 0025) over a network (reads on the network 110, see Harrigan Figure 1) between one or more computers (reads on the computers of Harrigan Figure 1 block 120a – 120d), with one or more network monitoring computers (reads on the network monitoring system of Harrigan Figure 1 block 130 that may be a computing device or a combination of computing devices, see Harrigan para 0024) that perform actions, comprising: 
identifying a secure communication session based on detected network traffic patterns (reads on capturing and storing packets based on specified packet capture rules such as full packet capture is enabled based on network flows classified as using secure socket layer, see Harrigan para 0014, 0025 and 0030) that are associated with one or more secure communication protocols (reads on secure socket layer network flows, see Harrigan para 0014, 0025 and 0030);
capturing (reads on storing/capturing specific network flows to be analyzed at a later date, see Harrigan para 0013 – 0014 and 0030. The Examiner asserts continuously capturing to be reasonably scoped as the storing of a specific network flow, see Harrigan para 0013 – 0014 and  0030) a plurality of network packets (reads on specific network flows to be analyzed at a later date, see Harrigan para 0013 – 0014 and  0030) that are securely (reads on packets that are using Secure Socket Layer encryption will have metadata and full packet capture enabled, see Harrigan para 0030) communicated (reads on packets associated with Secure Socket Layer encryption communication between two devices, see Harrigan para 0025 and 0030) between (reads on associated with a connection between two or more endpoints on a network, see Harrigan para 0014) the one or more computers in the secure communication session (reads on the computers of Harrigan Figure 1 block 120a – 120d), wherein the plurality of captured network packets is stored in a data store (reads on all packets associated with the captured network flow will be stored for later analysis, see Harrigan para 0014 and 0034).

[0013] In general, network owners desire to understand and, to the extent possible, control information sent over their networks.  For example, a network owner may desire to maintain a forensic record of activity on the network in 
order to be able to investigate potential undesirable network activity at a later time.  One possible approach is to capture and store all traffic sent over the network.  On a network that includes more than a few nodes, however, 
the amount of data to be stored will quickly become unduly large, forcing the network owner to purchase hardware or contract for costly data storage.  Accordingly, the present inventors recognized that a solution allowing a network owner to selectively capture only enough information to construct a reliable forensic record would be desirable. 
 
[0014] In some implementations, the present solution allows the network owner to specify packet capture rules governing which portions of traffic on the network (e.g., which packets) will be captured and stored.  In some implementations, the packet capture rules may specify that network flows associated with certain protocol metadata attributes should be captured.  A network flow may be a connection between two or more endpoints on a network, a 
series of connections between the endpoints, an interaction between the endpoints including multiple connections or message sequences, or any other suitable network traffic.  In some implementations, where network flows associated with a protocol metadata value, the solution may begin capturing network traffic (e.g., packets) associated with the network flow.  In some cases, the solution may capture only certain packets or portions of certain packets as defined by the rule.  The solution may also enable the full packet capture for the flow if specified by the rule, in which case all packets associated with the network flow will be stored for later analysis.

[0024] In some implementations, the network monitoring system 130 may be a computing device or a set of computing devices configured to perform the actions discussed above.  In some cases, the network monitoring system 130 may 
be implemented as a combination of hardware and software.  The network monitoring system 130 may also control or instruct other network components to perform any of the actions discussed herein. 
 
[0025] The network monitoring system 130 may include a network flow monitor 132.  In some implementations, the network flow monitor 132 may be a software or hardware component operable to detect and monitor network flows occurring on the network 110, such as network flows 150, 152, 154.  In some cases, the network flow monitor 132 may analyze packets being sent across the network 110 and correlate these packets to the various network flows 150, 152, 154.  For example, if a packet is sent from the laptop 120a to the server 120d, the network flow monitor 132 may classify this packet as belonging to network flow 150.  In some implementations, the network flow monitor 132 may associate packets to flows based on information contained in the packets.  For example, if a packet contains a session identifier or other identifier associating it 
with a communication between devices, the network flow monitor 132 may use this identifier to associate the packet with the network flow.  In some cases, the network flow monitor 132 may associate packets to flows by examining networking attributes associated with the packets.  For example, packets sent from a certain port on device 120a to a certain port on server 120d may be associated with network flow 150.  In some implementations, the network flow monitor 132 may associate all packets sent between two devices with the same network flow.

[0028] In operation, the network monitoring system 130 and its associated components may enable a network owner to generate an accurate forensic record of network activity in different ways for different types of traffic.  For 
example, a network owner may configure the network monitoring system 130 such that network flows using the Dynamic Host Configuration Protocol (DHCP) and/or 
the Domain Name Service (DNS) protocol will be described with metadata only, with no full packet capture or content extraction being performed.  Such a configuration may be appropriate because the content of the protocol packets 
may be less important than the fact that the packets were sent.  For example, the fact that a DNS request was sent from a client to a DNS server may be more important to the forensic record required by the network owner than the content of the packet.

[0030] In another example, the network owner may configure the network monitoring system 130 such that network flows classified as using Secure Socket Layer encryption will have metadata and full packet capture enabled.  In such a 
case, this configuration may be desirable because decryption and analysis of the packets may not be possible in real time, so the packets may be stored and analyzed at a later date. 
 
[0031] In the illustrated example, the network monitoring system 130 is connected to a database 140.  In some implementations, the database 140 is stored on the same server as the network monitoring system 130.  The database 
140 may also be stored on a separate server and accessed by the network monitoring system 130 over a network, such as network 110.  The database 140 may be any proprietary or commercially available database system or format, 
including, but not limited to, MySQL.RTM., Microsoft.RTM.  SQLServer, IBM.RTM.  DB2, Oracle.RTM., SQLite, or any other suitable database system or format.  The database 140 may also be a distributed database running on a plurality of 
servers.  In some implementations, the database 140 may be a configuration file or set of configuration files associated with the network monitoring system 130.  The network monitoring system 130 may examine these configuration files to determine the currently configured rules and associated actions. 
 
