Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 05/10/2022 has been entered.


Response to Arguments
In response to communication filed on 05/10/2022, applicant amends claims 1, 7-10, 12-21, 25, 27-32, 34, and 64.  The following claims, 1-10, 12-23, 25-34, 36-38, 43, 45, 55, 63-64, 67-68 are presented for examination.   

Applicant’s arguments, see Pages 11-14, filed May 10, 2022, with respect to the rejection(s) of claim(s) 1, 31, 64 under 35 USC 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference, MacLeod et al. (US2013/0239166 A1, publish date 09/12/2013).  Examiner withdraws Berlin (US2006/0184792 A1).


Upon further consideration and based on claim amendments, a new ground of rejection of claims 1-10, 12-23, 25-34, 36-38, 43, 45, 55, 63-64, 67-68 is set forth below.  




Information Disclosure Statement 
The information disclosure statement filed 05/12/2022 complies with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 and the information referred to therein has been considered as to the merits.  


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


Claims 1-6, 8-15, 22-23, 25-30, 34, 36-38, 43, 45, 55, 63 are rejected under 35 U.S.C. 103 as being unpatentable over John et al. (US2006/0236370 A1, publish date 10/19/2006) (on Applicants IDS filed 02/10/2020) in view of MacLeod et al. (US2013/0239166 A1, publish date 09/12/2013).


Claims 1, 34:
With respect to claims 1, 34, John et al. discloses a system/method (a computer system for enforcing a security policy defined for a networked environment, Figure 1), comprising: 
a network interface (network interface 34, 0027); and 
one or more processors (a packet processing engine 32, 0027), configured to cooperatively perform a process that includes:
receiving, via the network interface, a request originating from a request- origin application (a client application, such as client application 62a, sending a SYN request to a server application, 0037) and directed to a request-destination application (to a server application, such as server application 64a, 0037) that runs on a request-destination device (The destination address in a SYN packet is typically the network address assigned to another computing device, such as device 68, hosting a server application, such as server application 64a, 0038), 
subsequently to receiving the request, communicating the request to the request-destination device (an ACK response may be used to establish a second pathway through which the client and server applications can exchange data if the server application uses a destination port ID that is different from the source port ID received from the SYN packet in the ACK packet's destination port ID field, 0045), 
subsequently to communicating the request to the request-destination device, receiving a response (an "ACK packet", such as ACK packet 66b in FIG. 1, 0045), from the request-destination application, to the request (an ACK response that 
corresponds to the initial SYN packet, 0042), 
while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), identifying information contained in at least one log entry ("log entries", 0123) that was recorded by the request-destination application responsively to the request (session information, 0145), and 
performing a function in response to the information (A security policy defined for the network environment is enforced 206 by using the session information and the object attribute(s) to determine whether the packet violates the security policy, 0147) and in accordance with a security rule (collector 6 reviews a security policy defined for the network environment by reviewing the session information and the object attribute(s) to determine whether the packet violates the security policy, 0140) (security policy may include a set of security criteria defined for at least network entity defined in network environment 8, 0141).

John et al. does not disclose identifying, from among multiple log entries recorded by the request- destination application, at least one log entry as having been recorded responsively to the request, while holding the response, identifying, in the at least one log entry, information associated with the request or with the response as claimed. 

MacLeod et al. teaches identifying, from among multiple log entries recorded by the request- destination application, at least one log entry as having been recorded responsively to the request, while holding the response, identifying, in the at least one log entry, information associated with the request or with the response (computing device 300 may receive an action request from a user. For example, on-call engineer 140 may attempt to run a debugging trace on a process associated with software service 120(A). To protect the privacy of user data 122(A), such access may not be always available to operators and/or engineers associated with server 110. Such users may be limited to basic access permissions, such as viewing log data and/or configuration information, and access to user data 122(A)-(C) is prohibited, 0016) (computing device 300 may create a log entry of the action request. The log entry may comprise whether the request resulted in automatic approval of the permissions elevation at stage 225 and/or whether the request was sent for administrator approval at stage 227. The log entry may further comprise a record of data accessed by the requesting user while the elevated permissions were in force, 0022) (In response to determining that the requested action requires the elevated permission, method 200 may advance to stage 220 where computing device 300 may determine whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, 0018) (If the action request is determined not to comply with the permission policies, method 200 may advance to stage 227 where computing device 300 may forward the action request to at least one approval user, 0020) (may advance to stage 230 where computing device 300 may perform the requested action, 0021) (Figure 1, 2).


