Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the amendment filed on 10/06/2022.
Claims 1-20 are pending for consideration.
Claims 1, 5, 10, 14, and 20 are currently amended.
Response to Arguments
Applicant's arguments filed on 10/06/2022 have been fully considered and are not persuasive.
Applicant argues on page 8 of the Remarks that Susanta and Knapp do not disclose the following limitation in claims 1, 10 and 20: "a copy of the packet based on one or more header fields of the packet matching one or more Transport Layer Security (TLS) header fields indicated by one or more flow table entries of the switch". It is noted that the disclosed limitation is amended claim language and a previous disclosed prior art, US 2020/0053064 A1 (hereinafter ‘Oprisan’), was used in order to reject this limitation. The rationale for the rejection of the amended claim language is given below. 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 3, 4, 5, 7, 9, 10, 12, 13, 14, 16, 18, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2016/191545 (hereinafter 'Susanta'), in view of US 2020/0053064 A1 (hereinafter ‘Oprisan’) and in further view of US 2010/050256 (hereinafter 'Knapp').
Regarding Claim 1:
Susanta discloses:
A method comprising: receiving, at a switch in a software-defined network (SDN), a packet sent by an endpoint device via the SDN (¶50: “Returning to FIG. 3, at step 304 one or more of the systems described herein may provide, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy. For example, providing module 106 may, as part of virtual switch 202 in FIG. 2, provide software-defined network rules 212 within virtual switch 202.”);
Susanta does not disclose the following limitation “making, by the switch, a copy of the packet based on one or more header fields of the packet matching one or more Transport Layer Security (TLS) header fields indicated by one or more flow table entries of the switch”
Oprisan discloses: 
 making, by the switch, a copy of the packet based on one or more header fields of the packet matching one or more Transport Layer Security (TLS) header fields indicated by one or more flow table entries of the switch (¶34: “After producing decrypted TLS traffic, proxy element 104 may utilize a packet copier to copy the decrypted TLS traffic, which can be forwarded to a network tool for analysis and monitoring. At this stage, the decrypted TLS traffic is forwarded to encryption manager 122. Encryption manager 122 subsequently forwards the encrypted TLS traffic to transmitting agent 132, which in turn sends the encrypted TLS traffic to a destination server); 
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta in order to include a feature in which a packet is copied from TLS traffic and with the indication of a flow table forwards the copied packet to a destination server as taught by Oprisan. One of ordinary skill in the art would have been motivated to do so because Oprisan recognizes that copying the information of a packet in TLS traffic the packet can then be monitored and analyzed by a proxy client (¶34). 
Susanta and Oprisan does not disclose the following limitation “forming, by the switch, telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet wherein the metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data; and sending, by the switch, the formed telemetry data to the traffic analysis service.”
Knapp discloses:
forming, by the switch, telemetry data for reporting to a traffic analysis service by applying a metadata filter to the copy of the packet wherein the metadata filter prevents at least a portion of the copy of the packet from inclusion in the telemetry data; and sending, by the switch, the formed telemetry data to the traffic analysis service (¶10: “a computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is provided. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times.”) and sending, by the switch, the formed telemetry data to the traffic analysis service (¶71: “System 120 relies on the header capture and storage capability found in the IP packet header collection and storage system 110 discussed above.”; ¶90: “System 120 collects and stores information the types and quantities of traffic passing through an IP network. The information is then recorded for later use and analysis.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta and Oprisan in order to include a feature that can use a metadata filter in order to copy the header information of a telemetry data and send it to an endpoint in order to analyze the traffic of system as taught by Knapp. One of ordinary skill in the art would have been motivated to do so because Knapp recognizes that copying the header information of a packet will reduce the amount of bandwidth that is required in order to send it over to an endpoint device, the endpoint device will then use the data in order to detect anomalies in the network traffic of a system (¶43: “Such a storage scheme is operative to reduce the bandwidth required to transfer the packet headers to the database, and reduce the storage requirements of the database.”; ¶90: “This type of data provides the building blocks to perform more advanced analysis, such as anomaly detection”).