[0032] As shown, the database 140 includes packet capture rules 142.  In some implementations, the packet capture rules 142 are interpreted by the rules engine 134 and control the operation of the network monitoring system 130 in capturing and storing packets.  Each packet capture rule may include a trigger condition and an action.  Each trigger condition may specify a condition or set of conditions that, when detected, may cause the specified action to be performed.  For example, a trigger condition may state that the network flow associated with a certain protocol metadata value should trigger the rule.  Protocol metadata values may include attributes associated with the network flow, such as, for example, Hypertext Transfer Protocol (HTTP) headers, the source address, a destination address, login information, encryption keys, or any other suitable attributes. 
 
[0033] Each of the packet capture rules 142 may also include an action or set of actions to be performed when the trigger condition is detected.  In some implementations, the actions may include, but are not limited to, enabling full packet capture for the network flow, enabling full packet capture globally, performing content extraction on the network flow, or any other suitable action or set of actions. 
 
[0034] The database 140 may also include packet capture data 144.  In some implementations, the packet capture data 144 is stored in a table or set of tables and includes raw packets captured by the network monitoring system 130 
according to the packet capture rules 142.  In some cases, the packet capture data 144 may include a subset of the full packet data, such that the packets are parsed into fields and stored in a database table or set of tables.  In 
some cases, the packet capture data may include timing information indicating when a packet was captured.  In some cases, the signing information may allow a network analyst to replay a series of packets associated with the network flow using only the packet capture data 144.

[0046] FIG. 3 is a message flow diagram of an example interaction 300 between the components of the example network when a full packet capture has been enabled for a network flow. 
 
[0047] At 305, the device 120a sends a packet destined for device 120b over the network 110.  The network monitoring system 130 receives the packet.  In some implementations, as discussed previously, the network monitoring system 130 may receive only an indication of the packet and not the packet itself. 
 
[0048] At 315, the network monitoring system 130 determines whether full packet captures are enabled for the network flow associated with the packet.  In some implementations, the network monitoring system 130 queries the database 140 to determine if packet capture is enabled for the network flow associated with the packet.  The network monitoring system 130 may also locally store indication of the network flows for which full packet captures are enabled and thus may not need to consult the database to make this decision. 
 
[0049] If full packet capture is not enabled, the flow continues to 325, where the packet is sent to the device 120b.  If full packet capture is enabled for the network flow associated with the packet, the flow continues to 320, where the packet is stored in the database 140.  The flow then continues to 325 where the packet is sent to the device 120b. 


[0076] Although a few implementations have been described in detail above, other modifications are possible.  In addition, the logic flows depicted in the figures do not require the particular order shown, or sequential order, to 
achieve desirable results.  Other steps may be provided, or steps may be eliminated, from the described flows, and other components may be added to, or removed from, the described systems.  Accordingly, other implementations are 
within the scope of the following claims. 


    PNG
    media_image1.png
    677
    978
    media_image1.png
    Greyscale




Harrigan is silent on explicitly stating identifying a secure communication session based on detected network traffic patterns that are associated with one or more secure communication protocols; providing a query of the captured network packets, by one or more applications or services, that includes one or more expressions in the query to exclude those stored network packets that are unencrypted from a result for the query, wherein the query result includes one or more encrypted network packets that are provided to the one or more other applications or services; employing a hardware security module to provide key information to one or more of the NMC and the one or more endpoints of the secure communication session, wherein the HSM is stored at the NMC or an endpoint of the secure communication session; and choosing one or an NMC, another application, or a service to employ the key information for selectively decrypting encrypted network packets associated with the secure communication, wherein selective choosing of the encrypted network packets for decryption is based on one or more of configuration information, policy rules, or parameters.
Li suggests
capturing (reads on receiving by a capture device packetized encrypted traffic flows, see Li para 0004 and 0026) a plurality of network packets that are securely communicated (reads on packetized encrypted traffic flows, see Li para 0004 and 0026) between the one or more computers (see Li Figure 1 blocks 120 and 115), wherein the plurality of captured network packets is stored in a data store (reads on capturing and storing both encrypted and unencrypted data of the particular traffic flow, see Li para 0004, 0014, 0032, 0033 and 0037);
providing a query of the captured network packets (reads on user and/or administrator may query the encrypted traffic flow tracking database using any attribute associated with traffic flows for specific traffic flows using the available attribute, see Li para 0036 – 0037), by one or more applications or services (reads on performing the action using any combination of software and hardware, Li para 0044), that includes one or more expressions in the query to exclude those stored network packets that are encrypted from a result for the query (The Examiner construes this to be an obvious limitation of the disclosure of Li because Li teaches performing a query based on any attribute associated with the traffic flow and searching for a particular/specific flow. One of ordinary skill in the art as a result of Li’s teaching would consider it obvious that an encrypted flow would not satisfy a query for flows associated with no particular session key, see Li para 0037), wherein the query result includes one or more non-encrypted network packets that are provided to the one or more other applications or services (reads on the obvious teaching based on Li’s teaching of the result of the query is a specific traffic flow that does not use a particular associated session key, see Li para 0036 – 0037); and
choosing one or more of an NMC, another application, or a service (reads on using any combination of hardware and software, see Li para 0044) to employ the key information for selectively decrypting (reads on decrypt the accessed traffic flow using the associated session key, see Li para 0037) encrypted network packets (reads on packetized encrypted traffic flows, see Li para 0004 and 0026) associated with the secure communication (reads on the exemplary IPSec encrypted traffic, SSL encrypted traffic or any other suitable encrypted traffic, see Li para 0026).