John et al. and MacLeod et al. are analogous art because they are from the same field of endeavor of Network Traffic/applications.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use MacLeod et al. in John et al. for identifying, from among multiple log entries recorded by the request- destination application, at least one log entry as having been recorded responsively to the request, while holding the response, identifying, in the at least one log entry, information associated with the request or with the response as claimed for security and privacy and not to segregate access. (See MacLeod et al. 0002)

Claim 2:
With respect to claim 2, John et al. discloses wherein the request includes a request to access a resource (a client application, such as client application 62a, initiates an application session by sending a SYN request to a server application, such as server application 64a, 0037).

Claims 3, 36:
With respect to claims 3, 36, John et al. discloses wherein the request includes an authentication request (packet processing engine 32 to identify authentication exchange packets of the required type, such as a request or response type, 0101).

Claims 4, 37:
With respect to claims 4, 37, John et al. discloses wherein the authentication request uses a Kerberos protocol ("Kerberos Protocol", 0059, 0066) and is encrypted using Flexible Authentication Secure Tunneling (FAST) (a temporary encryption key, called a "session key".  The authentication service 25 encrypts the contents of the authentication exchange response packet using the initiator's secret-key., After receiving the authentication exchange response packet, the initiator decrypts it by using the initiator's secret key, enabling the initiator to obtain the session key., 0109), and wherein the request-destination application includes a Kerberos Key Distribution Center (KDC) (The Kerberos protocol also defines the method of exchanging the secret-key, which is sometimes referred to as an "authentication exchange" process, 0108).

Claims 5, 38:
With respect to claims 5, 38, John et al. discloses wherein the authentication request uses a Netlogon protocol (pertaining to network authentication-related activities that occur, such as user logon and logoff events, on network environment 8, 0123), wherein the request-destination device includes a Domain Controller in a Windows domain (a server providing DNS (Domain Name System) services may be accessed or used to provide a name service.  In addition, WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125), and wherein the request-destination application includes Active Directory Domain Services (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Claim 6:
With respect to claim 6, John et al. discloses wherein the request includes a request to verify that a user is authorized to access a resource (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 
16-n, 0057).

Claim 8:
With respect to claim 8, John et al. discloses wherein receiving the request includes receiving from the request-destination device (an ACK response may be used to establish a second pathway through which the client and server applications can exchange data if the server application uses a destination port ID that is different from the source port ID received from the SYN packet in the ACK packet's destination port ID field, 0045).

Claim 9:
With respect to claim 9, John et al. discloses wherein the request-origin application runs on a request-origin device, and wherein receiving the request includes receiving the request from the request-origin device (the source address in a SYN packet is typically the network address assigned to a computing device, such as device 16-1, that hosts a client application, such as client application 62a, 0038, Figure 1).

Claims 10, 43:
With respect to claims 10, 43, John et al. discloses wherein a message selected from the group of messages (messages that were encrypted using either the initiator's secret-key or the target network entity's secret-key, 0110) consisting of: 
the request, and the response is encrypted, and wherein preforming the function includes performing the function without first decrypting the message (a temporary encryption key, called a "session key".  The authentication service 25 encrypts the contents of the authentication exchange response packet using the initiator's secret-key, After receiving the authentication exchange response packet, the initiator decrypts it by using the initiator's secret key, enabling the initiator to obtain the session key., 0109), and wherein the request-destination application includes a Kerberos Key Distribution Center (KDC) (The Kerberos protocol also defines the method of exchanging the secret-key, which is sometimes referred to as an "authentication exchange" process, 0108).

