DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 5/4/2022, 5/13/2022, 6/29/2022, 7/12/2022, 8/12/2022, 8/31/2022, 9/9/2022 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Status of Claims
The amendment filed 8/15/2022 has been entered. Claim 1 has been previously cancelled. Claims 2-29 are currently amended. Claims 2-29 are pending in the application.
Response to Arguments
Applicant’s arguments, see pages 13-17 of the Remarks filed 8/15/2022 regarding claim rejections under the 35 USC 103 over the prior arts of record have been fully considered and asserted not persuasive due to following reason.
First, applicant is directed to examiner’s opinions and response to applicant’s concern over prior arts Mahadik, Dubrovsky and Moore from previous office action in Response to Arguments and Claim Rejections sections. In analyzing the current claim 2 (similarly claim 12, 21), Dubrovsky is used as primary reference while Mahadik and Moore are used as secondary references. Applicant argued,
Mahadik does not teach the above-cited features of claim 1 (or the other independent claims). The independent claims recite a method that involves receiving a "plurality of first packets" and determining "that the plurality of first packets are associated with a potential network threat corresponding to a first packet-filtering rule of the plurality of packet-filtering rules by determining whether a domain name in the first unencrypted data matches one or more network-threat indicators specified by the first packet-filtering rule." Then, the system generates log data indicating both "an indication of the first packet-filtering rule; and an Internet Protocol (IP) address corresponding to the domain name." Then, the system receives "a plurality of second packets." The system then determines, "without decrypting the encrypted data," "whether the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule by determining that the second unencrypted data corresponds to the logged IP address corresponding to the domain name" and filters "the plurality of second packets, comprising the encrypted data, based on at least one action specified by the first packet-filtering rule" responsive to "determining that the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule." In this manner, the system determines that encrypted packets correspond to the "potential network threat" using IP addresses, even when those packets do not necessarily comprise the "domain name" corresponding to a particular rule. For at least the same reasons previously discussed in detail, none of Mahadik's approaches (Mahadik's restriction of encrypted communication handshakes, Mahadik's "permitted" encrypted communication handshake process, and/or Mahadik's "partially permitt[ing]" of encrypted communication handshakes) teach these concepts. (See page 21 of the Remarks)

Examiner acknowledges applicant’s prospective, however respective disagrees. All three references, namely Dubrovsky, Mahadik and Moore suggest filtering network traffic(s) (such as access document request (Dubrovsky), DNS query (Mahadik), data transfers (Moore)) based on network property associated with URL and/or IP address (Dubrovsky), server name attribute (Mahadik), packet header information (such as source and destination IP address, Moore). This property is used as packet filtering rule(s) (e.g. Moore, [Abstract], [5]; Mahadik, [22]). It is obvious to one ordinary skilled in the arts that the IP address can be associated with domain name after domain name and IP address having been resolved by the DNS server, therefore knowledge of IP address of destination can be used as indication of domain name as network threat indicator, therefore network filtering rule(s). 
Applicant further argued that,
“… none of the disclosures of Mahadik (or any other reference, as discussed below) teach, disclose, or otherwise suggest a "packet-filtering system" that does each of "receiving ... a plurality of first packets," "determining ... that the plurality of first packets are associated with a potential network threat corresponding to a first packet-filtering rule of the plurality of packet- filtering rules by determining whether a domain name in the first unencrypted data matches one or more network-threat indicators specified by the first packet-filtering rule, " "generating. . . log data," "receiving . . . a plurality of second packets," "determining, "without decrypting the Application No. 15/877,608Docket No.: 007742.00109\USResponse to Office Action dated 04.13.2022encrypted data," "whether the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule by determining that the second unencrypted data corresponds to the logged IP address corresponding to the domain name," and 'filtering... the plurality of second packets, comprising the encrypted data, based on at least one action specified by the first packet-filtering rule." Instead, Mahadik describes a system whereby a proxy is separate from other devices, such as a DNS server. (See, e.g., Mahadik para. 0029).” (see the last paragraph of page 21 to first paragraph of page 22 of the Remarks)

