Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This is a Final Office action in response to communications received June 30, 2022.  Claims 1, 8, and 15 have been amended.  Therefore, claims 1-19 are pending and addressed below. 


Response to Arguments
Applicant’s arguments, see Pages 10-12, filed June 30, 2022, with respect to the rejection(s) of claim(s) 1-19 under 35 USC 102 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of newly found prior art reference, Kurmala et al. (US2016/0315920 A1, publish date 10/27/2016).



Based on claims amendments, a new ground of rejection of claims 1-19 is set forth below.  



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.



The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Sen et al. (US2020/0153805 A1, file date 11/14/2018) in view of Kurmala et al. (US2016/0315920 A1, publish date 10/27/2016).

Claims 1, 8, 15:
With respect to claims 1, 8, 15, Sen et al. discloses A computer system/At least one non-transitory machine readable storage medium comprising instructions that, when executed by a processor/A method for sending encrypted data via a virtual private network (VPN) (a cloud networking architecture is shown that leverages cloud technologies and supports rapid innovation and scalability via a transport layer 350, a virtualized network function cloud 325 and/or one or more cloud computing environments 375, 0084, Figure 3) for sending encrypted data (Traffic Encryption, End-to-end encrypted transport protocols, 0042) via a virtual private network (VPN) (Virtualized Network Function Cloud: VNEs 330, 332 and 334 can include IP edge routers for IP-VPN, 0088), the computer system/method comprising: 
memory including instructions; and one or more processors to execute instructions to cause the one or more processors (computing environment 400 can be used in the implementation VNEs 330, 332, 334, 0090, System memory 406, Processing Unit 404, Figure 4) to: 
establish a first tunnel and a second tunnel between a VPN client and a VPN server (PS gateway node(s) 518 can comprise a tunnel interface (e.g., tunnel termination gateway (TTG) in 3GPP UMTS network(s) (not shown)) which can facilitate packetized communication with disparate wireless network(s), such as Wi-Fi networks, 0112) (server(s) 514 in mobile network platform 510 can execute numerous applications that can generate multiple disparate packetized data streams or flows, and manage (e.g., schedule, queue, format . . . ) such flows, 0114) (Figure 5);
access a request message to be sent via the VPN (detecting a plurality of request packets corresponding to a sequence of requests by a network client for video segments to be downloaded at the network client, and determining a traffic volume downloaded at the network client between consecutive requests to obtain a sequence of traffic volumes, 0026); 
determine if a payload of the request message is formatted using a first protocol (the segment identities (M.sub.i, T.sub.i, I.sub.i) are inferred from information still available in the encrypted traffic such as traffic volume.  the generated network traffic volume corresponding to download C.sub.i is denoted V.sub.i; V.sub.i can be calculated for different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060);
determine, in response to the payload being encrypted using the first protocol, whether a packet associated with the request message includes an encrypted server name indication (SNI) (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043); and 
in response to the packet including the encrypted SNI:
encrypt a header of the request message to form an encrypted header (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043);
create an encrypted message including the encrypted header and the payload of the request message; and transmit the encrypted message through the first tunnel (the client downloads the manifest from the server to get information on the tracks and segments. Then it uses HTTP to download segments in order of increasing playback indexes. 0036) (a Segment Sequence Inferencer (S2I), in accordance with embodiments of the disclosure, can infer detailed downloaded segment identities from encrypted traffic, 0046).

Sen et al. does not discloses establish a first tunnel and a second tunnel between a VPN client and a VPN server, the first tunnel to facilitate transmission of packets identified for partial encryption, the second tunnel to facilitate transmission of packets identified for full encryption as claimed.

However, Kurmala et al. teaches IPSEC VPN connections, establish a full-encryption tunnel and a set of virtual tunnels with lower levels of encryption between a set of gateways (0013), establish a first tunnel and a second tunnel between a VPN client and a VPN server, the first tunnel to facilitate transmission of packets identified for partial encryption, the second tunnel to facilitate transmission of packets identified for full encryption (assign data to a full-encryption tunnel 203 or a virtual tunnel 205 that operates alongside the full-encryption tunnel 203, the full-encryption tunnel 203 is an Internet Protocol Security (IPsec) Virtual Private Network (VPN) tunnel that utilizes a preconfigured encryption algorithm for performing encryption on the entirety of each packet transmitted therein.  the virtual tunnels 205 may apply lesser degrees of encryption to associated packet sessions. For example, encryption may not be applied to data packets transmitted through a null-encryption virtual tunnel 205.sub.1 and encryption may only be applied to the header (i.e., a designated number of bytes at the beginning of each data packet) of each data packet transmitted through a header-only encryption virtual tunnel 205.sub.2, 0018, Figure 2).

Sen et al. and Kurmala et al. are analogous art because they are from the same field of endeavor of Virtual Networks.

It would have been obvious to one skilled in the art before the effective filing date of the claimed invention to use Kurmala et al. in Sen et al. for establish a first tunnel and a second tunnel between a VPN client and a VPN server, the first tunnel to facilitate transmission of packets identified for partial encryption, the second tunnel to facilitate transmission of packets identified for full encryption as claimed for purposes of enhancing the system of Sen et al. by avoiding the overhead of double encryption provided by the full-encryption tunnel, preventing double encryption for already encrypted traffic at VPN gateways.  Processor cycles are being unnecessarily wasted to perform encryption/decryption at either end, resulting in lower network throughput. (see Kurmala et al. 0001, 0003)

Claims 2, 9, 16:
With respect to claims 2, 9, 16, Sen et al. discloses wherein the first protocol is a quick user data protocol internet connection (QUIC) protocol (different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060).