Claims 12, 45:
With respect to claims 12, 45, John et al. discloses wherein performing the function includes, while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), requesting  authentication from a user who submitted the request (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 16-n, 0057).

Claim 13:
With respect to claim 13, John et al. discloses wherein performing the function includes, while holding the response (may be modified to include storing 208 the session information and/or receiving additional packets from the computer network instead of ending, After the security policy is enforced 206, the method flow returns to receiving 200 another packet instead of ending, 0148), requesting approval of the request from an individual other than a user who submitted the request (device 16-1 through 16-n may also be configured to respond to a query seeking the log-on status of users having a user account on the client, 0069).

Claim 14:
With respect to claim 14, John et al. discloses wherein performing the function includes preventing the response from being communicated to the request-origin application (to determine whether the packet violates the security policy, causes monitor 4 to either drop the packet or return the packet to the networked environment or any combination of the foregoing, 0140) (a set of actions that should be taken if it is found that a packet violates the security policy, actions in the security policy may include to reporting, dropping or both the packet from which the session information was generated, 0141).

Claim 15:
With respect to claim 15, John et al. discloses wherein the request belongs to a communication session, and wherein performing the function further includes causing the communication session to terminate (The application session may be terminated by the client application, 0048) (to determine whether the packet violates the security policy, causes monitor 4 to either drop the packet or return the packet to the networked environment or any combination of the foregoing, 0140) (a set of actions that should be taken if it is found that a packet violates the security policy, actions in the security policy may include to reporting, dropping or both the packet from which the session information was generated, 0141).

Claims 22, 55:
With respect to claims 22, 55, John et al. discloses wherein the information includes an identity of a user who submitted the request (authenticated real users, such as real users 18-1 through 18-n, who have logged-on to devices 16-1 through 
16-n, 0057).

Claim 23:
With respect to claim 23, John et al. discloses wherein the log entry (obtains event log 148, 0123) includes a Windows Event Log entry (WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125) (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Claim 25:
With respect to claim 25, John et al. discloses wherein the process further includes, prior to communicating the request to the request-destination device, recording metadata that are associated with the request, and identifying the log entry from among the multiple log entries includes identifying the log entry from among the multiple log entries by identifying the recorded metadata in the log entry (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claim 26:
With respect to claim 26, John et al. discloses wherein the metadata include a session identifier (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claim 27:
With respect to claim 27, John et al. discloses wherein the process  further includes, prior to communicating the request to the request-destination device, modifying the request to include a particular marker, and wherein identifying the log entry from among the multiple log entries includes identifying the log entry from among the multiple log entries by identifying the particular marker in the log entry (Obtaining event log 148 enables control software 94 to extract at least one category item that can be used for associating packets from network traffic traversing on networked environment 8, 0124).

Claim 28:
With respect to claim 28, John et al. discloses wherein identifying the log entry from among the multiple log entries includes identifying the log entry from among the multiple log entries by identifying, in the log entry, an identifier of a communication interface via which the request was communicated to the request-destination device (Obtaining event log 148, extract a user name and a network address from event log 148.  Control software 94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time stamp extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claim 29:
With respect to claim 29, John et al. discloses wherein identifying the log entry from among the multiple log entries includes identifying the log entry from among the multiple log entries by identifying a correspondence between a log-entry time of the log entry and a request-communication time at which the request was communicated to the request- destination device (Obtaining event log 148 enables control software 94 to extract at least one category item that can be used for associating packets from network traffic traversing on networked environment 8.  For example, control software 94 may extract a user name and a network address from event log 148.  Control software 
94 may also obtain a time stamp, such as time stamp 158, associated with the user name and network address.  The user name, network address and time tamp 
extracted from the same log entry are hereinafter referred to as an "extracted user name", "log extracted network address", and "extracted time stamp", 0124).

Claims 30, 63:
With respect to claim 29, John et al. discloses wherein the request is a first request (a client application, such as client application 62a, sending a SYN request to a server application, 0037), and wherein process further includes: subsequently to communicating the first request, receiving a second request directed to the request-destination device, and refraining from communicating the second request to the request-destination device before the log entry is entered (The application session may be terminated by the client application when the client sends a FIN request, which includes the client and server applications' control connections used during the application session subject to the FIN request, 0048).



