Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
Claims 33-62 are presented for examination.  Claims 1-32 are newly added.
Information Disclosure Statement
3.	The information disclosure statement (IDS) submitted on 11/04/2021 was filed in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
5.	Claims 33-62 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-13 of U.S. Patent No. 10/432,521. Although the claims at issue are not identical, they are not patentably distinct from each other because.
Claim Rejections - 35 USC § 102
6.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
7.	The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

8.	Claim(s) 33, 35, 37, 48, 50 and 52 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US 2015/0006755 A1 by Turlington et al. (hereafter referred to as Turlington).
Regarding claim 33, Turlington teaches apparatus for monitoring a plurality of devices that use a plurality of networks (see at least Fig. 1 and ¶ [0018]), the apparatus comprising:
a network interface (see at least Fig. 1 and ¶ [0018]); and a processor (see at least ¶ [0024]-[0026]), configured:
to receive, via the network interface, a plurality of packets that were collectively communicated, from the devices, via all of the networks (see at least ¶ [0015], network device 130 may provide the interface between network 120 and external devices/networks. Network device 130 may include edge ports 132 and 134 used to forward and receive data from other devices in network 100 via links 172 and 174), to aggregate the packets (see at least Fig. 2 and ¶ [0023]), using at least one field that is included in respective packet headers of the packets, into a plurality of packet aggregations, such that all of the packets in each one of the packet aggregations were collectively communicated from no more than one of the devices, to group the packet aggregations, based on information contained in the packet aggregations, into a plurality of groups (see at least ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port), such that there is a one-to-one correspondence between the groups and the devices (see at least Fig. 4), in that all of the packets in each of the groups were collectively communicated from a different respective one of the devices (see at least Fig. 4), and to generate an output in response to the grouping (see at least Fig. 4).

Regarding claim 35, Turlington teaches the apparatus according to claim 33.  In addition, Turlington teaches wherein the processor is configured to group the packet aggregations by: for each packet aggregation of the packet aggregations: identifying, in at least one packet of packets belonging to the packet aggregation, at least one device identifier that uniquely identifies the one of the devices from which the packet was communicated, and using the identified device identifier, associating the packet aggregation with the one of the devices from which the packets belonging to the packet aggregation were communicated (see at least Fig. 4 and ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port).

Regarding claim 37, Turlington teaches the apparatus according to claim 36.  In addition, Turlington teaches wherein the processor is configured to identify the device identifier by decoding the at least one packet belonging to the packet aggregation (see at least ¶ [0048]; NID 150 (e.g., traffic monitoring module 310) may identify a particular customer associated with the traffic (e.g., based on packet headers, originating port, etc.)).

Regarding claim 48, Turlington teaches a method for monitoring a plurality of devices that use a plurality of networks, the method comprising:
using at least one field that is included in respective packet headers of a plurality of packets that were collectively communicated from the devices via all of the networks, aggregating the packets into a plurality of packet aggregations, such that all of the packets in each one of the packet aggregations were collectively communicated from no more than one of the devices (see at least Fig. 4 and ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port);
based on information contained in the packet aggregations, grouping the packet aggregations into a plurality of groups, such that there is a one-to-one correspondence between the groups and the devices, in that all of the packets in each of the groups were collectively communicated from a different respective one of the devices (see at least ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port); and 
generating an output in response to the grouping (see at least Fig. 4).
Regarding claim 50, Turlington teaches the method according to claim 48.  In addition, Turlington teaches wherein grouping the packet aggregations comprises: for each packet aggregation of the packet aggregations: identifying, in at least one packet of packets belonging to the packet aggregation, at least one device identifier that uniquely identifies the one of the devices from which the packet was communicated, and using the identified device identifier, associating the packet aggregation with the one of the devices from which the packets belonging to the packet aggregation were communicated (see at least Fig. 4 and ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port).

