DETAILED ACTION
1.	This action is responsive to the communications filed on 03/21/2022.
2.	Claims 1-20 are pending in this application.
3.	Claims 1, 3, 12, 14, 20, have been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-20 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claims 1, 12, 20, recite “blocking, at a network layer, the third-party request.” Regarding this limitation, applicant’s specification states:
[0021] The device 110 may be any computer device having Internet browsing capabilities, such a smartphone, laptop or a tablet. The network apparatus 120 collects information e.g. about the local network 100, including data about the network traffic through the local network 100 and data identifying devices in the local network 100, such as any smart appliances and user devices 110. The network apparatus 120 is configured to receive traffic control instructions from the analysis engine 160 and to process network traffic based on the traffic control instructions. Processing the network traffic through the local network 100, for example, can include restricting where network traffic can travel, blocking network traffic from entering the local network 100, redirecting a copy of network traffic packet or features of those packets to the analysis engine 160 for analysis (e.g., for malicious behaviour), or quarantining the network traffic to be reviewed by a user (e.g., via the user device 110) or network administrator. In some embodiments, the functionality of the network apparatus 120 is performed by a device that is a part of the local network 100, while in other embodiments, the functionality of the network apparatus 120 is performed by a device outside of the local network 100.
[0062] In an embodiment, taking further action to protect the one or more computer devices comprises one or more of: blocking or preventing the third-party request, blocking the third-party request if the host is blacklisted, disallowing the third-party request based on determining that the main request and the sub-request does not belong to a same company.
While the paragraphs disclose the ability to block network traffic based on the network traffic being a third party request, the specification does not specifically state that the blocking is done at the network layer as claimed. For example, it is possible to block traffic at layer 7 with an application firewall. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 2, 4-13, 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Stokes (US 2021/0136038) in view of Golan et al. (US 2021/0157874) in view of Weiser et al. (US 2013/0152153).
Regarding claim 1, Stokes disclosed:
A method comprising: detecting a plurality of connection requests relating to monitored network traffic passing through a network apparatus (Paragraph 17, the monitoring device 102 (i.e., network apparatus) monitors communications from the Internet. Such monitoring is used to identify first and third parties in the system. Paragraph 26, the monitoring device includes a receiving device 202, which receives data over one or more networks via one or more protocols. The receiving device receives data from router 104 and client devices 106 (i.e., plurality). Paragraph 28, the receiving device 202 receives data signals transmitted by computing devices (i.e., plurality)…such as data requests…or a request for a website (i.e., connection request)); 
extracting data comprising at least a host name of a host and a time of a respective connection request for each connection request of the plurality of connection requests (Paragraph 32, entries in the cache are set to expire based on the current time (i.e., time of connection request) and an expiration time. Paragraph 41, as requests are intercepted by the monitoring device 102, the destination domain (i.e., host name) for a request is converted to a different form. Paragraph 48, the monitoring device intercepts network packets included in a request for a web resource…from one or more client devices (i.e., plurality of connection requests). Paragraph 49, determining if the destination domain for the intercepted resource is in the memory cache); 
analyzing the data to determine whether the host is in an active state and an amount of time from a last connection request (Paragraph 49, the monitoring device 102 determines if the destination domain…exists in the first memory cache (i.e., active or not). If there is a matching entry, the monitoring device determines whether an expiration time has been exceeded (i.e., time from last connection)); 
in response to detecting that the host is not in the active state and the amount of time from the last connection request exceeds a predetermined new session threshold, classifying a connection request as a main request (Paragraph 49, if there is a matching destination domain in the memory (i.e., not active state), the monitoring device determines whether an expiration time has been exceeded. The expiration time for the domain is then extended (i.e., new session threshold) and the request is classified as a first party request (i.e., main request)); 
in response to detecting that the amount of time from the last connection request is below a predetermined continuous session threshold, classifying any connection requests following the main request as sub-requests (Paragraph 50, if the request is classified as a third party request as a result of the domain not being in the memory, then a second memory is checked to see if the domain already exists in a second memory. If it does exist, then the monitoring device determines an expiration time. If the expiration time has not been exceeded, the referring counter value is incremented); and 
in response to detecting, for a sub-request, that a domain of a host of the sub-request in the active state does not match a current host for a sub-request, classifying the sub-request as a third-party request (Paragraph 50, if the domain does not exist in the memory (i.e., does not match), the referrer counter is set to 0. Paragraph 51, if the referrer counter exceeds a threshold, that domain is considered a first party (i.e., main). As the referral counter is 0, it is considered a third party).
While Stokes discloses referrals (Paragraphs 50-51), Stokes did not explicitly disclose whether the host matches a domain referrer; and in response to the host not matching the domain referrer, classifying a connection request as a main request.
However, in an analogous art, Golan disclosed whether the host matches a domain referrer (Paragraph 33, in some cases, traffic may have no valid referral information when a HTTP packet requesting a target website is absent of any referrer information fields in the HTTP headers. If the HTTP packet does comprise referrer information, it may not be valid as it may be inaccurate (i.e., matching or not)); and 
in response to the host not matching the domain referrer, classifying a connection request as a main request (Paragraph 37, direct referring is the typing of the webpages URL, a session starting from a homepage, or a session starting from a bookmark. As an example, entering the homepage of a website such as cnn.com is considered a direct referral (i.e., classifying as a main request) as the user reached the website directly without being referred from another entity (i.e., no domain referrer match, as it does not exist)).
	One of ordinary skill in the art would have been motivated to combine the teachings of Stokes with Golan because the references involve determining source information of website requests, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the matching domain referrer of Golan with the teachings of Stokes in order to improve analytics, improve optimizations of content serving, and improve content allocation (Golan, Paragraph 60).
	While Stokes and Golan disclosed filtering of third party requests (Stokes, Paragraph 71), Stokes and Golan did not explicitly disclose blocking, at a network layer, the third-party request.
	However, in an analogous art, Weiser disclosed blocking, at a network layer, the third-party request (Paragraph 194, allowing network layer blocking of any malicious third party requests, regardless of source).
	One of ordinary skill in the art would have been motivated to combine the teachings of Stokes and Golan with Weiser because the references involve determining third party requests, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the blocking of third party requests of Weiser with the teachings of Stokes and Golan in order to provide enhanced service and providing advanced security (Weiser, Paragraph 140).
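The time-and-state classification recited in the claim 1 limitations quoted above, as an added illustrative sketch (not code from the application, this Office action, or any cited reference). The threshold values, the `unclassified` label, the per-device keying and the two-label domain heuristic are assumptions; the referrer check and the blocking step are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed values: the page names both thresholds but gives no numbers.
NEW_SESSION_THRESHOLD = 30.0        # silence (s) required before a new main request
CONTINUOUS_SESSION_THRESHOLD = 5.0  # largest gap (s) that still continues a session


def site_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host name.
    Assumption for the sketch; production code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class DeviceState:
    active_domain: Optional[str] = None  # None: no host is in the active state
    last_seen: Optional[float] = None    # time of the last connection request


def classify(state: DeviceState, ts: float, host: str) -> str:
    """Label one connection request and update the device's state."""
    gap = float("inf") if state.last_seen is None else ts - state.last_seen
    state.last_seen = ts

    # Claim 7 limitation: the host leaves the active state once the gap
    # exceeds the continuous session threshold.
    if gap > CONTINUOUS_SESSION_THRESHOLD:
        state.active_domain = None

    if state.active_domain is None:
        # Not active and quiet for longer than the new session threshold.
        if gap > NEW_SESSION_THRESHOLD:
            state.active_domain = site_domain(host)
            return "main"
        # Gap falls between the two thresholds: the claim text assigns no
        # class here, so the sketch reports it separately (assumption).
        return "unclassified"

    # Active state and a short gap: a sub-request of the main request.
    if site_domain(host) == state.active_domain:
        return "first-party"
    return "third-party"


def classify_stream(events: List[Tuple[str, float, str]]) -> List[Tuple[str, str, str]]:
    """events: (device id, timestamp, host name). State is kept per device."""
    states: Dict[str, DeviceState] = {}
    out = []
    for device, ts, host in events:
        label = classify(states.setdefault(device, DeviceState()), ts, host)
        out.append((device, host, label))
    return out


# Constructed sample traffic (device ids and host names are made up).
SAMPLE_EVENTS = [
    ("dev-A", 0.0, "www.news.example"),
    ("dev-A", 0.4, "cdn.news.example"),
    ("dev-A", 0.9, "ads.tracker.example"),
    ("dev-B", 1.0, "ads.tracker.example"),
    ("dev-A", 12.0, "api.news.example"),
    ("dev-A", 60.0, "shop.example"),
    ("dev-A", 60.3, "img.shop.example"),
    ("dev-A", 60.5, "www.news.example"),
]

if __name__ == "__main__":
    for row in classify_stream(SAMPLE_EVENTS):
        print(*row, sep="\t")
```

The same host name is labelled differently depending on state: `ads.tracker.example` is a third-party sub-request on one device and a main request on the other, which is why the classification cannot be reduced to a static host list.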
	Regarding claims 12, 20, the limitations of claim 1 have been addressed. Claim 12 recites one or more processors and a non-transitory computer readable medium (also in claim 20). Stokes disclosed one or more processors and a non-transitory computer readable medium (Paragraphs 3, 73). Therefore, the claims are rejected under the same rationale. 
	Regarding claims 2, 13, the limitations of claims 1, 12, have been addressed. Stokes, Golan, and Weiser disclosed:
	further comprising taking further action to protect one or more computer devices of a computer network system from a security threat caused by any sub-requests classified as third-party requests (Stokes, Paragraph 58, preventing external parties (i.e., third parties) from mining data and determining what types of devices are present in the network. This information is used to alert admins or network owners before they are compromised by an attacker).
	Regarding claims 4, 15, the limitations of claims 1, 12, have been addressed. Stokes, Golan, and Weiser disclosed:
	wherein the main request is a request to visit a hosted website (Stokes, Paragraph 37, direct referring is the typing of the webpages URL, a session starting from a homepage, or a session starting from a bookmark. As an example, entering the homepage of a website such as cnn.com is considered a direct referral (i.e., classifying as a main request)); 
the sub-request is a request for resources specified by content received in response to the main request (Stokes, Paragraph 51, the domain is stored in a first memory cache and its expiration time is extended as this indicates sufficient requests to the same domain (i.e., sub-requests) during a period of time); and 
the third-party request is a request for resources located on an external domain (Golan, Paragraph 47, supplement webpage requests are generated. Javascript code is obtained from a third party server or domain (i.e., external), which is different from content server providing the second webpage. An article from a content server is embedded with JS code of a different affiliated server (i.e., resources)).
For motivation, please refer to claim 1. 
Regarding claim 5, the limitations of claim 1 have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising determining initiation of a new connection request based on detecting a source port number increasing for a connection request (Stokes, Paragraph 48, the web request contains a source port. Golan, Paragraph 145, obtaining module continuously monitors ports of the I/O module to detect any communicated requests from user devices (i.e., new connection with source port increasing)).
For motivation, please refer to claim 1.
Regarding claim 6, the limitations of claim 1 have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising dividing the sub-requests into first-party requests and third-party requests, wherein a first-party request is a request for resources located on a same domain (Stokes, Paragraphs 50-51, requests are classified as third party as a result of the domain not being in the first memory cache or the expiration time has elapsed. The domain is stored in a first memory cache and its expiration time is extended as this indicates sufficient requests to the same domain (i.e., sub-requests) during a period of time to establish that domain as first party).
Regarding claims 7, 16, the limitations of claim 1 have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising setting a state of host as not being in the active state for any connection requests for which the amount of time from the last connection request exceeds the predetermined continuous session threshold, wherein in the active state the main request is completed and the sub-requests are ongoing (Stokes, Paragraph 49, the monitoring device 102 determines if the destination domain…exists in the first memory cache (i.e., active or not). If there is a matching entry, the monitoring device determines whether an expiration time has been exceeded (i.e., time from last connection). If there is a matching destination domain in the memory (i.e., not active state) the monitoring device determines whether an expiration time has been exceeded. Paragraph 51, the domain is stored in a first memory cache and its expiration time is extended as this indicates sufficient requests to the same domain (i.e., sub-requests) during a period of time (i.e., ongoing) to establish that domain as first party).
Regarding claim 8, the limitations of claim 1 have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising monitoring, for one or more computer devices of a computer network system, a state variable for each computer device including a last port number and a time a last request was stored (Stokes, Paragraph 32, determining an expiration time and a current time (i.e., last request). Paragraph 66, the specified endpoint enforced by the network monitoring device. The endpoint includes IP address, a port, and a URL).
Regarding claims 9, 17, the limitations of claims 1, 12, have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising using one or more machine learning models for time-state domain correlation (Golan, Paragraph 55, classifying traffic using statistical learning, data-derived methods, supervised learning, and/or neural network classifiers).
For motivation, please refer to claim 1.
Regarding claims 10, 18, the limitations of claims 1, 12, have been addressed. Stokes, Golan, and Weiser disclosed:
further comprising decreasing an amount of noise from the monitored network traffic, wherein sources of the noise comprise one or more of the following: communications initiated by operating system services, communications by user-installed software and applications on household devices, multiple browsers or browser tabs communications, concurrent web page accesses, Online Certificate Status Protocol (OCSP) queries (Stokes, Paragraph 51, indicating sufficient requests to the same domain during a period of time (i.e., concurrent web page accesses) to establish that domain as first party. The domain may then be removed from the second memory cache (i.e., decreasing noise)).
Regarding claims 11, 19, the limitations of claims 1, 12, have been addressed. Stokes, Golan, and Weiser disclosed:
wherein the data further comprises at least one of: a communication timestamp, a communication protocol, a Media Access Control (MAC) address of a device, a source port (Stokes, Paragraph 48, the web request includes information about the source of the request, such as a source port), a complete domain name for the host, a server name indication, a Transmission Port Protocol (TCP) window size, a total length of a packet, and a referrer.

Claims 3, 14, are rejected under 35 U.S.C. 103 as being unpatentable over Stokes (US 2021/0136038) in view of Golan et al. (US 2021/0157874), Weiser et al. (US 2013/0152153), and Croll et al. (US 2014/0337991).
Regarding claims 3, 14, the limitations of claims 2, 13, have been addressed. Stokes, Golan, and Weiser did not explicitly disclose:
	wherein taking further action to protect the one or more computer devices comprises disallowing the sub-request based on determining that the main request and the sub-request do not belong to a same company. 
	However, in an analogous art, Croll disclosed wherein taking further action to protect the one or more computer devices comprises disallowing the sub-request based on determining that the main request and the sub-request do not belong to a same company (Paragraph 89, monitoring a history of third party requests (i.e., sub-requests) for resources of third party domains (i.e., second company). A third party request may be automatically invoked via a loaded resource of a first party domain (i.e., first company) transparently to a user of a device. A first party request (i.e., main request) for loading the resource of the first party domain may be explicitly specified by the user. Relationships are indicated between a first party domain and blacklisted third party domains. Paragraph 90, blocking communications or network connections to websites that are blacklisted. Allowing websites as first party websites but completely blocking communications with websites as third party websites. Paragraph 91, the webpage may be presented with the third party website blocked).
	One of ordinary skill in the art would have been motivated to combine the teachings of Stokes, Golan, and Weiser with Croll because the references involve determining third party requests, and as such, are within the same environment.  
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the disallowing of third party requests of Croll with the teachings of Stokes, Golan, and Weiser in order to optimize the balance between privacy and compatibility of websites (Croll, Paragraph 92).
Conclusion
Examiner’s Note: In the case of amending the claimed invention, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and also to verify and ascertain the metes and bounds of the claimed invention. 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Steven C Nguyen whose telephone number is (571)270-5663. The examiner can normally be reached M-F 7AM - 3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christopher Parry can be reached on 571-272-8328. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.C.N/Examiner, Art Unit 2451

/Chris Parry/Supervisory Patent Examiner, Art Unit 2451