DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Status of Claims
The amendment filed 8/30/2022 has been entered. Claims 1, 3-6, 8-9, 11-14, 16-17, 20-21, 23-24, 26-28, 30 are currently amended. Claims 31-35 are newly added. Claims 1-35 are pending in the application.
The objection of claims 1, 9, 17, 24 due to informalities has been withdrawn in light of applicant’s amendment to the claims.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/23/2021, 4/14/2022, 5/4/2022, 5/13/2022, 6/30/2022, 7/12/2022, 8/12/2022, 8/30/2022, 8/31/2022, 9/9/2022, 10/26/2022 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Applicant is advised that the cited reference submitted 6/30/2022, US patent application US20120290229A1 to Cavallini, et al. has been strike-out by the examiner. It has been placed in the application file, but the information referred to therein has not been considered as to the merits since the reference appears to be irrelevant to the claimed invention. Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining.
Response to Arguments
Applicant’s arguments, see pages 17-25 of the Remarks filed 8/30/2022 regarding rejections under the 35 USC 103, on claims 1-30 as being unpatentable over the prior arts of record have been fully considered and asserted not fully persuasive and moot in view of current office action with newly applied prior arts to the independent claims in response to applicant’s amendment. 
Regarding claim 1 (similarly claims 17), applicant argued 
“None of the cited references teach, disclose, or otherwise suggest, as recited by claim 1 (as amended), at least ‘log an indication of the first packet-filtering rule and the IP address corresponding to the domain name; receive, after the logging, one or more encrypted packets; correlate the one or more encrypted packets with the one or more unencrypted packets based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the logged IP address; determine, based on the correlating the one or more encrypted packets with the one or more unencrypted packets, and based on the first packet-filtering rule, that the one or more encrypted packets correspond to the potential network threat; filter, based on the determination that the one or more encrypted packets correspond to the potential network threat, and based on the first packet-filtering rule, the one or more encrypted packets; and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least a portion of the filtered one or more encrypted packets.’” (see page 21 of the Remark) 