Examiner respectively disagrees with applicant since these limitations above are shown being taught by Mahadik or combination of Dubrovsky, Mahadik and Moore as iterated in the current office action shown below.
Applicant’s further arguments or concerns regarding the teachings of references Wang, Buruganahalli, Martini have been acknowledged by the examiner, however are moot since those references are not been used in the current office action.
Applicant’s further argument regarding dependent claims are also moot due to their dependency on the respective rejected independent claims. Therefore, the claim rejections under 35 USC 103 over existing references has been maintained. Applicant is encouraged to further recite innovative features into independent claims to advance the case.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 2, 12, 21 are provisionally rejected on the ground of nonstatutory double patenting as being anticipated by claim 1 (or claim 9) of co-pending Application No. 17/482,910 (hereinafter, “’910”).
Claim 1 of copending application ‘910 discloses all of the limitations recited in claim 2 (similarly claims 12, 21) of the instant application, as seen in the table below. Although the claim limitations are not identical, but they are not distinctly different from each other.
Claims Comparison Table
15/877,608
17/482,910
Claim 21 (similarly claim 2, 12). A packet-filtering apparatus comprising: 
at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one processor cause the packet-filtering apparatus to: 





receive a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data; 

determine that the plurality of first packets are associated with a potential network threat corresponding to a first packet-filtering rule of the plurality of packet-filtering rules by determining whether a domain name in the first unencrypted data matches one or more network-threat indicators specified by the first packet-filtering rule;







generate, based on the determining that the plurality of first packets are associated with the potential network threat corresponding to the first packet- filtering rule, log data indicating: 
an indication of the first packet-filtering rule; and an Internet Protocol (IP) address corresponding to the domain name; 

receive, after the generating the log data, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: encrypted data, and respective packet headers comprising second unencrypted data; 

determine, without decrypting the encrypted data, whether the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule by determining that the second unencrypted data corresponds to the logged IP address corresponding to the domain name; 






and filter, responsive to the determining that the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule, the plurality of second packets, comprising the encrypted data, based on at least one action specified by the first packet-filtering rule.
Claim 1. A packet-filtering system comprising: 

one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 

receive one or more unencrypted packets; 




analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 

based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: 


an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name;

receive one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; 


correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 2Application No. 17/482,910Docket No.: 007742.00251\US Response to OA dtd 05.13.2022 and AA dtd 06.13.2022 

determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 

in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule; 


and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.