[0004] According to one embodiment of the present invention, a method includes receiving, by a capture device, traffic flows transmitted by a plurality of client devices, each of the traffic flows being associated with one of the plurality of client devices and comprising encrypted data.  The method further includes receiving, by the capture device, flow information communicated from a 
proxy server communicatively coupled to the capture device, the flow information comprising an identification of a particular traffic flow and a session key associated with the particular traffic flow.  The method further includes storing, by the capture device, encrypted data of the particular traffic flow identified by the flow information supplied by the proxy server; storing, by the capture device, the session key associated with the particular 
traffic flow; and discarding, by the capture device, any of the plurality of received traffic flows not identified in the flow information received from the proxy server. 
 
[0014] The teachings of the disclosure recognize that it would be desirable to provide a system and method for capturing and storing both encrypted and unencrypted traffic flows of specific flow properties from a network at high bitrates.  FIGS. 1 through 5 below illustrate a system and method for capturing network traffic according to the teachings of the disclosure.

[0026] In certain embodiments, traffic flow 125 is any data that is communicated from client device 120.  In certain embodiments, traffic flow is any packetized data such as IP data packets.  Traffic flow 125 may be encrypted data, unencrypted data, or a mixture of both encrypted and unencrypted data.  In certain embodiments, traffic flow 125 may refer to IPSec encrypted traffic, SSL encrypted traffic, or any other suitable encrypted traffic. 
 
[0027] Session key 127 may refer to any appropriate security key that is communicated from client device 120 to proxy server 110 for the purpose of encrypting messages in a communication session between client device 120 and 
proxy server 110.  In certain embodiments, session key 127 may be utilized to decrypt traffic flow 125 after it is received from client device 120.  In certain embodiments, session key 127 may be generated according to SSL, TLS, or 
any other appropriate cryptography standard. 

[0032] At any appropriate time, proxy server 110 selects a particular traffic flow 125 to store on a particular capture device 130.  For example, proxy server 110 may select to store traffic flow 125A on either or both of capture devices 130A or 130B.  As another example, proxy server 110 may select to store traffic flow 125B on either or both of capture devices 130A or 130B.  To select 
which traffic flow 125 to capture and store on capture devices 130, proxy server may access one or more policies 112 stored on proxy server 110.  For example, an administrator may interact with proxy server 110 and create a policy 112 that indicates to capture all traffic flows 125 from a particular IP address, entity, or switch port.  As another example, a policy 112 may be created that instructs how to process particular traffic flows 125 (i.e., discard or save all traffic flows 125 from a particular IP range), or how to log particular traffic flows 125 (i.e., log a particular traffic flow for a 
certain amount of time and/or for a specific time of day).  Proxy server 110 may access policies 112 and analyze any received traffic flows 125 against policies 112 in order to determine one or more traffic flows 125 to capture and 
store on one or more capture devices 130. 
 
[0033] After selecting a particular traffic flow 125, proxy server 110 communicates flow information 135 to at least one capture device 130.  For example, if proxy server 110 accesses policies 112 and determines that all traffic flows 125A from client device 120A should be logged, proxy server 110 communicates flow information 135A to capture device 130A and/or flow information 135B to capture device 130B in order to instruct one or both of these devices to capture and store traffic flow 125A.  As another example, if 
proxy server 110 accesses policies 112 and determines that all traffic flows 125B from client device 120B should be logged, proxy server 110 communicates flow information 135A to capture device 130A and/or flow information 135B to 
capture device 130B in order to instruct one or both of these devices to capture and store traffic flow 125B.  As described above, flow information 135 may in some embodiments include session key 127 and/or an identification of the selected traffic flow 125.

[0035] Capture devices 130 store selected traffic flows 125 based on flow information 135 received from proxy server 110 across secure communications channels.  For example, if flow information 135A indicates to capture traffic flow 125A, capture device 130A will capture and store traffic flow 125A in storage device 132A.  As another example, if flow information 135B indicates to capture traffic flow 125B, capture device 130B will capture and store traffic 
flow 125B in storage device 132B.  In certain embodiments, capture devices 130 discard any traffic flows 125 that were not identified in flow information 135.  In the examples provided here, capture device 130A discards traffic flow 125B because flow information 135A only indicated to capture and store traffic flow 125A.  Likewise, capture device 130B discards traffic flow 125A because flow 
information 135B only indicated to capture and store traffic flow 125B.  Herein "discard" may refer to erasing any stored traffic flows 125 that were not identified in flow information 135, marking any stored traffic flows 125 that were not identified in flow information 135 as being eligible for being over-written, ignoring any incoming traffic flows 125 that were not identified in flow information 135, and the like. 

[0036] For increased security, capture devices 130 may store session keys 127 separate from the data of the selected traffic flow 125.  For example, capture device 130 may store traffic flow 125 in storage device 132 in the same format as it is when it is taken off the wire (i.e., encrypted).  Then, capture device 130 may utilize an encrypted traffic flow tracking database (ETFTD) 134 to 
store information such as session key 127 received from proxy server 110.  In certain embodiments, ETFTD 134 may be stored in a separate storage device 132, in a separate database, or any other location that is separate from where 
traffic flow 125 is stored.  In some embodiments, ETFTD 134 may be encrypted and may store one or more attributes such as a time stamp, a user ID (i.e., a user name, IP addresses or port number), flow information 135, session key 127, 
a security certificate associated with client device 120 and/or server 115, and/or a storage location on disk that indicates where on storage device 132 that traffic flow 125 is stored in its original format.  In other embodiments, 
ETFTD 134 may include any other appropriate attributes associated with traffic flows 125. 
 