Regarding Claim 3
Susanta discloses:
The method as in claim 1, wherein the traffic analysis service uses the telemetry data to determine whether the endpoint device is infected with malware (¶8: “In this example, the security policy may include a malware detection policy applied to network traffic distributed to the destination port from outside the virtual network.”; ¶50: “Returning to FIG. 3, at step 304 one or more of the systems described herein may provide, within the virtualized switching device, a set of software-defined network rules containing criteria for identifying packets having at least one predetermined property associated with a security policy. For example, providing module 106 may, as part of virtual switch 202 in FIG. 2, provide software-defined network rules 212 within virtual switch 202. The term “security policy,” as used herein, generally refers to any type or form of rules or restrictions intended to detect and/or prevent security threats or breaches such as malware attacks, data leaks, unauthorized access to classified or sensitive information, etc.”).
Regarding Claim 4
Susanta and Oprisan does not disclose “wherein forming the telemetry data further comprises: applying header compression to the copy of the packet.”
Knapp discloses:
The method as in claim 1, wherein forming the telemetry data further comprises: applying header compression to the copy of the packet (¶10: “a computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is provided. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times”.).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta and Oprisan in order to include a feature that can apply a stripped packet header technique in order to compress the size of a copied packet as taught by Knapp. One of ordinary skill in the art would have been motivated to do so because Knapp recognizes that compressing the size of a copied packet allows a system to process the copied packets at a faster rate as compared to copying the full information of a packet (¶40: “The SMIS component system 110 for IP packet header collection and storage collects, or captures, IP packets from a computer network, strips the packet header data from the captured IP packets, reviews the stripped packet header data for multiple occurrences of like-kind packet header data, and stores, for example in a database, a single instance of each unique packet header, for any reviewed packet headers that have been determined to have occurred multiple times.”). 
Regarding Claim 5
Susanta does not disclose “wherein the metadata filter causes the one or more TLS header fields of the copy of the packet to be included in the telemetry data.”
Oprisan discloses:
The method as in claim 1, wherein the metadata filter causes the one or more TLS header fields of the copy of the packet to be included in the telemetry data (¶23: “After some time, the packet communications may be securely encrypted by the proxy element 104 using, for example, SSL or TLS (e.g., via HTTPS). As such, the packet communications may transition from an unsecured/non-encrypted packet flow to a secured/encrypted packet flow during the course of the established communication session.”; ¶25: “For example, after identifying and/or detecting the initiation of an SSL or TLS session, monitoring engine 108 is configured to establish a separate TLS session with each of source client 102 and destination server 106. For example, proxy element 104 may receive a ‘client hello’ message sent by source client 102 that is directed to destination server 106. In response, proxy element 104 processes the received ‘client hello’ message and transparently functions as destination server 106 and completes a TLS handshake process to establish an TLS session between source client 102 and proxy element 104.” ¶34: “After producing decrypted TLS traffic, proxy element 104 may utilize a packet copier (not shown in FIG. 2) to copy the decrypted TLS traffic, which can be forwarded to a network tool for analysis and monitoring.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta, Oprisan and Knapp to teach that a flow table is indicative of a TLS header and that a metadata filter (client hello) can be used in order to copy a TLS header fields which includes telemetry data as taught by Oprisan. One of ordinary skill in the art would have been motivated to do so because Oprisan recognizes that using a metadata filter (client hello) in order to copy a TLS header fields which includes telemetry data can be used in order to monitor and analyze network data (¶34: “After producing decrypted TLS traffic, proxy element 104 may utilize a packet copier (not shown in FIG. 2) to copy the decrypted TLS traffic, which can be forwarded to a network tool for analysis and monitoring.”).
Regarding Claim 7
Susanta discloses:
The method as in claim 1, further comprising: receiving, at the switch, an update to the one or more flow tables and to the metadata filter from an SDN controller (¶32: “In addition, providing module 106 may cause virtual switch 202 to provide, within virtual switch 202, a set of software-defined network rules (e.g., software-defined network rules 212) containing criteria for identifying packets having at least one predetermined property associated with a security policy. Furthermore, determination module 110 may cause virtual switch 202 to determine that at least one characteristic (e.g., characteristic 216) of packet 214 satisfies at least one of software-defined network rules 212”.; ¶76: “Additionally or alternatively, providing module 106 may dynamically update the criteria within software-defined network rules 212 in response to detecting certain types or frequencies of security threats. For example, in response to determining that packet copy 218 contains a malware attack, providing module 106 may update the criteria to include representations of additional wiretaps designed to detect malware attacks.”).