Claims 3, 10:
With respect to claims 3, 10, Sen et al. discloses wherein the instructions, when executed, cause the one or more processors to access a public key from a naming system server. 
(Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, HTTPS is a widely used encryption protocol. Video providers such as Netflix use HTTPS to encrypt the video traffic, 0042).

Claim 4:
With respect to claim 4, Sen et al. discloses wherein the naming system server is a domain name system (DNS) server (domain name system (DNS) servers, 0088).
Claims 5, 12, 17:
With respect to claims 5, 12, 17, Sen et al. discloses wherein to create the encrypted message, the one or more processors is to append the payload of the request message as associated data (Once the handshake is done, all the packet payloads are encrypted using TLS. An in-network third party can only get the TCP/QUIC/IP headers and packet timing and size information, 0043) (QUIC has some unique properties different, A retransmitted HTTPS packet can be detected from the SEQ number in the underlying TCP header, 0044)

Claims 6, 13, 18:
With respect to claims 6, 13, 18, Sen et al. discloses wherein the request message is a first request message (detecting a plurality of request packets corresponding to a sequence of requests by a network client for video segments to be downloaded at the network client, and determining a traffic volume downloaded at the network client between consecutive requests to obtain a sequence of traffic volumes, 0026), the payload is a first payload (the segment identities (M.sub.i, T.sub.i, I.sub.i) are inferred from information still available in the encrypted traffic such as traffic volume.  the generated network traffic volume corresponding to download C.sub.i is denoted V.sub.i; V.sub.i can be calculated for different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060), and the encrypted message is a first encrypted message (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043), wherein the instructions, when executed, cause the one or more processors to:
access a second request message (The second type of split point SP2 is based on the practice that with QUIC, players only download at most 1 video and 1 audio segment concurrently. Thus the traffic may be split when the player sends out two requests at the same time, 0074) to be sent via the VPN;
determine if a second payload of the second request message is encrypted using the first protocol (the segment identities (M.sub.i, T.sub.i, I.sub.i) are inferred from information still available in the encrypted traffic such as traffic volume.  the generated network traffic volume corresponding to download C.sub.i is denoted V.sub.i; V.sub.i can be calculated for different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060); and
in response to the second payload of the second request message not being encrypted using the first protocol:
encrypt the second request message to form a second encrypted message (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043); and transmit the second encrypted message through the second tunnel (the client downloads the manifest from the server to get information on the tracks and segments. Then it uses HTTP to download segments in order of increasing playback indexes. 0036) (a Segment Sequence Inferencer (S2I), in accordance with embodiments of the disclosure, can infer detailed downloaded segment identities from encrypted traffic, 0046).

Claims 7, 14, 19:
With respect to claims 7, 14, 19, Sen et al. discloses wherein the request message is a first request message (detecting a plurality of request packets corresponding to a sequence of requests by a network client for video segments to be downloaded at the network client, and determining a traffic volume downloaded at the network client between consecutive requests to obtain a sequence of traffic volumes, 0026), the payload is a first payload (the segment identities (M.sub.i, T.sub.i, I.sub.i) are inferred from information still available in the encrypted traffic such as traffic volume.  the generated network traffic volume corresponding to download C.sub.i is denoted V.sub.i; V.sub.i can be calculated for different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060), and the encrypted message is a first encrypted message (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043), wherein the instructions, when executed, cause the one or more processors to:
access a second request message (The second type of split point SP2 is based on the practice that with QUIC, players only download at most 1 video and 1 audio segment concurrently. Thus the traffic may be split when the player sends out two requests at the same time, 0074) to be sent via the VPN;
determine if a second payload of the second request message is encrypted using the first protocol (the segment identities (M.sub.i, T.sub.i, I.sub.i) are inferred from information still available in the encrypted traffic such as traffic volume.  the generated network traffic volume corresponding to download C.sub.i is denoted V.sub.i; V.sub.i can be calculated for different encryption protocols (e.g. HTTPS, QUIC), 0039) (Two popular protocols are HTTP over TLS (HTTPS) and QUIC; in particular, 0042) (a processing system performing the S2I procedure parses the network trace, which has network traffic encrypted using the HTTPS or QUIC protocol, 0060); and
whether a second packet of the second request message includes an encrypted server name indication (SNI) (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043); and
in response to the second packet not including the encrypted SNI: 
encrypt the second request message to form a second encrypted message (The server domain name can be known from the Server Name Indication (SNI) extension sent by the client during the handshake phase before the secure connection is fully established. Once the handshake is done, all the packet payloads are encrypted using TLS, 0043); and 
transmit the second encrypted message through the second tunnel (the client downloads the manifest from the server to get information on the tracks and segments. Then it uses HTTP to download segments in order of increasing playback indexes. 0036) (a Segment Sequence Inferencer (S2I), in accordance with embodiments of the disclosure, can infer detailed downloaded segment identities from encrypted traffic, 0046).

Claim 11:
With respect to claim 11, Sen et al. discloses wherein the naming system server is at least one of a domain name system (DNS) over hyptertext transfer protocol secure (HTTPS) or DNS over transport layer security (TLS) server (domain name system (DNS) servers, 0088) (Traffic Encryption, HTTPS, 0042).




Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Helai Salehi whose telephone number is 571-270-7468.  The examiner can normally be reached on Monday - Friday from 9 am to 5 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeff Pwu, can be reached on 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/HELAI SALEHI/
Examiner, Art Unit 2433

/BRANDON HOFFMAN/           Primary Examiner, Art Unit 2433