Regarding claim 52, Turlington teaches the method according to claim 150.  In addition, Turlington teaches wherein identifying the device identifier comprises identifying the device identifier by decoding the at least one packet belonging to the packet aggregation (see at least ¶ [0048]; NID 150 (e.g., traffic monitoring module 310) may identify a particular customer associated with the traffic (e.g., based on packet headers, originating port, etc.)).
Claim Rejections - 35 USC § 103
9.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
10.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

11.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
12.	Claims 34, 38, 39, 43, 44, 46, 47, 49, 53, 54, 58, 59, and 61-63 are rejected under 35 U.S.C. 103 as being unpatentable over Turlington as applied to claims 33, 48 and 50 above, further in view of Cohen (~provided by applicant, hereafter referred to as Cohen).
Regarding claim 34, Turlington teaches the apparatus according to claim 33. 
Turlington does not specifically teach that is serviced by a network address translator (NAT).
In the same field of endeavor, Cohen teaches that is serviced by a network address translator (NAT) (see at least pg. 138 and Fig. 1).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 38, Turlington teaches the apparatus according to claim 33.
Turlington does not specifically teach wherein the processor is configured to group the packet aggregations by: for each packet aggregation of the packet aggregations: identifying, in at least one packet belonging to the packet aggregation, at least one device identifier, in response to the identified device identifier, calculating a likelihood that the packets belonging to the packet aggregation were communicated from a particular one of the devices, and associating the packet aggregation with the particular one of the devices, with the calculated likelihood.
In the same field of endeavor, Cohen teaches wherein the processor is configured to group the packet aggregations by: for each packet aggregation of the packet aggregations: identifying, in at least one packet belonging to the packet aggregation, at least one device identifier (see at least pg. 139 1. Attribution model), in response to the identified device identifier, calculating a likelihood that the packets belonging to the packet aggregation were communicated from a particular one of the devices, and associating the packet aggregation with the particular one of the devices, with the calculated likelihood (see at least pg. 140 section 1.1 Hypothesis testing).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 39, Turlington teaches the apparatus according to claim 33. 
Turlington does not specifically teach wherein the field is an internet protocol identification (IPID).
In the same field of endeavor, Cohen teaches wherein the field is an internet protocol identification (IPID) (see at least pg. 140 section 2.1 IP IDs).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 43, Turlington teaches the apparatus according to claim 33. 
Turlington does not specifically teach wherein the processor is configured to group the packet aggregations by: identifying respective device-usage characteristics exhibited by the packet aggregations, and based on the device-usage characteristics, grouping the packet aggregations into the plurality of groups.
In the same field of endeavor, Cohen teaches wherein the processor is configured to group the packet aggregations by: identifying respective device-usage characteristics exhibited by the packet aggregations, and based on the device-usage characteristics, grouping the packet aggregations into the plurality of groups (see at least pg. 139, right column).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

 Regarding claim 44, Turlington in view of Cohen teaches the apparatus according to claim 43.  In the obvious combination, Cohen further teaches wherein the device-usage characteristics are at least partly based on destination internet protocol (IP) addresses included in the packet aggregations (see at least pg. 139, right column).

Regarding claim 46, Turlington in view of Cohen teaches the apparatus according to claim 43.  In the obvious combination, Cohen further teaches wherein the device-usage characteristics are at least partly based on respective times at which the packets were communicated (see at least pg. 139, right column).


Regarding claim 47, Turlington in view of Cohen teaches the apparatus according to claim 43.  In the obvious combination, Cohen teaches wherein the packet aggregations are a second plurality of packet aggregations and the plurality of groups are a second plurality of groups, and wherein the processor is configured to group the second plurality of packet aggregations into the second plurality of groups, by: grouping a first plurality of packet aggregations into a first plurality of groups, based on device identifiers identified in the first plurality of packet aggregations, from the first plurality of groups, learning a rule for grouping packet aggregations based on the device-usage characteristics, and using the rule, grouping the second plurality of packet aggregations into the second plurality of groups (see at least pg. 139, right column).