[0037] In certain embodiments, ETFTD 134 may be a searchable database, and capture device 130 may provide a user and/or an administrator the ability to query its ETFTD 134 for specific traffic flows 125 using any available 
attributes of ETFTD 134.  For example, a user may interact with capture device 130A to query ETFTD 134A for traffic flows 125 from a specific IP address.  As another example, a user may interact with capture device 130A to query ETFTD 
134A for traffic flows 125 from a specific time of day.  In certain embodiments, capture device 130 may export either decrypted or unencrypted traffic flows 125 to a network analyzer for further analysis.  For example, capture device 130 may access a traffic flow 125 stored in storage device 132, access an associated session key 127 stored in ETFTD 134, decrypt the accessed traffic flow 125 using the associated session key 127, and then export the decrypted traffic flow 125 to a network analysis tool such as Wireshark for further analysis. 

[0044] FIG. 4 illustrates an example method 400 for capturing network traffic, which may be performed by the example systems of FIGS. 1 and 2 according to certain embodiments of a present disclosure.  Method 400 may be implemented in any suitable combination of software, firmware, and hardware.  Although particular components may be identified as performing particular steps, the present disclosure contemplates any suitable components performing the steps according to particular needs.

    PNG
    media_image2.png
    819
    858
    media_image2.png
    Greyscale

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the packet capture teachings of the primary reference by incorporating the packet capture teachings of Li to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the packet capture art to include the ability to query the captured data, as taught by Li, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable and resulting in the expected benefit of increasing the system’s ability to decrypt particular encrypted communication sessions at a later time. The motivation to combine references applies to all claims beneath this heading.
Taub suggests 
a method for monitoring communication (reads on monitor traffic from the application to other applications and/or computing devices, see Taub para 0009) over a network (reads on traffic passing over a network or a portion of a network, see Taub para 0009) between one or more computers (reads on the application and computing devices, see Taub para 0009), with one or more network monitoring computers (reads on one or more agents/engines/modules configured to monitor encrypted communication between a first computing device and a second computing device, determine a session key and a session ID that corresponds to the encrypted communication, and store the encrypted communication, session key and ID, see Taub para 0013, 0022 and 0041) that perform actions, comprising: 
capturing (reads on intercepting and logging communication traffic passing over a network or a portion of the network, see Taub para 0009, 0013, 0029 and 0041) a plurality of network packets (reads on the encrypted communication between a first computing device and a second computing device, see Taub para 0013 and 0018) that are securely (reads a secure communication session, see Taub para 0040 – 0042 and Figures 3 and 4) communicated between (reads on between a first computing device and a second computing device, see Taub para 0018) the one or more computers (reads on a first computing device and a second computing device, see Taub para 0018), wherein the plurality of captured network packets is stored in a data store (reads on the captured packets are stored in a database, see Taub para 0018 and 0028);
employing a hardware security module (reads on hardware that is configured to monitor encrypted communication between a first computing device and second computing device and store session keys corresponding to encrypted communication, see Taub para 0013) to provide key information (reads on send a portion of the requested number of session keys to the network took based on the number of rules, see Taub para 0018) to one or more of the NMC and the one or more endpoints of the secure communication session (reads on send the stored session keys to a network tool that correspond to communication that was previously sent to the network took, see Taub para 0018), wherein the HSM is stored at the NMC or an endpoint of the secure communication session (reads on the monitor module, rules module, repository module can be sub-modules and/or contained within the same computing device, see Taub para 0022);
and choosing one of an NMC or another application or a service (reads on choosing a network tool based on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018) to employ the key information for selectively decrypting (reads on choosing to decrypt based on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018) encrypted network packets associated with (reads on the encrypted communication between a first computing device and a second computing device, see Taub para 0013 and 0018) the secure communication session (reads on the particular secure communication session, see Taub para 0011 and 0040 – 0042), wherein selective choosing of the encrypted network packets for decryption (reads on choosing to decrypt based on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018) is based on one or more of the configuration information, policy rules, or parameters (reads on rules that define what type and/or portions of the secure communication can be decrypted for a plurality of different network tools, see Taub para 0018).

[0009] A number of network tools can be utilized with the application to monitor and/or help performance of the application. In some embodiments, the number of network tools can include monitoring tools (e.g., real user monitor (RUM)), intrusion detection tools, and/or prevention system tools. The number of network tools can utilize a number of techniques (e.g., sniffer-based technique, packet analyzer, network analyzer, protocol analyzer, etc.) to monitor communication traffic from the application to the number of other applications and/or computing devices. For example, the number of techniques can include intercepting and logging communication traffic passing over a network or a portion of the network. In previous embodiments, the number of network tools may require a private key and/or private key/public key combination in order to decrypt the communication traffic.

[0011] The session key repository can be utilized to store a session key (e.g., key associated with a particular communication session), session identification (ID) (e.g., ID established with a particular communication session), and/or corresponding communication packets in a database (e.g., session key repository, session key database, database, etc.). In some embodiments, the database can be utilized to decrypt communication packets utilizing the corresponding stored session key. In addition, the database can be utilized to issue the encrypted communication packets and corresponding session key and/or session ID to the number of network tools. By storing the session keys and/or session IDs for corresponding communication packets
in a database, the communication packets can be decrypted at a later time utilizing the corresponding session keys and/or session IDs without requiring the private key of the
application.