This is a provisional nonstatutory double patenting rejection because the co-pending application has not in fact been patented.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 2, 4-8, 10-12, 14-18, 20-21, 23-27 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky et al (US20140373156A1, hereinafter, "Dubrovsky"), in view of Mahadik et al (US20140089661A1, hereinafter, “Mahadik”), in further view of Moore (US20140283004A1, hereinafter, “Moore”).
Regarding claim 2, Dubrovsky teaches:
A method (Dubrovsky, discloses method of accessing digital document based on previous knowledge of document content, see [Abstract], [0007]) comprising: 
receiving, by a packet-filtering system (Dubrovsky, Fig. 2 Network Access Device) comprising at least one processor and memory (Dubrovsky, Fig. 8 Microprocessor and ROM) and configured to filter packets traversing a communications link between a first network and a second network in accordance with [a plurality of packet-filtering rules], a plurality of first packets, wherein the plurality of first packets traverse the communications link and comprise first unencrypted data (Dubrovsky, referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN such as internet (i.e. second network). And Fig. 3 Step 301, [0028] at block 301, a request is received from a client for accessing a document hosted by a remote facility. And [0026] when a Web page is received at the network access device 201, which may be requested by client 202, the network access device 201 may invoke a content scanning or filtering module 205 to perform virus and/pr spyware scanning (i.e. filter) against certain virus/spyware data patterns (i.e. packet-filtering rules). Examiner notes: the request or packets transmitted between clients and servers that are received by the network access device 102 shown in Fig. 1 is the plurality of first packets and request as shown as webpage is unencrypted data); 
determining, by the packet-filtering system, that the plurality of first packets are associated with a potential network threat corresponding to a [first packet-filtering rule of the plurality of packet-filtering rules] by determining whether a domain name in the first unencrypted data matches one or more network-threat indicators specified by [the first packet-filtering rule] (Dubrovsky, [0022] antivirus protection software is installed in a network access device such as a gateway device with a data structure to maintain any previous failed requests for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares. When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL (i.e. domain name) and/or IP address) is stored and maintained within the data structure. And [0026] when a Web page is received at the network access device 201, which may be requested by client 202, the network access device 201 may invoke a content scanning or filtering module 205 to perform virus and/pr spyware scanning against certain virus/spyware data patterns); (see Mahadik shown below for packet filtering rule(s))
generating, by the packet-filtering system and based on determining that the plurality of first packets are associated with the potential network threat corresponding to the [first packet- filtering rule], log data indicating: an indication of the [first packet-filtering rule]; and an Internet Protocol (IP) address corresponding to the domain name (Dubrovsky, [0022] When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address) is stored and maintained within the data structure (i.e. log data). When the user or client subsequently tries to access the same document of the same remote node (e.g., refresh), the information of the viruses or spywares associated with the requested document may be retrieved from the data structure. And [0026] Meanwhile, the network access device 201 may extract the URL of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein (i.e. indicating/indication)). And referring to Fig. 3 steps 305 and 306). Examiner notes URL and IP address indicates IP address corresponding to the domain name, since typical URL could have the form … which indicates a protocol (http), a hostname (www.example.com) (i.e. domain name), and a file name (index.html). See Wikipedia definition of URL; 
receiving, by the packet-filtering system and after the generating the log data, a plurality of second packets, wherein the plurality of second packets traverse the communications link and comprise: [encrypted data, and respective packet headers] comprising second unencrypted data (Dubrovsky, [0027] When the network access device 201 receives the second request, the network access device 201 may extract the URL of the requested Web page and the IP address of the server that hosts the Web page from the second request (i.e. second packets)); (see Mahadik, Moore below for limitation(s) in bracket)
While Dubrovsky teaches the filtering of first packets, generating logged data and filtering second packets, however does not explicitly teach packet-filtering rule, second packets comprises encrypted data and following limitation(s), however in the same field of endeavor Mahadik teaches:
packet-filtering rule(s) (Mahadik, discloses selectively filtering internet traffic, see [Abstract]. And [0022] determining a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database...Step S220 may additionally include determining the resource access level according to rules set by a network administration interface. These rules function to enable the method to enforce conditional access restrictions to resources (i.e. packet filtering)),
[receiving, by the packet-filtering system and after the generating the log data, a plurality of second packets, wherein the plurality of second packets traverse the communications link] (limitation(s) in bracket taught by Dubrovsky as shown above) and comprise: encrypted data and [respective packet headers] comprising second unencrypted data (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake... The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted (i.e. filtering). If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic); (see Moore below for respective packet header in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky by using handshake message information to identify the encrypted connection for traffic data filtering action (e.g. permitted or restricted). This would have been obvious because the person having ordinary skill in the art would have been motivated to relate the encrypted network traffic with unencrypted network traffic data such as handshake message for the network traffic filtering control (Mahadik, [Abstract], [0020], [0029]).
While the combination of Dubrovsky-Mahadik teaches the filtering of first and second packets, however does not explicitly teach second packets comprises respective packet headers, however in the same field of endeavor Moore teaches:
respective packet headers comprising second unencrypted data (Moore, discloses filtering network data based on packet header field values corresponding to packet filtering rule, see [Abstract]. And [0025] packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), …), one or more source IP addresses, one or more source port values, one or more destination IP addresses (i.e. second unencrypted data), … And [0036] For an HTTPS session composed of IP packets, the application packets contained in the IP packets may be TLS Record Protocol packets. The header fields of TLS Record Protocol packets may not be encrypted. One of the header fields may contain a value (i.e. can also be second unencrypted data) indicating the TLS version). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik by specifying packet header information with associated addresses and TLS version related to dynamic security policy. This would have been obvious because the person having ordinary skill in the art would have been motivated to specify the packet header information corresponding to packet filtering rule to determine the portion of the packet to be transferred (Moore, [Abstract]).
Dubrovsky, Mahadik and Moore further teach: 
determining, by the packet-filtering system and without decrypting the encrypted data, whether the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule (Mahadik, [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted; Examiner notes that Mahadik’s filtering of “is restricted, permitted, or partially restricted” is based on domain information from handshake. It is obvious to one ordinary skilled in the arts that the filtering is not based on decrypting the encrypted data) by determining that the second unencrypted data corresponds to the logged IP address corresponding to the domain name (Dubrovsky, [0027] The extracted URL (i.e. domain name) and IP address may be used to compare with the information stored in table 206. If the table 206 (i.e. data structure, i.e. logged) contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated); and filtering, by the packet-filtering system and; responsive to the determining that the plurality of second packets are associated with the potential network threat corresponding to the first packet-filtering rule, the plurality of second packets, comprising the encrypted data, based on at least one action specified by the first packet-filtering rule (Dubrovsky, [0031] At block 404, the retrieved information is returned (e.g., in a HTML page) to the client without accessing the requested document of the remote facility (i.e. filtering the plurality of second packets based on the correlating with previous failed access request). Mahadik, see [0029] If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete and then forcing additional encrypted traffic (HTTPS) to be blocked, forcing unencrypted access. This preferably allows a client to complete a secure login process (i.e. action) but then alter the rest of the network access so that the web proxy can monitor activity. Examiner notes Dubrovsky teaches second unencrypted data is correlated to first unencrypted data based on filtering of first request to offensive content, while Mahadik further teaches encrypted packet data are filtered based on correlating to unencrypted packet data (handshake), and together Dubrovsky, Mahadik and Moore teaches filtering network data based on unencrypted data such as handshake or IP addresses etc. within header of packets as packet threat indicators for encrypted packets). 