Claims 31-33, 64 are rejected under 35 U.S.C. 103 as being unpatentable over Narayanaswamy et al. (US2012/0113857 A1, publish date 05/10/2012) in view of John et al. (US2006/0236370 A1, publish date 10/19/2006). (on Applicants IDS filed 02/10/2020) further in view of MacLeod et al. (US2013/0239166 A1, publish date 09/12/2013).

Claims 31, 64:
With respect to claims 31, 64, Narayanaswamy et al. discloses a system/method (environment 100, Figure 1), comprising: 
a network interface (a communication interface 260, 0022); and 
one or more processors (a processor 220, 0022), configured to cooperatively perform a process that includes: 
receiving, from a security application (Traffic analyzer 310 may receive network traffic in the form of packets, 0029) (Figure 3, 310), a request originating from a request- origin application (network traffic transmitted in network 140, such as data transmitted from client 110, 0039) (client 110) and directed to a request-destination application (server 20, traffic analyzer 310 may receive a packet from a client, such as client 110, for transmission to a server, such as server 120, 0047), 
subsequently to receiving the request, communicating the request to the request-destination application (traffic analyzer 310 may process an initial packet, tentatively identify the packet as being associated with a particular traffic flow, store a copy of the packet, and transmit the packet towards its destination, 0052), 
subsequently to communicating the request to the request-destination application, receiving a response, from the request-destination application, to the request (When traffic analyzer 310 receives a response packet to the initial packet, as an initial STC packet, traffic analyzer 310 may confirm the tentative identification of the traffic flow, 0052), and 
communicating the response, and at least one log entry recorded (may include storing, as entries in a table, information identifying a number of traffic flows and a corresponding number of port numbers, where one of the entries stores information identifying one of the traffic flows and a corresponding one of the port numbers, 0003) by the request-destination application responsively to the request, to the security application (Assume that the traffic analyzer determines, based on the initial packet (i.e., HTTP GET packet) and the response packet (i.e., the HTTP 200 OK packet), that the packets are HTTP packets associated with a HTTP traffic flow. The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow, 0059), without communicating the response to the request-origin application (The traffic analyzer may also transmit the response packet to the Client, 0059).

John et al. teaches at least one log entry (obtains event log 148, 0123) and in accordance with a security rule (collector 6 reviews a security policy defined for the network environment by reviewing the session information and the object attribute(s) to determine whether the packet violates the security policy, 0140) (security policy may include a set of security criteria defined for at least network entity defined in network environment 8, 0141).

Narayanaswamy et al. and John et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use John et al. in Narayanaswamy et al. for at least one log entry as claimed for purposes of providing network security that accurately logs, blocks or both the occurrence of selected activity on a networked environment, reducing the likelihood of blocking or reporting permissible types of activity or data and therefore maximizing the protection of network traffic.

Neither Narayanaswamy et al. nor John et al. disclose receiving the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicating the response to the request-origin application as claimed. 

MacLeod et al. teaches receiving the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicating the response to the request-origin application (computing device 300 may receive an action request from a user. For example, on-call engineer 140 may attempt to run a debugging trace on a process associated with software service 120(A). To protect the privacy of user data 122(A), such access may not be always available to operators and/or engineers associated with server 110. Such users may be limited to basic access permissions, such as viewing log data and/or configuration information, and access to user data 122(A)-(C) is prohibited, 0016) (computing device 300 may create a log entry of the action request. The log entry may comprise whether the request resulted in automatic approval of the permissions elevation at stage 225 and/or whether the request was sent for administrator approval at stage 227. The log entry may further comprise a record of data accessed by the requesting user while the elevated permissions were in force, 0022) (Method 200 may then advance to stage 215 where computing device 300 may determine whether the requested action requires an elevated permission. 0017) (In response to determining that the requested action requires the elevated permission, method 200 may advance to stage 220 where computing device 300 may determine whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, 0018) (then advance to stage 225 where computing device 300 may grant the elevated permission to the user, in order to allow the requested action to be performed, 0019) (Figure 1, 2).