[0013] The number of engines (e.g., monitor engine 106, identification engine 108, rules engine 110, repository engine 112) can include a combination of hardware and programming, but at least hardware, that is configured to perform functions described herein (e.g., monitor encrypted communication between a first computing device and a second computing device, determine a session key and a session ID that corresponds to the encrypted communication, determine a number of rules, store portions of the encrypted communication with the corresponding session key and
session ID based on the number of rules, etc.). The programming can include program instructions (e.g., software, firmware, etc.) stored in a memory resource (e.g., computer readable medium, machine readable medium, etc.) as well as hard-wired program (e.g., logic).

[0018] The repository engine 112 can include hardware and/or a combination of hardware and programming, but at least hardware, to send a portion of the number of
session keys and session IDs to a network tool based on the number of rules and identification of the network tool. The repository engine 112 can store session keys and session IDs based on the rules from the rules engine 110. In some embodiments, the repository engine 112 can store a number of captured packets (PCAPs) of the encrypted communication based on the number of rules. Furthermore, in some
embodiments, the repository engine 112 can receive a request for a number of session keys corresponding to live communication from the network tool and send a portion of
the requested number of session keys to the network tool based on the number of rules. That is, the repository engine 112 can receive requests from a number of network tools that correspond to communication that was previously sent to the network tool and determine what portions of the communication the network tool can decrypt based on
the number of rules. The number of rules can define what content type and/or what portions of the communication can be decrypted for a plurality of different network tools.

[0022] A number of modules (e.g., monitor module 222, identification module 224, rules module 226, repository module 228) can include CRI that when executed by the processing resource 216 can perform functions. The number of modules (e.g., monitor module 222, identification module 224, rules module 226, repository module 228) can be sub-modules of other modules. For example, the detection module 224 and the rules module 226 can be sub-modules and/or contained within the same computing device. In another example, the number of modules (e.g., monitor module 222, identification module 224, rules module 226, repository module 228) can comprise individual modules at separate and distinct locations (e.g., CRM, etc.). 

[0027] The system 330 can include an application processing module 338 to determine a number of relevant TCP connections 344 and/or communication sessions. The number of relevant TCP connections 344 from the database 348 can be based on a number of rules 340. The number of rules 340 can define particular content types and/or subjects of communication between a first application and a second application. That is, the number of rules can be based on content (e.g., subject of the communication, category of information within the communication, department within an
organization, TCP range, IP range, table values as a result of a query, table names as an input for a query, etc.) within the encrypted communication. For example, a search
can be performed on the communication packets (e.g., search of protocol, search of the header information, search of the body of the communication packet, etc.) to determine
a content type for the communication packets. For example, the number of rules can define that human resources (HR) communication is considered relevant communication. In another example, the number of rules can define that financial transactions are not considered relevant communication. In another example, the number rules can be based on: HTTP content, a number of components of an HTML
page, data relating to a protocol (e.g., mssql query, etc.), and a number of TCP properties of the packet of encrypted communication.

[0028] A number of communication packets (e.g., PCAPs, live traffic communication packets, etc.) 342 from a number of communication sessions can be monitored. In some embodiments, the communication packets 342 can be stored in a database 304 with a corresponding session ID and session key. In other embodiments, only the corresponding session ID and/or session key are stored in the database 304.
The number of rules 340 can define the relevant TCP connections 344 from the network 346 that includes all communication session IDs and session keys stored in the
database 348. For example, the application processing module 338 can utilize the number of rules 340 to determine a number PCAPs 342 or live communication packets and a number of relevant TCP connections 344. In this example, the application processing module 338 can store a subset of session IDs, session keys, and/or a corresponding PCAP or live traffic in a database 304.

[0029] In some embodiments the communication session can be established utilizing a Diffie-Hellman (DH) key exchange for an SSL communication session. In previous systems and methods it would not be possible to decrypt SSL communication sessions established utilizing a DH key exchange by a network tool monitoring the traffic (e.g., RUM). The system 330 can utilize a sniffer on the application to store PCAPs or live traffic with corresponding session keys and session IDs from the
communication session established utilizing the DH key exchange. The system 330 can also store only the corresponding session keys and/or session IDs and provide
them to the database 304. The stored session keys and/or session IDs can be accessed by network tools (e.g., RUM, etc.) by requesting the session keys and/or session IDs from the database 304.

[0040] The application 564 can utilize secure communication sessions as described herein. The secure communication sessions can be established utilizing a private key and/or a private key/public key combination. When a secure communication session is established with the application 564 and a different application or computing device, a session ID and/or session key can be issued for encrypting packets of communication during the secure communication session.

[0041] The system 560 can include one or more agents 566-1, 566-2, 566-3. The one or more agents 566-1, 566-2, 566-3 can include real user monitors (RUM)s, application monitors, sniffer agents, among other network tools configured to monitor network communication. In some embodiments, the one or more agents 566-1, 566-2, 566-3 can monitor and/or store communication packets (e.g., PCAPs, live communication packets, etc.) being sent from the application 564 and received at the application 564. In some embodiments, the communication packets can be stored in an SSL key repository 568 with a corresponding session ID and/or session key. In some embodiments, only the corresponding session ID and/or session key are stored in the SSL key repository 568. In some embodiments, the corresponding session ID and/or session key are not stored, but only sent and/or passed to a network agent to provide
the session key and/or session ID to a network device or network tool.

