DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

 Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on September 14, 2022 has been entered.
 
 3.	Applicant’s response filed on August 23, 2022 have been considered.  Claims 1, 5, 10, 13, 16, and 19 have been amended. Claim 2 has been canceled.  New claim 24 has been added.  Claims 1, 3, 5-11, 13-17, and 19-24 are pending.

Claim Objections
4.	Claims 1, 10, and 16 are objected to because of the following informalities:
Referring to claims 1, 10, 16:
	Claim 1 recites:
	“wherein each of the field rules indicate a feature of a field and comprises at least one of a length of the field, a type of the field. or a value of the field;”, wherein ‘indicate’ should be ‘indicates’, since the subject is ‘each’.
	Claims 10, and 16 recite the similar limitation as claim 1, and are therefore objected for the same rationale.

Claim Rejections - 35 USC § 103

5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

6.	Claims 1, 3, 7-8, 10-11, 14-17, 20, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1).
Referring to claims 1, 10, 16:
Yung teaches:
           An encrypted data stream identification method, comprising (see Yung, fig. 1, 86 ‘traffic classification engine’; col. 5, line 10 ‘the present invention facilitates the classification of network traffic that has been encrypted [i.e., the encrypted data stream identification ] according to a dynamic encryption mechanism involving a handshake between two end-systems, such as the SSL and TLS protocols,’): 
            parsing a handshake message of an encrypted data stream to obtain a plurality of fields comprised in the handshake message, wherein the parsing is performed according to a secure encrypted transmission protocol corresponding to the encrypted data stream (see Yung, col. 6, lines 9-20 ‘parsing the data packets for various attributes (such as source and destination addresses, and the like [i.e., ‘a plurality of fields’ ]… various attributes of the connection handshake [i.e., ‘in the handshake message’ ] associated with dynamic encryption mechanisms, such as the SSL and TLS protocols [i.e., ‘a secure encrypted transmission protocol’ ].’); 
            determining a rule set of a plurality of rule sets comprising a plurality of field rules and a plurality of order rules, wherein the rule set is associated with an application corresponding to the encrypted data stream and matches the handshake message, and wherein determining the rule set comprises (see Yung, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ such as for a digital certificate corresponds to determining an order rule indicates an order of the plurality of fields: the subject name, user name, validity period, etc. ] including fields reserved for attributes of the handshake, such as details of the digital certificate [i.e., a rule set comprising filed rules and order rules ], or selected cipher suites, etc.; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc. [i.e., determining a plurality of field rules for fields: the subject name, issuer name, validity period, certificate purpose, etc. ])’; col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’; col. 13, lines 57-63 ‘traffic monitoring device can differentiate a SSL flow corresponding to a banking transaction (for example, the certificate common name may identify "onlinebanking.bank.com") from a SSL flow associated with a peer-to-peer application, such as EarthStation V [i.e., determining an application ] song downloads’):
                         determining whether the plurality of fields match one or more field rules associated with the application, wherein each of the field rules indicate a feature of a field and comprises at least one of a length of the field, a type of the field. or a value of the field (see Yung, col. 10, line 39 ‘a server_hello with the same session ID value [i.e., a length of the field, a type of the field, or a value of the field ]’; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc. [i.e., determining a plurality of field rules for fields: the subject name, issuer name, validity period, certificate purpose, etc. ])’; col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’;); and 
                         determining whether an order of the plurality of fields comprised in the handshake message matches one or more order rules associated with the application, wherein each of the order rules indicates an order of the plurality of fields in the handshake message (see Yun, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ such as for a digital certificate corresponds to determining an order rule indicates an order of the plurality of fields: the subject name, user name, validity period, etc. ] including fields reserved for attributes of the handshake, such as details of the digital certificate [i.e., a rule set comprising filed rules and order rules ], or selected cipher suites, etc.’); and 
