DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statements (IDSs) submitted on 3/14/2022 has been entered and considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  

Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 10305809.  Although the claims at issue are not identical, they are not patentably distinct from each other.  Please see the direct claim comparison below.

Instant Application Claim 1
10305809 Claims 1, 2, and 4
A method, comprising:
A method, comprising:
detecting, at a networking device in a network, an encrypted traffic flow conveyed in the network via the networking device;
detecting, at a networking device in a network, an traffic flow conveyed in the network via the networking device, wherein the networking device is located internal to the network and not at an edge of the network; 
generating, by the networking device, behavioral flow data for the encrypted traffic flow, the behavioral flow data comprising one or more of: Transport Layer Security (TLS)-based metadata regarding the encrypted traffic flow and Secure Socket Layer (SSL)-based metadata regarding the encrypted traffic flow;
generating, by the networking device, flow data for the traffic flow;
Claim 2: wherein the traffic flow is encrypted and the flow data comprises one or more of: Transport Layer Security (TLS) metadata or Secure Socket Layer (SSL) metadata
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device based on one or more characteristics of the encrypted traffic flow; and
Claim 4: further comprising:
selecting, by the networking device, the machine learning-based classifier from among a plurality of machine learning-based classifiers hosted by the networking device
performing, by the networking device, a classification of the encrypted traffic flow using the behavioral flow data as input to the machine learning-based classifier that is selected by the networking device.
performing, by the networking device, a classification of the traffic flow using the flow data as input to a machine learning-based classifier; and

performing, by the networking device, a mediation action based on the classification of the traffic flow.


As can be seen from the direct claim comparison above, instant application claim 1 is merely a broader version of US Patent 10305809 and all limitations from instant application claim 1 are clearly disclosed in US Patent 10305809.  Therefore, this is clearly an obvious type non-statutory double patenting issue.  

Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 10728158.  Although the claims at issue are not identical, they are not patentably distinct from each other. Please see the direct claim comparison below.

Instant Application Claim 1
10728158 Claims 1 and 2
A method, comprising:
A method, comprising:
detecting, at a networking device in a network, an encrypted traffic flow conveyed in the network via the networking device;
detecting, at a networking device in a network, a traffic flow conveyed in the network via the networking device, wherein the traffic flow is encrypted;
generating, by the networking device, behavioral flow data for the encrypted traffic flow, the behavioral flow data comprising one or more of: Transport Layer Security (TLS)-based metadata regarding the encrypted traffic flow and Secure Socket Layer (SSL)-based metadata regarding the encrypted traffic flow;
generating, by the networking device, behavioral flow data for the traffic flow;
Claim 2: wherein the behavioral flow data comprises one or more of: Transport Layer Security (TLS) metadata or Secure Socket Layer (SSL) metadata
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device based on one or more characteristics of the encrypted traffic flow; and
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device, wherein the selecting of the machine learning-based classifier is based on one or more characteristics of the behavioral flow data and one or more respective parameters of the plurality of machine learning-based classifiers;
after selecting the machine learning-based classifier among the plurality of machine learning-based classifiers;

performing, by the networking device, a classification of the encrypted traffic flow using the behavioral flow data as input to the machine learning-based classifier that is selected by the networking device.
performing, by the networking device, a classification of the traffic flow using the behavioral flow data as input to the selected machine learning-based classifier;

performing, by the networking device, a first mediation action when the classification of the traffic flow satisfies a threshold; and

performing, by the networking device, a second mediation action different from the first mediation action when the classification of the traffic flow satisfies the threshold and at least one other feature of the traffic flow satisfies a predefined condition.


As can be seen from the direct claim comparison above, instant application claim 1 is merely a broader version of US Patent 10728158 all limitations from instant application claim 1 are clearly disclosed in US Patent 10728158.  Therefore, this is clearly an obvious type non-statutory double patenting issue.  

Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 11303574.  Although the claims at issue are not identical, they are not patentably distinct from each other. Please see the direct claim comparison below.