[0042] In addition to monitoring and/or storing communication packets in the SSL key repository 568, the one or more agents 566-1, 566-2, 566-3 can monitor and/or
store session IDs and/or session keys from the secure communication sessions that correspond to the communication packets. That is, when the one or more agents 566-1, 566-2, 566-3 monitor a session ID and/or session key from a secure communication session, the one or more agents 566-1, 566-2, 566-3 can store the session ID and/or session key with communication packets from the secure communication session.


    PNG
    media_image3.png
    570
    579
    media_image3.png
    Greyscale



    PNG
    media_image4.png
    455
    390
    media_image4.png
    Greyscale




Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the packet capture teachings of the primary reference by incorporating the packet capture teachings of Taub to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the packet capture art to include in the metadata already captured by the packet capture system of the primary reference the ability to capture/store the session keys, as taught by Taub, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable and resulting in the expected benefit of increasing the system’s ability to decrypt particular encrypted communication sessions at a later time (see Taub para 0011). The motivation to combine references applies to all claims beneath this heading.
Rothstein suggests 
a method for monitoring communication over a network between one or more computers, with one or more network monitoring computers (NMCs) that perform actions, comprising (reads on a network monitor or NMD that refers to any combination of hardware and software that is arranged to monitor and/or record flows of packets in a session that are communicated between at least two endpoints over at least one network, see Rothstein para 0031):  identifying a secure communication session (reads on determining whether the monitored flow is encrypted, see Rothstein para 0102) based on detected network traffic patterns that are associated with one or more secure communication protocols (reads on determining whether the monitored flow is encrypted based on header information or the observation of one or more handshakes that negotiate and/or establish keys for the session, see Rothstein para 0102); capturing a plurality of network packets that are securely communicated between the one or more computers (reads on record flows of encrypted packets in a session that are communicated between at least two endpoints over at least one network, see Rothstein para 0031 and 0102), wherein the plurality of captured packets is stored in a data store (The Examiner construes this to be a necessary limitation of the prior art’s disclosure of recording flows of packets, see Rothstein para 0031).

[0030] Typically, establishing a TCP based connection between endpoints begins with a handshake and creates a single bi-directional flow between two endpoints, e.g., one direction of the flow going from endpoint A to endpoint B, 
the other direction of the flow going from endpoint B to endpoint A, where endpoint A and endpoint B are IP-Port source and destinations.  In at least one of the various embodiments, a tuple may be employed to identify a flow.  Also, other protocols may establish a separate flow for control information that enables management of at least one or more flows between two or more endpoints. 
 
[0031] As used herein, the terms "network monitor", "network monitor device", or "NMD" refer to an application (software, hardware, or some combination) that 
is arranged to monitor and/or record flows of packets in a session that are communicated between at least two endpoints over at least one network.  In some embodiments, the packets that are monitored by the NMD may be referred to as "monitored packets" or "monitored data." The NMD can provide information for assessing different aspects of these monitored flows.  In at least one embodiment, the NMD passively monitors network packet traffic without 
participating in the communication protocols.  This monitoring is performed for a variety of reasons, including troubleshooting and proactive remediation, end-user experience monitoring, SLA monitoring, capacity planning, application lifecycle management, infrastructure change management, infrastructure optimization, business intelligence, security, and regulatory compliance.  The 
NMD can receive network communication for monitoring through a variety of means including network taps, wireless receivers, port mirrors or directed tunnels from network switches, servers including the endpoints themselves, or other infrastructure devices.  In at least some of the various embodiments, the NMD may receive a copy of each packet on a particular network segment or virtual local area network (VLAN).  Also, for at least some of the various embodiments, they may receive these packet copies through a port mirror on a managed Ethernet switch, e.g., a Switched Port Analyzer (SPAN) port, or a Roving Analysis Port (RAP).  Port mirroring enables analysis and debugging of network communications.  Port mirroring can be performed for inbound or outbound traffic (or both) on single or multiple interfaces. 
 
[0032] The NMD may track network connections from and to endpoints, such as a client and/or a server.  The NMD may also extract information from the packets including protocol information at various layers of the communication protocol stack.  The NMD may reassemble or reconstruct the stream of data exchanged between the endpoints.  The NMD may perform decryption of the payload at various layers of the protocol stack.  The NMD may passively monitor the 
network traffic or it may participate in the protocols as a proxy.  In some embodiments, the NMD may set and/or transform to different states based on the data arriving to and from the endpoints.  One non-limiting, non-exhaustive 
example of such an NMD may be an Independent Computing Architecture receiver. 
 
[0033] The NMD may attempt to classify the network traffic according to communication protocols that are used.  The NMD may categorize the traffic where categories might include file transfers, streaming audio, streaming 
video, database access, interactive, gaming, and the like.  The NMD may attempt to determine whether the traffic corresponds to known communications protocols, such as HTTP, FTP, SMTP, RTP, Tabular Data Stream (TDS), TCP, IP, and the like.  In some embodiments, protocol classification may be a necessary precondition to application classification.  While some protocols run on well known L4 ports, others do not.  Even if there is traffic on a well known port, it is not necessarily the protocol assigned to that port.  As a result, protocol classification can include additional analysis, such as signature matching, 
traffic analysis, and other heuristics.  Sometimes protocol classification can be adaptive. 

[0102] Process 600 may continue at decision block 606, where a determination may be made whether the monitored flow is encrypted.  In some embodiments, this determination may be based on header information, such as an initialized 
encryption flag.  In other embodiments, when a session is established between two endpoints, the NMD may observe one or more handshakes that negotiate and/or establish decryption keys for the session.  However, embodiments are not so limited, and other mechanisms for determining if the monitored flow is encrypted may be employed.  If the monitored flow is encrypted, then process 600 may proceed to block 608; otherwise, process 600 may proceed to decision block 610.