          determining the application corresponding to the encrypted data stream based on whether the plurality of fields match the one or more field rules associated with the application and whether the order of the plurality of fields comprised in the handshake message matches the one or more order rules associated with the application (see Yun, col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’; col. 13, lines 57-63 ‘traffic monitoring device can differentiate a SSL flow corresponding to a banking transaction (for example, the certificate common name may identify "onlinebanking.bank.com") from a SSL flow associated with a peer-to-peer application, such as EarthStation V [i.e., determining an application ] song downloads’). 
         Yung suggests the order rule indicating an order of the plurality of fields in the handshake message (see Yung, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ corresponds to an order rule indicates an order of the plurality of fields ] including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites, etc. [i.e., ‘each of the plurality of rule sets comprises at least one of a field rule or an order rule’ ]’).  However, Yung does not elaborate on it 
	Montoro discloses the order rule indicating an order of the plurality of fields in the message (see Montoro, [0041] ‘A rule may assign a score based on the order of header fields in a communication packet.’)
 		It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Montoro into the system of Yung to use the order rule in parsing a message.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Montoro’s teaching could enhance the system of Yung, because Montoro discloses “A score indicative of malware may be assigned to headers that includes fields in an order that does not match the order for the application identified in a user agent field of the header.” (see Montoro, [0041])
Referring to claims 3, 11, 17:
	Yung, and Montoro further disclose:
	wherein the plurality of fields comprise a plurality of groups, wherein each of the plurality of groups corresponds to one of the handshake message, wherein the encrypted data stream identification method further comprises: matching the plurality of groups with rules from the plurality of rule sets in an order of receiving the handshake message to obtain the rule set that matches the handshake message (see Yung, fig. 5B; col. 8, line 65 ‘selected cipher suites [i.e., a group of cipher suites fields in the client hello message ]; col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘ In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’). 
Referring to claims 7, 14:
	Yung, and Montoro further disclose:
	parsing a plurality of names of the handshake message (see Yung, fig. 5B, 144 ‘Client Hello ?’); 
           determining a rule corresponding to the plurality of names; and parsing a plurality of fields of the handshake message that are indicated by the rule  (see Yung, col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields in the client hello message ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’).
Referring to claims 8, 15, 20:
	Yung, and Montoro further disclose:
	wherein the handshake message comprises a plurality of handshake messages (see Yung, fig. 6 describes a message flow according to the SSL handshake protocol).
Referring to claim 24:
	Yung, and Montoro further disclose:
	wherein determining the application corresponding to the encrypted data stream is whether the plurality of fields match all the field rules associated with the application and whether the order of the plurality of fields comprised in the handshake message matches the all the order rules associated with the application (see Yung, col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ such as for a digital certificate corresponds to determining an order rule indicates an order of the plurality of fields: the subject name, user name, validity period, etc. ] including fields reserved for attributes of the handshake, such as details of the digital certificate [i.e., matching all the filed rules and matching all the order rules, such as details of the digital certificate  ], or selected cipher suites, etc.; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc. [i.e., determining a plurality of field rules for fields: the subject name, issuer name, validity period, certificate purpose, etc. ])’; col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’; col. 13, lines 57-63 ‘traffic monitoring device can differentiate a SSL flow corresponding to a banking transaction (for example, the certificate common name may identify "onlinebanking.bank.com") from a SSL flow associated with a peer-to-peer application, such as EarthStation V [i.e., determining an application ] song downloads’).