Regarding claim 12, claim 12 recites One or more non-transitory computer-readable media comprising instructions that when executed by at least one processor of a packet-filtering system (Dubrovsky, Fig. 2 Network Access Device (i.e. packet-filtering system), Fig. 8 Microprocessor and ROM, and [0050] Such a computer program may be stored in a computer readable storage medium), configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules (Dubrovsky, Referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN such as internet (i.e. second network)), cause the packet-filtering system to: perform steps substantially similar to the method steps of claim 2, therefore is rejected with the same rational set forth as rejection of claim 2 above.

Regarding claim 21, claim 21 recites A packet-filtering apparatus comprising: at least one processor configured to filter packets traversing a communications link between a first network and a second network in accordance with a plurality of packet-filtering rules; and memory storing instructions that when executed by the at least one hardware processor (Dubrovsky, Referring to Fig. 1, where clients are connecting to LAN 103 (i.e. first network) and Servers are connecting to WAN (i.e. second network) such as internet, and Fig. 2 Network Access Device (i.e. packet-filtering system), Fig. 8 Microprocessor and ROM) cause the packet-filtering apparatus to: perform steps substantially similar to the method steps of claim 2, therefore is rejected with the same reason set forth as rejection of claim 2 above.

Regarding claim 4, similarly claim 14, claim 23, Dubrovsky-Mahadik-Moore combination further teaches: The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein filtering the plurality of second packets comprises: sending at least a portion of the filtered plurality of second packets to a proxy configured to apply the at least one action to the at least a portion of the filtered plurality of second3Application No. 15/877,608Docket No.: 007742.00109\US Response to Office Action dated 04.13.2022packets (Mahadik, [0029] If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete (i.e. action) ...).  

Regarding claim 5, similarly claim 15, claim 24, Dubrovsky-Mahadik-Moore combination further teaches: The method of claim 4, the one or more non-transitory computer-readable media of claim 14, the packet-filtering apparatus of claim 23,
wherein the filtering the plurality of second packets comprises: wherein the at least one action comprises dropping, by the proxy, the at least the portion of the filtered plurality of second packets (Mahadik, [0029] If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete (i.e. action) and then forcing additional encrypted traffic (HTTPS) to be blocked (i.e. dropping)…).  

Regarding claim 6, similarly claim 16, claim 25, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein the plurality of first packets comprises the IP address (Dubrovsky, [0022] When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address) is stored and maintained within the data structure).  

Regarding claim 7, similarly claim 17, claim 26, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
the plurality of first packets comprises a Domain Name System (DNS) query comprising the domain name (Mahadik, [Abstract] One variation of a method for selectively filtering internet traffic includes: receiving DNS queries. And [0037] Step S320, which includes determining user identification requirements for the DNS requests, preferably determines the user identification requirements based on an internet resource database. User identification requirements preferably include whether an internet resource requires user identification or authentication to be accessed through the DNS server… user identification requirements are based on domain classifications. Domains are classified as permitted, partially-permitted, and restricted).

Regarding claim 8, similarly claim 18, claim 27, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 7, the one or more non-transitory computer-readable media of claim 17, the packet-filtering apparatus of claim 26, 
wherein the DNS query comprises the IP address corresponding to the domain name (Mahadik, [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource... A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query).

Regarding claim 10, similarly claim 20, claim 29, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21, 
wherein the at least one action is based on at least one of: a uniform resource identifier (URI), domain name, or network address specified by the first packet-filtering rule, data indicating a protocol version specified by the first packet-filtering rule, data indicating a method specified by the first packet-filtering rule, data indicating a request specified by the first packet-filtering rule, or data indicating a command specified by the first packet-filtering rule (Mahadik, [0029] If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete and then forcing additional encrypted traffic (HTTPS) to be blocked, forcing unencrypted access. This preferably allows a client to complete a secure login process but then alter the rest of the network access so that the web proxy can monitor activity. The web proxy server preferably determines when a login process is complete through a combination of counting the number of transmitted bytes and the number of packets (i.e. data indicating a command specified by the first packet-filtering rule)).  

Regarding claim 11, Dubrovsky-Mahadik-Moore combination further teaches: 
The method of claim 2, wherein the plurality of first packets comprise one or more packets comprising one or more handshake messages configured to establish an encrypted communication session (Mahadik, [0029] This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter).  

Claims 3, 13, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky-Mahadik-Moore as applied above to claims 2, 12, 21 respectively, further in view of Hampel et al (US9258218B2, hereinafter, “Hampel”).
Regarding claim 3, similarly claim 13, claim 22, Dubrovsky-Mahadik-Moore combination teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21,
While the combination of Dubrovsky-Mahadik-Moore does not explicitly teach the following limitation(s), in the similar field of endeavor Hampel teaches:
wherein the encrypted data is associated with first transport-layer information, wherein the first unencrypted data is associated with second transport-layer information, and wherein the determining whether the plurality of second packets correspond to the potential network threat comprises: determining, by the packet-filtering system that the first transport-layer information corresponds to the second transport-layer information (Hampel, [Abstract] discloses method to control overlay networks with control functions and forwarding functions separated, And [Claim 12] a data flow definition for a data flow and a set of actions to be performed for the data flow at the forwarding element, wherein the data flow definition is based on one or more protocol header (i.e. unencrypted data) fields of one or more protocols, wherein the one or more protocols comprise one or more network layer protocols or one or more transport layer protocols (i.e. second transport-layer), wherein the set of actions comprises at least one tunneling action and at least one security action, wherein the at least one tunneling action comprises at least one of a set of multiple encapsulation actions (i.e. encrypted data) or a set of multiple decapsulation actions, wherein the at least one security action is associated with a security protocol (i.e. first transport-layer) and comprises at least one of an encryption action or a decryption action; wherein the set of multiple encapsulation actions comprises a tunneling encapsulation action, a transport layer encapsulation action, and a network layer encapsulation action;  … and processing a packet of the data flow based on the control information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hampel in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik-Moore by separating the control functions in network layer protocol and the forwarding functions in security protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the software-defined network overlay method vertically move packets across network layers to support tunneling via communication networks (Hampel, [Abstract], [0002], [Claim 12]).