Regarding claim 9
Susanta and Oprisan does not disclose “wherein the telemetry data comprises header information from the copy of the packet and one or more other packets send by the endpoint device.”
Knapp discloses:
The method as in claim 1, wherein the telemetry data comprises header information from the copy of the packet and one or more other packets send by the endpoint device (¶10: “a computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is provided. The method includes capturing IP packets from a computer network, stripping packet header data from the captured IP packets, reviewing the stripped packet header data for multiple occurrences of matching packet header data, and storing, in a database, only a single instance of packet header data for any reviewed packet header data that is determined to have occurred multiple times.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta and Oprisan in order to include a feature that can copy the header information of a telemetry data and send it to an endpoint device as taught by Knapp. One of ordinary skill in the art would have been motivated to do so because Knapp recognizes that copying the header information of a packet will reduce the amount of bandwidth that is required in order to send it over to an endpoint device (¶43: “Such a storage scheme is operative to reduce the bandwidth required to transfer the packet headers to the database, and reduce the storage requirements of the database.”). 
Regarding Claim 19
Susanta discloses:
The apparatus as in claim 10, wherein the apparatus comprises a network switch (¶5: “In one example, a computer-implemented method for monitoring virtual networks may include (1) identifying a virtual network containing at least one virtualized switching device that routes network traffic from a source port within the virtual network to a destination port”).

Claims 10, 12, 13, 14, 16, 18, 20 teach the apparatus claims that correspond to the method claims 1, 3, 4, 5, 7, 9 and are rejected using the same rational.

Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over US 2016/191545 (hereinafter 'Susanta'), in view of US 2020/0053064 A1 (hereinafter ‘Oprisan’), in view of US 2010/050256 (hereinafter 'Knapp'), and in further view of US 2014/029451 (hereinafter ‘Nguyen’). 
Regarding Claim 2
Susanta, Oprisan and Knapp do not disclose “wherein the portion of the copy of the packet comprises a payload of the copy of the packet”. 
Nguyen discloses the following limitation:
The method as in claim 1, wherein the portion of the copy of the packet comprises a payload of the copy of the packet (¶57: “Also, in one or more embodiments, the network switch device 100 may optionally be configured to perform additional filtering on the packet after the header stripping. For example, in some embodiments, the processor 144 may receive a packet with an outer header (O), an inner header (I), and a payload (P).”; ¶69 “It should be noted that when a “packet” is described in this application, it should be understood that it may refer to the original packet that is transmitted from a node, or a copy of it.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta, Oprisan and Knapp to teach that a portion of the copied packet comprises of a payload as taught by Nguyen. One of ordinary skill in the art would have been motivated to do so because Nguyen recognizes that a payload from the packet can be used in order to analyze network traffic (¶56: “In some embodiments, the modified packet with the format I-P-O is received by a network monitoring instrument that is communicatively coupled to an instrument port at the network switch device 100.”).
Regarding Claim 11
Susanta, Oprisan and Knapp do not disclose “wherein the portion of the copy of the packet comprises a payload of the copy of the packet.”. 
Nguyen discloses the following limitation:
The apparatus as in claim 10, wherein the portion of the copy of the packet comprises a payload of the copy of the packet. (¶57: “Also, in one or more embodiments, the network switch device 100 may optionally be configured to perform additional filtering on the packet after the header stripping. For example, in some embodiments, the processor 144 may receive a packet with an outer header (O), an inner header (I), and a payload (P).”; ¶69 “It should be noted that when a “packet” is described in this application, it should be understood that it may refer to the original packet that is transmitted from a node, or a copy of it.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta, Oprisan and Knapp to teach that a portion of the copied packet comprises of a payload as taught by Nguyen. One of ordinary skill in the art would have been motivated to do so because Nguyen recognizes that a payload from the packet can be used in order to analyze network traffic (¶56: “In some embodiments, the modified packet with the format I-P-O is received by a network monitoring instrument that is communicatively coupled to an instrument port at the network switch device 100.”).
Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over US 2016/191545 (hereinafter 'Susanta'), in view of US 2020/0053064 (hereinafter ‘Oprisan’), in view of US 2010/050256 (hereinafter 'Knapp'), and in further view of US 11,108,819 (hereinafter ‘Harrell’)
Regarding Claim 6
Susanta, Oprisan and Knapp do not disclose “wherein the one or more TLS header fields are indicative of: a particular ciphersuite, user agent, or TLS extension”. 
Harrell discloses the following limitation:
The method as in claim 5, wherein the one or more TLS header fields are indicative of: a particular ciphersuite, user agent, or TLS extension (Column 7, Line 54: “For example, network traffic analysis service 310 may base its classification in part on the source address and/or port of endpoint 302, the destination address and/or port of endpoint 304, the protocol(s) used by traffic 306. Further header information from traffic 306 that can be captured and assessed by network traffic analysis service 310 may include Transport Layer Security (TLS) information (e.g., from a TLS handshake), such as the ciphersuite offered, user agent, TLS extensions (e.g., type of encryption used, the encryption key exchange mechanism, the encryption authentication type, etc.), HTTP information (e.g., URI, etc.), Domain Name System (DNS) information, or any other data features that can be extracted from the observed traffic flow(s) of traffic 306.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta, Oprisan and Knapp to teach that TLS header fields can include a user agent, ciphersuite, or a TLS extension as taught by Harrell. One of ordinary skill in the art would have been motivated to do so because Harrell recognizes that a user agent, ciphersuite, or a TLS extension can be used order to subject data traffic for security analysis (Column 7, Line 54: “For example, network traffic analysis service 310 may base its classification in part on the source address and/or port of endpoint 302, the destination address and/or port of endpoint 304, the protocol(s) used by traffic 306. Further header information from traffic 306 that can be captured and assessed by network traffic analysis service 310 may include Transport Layer Security (TLS) information (e.g., from a TLS handshake), such as the ciphersuite offered, user agent, TLS extensions (e.g., type of encryption used, the encryption key exchange mechanism, the encryption authentication type, etc.), HTTP information (e.g., URI, etc.), Domain Name System (DNS) information, or any other data features that can be extracted from the observed traffic flow(s) of traffic 306.”).
Regarding Claim 15
The apparatus as in claim 14, wherein the one or more TLS header fields are indicative of: a particular ciphersuite, user agent, or TLS extension (Refer to Claim 6 Rejection). 


Claims 8 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over US 2016/191545 (hereinafter 'Susanta'), in view of US 2020/0053064 A1 (hereinafter ‘Oprisan’), in view of US 2010/050256 (hereinafter 'Knapp'), and in further view of US 8,813,197 (hereinafter ‘Sabin’)
Regarding Claim 8
Susanta, Oprisan and Knapp does not disclose “wherein the metadata filter determines whether the packet is one of a set of initial packets for a Transmission Control Protocol (TCP) session”
Sabin discloses the following limitation: 
The method as in claim 1, wherein the metadata filter determines whether the packet is one of a set of initial packets for a Transmission Control Protocol (TCP) session (Column 12, line 65: “The metadata includes such information as a TCP/IP address for the first server, a port number for a port that the first application uses on the first server, a PID for the first application, and/or network interface controller data for the first server.”).
It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to modify the teaching of Susanta, Oprisan and Knapp to teach that a metadata filter can be used to determine the first packet (first application) in a TCP session as taught by Sabin. One of ordinary skill in the art would have been motivated to do so because Sabin recognizes that a first packet (first application) can be processed for information gathering before switching the packet to a second system (Column 8, Line 25: “In an embodiment, a first kernel process of a first OS on the first server 402 intercepts the communication that is being sent from the first application before it is released to the second server 403. The first kernel process gathers the information and sends it to the identity service 401 on behalf of the first application.”).
Regarding Claim 17
The apparatus as in claim 10, wherein the metadata filter determines whether the packet is one of a set of initial packets for a Transmission Control Protocol (TCP) session (Refer to claim 8 rejection). 


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/             Examiner, Art Unit 2431                                                                                                                                                                                           
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431