7.	Claims 5-6, 9, 13, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1), further in view of Min et al. (U.S. 2019/0220705 A1), hereinafter “Min”.
Referring to claims 5, 13, 19:
	Yung, and Montoro further disclose:
		wherein the matched rule set comprises a plurality of subsets, wherein each of the plurality of subsets corresponds to at least one application, wherein the encrypted data stream identification method further comprises (see Yung, col. 18, line 57 ‘A traffic class [i.e., a subset of the matched rule set ] comprises a set of matching rules or attributes allowing for logical grouping of data flows that share the same characteristic or set of characteristics--e.g., a service ID or type (see Section B.1., above), a specific application, protocol, IP address, MAC address, port, subnet, etc. In one embodiment, each traffic class [i.e., a plurality of subsets of matched rule set ] has at least one attribute defining the criterion(ia) used for identifying a specific traffic class.’):
                      obtaining a plurality of application sets corresponding to the plurality of subsets based on a mapping relationship between each of the plurality of subsets and an application from the plurality of application sets (see Yung, col. 18, lines 57-64 ‘a specific application’). 
		However, they not disclose the intersection set.
		Min disclose the intersection set (see Min, [0075] ‘intersecting set’).
		It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use the intersection set.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because Min discloses a method “relates to updating attribute data structures to indicate joint relationships among attributes and predictive outputs in training data that is used for training automated modeling systems.” (see Min, [0002]).
Referring to claim 6:
	Yung, and Montoro further disclose names of the handshake messages (see Yung, fig. 6).  However, they do not explicitly disclose a linked list.
		Min discloses or suggests the linked list (see Min, [0079] ‘linked via identifier value’; [0093] ‘lists’).
           It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use the linked list.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because linked list is a well-known and popular data storage structure.
Referring to claim 9:
	Yung, and Montoro further disclose: 
           obtaining at least one rule set corresponding to a target application based on a plurality of samples of a plurality of encrypted data flows streams; and determining whether the plurality of samples are handshake messages of an encrypted data flow stream corresponding to the target application (see Yung, col. 11, line 31 ‘client hello message’; col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure including fields reserved for attributes of the handshake, such as details of the digital certificate, or selected cipher suites [i.e., a group of cipher suites fields in the client hello message ], etc. Traffic classification engine 86, as well as traffic discovery module 84, can then use the attribute values stored in the data structure in addition to, or in lieu of, other flow attributes to classify the data flow [i.e., matching the plurality of groups with rules from the plurality of rule sets ].’).
	However, they do not disclose the machine learning.
	Min discloses the machine learning (see Min, [0046] ‘the attribute-creation module 108 can create derived attributes 125 by applying a supervision feature to machine-learning techniques’).
          It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Min into the system of Yung to use machine learning.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Min’s teaching could enhance the system of Yung, because “Association rule mining can include finding frequent combinations of attributes in a set of data and identifying patterns among the attributes.” (see Min, [0047]).

8.	Claims 21-23  are rejected under 35 U.S.C. 103 as being unpatentable over Yung (U.S. 7,778,194 B1), in view of Montoro (U.S. 2014/0101764 A1), further in view of Luna (U.S. 2012/0278886 A1), hereinafter “Luna”.
Referring to claims 21-23:
	Yung, and Montoro disclose the limitations as described in claim 1. However, they do not disclose batch.
Luna further discloses batch (see Luna, [0116] ‘send it in batches’). 
           In addition, Luna further disclose determining an application according to data stream (see Luna, [0086] ‘The notifier 426 can also identify the source (e.g., application/service 608) of the suspicious traffic for the user’).
          It would have been obvious to one of the ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Luna into the system of Yung to use batch.  Yung teaches systems “that facilitate the classification of encrypted network traffic” (see Yung, col. 2, line 25). Therefore, Luna’s teaching could enhance the system of Yung, because Luna discloses “send it in batches to avoid the protocol overhead of sending individual data fragments.” (see Luna, [0086]). 