John et al. and MacLeod et al. are analogous art because they are from the same field of endeavor of Network Traffic/applications.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use MacLeod et al. in John et al. for receiving the response from the security application, the response including an alteration made by the security application responsively to information in the log entry, and in response to receiving the response from the security application, communicating the response to the request-origin application as claimed for security and privacy and not to segregate access. (See MacLeod et al. 0002)

Claim 32:
With respect to claim 32, Narayanaswamy et al. discloses wherein the process further includes, prior to receiving the request from the security application: receiving the request from the request-origin application, and forwarding the request to the security application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).

Claim 33:
With respect to claim 33, the combination of Narayanaswamy et al., John et al., and MacLeod et al. discloses the limitations of claim 31, as addressed. 

John et al. discloses wherein the authentication request uses a Netlogon protocol (pertaining to network authentication-related activities that occur, such as user logon and logoff events, on network environment 8, 0123), wherein the request-destination device includes a Domain Controller in a Windows domain (a server providing DNS (Domain Name System) services may be accessed or used to provide a name service.  In addition, WINS (Windows Internet Name service), or other name services may be used.  DNS and WINS are commonly known, 0114) (using a Microsoft brand operating system, such as Microsoft Windows Server 2003, 0125), and wherein the request-destination application includes Active Directory Domain Services (networked environment 8 may provide access to a server, such as server 10, running a Windows.RTM.  brand operating system, such as Windows.RTM.  2003 Server, which typically includes Active Directory.  Active Directory is a LDAP-based directory service, 0057).

Narayanaswamy et al. and John et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining Narayanaswamy et al. and John et al. is recited in claim 31.  


Claims 7, 16-21 are rejected under 35 U.S.C. 103 as being unpatentable over John et al. (US2006/0236370 A1, publish date 10/19/2006) in view of MacLeod et al. (US2013/0239166 A1, publish date 09/12/2013) further in view of Narayanaswamy et al. (US2012/0113857 A1, publish date 05/10/2012). (on Applicants IDS filed 02/10/2020)

Claim 7:
With respect to claim 7, the combination of John et al. and MacLeod et al. discloses the limitations of claim 1, as addressed. 

John et al. does not disclose wherein the process further includes, subsequently to communicating the request to the request-destination device, receiving the log entries from the request-destination device as claimed. 

MacLeod et al. teaches receiving the log entries from the request-destination device (computing device 300 may create a log entry of the action request. The log entry may comprise whether the request resulted in automatic approval of the permissions elevation at stage 225 and/or whether the request was sent for administrator approval at stage 227. The log entry may further comprise a record of data accessed by the requesting user while the elevated permissions were in force, 0022). 

John et al. and MacLeod et al. are analogous art because they are from the same field of endeavor of Network Traffic/applications.

The motivation for combining John et al. and MacLeod et al. is recited in claim 1.

Narayanaswamy et al. discloses wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device (Assume that the traffic analyzer determines, based on the initial packet (i.e., HTTP GET packet) and the response packet (i.e., the HTTP 200 OK packet), that the packets are HTTP packets associated with a HTTP traffic flow.  The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow, 0059).

John et al., MacLeod et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Narayanaswamy et al. in John et al. for wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device as claimed for purposes of not monitoring traffic passively and monitoring appliance may gather statistics, record activity, and/or analyze the packet for security purposes and therefore maximizing the protection of network traffic.

Claim 16:
With respect to claim 16, John et al. and MacLeod et al. discloses the limitations of claim 1, as addressed. 

John et al. does not disclose wherein the process further includes, subsequently to identifying the information, causing the response to be communicated to the request-origin application as claimed. 

However, Narayanaswamy et al. discloses wherein the process further includes, subsequently to identifying the information, causing the response to be communicated to the request-origin application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).