Applicant further argued regarding the cited references Mahadik, Wang, Dubrovsky each does not teach the above features. Examiner acknowledged applicant’s perspective however respectively disagrees. 
All references of record are related to network data/packet traffic filtering. Primary reference Mahadik discloses selectively filtering internet traffic; Dubrovsky discloses controlling accessing a document. Mahadik teaches filtering encrypted traffic packets based on correlating with handshake message which is unencrypted data such as domain information, prior to the encrypted communication (encrypted packets), while Dubrovsky teaches filtering accessing to document based on logged previous failed access record in data structure, i.e. based on correlating with logged data. Although Dubrovsky does not teach packets comprising encrypted data as part of an encrypted communication session, these encrypted packets are taught by Mahadik as suggested above. Instead, what Dubrovsky teaches is the fact that filtering of unencrypted data by correlating with previously logged unencrypted data stored in the data structure. Reference Wang is used to teach correlating encrypted TLS request with TLS handshake based on reading virtual host from HTTP headers to identify hostname client is attempting to reach. Martini is further applied to teach man in the middle decryption after encrypted communication is selected (i.e. filtered) for further inspection. As result, the combination of Mahadik, Wang, Dubrovsky, Martini teaches every elements of limitations recited in claim 1 (claim 17). Therefore, examiner asserts applicant’s argument is not persuasive, and moot in view of the updated Claim Rejections presented below. 
Applicant’s argument regarding Buruganahalli is moot since the reference is not used in the current office action.
Claims 9, 24 recite limitations similar to claims 1, 17, except the second unencrypted data is associated with initiation of a TCP connection, instead of TLS handshake, therefore above discussion also applies. As result, the combination of Mahadik, Moore, Dubrovsky, Martini teaches every elements of limitations recited in claims 9, 24.
Applicant’s further argument regarding dependent claims are therefore also not persuasive due to their dependency on the respective rejected independent claims.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1, 4-5, 8, 12-13, 16-17, 20-21, 23, 27-28, 30 are rejected on the ground of nonstatutory double patenting as being unpatentable over corresponding claims of Patent No. 11,477,224 B2 (hereinafter, “’224”), in view of Mahadik et al (US20140089661A1) and further in view of Dubrovsky et al (US20140373156A1). See below the Claims Comparison Table.
Claim 1 of ‘224 discloses all of the limitations recited in claim 1 (similarly claim 17) of the instant application, similarly claim 12 of ‘224 discloses all of the limitations recited in claim 9 (similarly claim 24) of the instant application, as seen in the table below, except those limitations as emphasized in bold, however Mahadik in the same area of endeavor teaches: 
generate, based on the plurality of network-threat indicators, one or more packet-filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the first network-threat indicator comprises domain name criteria that is associated with a potential network threat (Mahadik, [0022] Step S220, which includes, determining (i.e. generating) a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database…Step S220 may additionally include determining the resource access level according to rules set by a network administration interface); wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the DNS query comprises one or more of: a domain name, or an IP address corresponding to the domain name (Mahadik, [0022] Step S220, which includes, determining a resource access level of a requested domain (i.e. domain name) of the DNS resolution query, preferably determines the resource access level based on an internet resource database); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet filtering system of ‘224 by using domain name as network-threat indicators. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide the resource database with stored information such as domain names as well as respective resource access levels for internet traffic filtering (Mahadik, [Abstract]). 
While the combination of ‘224 and Mahadik does not explicitly teach the following limitation (s) taught by Dubrovsky in the same field of endeavor:
correlate, based on one or both of the domain name or the IP address corresponding to the domain name, the first unencrypted data and the second unencrypted data (Dubrovsky, discloses selectively forwarding or returning a message based on detection of message content using stored unencrypted data with notification of reassembly-free file scanning, see [Abstract]. And [0022] data structure to maintain any previous failed requests for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares. When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address)); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the packet filtering system of ‘224 and Mahadik by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database for filtering access request (Dubrovsky, [Abstract], [0027]).
Claim 4 of ‘224 discloses all of the limitations recited in claim 4 (similarly claim 20) of the instant application, as seen in the table below;
Claim 5 of ‘224 discloses all of the limitations recited in claim 5 (similarly claim 21) of the instant application, as seen in the table below;
Claim 11 of ‘224 discloses all of the limitations recited in claim 8 (similarly claims 23) of the instant application, as seen in the table below;
Claim 15 of ‘224 discloses all of the limitations recited in claim 12 (similarly claim 27) of the instant application, as seen in the table below;
Claim 16 of ‘224 discloses all of the limitations recited in claim 13 (similarly claim 28) of the instant application, as seen in the table below;
Claim 21 of ‘224 discloses all of the limitations recited in claim 16 (similarly claims 30) of the instant application, as seen in the table below.
Claims Comparison Table
Instant Application 17/482,921
US Patent No. 11,477,224 B2
Claims 1 (similarly claim 17). A packet-filtering system comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive data regarding a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network threat intelligence providers provides at least a portion of the data; 

generate, based on the plurality of network-threat indicators, one or more packet-filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the first network-threat indicator comprises domain name criteria that is associated with a potential network threat; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the DNS query comprises one or more of: a domain name, or an IP address corresponding to the domain name; 
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the TLS handshake comprises the domain name; 

correlate, based on one or both of the domain name or the IP address corresponding to the domain name, the first unencrypted data and the second unencrypted data; 
determine, based on correlating the first unencrypted data and the second unencrypted data, and based on determining that at least a portion of the one or more2Application No. 17/482,921Docket No.: 007742.00252\USResponse to Office Action dated 03.31.2022 unencrypted packets match the domain name criteria of the first packet-filtering rule, that the at least a portion of the one or more unencrypted packets are associated with the potential network threat; 