[0115] FIG. 7 illustrates a logical flow diagram generally showing one embodiment of a process for decrypting an encrypted monitored flow with a hole using a stream cipher.  Process 700 begins, after a start block, at block 702, 
where a decryption key may be received.  In some embodiments, the decryption key may be received by the NMD when a session is established between the endpoints.  In at least one embodiment, the NMD may obtain decryption keys for one or more sessions and/or one or more flows.  In some embodiments, if the monitored flow is encrypted using SSL, TLS, or the like, then the NMD may have access to the server's private key and may be enabled to derive the 
corresponding decryption key or master secret from the SSL handshake between the endpoints.  In other embodiments, if the monitored flow is encrypted using WEP, WPA, or the like, then the NMD may have access to the wireless station's pre-shared key and may be enabled to derive the corresponding decryption key. 
 

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the packet capture teachings of the primary references by incorporating the explicit NMC/NMD packet capture teachings of Rothstein to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the packet capture art to include in the packet capture teachings of the primary references, the explicit use of a NMC/NMD, as taught by Rothstein, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable and resulting in the expected benefit of substituting one known in the art technology for another known in the art technology that accomplishes a similar result. The motivation to combine references applies to all claims beneath this heading.
Fu suggests 
providing a query of the captured network packets (reads on capturing non-encrypted network-level information and reconstructing web page accesses, see Fu para 0158), by one or more applications or services (reads on the client and server, see Fu Figures 12, 13 and 14 blocks 101 and 104), that includes one or more expressions in the query to exclude those stored network packets that are encrypted from a result for the query (reads on encrypted connections are not analyzed, see Fu para 0158), wherein the query result includes one or more non-encrypted packets that are provided to the one or more applications or services that provided the query (reads on captured network-level information is used to reconstruct web page access and encrypted connections are not analyzed, see Fu para 0158), and wherein one or more of the encrypted network packets that are excluded from the query result are provided to the one or more other applications or services (The Examiner construes this to be an obvious limitation of the disclosure of Fu because the known in the art packet collectors of Fu do not restrict traffic flow; but rather, they copy packets as they are traveling to their destination, see Fu para 0052 – 0063).

[0158] It should be noted that in each of the implementations described above in FIGS. 12-14, the solutions exclude from consideration the encrypted connections whose content cannot be analyzed, and hence, the HTTP level information cannot be extracted. That is, because embodiments of the present invention capture network-level information and utilize such network-level information for reconstructing web page accesses, encrypted connections are not analyzed.

Before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to modify the packet capture teachings of the primary references by incorporating the explicit analyze/query only unencrypted packet capture teachings of Fu to realize the instant limitations. One or more of the underpinning rational(s), as discussed in KSR international Co, v, Teleflex inc,s etai,s 550 U,S. 398 (2007) U.S.P.Q.2d 1385, also see MPEP § 2141 {IN), are used to support this conclusion of obviousness. Accordingly, it would have been obvious to one of ordinary skill in the packet capture art to include in the packet capture teachings of the primary references, the explicit analyze/query only unencrypted packet capture, as taught by Fu, since the claimed invention is merely a combination of old elements, and in the combination each element merely would have performed the same function as it did separately, and one of ordinary skill in the art would have recognized that the results of the combination were predictable and resulting in the expected benefit of substituting one known in the art technology for another known in the art technology that accomplishes the result of choosing which network packets to query/analyze. The motivation to combine references applies to all claims beneath this heading.