Regarding claim 49, Turlington teaches the method according to claim 48. 
Turlington does not specifically teach that is serviced by a network address translator (NAT).
In the same field of endeavor, Cohen teaches that is serviced by a network address translator (NAT) (see at least pg. 138 and Fig. 1).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 53, Turlington teaches the method according to claim 48.
Turlington does not specifically teach wherein the processor is configured to group the packet aggregations by: for each packet aggregation of the packet aggregations: identifying, in at least one packet belonging to the packet aggregation, at least one device identifier, in response to the identified device identifier, calculating a likelihood that the packets belonging to the packet aggregation were communicated from a particular one of the devices, and associating the packet aggregation with the particular one of the devices, with the calculated likelihood.
In the same field of endeavor, Cohen teaches wherein the processor is configured to group the packet aggregations by: for each packet aggregation of the packet aggregations: identifying, in at least one packet belonging to the packet aggregation, at least one device identifier (see at least pg. 139 1. Attribution model), in response to the identified device identifier, calculating a likelihood that the packets belonging to the packet aggregation were communicated from a particular one of the devices, and associating the packet aggregation with the particular one of the devices, with the calculated likelihood (see at least pg. 140 section 1.1 Hypothesis testing).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 54, Turlington teaches the method according to claim 48. 
Turlington does not specifically teach wherein the field is an internet protocol identification (IPID).
In the same field of endeavor, Cohen teaches wherein the field is an internet protocol identification (IPID) (see at least pg. 140 section 2.1 IP IDs).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

Regarding claim 58, Turlington teaches the method according to claim 48. 
Turlington does not specifically teach wherein grouping the packet aggregations comprises: identifying respective device-usage characteristics exhibited by the packet aggregations; and based on the device-usage characteristics, grouping the packet aggregations into the plurality of groups.
In the same field of endeavor, Cohen teaches wherein grouping the packet aggregations comprises: identifying respective device-usage characteristics exhibited by the packet aggregations; and based on the device-usage characteristics, grouping the packet aggregations into the plurality of groups (see at least pg. 139, right column).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

 Regarding claim 59, Turlington in view of Cohen teaches the method according to claim 58.  In the obvious combination, Cohen further teaches wherein the device-usage characteristics are at least partly based on destination internet protocol (IP) addresses included in the packet aggregations (see at least pg. 139, right column).

Regarding claim 61, Turlington in view of Cohen teaches the method according to claim 58.  In the obvious combination, Cohen further teaches wherein the device-usage characteristics are at least partly based on respective times at which the packets were communicated (see at least pg. 139, right column).

Regarding claim 62, Turlington in view of Cohen teaches the method according to claim 58.  In the obvious combination, Cohen teaches wherein the packet aggregations are a second plurality of packet aggregations and the plurality of groups are a second plurality of groups, and wherein the processor is configured to group the second plurality of packet aggregations into the second plurality of groups, by: grouping a first plurality of packet aggregations into a first plurality of groups, based on device identifiers identified in the first plurality of packet aggregations, from the first plurality of groups, learning a rule for grouping packet aggregations based on the device-usage characteristics, and using the rule, grouping the second plurality of packet aggregations into the second plurality of groups (see at least pg. 139, right column).

Regarding claim 63, Turlington teaches a method for monitoring a plurality of devices that use at least one network …, the apparatus comprising:
using at least one field that is included in respective packet headers of a plurality of packets that were communicated from the devices via the network, aggregating the packets into a plurality of packet aggregations, such that all of the packets in each one of the packet aggregations were collectively communicated from no more than one of the devices (see at least Fig. 4 and ¶ [0029], Incoming traffic received by NID 150/160 may be received on one of user ports 400, queued in one of queues 410 (depending on the traffic load) and forwarded to one of network ports 420 for transmission via one of the links in LAG 170 (e.g., link 172). In an exemplary implementation, queues 410 may be divided into queues associated with various customer traffic, such as queues that each will handle traffic for different customers. For example, information included in a header of an incoming data frame may indicate that a data flow is associated with a particular customer or port):
for each packet aggregation of the packet aggregations: identifying, in at least one packet in the packet aggregation, at least one device identifier that uniquely identifies the one of the devices from which the packet was communicated, and based on the identified device identifier, associating the packet aggregation with the one of the devices (see at least ¶ [0048]; NID 150 (e.g., traffic monitoring module 310) may identify a particular customer associated with the traffic (e.g., based on packet headers, originating port, etc.)), and generating an output in response to the associating (see at least Fig. 4).
Turlington does not specifically teach that is serviced by a network address translator (NAT).
In the same field of endeavor, Cohen teaches that is serviced by a network address translator (NAT) (see at least pg. 138 and Fig. 1).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Cohen in order to solve the problem of packet traceback in intrusion detection and network forensics (Cohen pg. 138).