John et al., MacLeod et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Narayanaswamy et al. in John et al. for wherein the processor is further configured to, subsequently to communicating the request to the request-destination device, receive the at least one log entry from the request-destination device as claimed for purposes of not monitoring traffic passively and monitoring appliance may gather statistics, record activity, and/or analyze the packet for security purposes and therefore maximizing the protection of network traffic.

Claim 17:
With respect to claim 17, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein causing the response to be communicated to the request-origin application includes communicating the response to the request-destination device for forwarding to the request-origin application (The traffic analyzer may receive the packet from the server and process the Packet, traffic analyzer may send the HTTP packets to the traffic processor, along with information identifying these packets as associated with a HTTP traffic flow.  The traffic analyzer may also transmit the response packet to the client. 0059).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Claim 18:
With respect to claim 18, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein the request-origin application runs on a request-origin device, and wherein causing the response to be communicated to the request-origin application includes communicating the response to the request-origin device (Client 110 may include a device, such as a personal computer, a laptop computer, a personal digital assistant (PDA), a wireless telephone, or another type of computation or communication device.  Client 110 may communicate with server 120 over network 140 via wired and/or wireless connections, 0017).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Claim 19:
With respect to claim 19, the combination of John et al., MacLeod et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

MacLeod et al. teaches log entries (computing device 300 may create a log entry of the action request. The log entry may comprise whether the request resulted in automatic approval of the permissions elevation at stage 225 and/or whether the request was sent for administrator approval at stage 227. The log entry may further comprise a record of data accessed by the requesting user while the elevated permissions were in force, 0022) wherein performing the function includes, prior to causing the response to be communicated to the request-origin application, altering the response (Method 200 may then advance to stage 215 where computing device 300 may determine whether the requested action requires an elevated permission. 0017) (In response to determining that the requested action requires the elevated permission, method 200 may advance to stage 220 where computing device 300 may determine whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, 0018) (then advance to stage 225 where computing device 300 may grant the elevated permission to the user, in order to allow the requested action to be performed, 0019) (Figure 1, 2).

John et al., MacLeod et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al., MacLeod et al. and Narayanaswamy et al. is recited in claim 1.

Claim 20:
With respect to claim 20, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

MacLeod et al. teaches log entries (computing device 300 may create a log entry of the action request. The log entry may comprise whether the request resulted in automatic approval of the permissions elevation at stage 225 and/or whether the request was sent for administrator approval at stage 227. The log entry may further comprise a record of data accessed by the requesting user while the elevated permissions were in force, 0022), wherein the response initially indicates that the request was approved, and altering the response includes altering the response to indicate that the request was denied (Method 200 may then advance to stage 215 where computing device 300 may determine whether the requested action requires an elevated permission. 0017) (In response to determining that the requested action requires the elevated permission, method 200 may advance to stage 220 where computing device 300 may determine whether the action request complies with at least one of a plurality of permission policies associated with a lockbox service, 0018) (then advance to stage 225 where computing device 300 may grant the elevated permission to the user, in order to allow the requested action to be performed, 0019) (Revoke access, Figure 2, 245)  (Figure 1, 2).

John et al., MacLeod et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al., MacLeod et al. and Narayanaswamy et al. is recited in claim 1.

Claim 21:
With respect to claim 21, the combination of John et al. and Narayanaswamy et al. discloses the limitations of claim 16, as addressed. 

Narayanaswamy et al. discloses wherein the response indicates that the request was approved and allows the request- origin application to access a resource (after an application session is established, the client and server applications may then conduct their application session by sending packets to each other as required, 0047), and wherein performing the function includes, subsequently to causing the response to be communicated to the request-origin application, terminating access of the request-origin application to the resource after a predetermined amount of time (The application session may be terminated by the client application when the client sends a FIN request, which includes the client and server applications' control connections used during the application session subject to the FIN request, 0048).

John et al. and Narayanaswamy et al. are analogous art because they are from the same field of endeavor of Network Traffic.

The motivation for combining John et al. and Narayanaswamy et al. is recited in claim 16.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure, (see PTO-Form 892)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HELAI SALEHI whose telephone number is (571)270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm., every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433