DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 6/30/2022 and 7/12/2022 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, initialed and dated copies of Applicant’s IDS forms 1449 filed as stated above are attached to the instant Office Action.
Applicant is advised that the cited reference submitted 6/30/2022, US patent application US20120290229A1 to Cavallini, et al., has been struck out by the examiner. It has been placed in the application file, but the information referred to therein has not been considered as to the merits since the reference appears to be irrelevant to the claimed invention. Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining compliance with the requirements based on the time of filing the statement, including all certification requirements for statements under 37 CFR 1.97(e). See MPEP § 609.05(a).
Response to Amendment
This Office Action is in response to the amendment filed 6/30/2022.
Claims 1, 3, 8-9, 11, 16-17, 19, 24, 26 are currently amended. Claims 21, 23, 27-28, 30 are currently cancelled. Claims 31-35 are newly added claims. Claims 1-20, 22, 24-26, 29, 31-35 are pending and considered.
Response to Argument
Applicant’s arguments, see pages 15-25 of the Remarks filed 6/30/2022, with respect to the claims rejected over the prior art of record (Mahadik, Wang, Moore, and Dubrovsky), have been fully considered and are persuasive, further in view of the examiner’s amendments below. Upon the examiner’s updated search on the features recited in the claims, the examiner believes the case is in condition for allowance. Therefore, the rejection under 35 U.S.C. 103 of claims 1-30 has been withdrawn.
Allowable Subject Matter
Claims 1-20, 22, 24-26, 29, 31-35 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to packet filtering of encrypted communications based on rules of network-threat indicators by correlating the encrypted packet data with unencrypted packet data, in particular, the unencrypted packet data being from packet headers of the encrypted packets and the unencrypted packet data that is stored as log data from previous communication records.
Claim 1 (similarly claim 17) identifies the uniquely distinct features “receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network [Application No. 17/482,910; Docket No.: 007742.00251\US; Response to OA dtd 05.13.2022 and AA dtd 06.13.2022] comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; receiving one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets”.
Claim 9 (similarly claim 24) identifies the uniquely distinct features “receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name; determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; receiving one or more encrypted packets as part of an encrypted communication session associated with the initiation of the TCP connection subsequent to receiving the one or more unencrypted packets; correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets”.
The prior art, Mahadik et al. (US2014008966A1), discloses a method for selectively filtering internet traffic. In particular, Mahadik discloses that for SSL/HTTPS-based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in the unencrypted scenario. The method may additionally include detecting an encryption handshake when web proxying, and a domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted. If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete and then forces additional encrypted traffic (HTTPS) to be blocked, forcing unencrypted access.
The prior art, Wang et al. (US20130312054A1), discloses a method for intercepting an initial message in a handshaking procedure for a secure communication between a first device and a second device at a proxy device. In particular, Wang teaches filtering traffic based on service name identification from the TLS handshake in transport layer security traffic control.
The prior art, Graham-Cumming et al. (US20170171232A1), discloses a method for identifying a hostname in a network address for a secure session at a destination network address. In particular, Graham-Cumming teaches identifying the IP address in the TCP SYN packet of a TCP three-way handshake to determine traffic to be blocked based on the IP address in the TCP SYN packet.
The prior art, Moore (US20140283004A1), discloses a method of filtering network data transfers of multiple packets. In particular, Moore teaches that a determination may be made that a portion of the packets have packet header field values corresponding to a packet filtering rule, and responsive to such a determination, an operator specified by the packet filtering rule may be applied to the portion of packets having the packet header field values corresponding to the packet filtering rule, and responsive to such determination, at least one packet transformation function specified by the operator may be applied to the one or more of the portion of the packets.
The prior art, Dubrovsky et al. (US20140373156A1), discloses a method for notification of reassembly-free file scanning. In particular, Dubrovsky teaches determining whether a request to access a server should be terminated, based on an IP address from a failed request table kept as logged data, as a way of filtering the access request.
The prior art, either singly or in combination, fails to anticipate or render obvious the claimed limitations of claim 1 (similarly claim 17) of “receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; receiving one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets”.
The prior art, either singly or in combination, fails to anticipate or render obvious the claimed limitations of claim 9 (similarly claim 24) of “receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name; determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; receiving one or more encrypted packets as part of an encrypted communication session associated with the initiation of the TCP connection subsequent to receiving the one or more unencrypted packets; correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets”.
Regarding the dependent claims: dependent claims 2-8, 31-33, 10-16, 34-35, 18-20, 22, 25-26, 29 are also allowed for incorporating the allowable feature recited in the respective independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Examiner’s Amendment
The application has been amended as follows: 
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Scott Kelly (202-824-3158) on 8/5/2022 and further communication (See PTO-413 interview summary).

PLEASE AMEND THE CLAIMS AS FOLLOWS:
1. 	(Previously Presented) A packet-filtering system comprising: 
one or more processors; and 
memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 
receive one or more unencrypted packets; 
analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; 
determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 
based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: 
an indication of the domain name associated with the potential network threat, and 
a network address corresponding to the host domain name; 
receive one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; 
correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 
determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 
in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule; and 
send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.  

2. 	(Previously Presented) The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: 
determine, using a Domain Name System (DNS) query, the network address corresponding to the host domain name.  

3. 	(Previously Presented) The packet-filtering system of claim 1, wherein the packet-filtering system does not comprise the proxy.  

4. 	(Previously Presented) The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets further based on: 
a first time stamp associated with the one or more encrypted packets, and 
a second time stamp associated with the first unencrypted data.  

5. 	(Previously Presented) The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets further based on a port number associated with the first unencrypted data.  

6. 	(Previously Presented) The packet-filtering system of claim 1, wherein the network address and the IP address are the same.  

7. 	(Previously Presented) The packet-filtering system of claim 1, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the one or more encrypted packets, correlate the one or more encrypted packets with the one or more unencrypted packets, determine that the one or more encrypted packets correspond to the domain name, and filter the one or more encrypted packets without decrypting the one or more encrypted packets. 

8. 	(Previously Presented) The packet-filtering system of claim 1, wherein the proxy is configured to prevent further transmission of the one or more encrypted packets based on the first rule.

9. 	(Previously Presented) A packet-filtering system comprising: 
one or more processors; and 
memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 
receive one or more unencrypted packets; 
analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name; 
determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 
based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: 
an indication of the domain name associated with the potential network threat, and 
a network address corresponding to the host domain name; 
receive one or more encrypted packets as part of an encrypted communication session associated with the initiation of the TCP connection subsequent to receiving the one or more unencrypted packets; 
correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 
determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 
in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule; and 
send at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.  

10. 	(Previously Presented) The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: 
determine, using a Domain Name System (DNS), the network address corresponding to the host domain name.  

11. 	(Previously Presented) The packet-filtering system of claim 9, wherein the packet-filtering system does not comprise the proxy.  

12. 	(Previously Presented) The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets further based on: 
a first time stamp associated with the one or more encrypted packets, and 
a second time stamp associated with the first unencrypted data.  

13. 	(Previously Presented) The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets further based on a port number associated with the first unencrypted data.  

14. 	(Previously Presented) The packet-filtering system of claim 9, wherein the network address and the IP address are the same.  

15. (Previously Presented) The packet-filtering system of claim 9, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the one or more encrypted packets, correlate the one or more encrypted packets with the one or more unencrypted packets, determine that the one or more encrypted packets correspond to the domain name, and filter the one or more encrypted packets without decrypting the one or more encrypted packets. 

16. 	(Previously Presented) The packet-filtering system of claim 9, wherein the proxy is configured to prevent further transmission of the one or more encrypted packets based on the first rule.  

17. 	(Previously Presented) A method comprising: 
receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 
receiving one or more unencrypted packets; 
analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; 
determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 
based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: 
an indication of the domain name associated with the potential network threat, and 
a network address corresponding to the host domain name; 
receiving one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; 
correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 
determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 
in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and 
sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.  

18. 	(Previously Presented) The method of claim 17, further comprising: 
determining, using a Domain Name System (DNS) query, the network address corresponding to the host domain name.  

19. 	(Previously Presented) The method of claim 17, wherein the packet-filtering system does not comprise the proxy.  

20. 	(Previously Presented) The method of claim 17, wherein correlating the one or more encrypted packets with the one or more unencrypted packets is further based on: 
a first time stamp associated with the one or more encrypted packets, and 
a second time stamp associated with the first unencrypted data.  

21. 	(Cancelled).  

22. 	(Previously Presented) The method of claim 17, wherein receiving the one or more encrypted packets, correlating the one or more encrypted packets with the one or more unencrypted packets, determining that the one or more encrypted packets correspond to the domain name, and filtering the one or more encrypted packets are performed without decrypting the one or more encrypted packets.  

23. (Cancelled).  

24. 	(Previously Presented) A method comprising: 
receiving, by a packet-filtering system, a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 
receiving one or more unencrypted packets; 
analyzing first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name; 
determining that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 
based on determining that the one or more unencrypted packets correspond to the first rule, generating a log entry comprising: 
an indication of the domain name associated with the potential network threat, and 
a network address corresponding to the host domain name; 
receiving one or more encrypted packets as part of an encrypted communication session associated with the initiation of the TCP connection subsequent to receiving the one or more unencrypted packets; 
correlating, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 
determining, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 
in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filtering, by the packet-filtering system, the one or more encrypted packets based on the first rule; and 
sending at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.  

25. 	(Previously Presented) The method of claim 24, further comprising: 
determining, using a Domain Name System (DNS), the network address.  

26. 	(Previously Presented) The method of claim 24, wherein the packet-filtering system does not comprise the proxy.  

27. 	(Cancelled).  
28. 	(Cancelled).  

29. 	(Previously Presented) The method of claim 24, wherein receiving the one or more encrypted packets, correlating the one or more encrypted packets with the one or more unencrypted packets, determining that the one or more encrypted packets correspond to the domain name, and filtering the one or more encrypted packets are performed without decrypting the one or more encrypted packets.  

30. 	(Cancelled).  

31. 	(Previously Presented) The packet-filtering system of claim 1, wherein the action comprises decrypting, by the proxy, the at least the portion of the filtered one or more encrypted packets based on the TLS handshake.  

32. 	(Previously Presented) The packet-filtering system of claim 31, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to: 
send, to the proxy, the TLS handshake.  

33. 	(Previously Presented) The packet-filtering system of claim 1, wherein the action comprises dropping, by the proxy, the at least the portion of the filtered one or more encrypted packets.  

34. 	(Currently Amended) The packet-filtering system of claim 9, wherein the action comprises decrypting, by the proxy, the at least the portion of the filtered one or more encrypted packets 

35. 	(Previously Presented) The packet-filtering system of claim 9, wherein the action comprises dropping, by the proxy, the at least the portion of the filtered one or more encrypted packets.
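
The flow recited in claims 24 and 29 (indicator match on a cleartext host name, a log entry holding the domain and network address, then IP-header correlation of later encrypted packets without decryption) can be sketched as follows. This is an added illustration, not code from the application or from this Office action; the packet model, class names, feed contents and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (feeds, names and addresses are illustrative only).
PROVIDER_FEEDS = {"provider-a": {"bad.example"},
                  "provider-b": {"malware.example", "bad.example"}}

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    encrypted: bool
    host: str = ""        # cleartext host name seen at connection setup, if any
    payload: bytes = b""  # opaque for encrypted packets; never read below

@dataclass
class PacketFilter:
    indicators: set = field(default_factory=set)
    log: list = field(default_factory=list)       # (domain, network address)
    to_proxy: list = field(default_factory=list)  # (domain, packet)
    def load(self, feeds):
        for domains in feeds.values():            # merge every provider's set
            self.indicators |= {d.lower() for d in domains}
    def handle(self, pkt):
        if not pkt.encrypted:
            host = pkt.host.lower().rstrip(".")
            if host in self.indicators:           # rule match on the host name
                self.log.append((host, pkt.dst_ip))
                return "logged"
            return "allowed"
        # Encrypted packet: correlate on IP header fields only, no decryption.
        for domain, addr in self.log:
            if addr in (pkt.src_ip, pkt.dst_ip):
                self.to_proxy.append((domain, pkt))
                return "to_proxy"
        return "allowed"

def run_demo():
    f = PacketFilter()
    f.load(PROVIDER_FEEDS)
    packets = [
        Packet("10.0.0.5", "203.0.113.7", False, host="Bad.Example"),
        Packet("10.0.0.5", "203.0.113.7", True, payload=b"\x17\x03\x03"),
        Packet("203.0.113.7", "10.0.0.5", True, payload=b"\x17\x03\x03"),
        Packet("10.0.0.9", "198.51.100.20", False, host="intranet.example"),
        Packet("10.0.0.9", "198.51.100.20", True),
        # Other client, same address, name never observed: IP-only keying still matches.
        Packet("10.0.0.9", "203.0.113.7", True),
    ]
    return [f.handle(p) for p in packets], f
```

In this sketch the last packet is forwarded to the proxy although no host name was seen for that client, because the correlation key is the logged network address alone; a deployment on shared hosting addresses would see the same effect.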

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436   

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436