13.	Claims 40-42, 55-57 are rejected under 35 U.S.C. 103 as being unpatentable over Turlington as applied to claim 33 above, in view of US 2010/0161795 A1 by Deridder et al. (~provided by applicant, hereafter referred to as Deridder).
Regarding claim 40, Turlington teaches the apparatus according to claim 33.
Turlington does not specifically teach wherein, in aggregating the packets into the plurality of packet aggregations, the processor is configured to aggregate, into any given packet aggregation of the packet aggregations, any given packet of the packets, in response to at least one of: the given packet belonging to the same transmission control protocol (TCP) connection as does a last-received packet of the given packet aggregation, and a TCP timestamp included in the given packet being within an expected offset range from a TCP timestamp included in the last-received packet of the given packet aggregation.
In the same field of endeavor, Deridder teaches wherein, in aggregating the packets into the plurality of packet aggregations, the processor is configured to aggregate, into any given packet aggregation of the packet aggregations, any given packet of the packets, in response to at least one of: the given packet belonging to the same transmission control protocol (TCP) connection as does a last-received packet of the given packet aggregation, and a TCP timestamp included in the given packet being within an expected offset range from a TCP timestamp included in the last-received packet of the given packet aggregation (see at least ¶ [0019]; a Transmission Control Protocol (TCP)-timestamp (which may indicate system uptime) analysis, the evaluation of multiple criteria in combination via a weighted scoring algorithm, the improvement of IPID tracking through the use of TCP/IP flow analysis, and by avoiding the inspection of message content individual user sessions sharing a common IP address can be identified and tracked.).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).

Regarding claim 41, Turlington in view of Deridder teaches the apparatus according to claim 40.  In the obvious combination, Deridder teaches wherein the processor is further configured to compute the expected offset range by applying a machine-learned model that computes the expected offset range (see at least ¶ [0037]).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).

Regarding claim 42, Turlington teaches the apparatus according to claim 41.  In the obvious combination, Deridder teaches wherein the machine-learned model computes the expected offset range by assuming that a rate of increase of the TCP timestamp varies as a function of a time of day (see at least ¶ [0037]).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).

Regarding claim 55, Turlington teaches the method according to claim 48.
Turlington does not specifically teach wherein aggregating the packets comprises aggregating, into any given packet aggregation of the packet aggregations, any given packet of the packets, in response to at least one of:
the given packet belonging to the same transmission control protocol (TCP) connection as does a last-received packet of the given packet aggregation, and
a TCP timestamp included in the given packet being within an expected offset range from a TCP timestamp included in the last-received packet of the given packet aggregation.
In the same field of endeavor, Deridder teaches wherein aggregating the packets comprises aggregating, into any given packet aggregation of the packet aggregations, any given packet of the packets, in response to at least one of: the given packet belonging to the same transmission control protocol (TCP) connection as does a last-received packet of the given packet aggregation, and a TCP timestamp included in the given packet being within an expected offset range from a TCP timestamp included in the last-received packet of the given packet aggregation (see at least ¶ [0019]; a Transmission Control Protocol (TCP)-timestamp (which may indicate system uptime) analysis, the evaluation of multiple criteria in combination via a weighted scoring algorithm, the improvement of IPID tracking through the use of TCP/IP flow analysis, and by avoiding the inspection of message content individual user sessions sharing a common IP address can be identified and tracked.).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).

Regarding claim 56, Turlington in view of Deridder teaches the method according to claim 55.  In the obvious combination, Deridder teaches the method further comprising computing the expected offset range by applying a machine-learned model that computes the expected offset range (see at least ¶ [0037]).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).

Regarding claim 57, Turlington in view of Deridder teaches the method according to claim 56.  In the obvious combination, Deridder teaches wherein the machine-learned model computes the expected offset range by assuming that a rate of increase of the TCP timestamp varies as a function of a time of day (see at least ¶ [0037]).
It would have been obvious to one having ordinary skill in the art before the effective filing date to modify the aggregation of Turlington with the grouping taught by Deridder in order to enable the identification of multiple, simultaneously active clients behind a NAT device and for distinguishing their individual network activity by tracking their respective sessions remain highly desirable (Deridder ¶ [0019]).
Allowable Subject Matter
14.	Claims 36, 45, 51, and 60 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
15.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to NATASHA W COSME whose telephone number is (571)270-7225.  The examiner can normally be reached on M-F 7:30-4.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Marsha Banks-Harold can be reached on 5712727905.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NATASHA W COSME/Primary Examiner, Art Unit 2465