log an indication of the first packet-filtering rule and the IP address corresponding to the domain name; 



receive, after the logging, one or more encrypted packets; 




correlate the one or more encrypted packets with the one or more unencrypted packets based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the logged IP address; 

determine, based on the correlating the one or more encrypted packets with the one or more unencrypted packets, and based on the first packet-filtering rule, that the one or more encrypted packets correspond to the potential network threat; 

filter, based on the determination that the one or more encrypted packets correspond to the potential network threat, and based on the first packet-filtering rule, the one or more encrypted packets; 

and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least a portion of the filtered one or more encrypted packets.
Claim 1. A packet-filtering system comprising: 

one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 












receive one or more unencrypted packets; 
analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; 
determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 














based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: 
an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name;

receive one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets; 

correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 2Application No. 17/482,910Docket No.: 007742.00251\US Response to OA dtd 05.13.2022 and AA dtd 06.13.2022 

determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 

in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule; 

and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.
Claim 9 (similarly claim 24). A packet-filtering system comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive data regarding a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network threat intelligence providers provides at least a portion of the data; 

generate, based on the plurality of network-threat indicators, one or more packet- filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the Application No. 17/482,921Docket No.: 007742.00252\USResponse to Office Action dated 03.31.2022first network-threat indicator comprises domain name criteria that is associated with a potential network threat; 

analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address; 
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the second unencrypted data comprises the IP address; 

correlate, based on the IP address, the first unencrypted data and the second unencrypted data; 
determine, based on correlating the first unencrypted data and the second unencrypted data, and based on determining that at least a portion of the one or more unencrypted packets match the domain name criteria of the first packet-filtering rul

log an indication of the first packet-filtering rule and the IP address corresponding to the domain name; 



receive, after the logging, one or more encrypted packets; 



correlate the one or more encrypted packets with the one or more unencrypted packets based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the logged IP address; 



determine, based on the correlating the one or more encrypted packets with the one or more unencrypted packets, and based on the first packet-filtering rule, that the one or more encrypted packets correspond to the potential network threat, 6Application No. 17/482,921Docket No.: 007742.00252\US Response to Office Action dated 03.31.2022 

filter, based on the determination that the one or more encrypted packets correspond to the potential network threat, and based on the first packet-filtering rule, the one or more encrypted packets; 

and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least a portion of the filtered one or more encrypted packets.
Claim 12. A packet-filtering system comprising: 

one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to: 

receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators; 












receive one or more unencrypted packets; analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the first unencrypted data comprises a host domain name; determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat4Application No. 17/482,910Docket No.: 007742.00251\US Response to OA dtd 05.13.2022 and AA dtd 06.13.2022indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat; 













based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising: an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name; 

receive one or more encrypted packets as part of an encrypted communication session associated with the initiation of the TCP connection subsequent to receiving the one or more unencrypted packets; 
correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets; 

determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat; 

in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule; 