Claims 9, 19, 28 are rejected under 35 U.S.C. 103 as being unpatentable over Dubrovsky-Mahadik-Moore combination as applied above to claims 2, 12, 21 respectively, further in view of Ross et al (US20140365372A1, hereinafter, “Ross”).
Regarding claim 9, similarly claim 19, claim 28, Dubrovsky-Mahadik-Moore combination teaches: 
The method of claim 2, the one or more non-transitory computer-readable media of claim 12, the packet-filtering apparatus of claim 21,
Although Dubrovsky-Mahadik-Moore teaches dropping second packets (see Mahadik, [0029] If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server until determining the login process is complete (i.e. action) and then forcing additional encrypted traffic (HTTPS) to be blocked (i.e. dropping)…), but does not explicitly teach the following limitations, however in the same field of endeavor Ross teaches: 
wherein the plurality of first packets comprise a certificate message for an encrypted communication session, and wherein the at least one action comprises: at least one of dropping or logging one or more of the plurality of second packets based on a determination that the certificate message comprises data indicating at least one of: a serial number indicated by the first packet-filtering rule, an issuer indicated by the first packet-filtering rule, a validity time-range indicated by the first packet-filtering rule, a key indicated by the first packet-filtering rule, or a signing authority indicated by the first packet-filtering rule (Ross, discloses method of mediating communications between communicating devices, see [Abstract]. And [0011] establishing the communications link to the first computing device includes intercepting a connection request from the first computing device to the second computing device, using a set of one or more predefined communication rules.  The intermediary computing device can therefore function as a packet filter, passing each packet through a set of rules (i.e. packet-filtering rule), And [0108] a connection from the computer terminal 402 is established… to the proxy server 401 rather than the web server 406, using for example Hypertext Transfer Protocol Secure (HTTPS) so that communications are fully encrypted… the domain name "www.proxy.com" has a Secure Socket Layer (SSL) certificate generated using the domain name "www.acquirer.com".  This could be an X.509 self-signed SSL certificate (.crt file) in the name of "www.acquirer.com" for example (X.509 is a standard for a Public Key Infrastructure (PKI)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Ross in the method of identifying offensive content in file scanning of anti-virus protection of Dubrovsky-Mahadik-Moore by using the certificate to determine the URL to match the certificate domain. This would have been obvious because the person having ordinary skill in the art would have been motivated to establish communication link between computing devices by intermediary device functioning as packet filter for personal, confidential or sensitive information communication in establishing the communication link between devices (Ross, [Abstract], [0001], [0011]).
Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Xu et al (US9917852B1) discloses techniques for Domain Generation Algorithm behavior detection. In particular, Xu teaches network communications from hosts that are redirected to the sinkholed IP address can be analyzed by the cloud security service, which can then determine which host devices attempted to connect to that bad network domain (e.g., log which clients attempted to connect to the bad network domain and how many times) and/or perform various other actions.
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436  

/TRONG H NGUYEN/Primary Examiner, Art Unit 2436