DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is a reply to the amendment filed on 06/29/2022, in which, claim(s) 1-20 are pending. Claim(s) 1 and 9 are amended. No claim(s) are cancelled or newly added.

Response to Arguments
Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments with respect to claim(s) 9-16 have been fully considered but they are not persuasive.  No support is found in the specification for the amendment (“a kernel running on one or more physical processors”). Therefore, the rejection of 35 U.S.C. §101 regarding claim(s) 9-16 is maintained. 

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 8-10, filed 06/29/2022, regarding the U.S.C. 102 and 103 rejections of Claims 1-20 have been fully considered and are not persuasive.
Applicants argue that “The combination of Reed and Mandrychenko does not teach, suggest, or otherwise render obvious "determining, by the kernel, based on the metadata object, whether to continue capturing additional packets of the connection," as recited in Claim 1, and similarly in Claims 9 and 17”. 
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Therefore, the rejection is maintained.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Claim Objections
Claims 1 and 9 are objected to because of the following informalities:  
Claim 1 and 9 recite “wherein the metadata object is updated based on the security determination or the one or more packets”. It is really confusing and ambiguous whether “the metadata object is updated based on the security determination” or “the metadata object is updated based on the one or more packets” since previous limitation says “a security determination regarding the connection based on the one or more packets”.
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-8 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claim 1 recites “wherein the metadata object is updated… determining, by the kernel, based on the metadata object, whether to continue…”.
It cannot be ascertained from the scope of the claim what the metes and bounds of the “metadata object” is. Whether the “determining” is based on a) metadata object generated before “receiving… a security determination…” or b) updated metadata object after “performing…an action…”. 
According to Fig. 5, “Operations 500 continue with step 508, where the kernel determines, based on the metadata object…” ([0061]) and “continue with step 512, where the kernel performs an action” ([0063]).
Claims 2-8 don't cure the deficiency of claim 1. Therefore claims 2-8 are rejected under 35 U.S.C. 112(b) for their dependency upon claim 1.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 9-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claim 9 recites “An apparatus” in the preamble and "a kernel” and “a security component”, in the claim body. As recited in the body of the claim, the claimed apparatus lacks a structural component because the kernel and component could be implemented as software only. As the body of the claim does not positively recite any hardware embodiment, the claim is directed to non-statutory subject matter.  Therefore, Claim 9 is directed to non-statutory subject matter for lack of a hardware component. The Examiner respectfully suggests that the claim be further amended to positively recite at least one hardware element within the body of the claim to make the claim statutory subject matter under 35 U.S.C. 101 such as “one or more hardware processors”.
Claims 10-16 don't cure the deficiency of claim 9 and are rejected under 35 U.S.C. 101 for their dependency upon claim 9.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-3, 9-11, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Darren Reed (US 2012/0230202 A1) in view of Oleksii Mandrychenko (US 2020/0287920 A1, cited by the applicant in the 01/25/2022 IDS).
Regarding Claims 1 and 9, Reed discloses
receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine ([0043], “the network packet is selectively passed from the Internet Protocol kernel module”, [0090], “the IP logic 405 processes a packet according to a layer 3 Internet Protocol of a protocol stack”, [0092], “receives packets from the IP logic 405 and selectively sends the packets to a packet sniffer 415 based, at least in part, on a filter hook”); 
adding, by the kernel, the one or more packets to a queue accessible by a security component of the first machine ([0109], “releasing the packet from the packet sniffer includes sending the packet back to the layer 3 processing service…sending the packet to a queue”); 
the one or more packets added to the queue ([0109], “sending the packet to a queue”),
Reed does not explicitly teach but Mandrychenko teaches
generating, by the kernel, a metadata object for the connection based on at least a subset of the one or more packets ([0007], “collects network communication metadata from the endpoint device by receiving callbacks from a kernel-level tracing facility”, “The callbacks are responsive to system calls relating to network events including receipt or transmission of one or more packets by the endpoint device via a network”, [0042], “network communication metadata (object) including any or a combination of a process identifier (PID), a source Internet Protocol (IP) address, a source port identifier, a source Domain Name System (DNS) host name, a destination IP address, a destination port number, a destination DNS host name, a protocol, a protocol version, an application name, a username, a timestamp, a type of network activity (e.g., send or receive) and a number of bytes transferred/received from/by endpoint device”); 
receiving, by the kernel, from the security component, a security determination regarding the connection based on the one or more packets ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service (as security component)”); wherein the metadata object is updated based on the security determination or the one or more packets ([0069], “metadata transfer object with the count for bytes sent and received updated during the fixed time interval”),
performing, by the kernel, an action with respect to the connection based on the security determination ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service”, [0033], “protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network”); and 
determining, by the kernel, based on the metadata object, whether to continue capturing additional packets of the connection ([0094], “receipt or transmission of one or more packets by the endpoint device”, [0097], “determine whether the endpoint device is connected to the enterprise network”); 
Reed and Mandrychenko are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mandrychenko with the disclosure of Reed. The motivation/suggestion would have been to protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network (Mandrychenko, [0033]).

Regarding Claims 2, 10 and 18, the combined teaching of Reed and Mandrychenko teaches
wherein the action comprises one or more of: blocking subsequent packets of the connection based on the security determination (Mandrychenko, [0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior”, [0033], “blocking access attempts and/or other risky activity at these points of entry to the enterprise network”).