and send at least a portion of the one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.
Claims 4, 20. 
Claim 4. 
Claims 5, 21. 
Claim 5. 
Claims 8, 23.
Claim 11.
Claims 12, 27.
Claim 15.
Claim 13, 28.
Claim 16.
Claim 16, 30.
Claim 21.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 6-8, 17-18, 22-23, 31, 33, 35 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Wang et al (US20130312054A1-IDS by Applicant, hereinafter, “Wang”), further in view of Dubrovsky et al (US20140373156A1-IDS by Applicant, hereinafter, “Dubrovsky”) and Martini (US20140317397A1-IDS by Applicant, hereinafter, “Martini”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive data regarding a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network threat intelligence providers provides at least a portion of the data (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses (i.e. network-threat indicator), …, and/or any suitable identifiers of a network accessed resource … (i.e. domain name criteria, identifier of a network resources being associated with domain name, URI/URL resource addresses)); 
generate, based on the plurality of network-threat indicators, one or more packet-filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the first network-threat indicator comprises domain name criteria that is associated with a potential network threat (Mahadik, [0022] Step S220, which includes, determining (i.e. generating) a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database…Step S220 may additionally include determining the resource access level according to rules set by a network administration interface); 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the DNS query comprises one or more of: a domain name, or an IP address corresponding to the domain name (Mahadik, [0022] Step S220, which includes, determining a resource access level of a requested domain (i.e. domain name) of the DNS resolution query, preferably determines the resource access level based on an internet resource database (i.e. analyze)); 
determine, based on correlating the first unencrypted data and the second unencrypted data, and based on determining that at least a portion of the one or more2Application No. 17/482,921Docket No.: 007742.00252\USResponse to Office Action dated 03.31.2022 unencrypted packets match the domain name criteria of the first packet-filtering rule, that the at least a portion of the one or more unencrypted packets are associated with the potential network threat (Mahadik, [0015] The internet resource database 120 preferably stores domain names (i.e. e.g. network-threat indicator), URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource. Each resource stored in the internet resource database 120 preferably includes a parameter indicating an associated resource access level. And [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query (e.g., permitted, partially-permitted, or restricted)); 
receive, after [the logging], one or more encrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication (packets), it is obvious that the received encrypted packets is after the unencrypted encryption handshake (packets); (See Dubrovsky below for logging) 
correlate the one or more encrypted packets with the one or more unencrypted packets [based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the logged IP address] (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain (i.e. unencrypted data) is preferably detected during the handshake through a server name attribute or through some alternative parameter. Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlate encrypted packets with domain information, which is unencrypted data in handshake); (see Wang, Dubrovsky below for limitations in bracket)
determine, based on the correlating the one or more encrypted packets with the one or more unencrypted packets, and based on the first packet-filtering rule, that the one or more encrypted packets correspond to the potential network threat (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted. Examiner notes that it is obvious to one ordinary skilled to understand that domain is restricted or partially restricted is in response to potential network threat); 
filter, based on the determination that the one or more encrypted packets correspond to the potential network threat, and based on the first packet-filtering rule, the one or more encrypted packets (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filter)); 
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data such as DNS query and detecting domain during handshake but does not explicitly teach analyzing unencrypted data comprising TLS handshake and unencrypted data contained in respective packet headers of the encrypted packets, however in the same field of endeavor Wang teaches:
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the TLS handshake comprises the domain name (Wang, discloses traffic control techniques of intercepting TLS handshake for secure communication, see [Abstract]. And [0018] the identification information can take different forms. In one example, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure. According to this example, the proxy device 120 may extract (i.e. analyze) the Server Name Indication (SNI) extension from the ClientHello message. And [0034] The SNI extension 660 was added to the TLS protocol to indicate to the server the hostname (i.e. domain name) the client is attempting to connect to during the handshaking procedure); 
[correlate the one or more encrypted packets with the one or more unencrypted packets] (see Mahadik above) based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the [logged] IP address (Wang, [0034] In an unsecured HTTP request, the server can read the virtual host from the HTTP headers (i.e. third unencrypted data in packet header). In an encrypted TLS request, the server is unable to read the HTTP headers until after the handshaking procedure is finished (i.e. the server is able to read the HTTP headers after TLS handshake). And [0039] the determination to block (i.e. filter) the connection between the client 110 and the server 130 is made before the message 335 makes its way to the server 130); Examiner notes that Wang also teaches correlate, i.e. determine whether to block the communication based on unencrypted packet data with initial messages in a TLS handshake (i.e. correlate)); (See Dubrovsky below for teachings of logged IP address)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Wang in the method of selectively filtering internet traffic of Mahadik by filtering traffic based on service name identification from TLS handshake in transport layer security traffic control. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on unencrypted packet traffic data such as service name identification in the TLS handshake message to extract host name of the second device for secure communication between first device and the second device (Wang, [Abstract]).
While the combination of Mahadik-Wang teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data but does not explicitly teach the following limitation (s) taught by Dubrovsky in the same field of endeavor:
correlate, based on one or both of the domain name or the IP address corresponding to the domain name, the first unencrypted data and the second unencrypted data (Dubrovsky, discloses selectively forwarding or returning a message based on detection of message content using stored unencrypted data with notification of reassembly-free file scanning, see [Abstract]. And [0022] data structure to maintain any previous failed requests (i.e. first unencrypted data where current message is the second unencrypted data) for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares. When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address) (i.e. the logged IP address corresponding to the domain name the domain name) is stored and maintained within the data structure); 
log an indication of the first packet-filtering rule and the IP address corresponding to the domain name (Dubrovsky, [0026] Meanwhile, the network access device 201 may extract the URL (i.e. domain name) of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306 (i.e. storing log data));
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik-Wang by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).
The combination of Mahadik-Wang-Dubrovsky does not specifically teach the following limitation(s), however in the same field of endeavor Martini teaches:
and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least a portion of the filtered one or more encrypted packets (Martini, [Abstract] The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource. And [0011] A gateway can decouple domains from shared Internet Protocol (IP) addresses and selectively choose to intercept SSL, TLS, etc requests. If spoofed IP addresses are another server on the network, performance issues may be alleviated as only selective requests are sent to man in the middle (MitM) gateways for decryption (i.e. apply an action)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky by correlating encrypted connection with specified spoofed IP addresses with DNS to filter the encrypted communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules that includes domain name and IP address that indicate destination upon which the encrypted traffic should be directed to, i.e. further to decrypt or optionally drop the encrypted messages (Martini, [Abstract], [0011], [0026]).