Response to Arguments

9.	Applicant's arguments filed August 23, 2022 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“Thus, Yung does not determine a rule set associated with an application corresponding to the encrypted data stream and matches the handshake message by determining whether the plurality of fields match one or more field rules associated with the application, wherein each of the field rules indicate a feature of a field and comprises at least one of a length of the field, a type of the field, or a value of the field, and determining whether an order of the plurality of fields comprised in the handshake message matches one or more order rules associated with the application, wherein each of the order rules indicates an order of the plurality of fields in the handshake message, as claimed.” (see page 16, 1st par)
Examiner maintains:
Yung discloses: col. 8, line 62 ‘In one implementation, encrypted flow module 88 detects attributes of a protocol handshake and populates a data structure [i.e., where ‘populates a data structure’ such as for a digital certificate corresponds to determining an order rule indicates an order of the plurality of fields: the subject name, user name, validity period, etc. ] including fields reserved for attributes of the handshake, such as details of the digital certificate [i.e., a rule set comprising filed rules and order rules ], or selected cipher suites, etc.; col. 10, line 39 ‘a server_hello with the same session ID value [i.e., a length of the field, a type of the field, or a value of the field ]’; col. 13, line 53 ‘the digital certificate presented during the handshake (e.g., the subject name, issuer name, validity period, certificate purpose, etc. [i.e., determining a plurality of field rules for fields: the subject name, issuer name, validity period, certificate purpose, etc. ])’; col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’; col. 13, lines 57-63 ‘traffic monitoring device can differentiate a SSL flow corresponding to a banking transaction (for example, the certificate common name may identify "onlinebanking.bank.com") from a SSL flow associated with a peer-to-peer application, such as EarthStation V [i.e., determining an application ] song downloads’.
Therefore, the reference discloses determining a rule set associated with an application corresponding to the encrypted data stream and matches the handshake message by determining whether the plurality of fields match one or more field rules associated with the application, wherein each of the field rules indicate a feature of a field and comprises at least one of a length of the field, a type of the field, or a value of the field, and determining whether an order of the plurality of fields comprised in the handshake message matches one or more order rules associated with the application, wherein each of the order rules indicates an order of the plurality of fields in the handshake message, as claimed.
(b)	Applicant submits:
“In addition, Yung classifies encrypted network traffic into application-specific classes (see id.), which is not the same as determining an application itself.” (see page 16, 2nd par)
Examiner maintains:
Yung discloses: col. 19, lines 41-44 ‘at one level a traffic class may be configured to define a particular user group or subnet, while additional child traffic classes can be configured to identify specific application [i.e., determining an application ] traffic associated with the user group or subnet.’; col. 13, lines 57-63 ‘traffic monitoring device can differentiate a SSL flow corresponding to a banking transaction (for example, the certificate common name may identify "onlinebanking.bank.com") from a SSL flow associated with a peer-to-peer application, such as EarthStation V [i.e., determining an application ] song downloads’.
Therefore, the reference discloses determining an application.
(c)	Applicant submits:
“However, the order of header fields is analyzed in Montoro to determine packets received from malware (see id.), not to determine the application corresponding to the encrypted data stream, as claimed.” (see page 17, 1st par)
Examiner maintains:
Yung discloses determining an application corresponding to the encrypted data stream (see (b) above).
Therefore, the combination of references disclose the limitations in claim 1, as claimed. 
 
Conclusion

10.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	Teal; Richard S. (US 20190081983 A1) disclose secure firewall configurations;
(b)	Keith; Seth Kenneth et al. (US 20180302328 A1) disclose increased packet scheduling throughput and efficiency using über batching;
(c)	Anderson; Blake Harrell et al. (US 20180189677 A1) disclose training a machine learning-based traffic analyzer using a prototype dataset;
(d)	Lee; David D. et al. (US 20180069838 A1) disclose Security for Scene-Based Sensor Networks;
(e)	Guo; Fanglu et al. (US 9800560 B1) disclose Systems and methods for monitoring encrypted data transmission;
(f)	Thota; Kiran Kumar et al. (US 9792447 B2) disclose Method and apparatus for differently encrypting different flows;
(g)	Wasiq; Muhammad et al. (US 9781081 B1) disclose Leveraging transport-layer cryptographic material.
 
 11.     Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
           If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
           Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/Examiner, Art Unit 2492                                                                                                                                                                                                        
/SALEH NAJJAR/Supervisory Patent Examiner, Art Unit 2492