Regarding Claims 3, 11 and 19, the combined teaching of Reed and Mandrychenko teaches
determining, by the kernel, that the connection has terminated; and deleting, by the kernel, the metadata object (Mandrychenko, [0007], “a kernel-level tracing facility”, [0046], “when the aggregated network communication metadata has been transmitted to anomaly detection service 106, agent 116 can delete the aggregated network communication metadata”).

Regarding Claim 17, Reed discloses
receiving, by a kernel of a first machine, via a hook in a protocol stack of the first machine, one or more packets of a connection between the first machine and a second machine ([0043], “the network packet is selectively passed from the Internet Protocol kernel module”, [0090], “the IP logic 405 processes a packet according to a layer 3 Internet Protocol of a protocol stack”, [0092], “receives packets from the IP logic 405 and selectively sends the packets to a packet sniffer 415 based, at least in part, on a filter hook”); 
adding, by the kernel, the one or more packets to a queue accessible by a security component of the first machine ([0109], “releasing the packet from the packet sniffer includes sending the packet back to the layer 3 processing service…sending the packet to a queue”); 
Reed does not explicitly teach but Mandrychenko teaches
generating, by the kernel, a metadata object for the connection based on at least a subset of the one or more packets ([0007], “collects network communication metadata from the endpoint device by receiving callbacks from a kernel-level tracing facility”, “The callbacks are responsive to system calls relating to network events including receipt or transmission of one or more packets by the endpoint device via a network”, [0042], “network communication metadata (object) including any or a combination of a process identifier (PID), a source Internet Protocol (IP) address, a source port identifier, a source Domain Name System (DNS) host name, a destination IP address, a destination port number, a destination DNS host name, a protocol, a protocol version, an application name, a username, a timestamp, a type of network activity (e.g., send or receive) and a number of bytes transferred/received from/by endpoint device”); 
determining, by the kernel, based on the metadata object, whether to continue capturing additional packets of the connection ([0094], “receipt or transmission of one or more packets by the endpoint device”, [0097], “determine whether the endpoint device is connected to the enterprise network”); 
receiving, by the kernel, from the security component, a security determination regarding the connection based on the one or more packets ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service (as security component)”); and 
performing, by the kernel, an action with respect to the connection based on the security determination ([0098], “in response to an affirmative determination…causes the aggregated network metadata to be analyzed for anomalous and/or risky network behavior by transmitting the aggregated network communication metadata to an anomaly detection service”, [0033], “protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network”).  
Reed and Mandrychenko are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mandrychenko with the disclosure of Reed. The motivation/suggestion would have been to protect the enterprise network by blocking access attempts and/or other risky activity at these points of entry to the enterprise network (Mandrychenko, [0033]).

Claims 4-8, 12-16, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Darren Reed (US 2012/0230202 A1) in view of Oleksii Mandrychenko (US 2020/0287920 A1, cited by the applicant in the 01/25/2022 IDS) further in view of Mahaffey et. al (US 2015/0128205 A1).
Regarding Claims 4, 12 and 20, the combined teaching of Reed and Mandrychenko teaches the kernel (Reed, [0043], “Internet Protocol kernel module”);
The combined teaching of Reed and Mandrychenko does not explicitly teach but Mahaffey teaches 
determining, based on the one or more packets, whether the connection comprises a transport layer security (TLS) stream (Mahaffey, [0074], “The connection may use a security layer such as TLS (Transport Layer Security)”).
Reed, Mandrychenko and Mahaffey are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mahaffey with the combined teaching of Reed and Mandrychenko. The motivation/suggestion would have been to determine whether the security offered by the network connection is appropriate (Mahaffey, Abstract).

Regarding Claims 5 and 13, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
setting, by the kernel (Reed, [0043], “Internet Protocol kernel module”), a value of the metadata object based on whether the connection comprises the TLS stream (Mahaffey, [0175-0176], “if the Boolean condition evaluates to TRUE (i.e., the current context corresponds "y") then the action is to establish the first type of connection”, “The first type of connection may be a secured connection”, e.g. TLS).

Regarding Claims 6 and 14, the combined teaching of Reed and Mandrychenko does not explicitly teach but Mahaffey teaches 
wherein the one or more packets comprise a handshake (Mahaffey, [0394], “a three-way handshake”).
Reed, Mandrychenko and Mahaffey are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Mahaffey with the combined teaching of Reed and Mandrychenko. The motivation/suggestion would have been to determine whether the security offered by the network connection is appropriate (Mahaffey, Abstract).

Regarding Claims 7 and 15, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
determining, by the kernel (Reed, [0043], “Internet Protocol kernel module”), that the handshake is complete (Mahaffey, [0394], “a three-way handshake is completed”); and 
updating, by the kernel (Reed, [0043], “Internet Protocol kernel module”), a value of the metadata object to indicate that capturing is to be stopped (Mandrychenko, [0069], “metadata transfer object with the count for bytes sent and received updated during the fixed time interval”).  

Regarding Claims 8 and 16, the combined teaching of Reed, Mandrychenko and Mahaffey teaches 
accessing the value of the metadata object (Mandrychenko, [0042], “network communication metadata (object) including any or a combination of a process identifier (PID), a source Internet Protocol (IP) address, a source port identifier, a source Domain Name System (DNS) host name, a destination IP address, a destination port number, a destination DNS host name, a protocol, a protocol version, an application name, a username, a timestamp, a type of network activity (e.g., send or receive) and a number of bytes transferred/received from/by endpoint device”).


Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497