Regarding claim 17, claim 17 is a method claim that encompasses limitations that are similar to those of the packet-filtering system of claim 1. Therefore, claim 17 is rejected with the same rationale and motivation as applied against claim 1.

Regarding claim 2, similarly claim 18, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, 
Mahadik further teaches: wherein the DNS query comprises one or more of: a DNS query request, or a DNS query reply (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Regarding claim 6, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, 
Dubrovsky further teaches: wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to log the indication of the first packet-filtering rule and the IP address corresponding to the domain name by causing the packet-filtering system to log an indication of filtering of the one or more unencrypted packets (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)). Same motivation as presented in claim 1 would apply.

Regarding claim 7, similarly claim 22, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, 
Wang further teaches: wherein the TLS handshake is configured to establish an encrypted communication session between a client and a server, and wherein the TLS handshake further comprises one of: a ClientHello message generated by the client, or a certificate message generated by the server (Wang, [0018] Upon intercepting the initial message of the handshaking procedure, the procedure continues to step 230 in which the proxy device 120 extracts from the initial message identification information associated with the server 130…, the initial message of the handshaking procedure comprises a "ClientHello" message of the Transport Layer Security (TLS) handshaking procedure). Same motivation as presented in claim 1, 17 respectively would apply.

Regarding claim 8, similarly claim 23, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, 
Martini further teaches: Wherein the action comprises dropping the at least a portion of the filtered one or more encrypted packets (Martini, [0023] The network 100 can be configured to route some or all of the plaintext messages addressed outside the network to the network gateway 102. The network gateway 102 can inspect the plaintext messages and, optionally, modify or drop some messages). Same motivation as presented in claim 1, 17 respectively would apply. 

Regarding claim 31, similarly claim 33, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, 
Martini further teaches: wherein the action causes the proxy to decrypt the at least the portion of the filtered one or more encrypted packets (Martini, [0011] A gateway can decouple domains from shared Internet Protocol (IP) addresses and selectively choose to intercept SSL, TLS, etc requests. If spoofed IP addresses are another server on the network, performance issues may be alleviated as only selective requests are sent to man in the middle (MitM) gateways (i.e. proxy) for decryption (i.e. the action)). Same motivation as presented for claim 1, 17 respectively would apply.