Per claim 2, the prior art of record further suggests 
employing the one or more NMCs (reads on a network monitor or NMD that refers to any combination of hardware and software that is arranged to monitor and/or record flows of packets in a session that are communicated between at least two endpoints over at least one network, see Rothstein para 0031) to identify (reads on the network monitoring system identifying specific encrypted network packets to be captured and stored, see Harrigan para 0014, 0024 – 0025 and 0030) a secure communication session established (reads on packets that are using Secure Socket Layer encryption will have metadata and full packet capture enabled, see Harrigan para 0030) between (reads on packets associated with Secure Socket Layer encryption communication between two devices, see Harrigan para 0025 and 0030) two of the one or more computers (reads on the computers of Harrigan Figure 1 block 120a – 120d);
obtaining (reads on the NMD obtains decryption keys for one or more sessions and/or one or more flows, see Rothstein para 0115 and see Harrigan para 0030 and 0032) key information that corresponds to the secure communication session (reads on decryption keys for one or more sessions and/or one or more flows, see Rothstein para 0115 and see Harrigan para 0030 and 0032), wherein the key information includes a session private key (reads on the server’s private key that is used to derive the corresponding decryption key for the one or more sessions and/or one or more flows , see Rothstein para 0115 and Li Figure 4 block 440 and para 0037) that is provided by a key provider (The Examiner construes this to be an obvious limitation of the disclosure of Rothstein because Rothstein teaches the key information is obtained and since it must be obtained from some entity, The Examiner construes the entity that it was obtained from to the be the key provider, see Rothstein para 0115 and Harrigan para 0030 and 0032).
Per claim 3, the prior art of record further suggests, providing correlation information (reads on using the tuple to identify a flow of packets in a session communicated between at least two endpoints, see Rothstein para 0030 – 0031) associated with (reads on the network monitoring system will receive source address, destination address or any other suitable attributes associated with the monitored network flow, see Harrigan para 0030 and 0032) the secure communication session (reads on the network flow classified as using encryption, see Harrigan para 0030), wherein the correlation information (reads on the source address, destination address or any other suitable attributes associated with the monitored network flow, see Harrigan para 0030 and 0032 and see Rothstein para 0030 – 0031) includes tuple information associated with (reads on the source address, destination address or any other suitable attributes associated with the monitored network flow, see Harrigan para 0030 and 0032 and see Rothstein para 0030 – 0031) the secure communication session (reads on the network flow classified as using encryption, see Harrigan para 0030); and
storing (reads on storing the metadata and the full packets in the database, see Harrigan Figure 1 block 140 and para 0030) the key information (reads on encryption keys associated with the network flow, see Harrigan para 0030 and 0032) and the correlation information (reads on the source address, destination address or any other suitable attributes associated with the monitored network flow, see Harrigan para 0030 and 0032 and see Rothstein para 0030 – 0031) in a key escrow (reads on a database, see Harrigan Figure 1 block 140 and para 0030), wherein the key information is indexed in the key escrow based on (reads on the key information/session key  may be found using any attribute associated with the traffic flow, see Li para 0036 – 0037) the correlation information (reads on the source address, destination address or any other suitable attributes associated with the monitored network flow, see Harrigan para 0030 and 0032 and see Rothstein para 0030 – 0031). 
Per claim 4, the prior art of record further suggests when network packets associated with the key information and the correlation information are absent from the data store, discarding the key information and the correlation information (The Examiner construes this to be an obvious limitation of prior art of record, because one of ordinary skill in the art of database management would consider it obvious to delete key information and correlation information from a database when the stored network packets are deleted and the key, correlation and packets are stored as a pair, see Taub para 0055. The motivation to do so is to maintain data consistency by ensuring only full pairs are stored in the database).
Per claim 5, the prior art of record further suggests providing one or more previously captured encrypted network packets that are associated with one or more secure communication sessions (see Taub para 0055 and see Harrigan para 0013 – 0014 and 0030);
providing key information that is associated with the one or more previously captured encrypted network packets based on the correlation information that is associated with the one or more previously captured network packets (see Taub para 0055 and see Harrigan para 0030 and 0032); and
providing access for one or more services or applications to access the one or more previously captured encrypted network packets and the associated key information (see Li para 0037 and Rothstein para 0115).
Claim 6 is analyzed with respect to claim 5. The prior art of record further suggests decrypting the one or more previously captured network packets using the key information (see Li para 0037 and Rothstein para 0115).
Claim 7 is analyzed with respect to claim 1. The prior art of record further suggests one or more network monitoring computers (reads on a network monitor or NMD that refers to any combination of hardware and software that is arranged to monitor and/or record flows of packets in a session that are communicated between at least two endpoints over at least one network, see Rothstein para 0031, Harrigan Figure 1 block 130, Taub para 0013, 0022 and 0041), comprising a memory that stores at least instructions (see Rothstein Figure 4 block 404); and one or more processors that execute instructions (see Rothstein Figure 4 block 402); and the one or more computers (see Rothstein Figure 3 block 300), comprising: a transceiver that communicates over the network (see Rothstein Figure 3 block 332); a memory that stores at least instructions (see Rothstein Figure 3 block 304); and one or more processors that execute instructions that perform actions, including (see Rothstein Figure 3 block 302): providing the plurality of network packets (reads on specific network flows to be analyzed at a later date, see Harrigan para 0013 – 0014 and  0030).
Per claim 8, the prior art of record further suggests employing the one or more NMCs (reads on a network monitor or NMD that refers to any combination of hardware and software that is arranged to monitor and/or record flows of packets in a session that are communicated between at least two endpoints over at least one network, see Rothstein para 0031) to identify (reads on the network monitoring system identifying specific encrypted network packets to be captured and stored, see Harrigan para 0014, 0024 – 0025 and 0030) a secure communication session established (reads on packets that are using Secure Socket Layer encryption will have metadata and full packet capture enabled, see Harrigan para 0030) between (reads on packets associated with Secure Socket Layer encryption communication between two devices, see Harrigan para 0025 and 0030) two of the one or more computers (reads on the computers of Harrigan Figure 1 block 120a – 120d); obtaining (reads on the NMD obtains decryption keys for one or more sessions and/or one or more flows, see Rothstein para 0115 and see Harrigan para 0030 and 0032) key information that corresponds to the secure communication session (reads on decryption keys for one or more sessions and/or one or more flows, see Rothstein para 0115 and see Harrigan para 0030 and 0032), wherein the key information includes a session private key (reads on the server’s private key that is used to derive the corresponding decryption key for the one or more sessions and/or one or more flows , see Rothstein para 0115) that is provided by a key provider (The Examiner construes this to be an obvious limitation of the disclosure of Rothstein because Rothstein teaches the key information is obtained and since it must be obtained from some entity, The Examiner construes the entity that it was obtained from to the be the key provider, see Rothstein para 0115).
Claim 9 is analyzed with respect to claim 3.
Claim 10 is analyzed with respect to claim 4.
Claim 11 is analyzed with respect to claim 5.
Claim 12 is analyzed with respect to claim 6.
Claim 13 is analyzed with respect to claim 7.
Claim 14 is analyzed with respect to claim 8.
Claim 15 is analyzed with respect to claim 9.
Claim 16 is analyzed with respect to claim 10.
Claim 17 is analyzed with respect to claim 11.
Claim 18 is analyzed with respect to claim 12.
Claim 19 the processor readable non-transitory storage media is analyzed with respect to claim 13. 
Claim 20 is analyzed with respect to claim 14.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Brian Shaw whose telephone number is (571)270-5191.  The examiner can normally be reached on Mon-Thurs from 6:00 AM-3:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's Supervisor, Jorge Ortiz-Criado can be reached on (571) 272-7624.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.  Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/BRIAN F SHAW/Primary Examiner, Art Unit 2496