Instant Application Claim 1
11303574 Claim 1
A method, comprising:
A method, comprising:
detecting, at a networking device in a network, an encrypted traffic flow conveyed in the network via the networking device;
detecting, at a networking device in a network, a traffic flow conveyed in the network via the networking device, wherein the traffic flow is encrypted;
generating, by the networking device, behavioral flow data for the encrypted traffic flow, the behavioral flow data comprising one or more of: Transport Layer Security (TLS)-based metadata regarding the encrypted traffic flow and Secure Socket Layer (SSL)-based metadata regarding the encrypted traffic flow;
generating, by the networking device, behavioral flow data for the traffic flow comprising one or more of: Transport Layer Security (TLS)-based metadata regarding the traffic flow and Secure Socket Layer (SSL)-based metadata regarding the traffic flow;
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device based on one or more characteristics of the encrypted traffic flow; and
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device, wherein the selecting of the machine learning-based classifier is based on one or more characteristics of the behavioral flow data and one or more respective parameters of the plurality of machine learning-based classifiers;
after selecting the machine learning-based classifier among the plurality of machine learning-based classifiers;

performing, by the networking device, a classification of the encrypted traffic flow using the behavioral flow data as input to the machine learning-based classifier that is selected by the networking device.
performing, by the networking device, a classification of the traffic flow using the behavioral flow data as input to a machine learning-based classifier;

performing, by the networking device, a first mediation action when the classification of the traffic flow satisfies a threshold; and
performing, by the networking device, a second mediation action different from the first mediation action when the classification of the traffic flow satisfies the threshold and at least one other feature of the traffic flow satisfies a predefined condition.


As can be seen from the direct claim comparison above, instant application claim 1 is merely a broader version of US Patent 11303574 all limitations from instant application claim 1 are clearly disclosed in US Patent 11303574.  Therefore, this is clearly an obvious type non-statutory double patenting issue.  

Claims 1-20 rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-28 of U.S. Patent No. 11303574.  Although the claims at issue are not identical, they are not patentably distinct from each other. Please see the direct claim comparison below.

Instant Application Claim 2
11303574 Claims 1, 5, and 9
A method, comprising:
A method, comprising:
detecting, at a networking device in a network, an encrypted traffic flow conveyed in the network via the networking device;
proxying, at a networking device in a network, an encrypted connection between first and second endpoints, wherein the encrypted connection comprises a traffic flow conveyed in the network via the networking device, wherein the traffic flow is encrypted;
generating, by the networking device, behavioral flow data for the encrypted traffic flow, the behavioral flow data comprising one or more of: Transport Layer Security (TLS)-based metadata regarding the encrypted traffic flow and Secure Socket Layer (SSL)-based metadata regarding the encrypted traffic flow;
generating, by the networking device, behavioral flow data for the traffic flow;
Claim 9: wherein the behavioral flow data comprises one or more of: Transport Layer Security (TLS) metadata, Secure Socket Layer (SSL) metadata, sequence of packet lengths and time (SPLT) data regarding the traffic flow, sequence of application lengths and time (SALT) data regarding the traffic flow, and one or more packet lengths of the traffic flow
selecting, by the networking device, a machine learning-based classifier among a plurality of machine learning-based classifiers hosted by the networking device based on one or more characteristics of the encrypted traffic flow; and
performing, by the networking device, a classification of the traffic flow using the behavioral flow data as an input to a classifier that includes one or more classifier parameters generated using machine learning; 
Claim 5: further comprising: prior to performing the classification of the traffic flow, selecting, by the networking device, the classifier among a plurality of classifiers hosted by the networking device
performing, by the networking device, a classification of the traffic flow using the behavioral flow data as an input to a classifier that includes one or more classifier parameters generated using machine learning;
performing, by the networking device, a classification of the traffic flow using the behavioral flow data as input to a machine learning-based classifier;

and performing a first mediation action based upon the classification of the traffic flow, wherein the first mediation action comprises: decrypting the traffic flow, and evaluating whether the decrypted traffic flow is related to malware.


As can be seen from the direct claim comparison above, instant application claim 1 is merely a broader version of US Patent 10728158 all limitations from instant application claim 1 are clearly disclosed in US Patent 10728158.  Therefore, this is clearly an obvious type non-statutory double patenting issue.  

Allowable Subject Matter
Claims 1-20 are allowable except for the Double Patenting rejections, as shown above. It is suggested that Applicant file a eTerminal Disclaimer so that a Notice of Allowance may be issue.




Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENT KRUEGER whose telephone number is (303)297-4238.  The examiner can normally be reached on M-F 8:00-5:00 MT.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Michael Thier can be reached on (571) 272-2832.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/KENT KRUEGER/Primary Examiner, Art Unit 2474