Regarding claim 35, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, 
Martini further teaches: wherein the proxy comprises a second computing device different from the packet-filtering system (Martini, [0026] the MitM gateway 104 may act as a proxy of the server 118 for the browser device 106 and as a proxy of the browser device 106 for the server 118. The MitM gateway 104 is thus able to receive an encrypted message from the browser device 106, decrypt the message, inspect the message, optionally alter or drop the message). Same motivation as presented in claim 1 would apply.

Claims 5, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky-Martini as applied above to claim 1, 17 respectively, further in view of Rostami-Hesarsorkh (US 8892665 B1, hereinafter, “Rostami-Hesarsorkh”).
Regarding claim 5, similarly claim 21, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claims 5, 21 respectively above),
While the combination of Mahadik-Wang-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Rostami-Hesarsorkh teaches:
further based on a port number associated with one or both of: the first unencrypted data, or the second unencrypted data (Rostami-Hesarsorkh, discloses monitoring peer-to-peer network traffic [Abstract]. And [Col. 9 line 53-Col. 10 line 27] the data appliance 202 can use an IP address associated with the data appliance 202 and select a port number that is used for emulated peer-to-peer traffic communications… using these techniques, the respective port number(s) for each of client 204 and client 220 used for this monitored network traffic can now be identified as being associated with the peer-to-peer session … As a result, using these encrypted peer-to-peer detection techniques, unknown network traffic flows/sessions (e.g., unidentified/unknown sessions that are suspicious) from a client determined to be executing a peer-to-peer application can be determined to be associated with the peer-to-peer application and can be blocked).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rostami-Hesarsorkh, in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky-Martini by identifying port number associated with client for monitoring network traffic. This would have been obvious because the person having ordinary skill in the art would have been motivated to associate unencrypted or encrypted peer-to-peer communication traffic associated with port number of clients to filter suspicious application (Rostami-Hesarsorkh, [Abstract]).   

Claims 3-4, 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Wang-Dubrovsky-Martini as applied above to claim 1, 17 respectively, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 3, similarly claim 19, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, 
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claims 1, 17 above),
While the combination of Mahadik-Wang-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky-Martini by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp associated with previously made DNS request for malicious request or response (Williams, [Abstract]).  

Regarding claim 4, similarly claim 20, Mahadik-Wang-Dubrovsky-Martini combination teaches the packet-filtering system of claim 1, the method of claim 17, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claim 1, 17 above),
While the combination of Mahadik-Wang-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data or a third time stamp associated with the second unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Wang-Dubrovsky-Martini by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 9-10, 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Moore (US20140283004A1-IDS by Applicant, hereinafter, “Moore”), further in view of Dubrovsky et al (US20140373156A1-IDS by applicant, hereinafter, “Dubrovsky”) and Martini (US20140317397A1IDS by applicant, hereinafter, “Martini”).
Regarding claim 9, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such ... The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive data regarding a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network threat intelligence providers provides at least a portion of the data (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0015] The internet resource database 120 (i.e. third-party network intelligence provider) of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource… A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query). Examiner notes DNS Proxy Server accesses Internet Resource Database in cloud suggest the Internet Resource Database is external to the packet filtering system of client device router and DNS Proxy Server as shown in Fig. 1; 
generate, based on the plurality of network-threat indicators, one or more packet- filtering rules, wherein the one or more packet-filtering rules comprise a first packet-filtering rule configured to identify packets comprising data corresponding to a first network-threat indicator of the plurality of network-threat indicators, and wherein the Application No. 17/482,921Docket No.: 007742.00252\USResponse to Office Action dated 03.31.2022first network-threat indicator comprises domain name criteria that is associated with a potential network threat (Mahadik, [0022] Step S220, which includes, determining (i.e. generating) a resource access level of a requested domain of the DNS resolution query, preferably determines the resource access level based on an internet resource database…Step S220 may additionally include determining the resource access level according to rules set by a network administration interface); 
analyze first unencrypted data contained in one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Domain Name System (DNS) query, and wherein the at least a portion of the DNS query comprises one or more of: an Internet Protocol (IP) address, or a domain name corresponding to the IP address (Mahadik, [0022] Step S220, which includes, determining a resource access level of a requested domain (i.e. domain name) of the DNS resolution query, preferably determines the resource access level based on an internet resource database (i.e. analyze)); 
determine, [based on correlating the first unencrypted data and the second unencrypted data], and based on determining that at least a portion of the one or more unencrypted packets match the domain name criteria of the first packet-filtering rule, that the at least a portion of the one or more unencrypted packets are associated with the potential network threat (Mahadik, [0015] The internet resource database 120 preferably stores domain names (i.e. e.g. network-threat indicator), URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource. Each resource stored in the internet resource database 120 preferably includes a parameter indicating an associated resource access level. And [0016] The DNS proxy server 110 accesses the internet resource database 120 for each query and determines a categorization of the query (e.g., permitted, partially-permitted, or restricted)); (see Dubrovsky below for limitation(s) in bracket)
receive, after [the logging], one or more encrypted packets (Mahadik, see [0029], since the encryption handshake is to establish the encrypted communication (packets), it is obvious that the received encrypted packets is after the unencrypted encryption handshake (packets); (See Dubrovsky below for logging)
correlate the one or more encrypted packets with the one or more unencrypted packets [based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises the logged IP address] (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain (i.e. unencrypted data) is preferably detected during the handshake through a server name attribute or through some alternative parameter. Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlate encrypted packets with domain information, which is unencrypted data in handshake); (see Moore, Dubrovsky below for limitations in bracket); 
determine, based on the correlating the one or more encrypted packets with the one or more unencrypted packets, and based on the first packet-filtering rule, that the one or more encrypted packets correspond to the potential network threat (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0029] A domain is preferably detected during the handshake through a server name attribute or through some alternative parameter. The web proxy server may subsequently determine if the domain is restricted, permitted, or partially restricted. Examiner notes that it is obvious to one ordinary skilled to understand that domain is restricted or partially restricted is in response to potential network threat),6Application No. 17/482,921Docket No.: 007742.00252\US
Response to Office Action dated 03.31.2022filter, based on the determination that the one or more encrypted packets correspond to the potential network threat, and based on the first packet-filtering rule, the one or more encrypted packets (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filter)); 
While Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data associated with HTTP, HTTPS traffic but does not explicitly teach associated with initiation of a TCP connection and unencrypted data contained in respective packet headers of one or more encrypted packets, however in the same field of endeavor Moore teaches:
analyze second unencrypted data contained in the one or more unencrypted packets, wherein the second unencrypted data is associated with initiation of a Transmission Control Protocol (TCP) connection, and wherein the second unencrypted data comprises the IP address (Moore, discloses filtering network data transfers based on packet header field values according packet filtering rule, see [Abstract]. And [0025] Referring to FIG. 3, dynamic security policy 218 may include rules 1 302, 2 304, 3 306, 4 308, 5 310, 6 312, and 7 314. Each of these rules may specify criteria and one or more operators that may be applied to packets associated with (e.g., matching) the specified criteria… for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet (e.g., TCP, User Datagram Protocol (UDP)…). And [0026] For example, rule 1 302 may specify that IP packets containing one or more TCP packets, originating from a source IP address that begins with 140.210); 
[correlate the one or more encrypted packets with the one or more unencrypted packets] (see Mahadik above) based on determining that third unencrypted data contained in respective packet headers of the one or more encrypted packets comprises [the logged] IP address (Moore, [0005] The filter may be capable of comparing certain packet header information (e.g., source and destination IP address(s)…) (i.e. packer header comprises the IP address). And [0039] The filtering process described herein may be viewed as having two (2) stages: A first stage in which the "5-tuple" of IP packet header field values and transport protocol (e.g., TCP, UDP, etc.) packet header field values may be filtered; and, a second stage in which application packet header field values may be filtered (e.g., by applying operator logic similar to that described above)... the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources (i.e. correlate, i.e. if first stage determines allowing communication then second stage also allows the encrypted communication)); (see Dubrovsky below for logged IP address)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik by filtering TCP traffic with IP address. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication with TCP/IP network protocol against attack (Moore, [Abstract], [0001-0002]).
While the combination of Mahadik-Moore teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data but does not explicitly teach the following limitation (s) taught by Dubrovsky in the same field of endeavor:
correlate, based on the IP address, the first unencrypted data and the second unencrypted data (Dubrovsky, discloses selectively forwarding or returning a message based on detection of message content using stored unencrypted data with notification of reassembly-free file scanning, see [Abstract]. And [0022] data structure to maintain any previous failed requests for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares. When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address) (i.e. the logged IP address corresponding to the domain name the domain name) is stored and maintained within the data structure (i.e. logging)); 
log an indication of the first packet-filtering rule and the IP address corresponding to the domain name (Dubrovsky, [0026] Meanwhile, the network access device 201 may extract the URL (i.e. domain name) of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306 (i.e. storing log data)); 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik-Moore by determining whether the request to access server based on IP address from failed request table as logged data should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries including IP address of as stored in internet resource database of Mahadik as log data as taught by Dubrovsky for filtering access request (Dubrovsky, [Abstract], [0027]).
The combination of Mahadik-Moore-Dubrovsky does not specifically teach the following limitation(s), however in the same field of endeavor Martini teaches:
and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least a portion of the filtered one or more encrypted packets (Martini, [Abstract] The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource. And [0011] A gateway can decouple domains from shared Internet Protocol (IP) addresses and selectively choose to intercept SSL, TLS, etc requests. If spoofed IP addresses are another server on the network, performance issues may be alleviated as only selective requests are sent to man in the middle (MitM) gateways for decryption (i.e. apply an action)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik-Moore-Dubrovsky by correlating encrypted connection with specified spoofed IP addresses with DNS to filter the encrypted communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules that includes domain name and IP address that indicate destination upon which the encrypted traffic should be directed to, i.e. further to decrypt or optionally drop the encrypted messages (Martini, [Abstract], [0011], [0026]).

Regarding claim 24, claim 24 is a method claim that encompasses limitations that are similar to those of the packet-filtering system of claim 9. Therefore, claim 24 is rejected with the same rationale and motivation as applied against claim 9.

Regarding claim 10, similarly claim 25, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24, 
Mahadik further teaches: wherein the DNS query comprises one or more of: a DNS query request, or a DNS query reply (Mahadik, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource).  

Regarding claim 14, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, 
Dubrovsky further teaches: wherein the instructions, when executed by the one or more processors, further cause the packet-filtering system to log the indication of the first packet-filtering rule and the IP address corresponding to the domain name by causing the packet-filtering system to log an indication of filtering of the one or more unencrypted packets (Dubrovsky, [0027] The extracted URL and IP address may be used to compare with the information stored in table 206 (i.e. log). If the table 206 contains the extracted URL and/or IP address, that means the requested document has been previously requested and the requested document may contain a virus and/or spyware... This information may be used to form a reason explaining why the connection was terminated (i.e. indication of filtering)). Same motivation as presented in claim 9 would apply.

Regarding claim 16, similarly claim 30, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24,
Martini further teaches: Wherein the action comprises dropping the at least a portion of the filtered one or more encrypted packets (Martini, [0023] The network 100 can be configured to route some or all of the plaintext messages addressed outside the network to the network gateway 102. The network gateway 102 can inspect the plaintext messages and, optionally, modify or drop some messages). Same motivation as presented in claim 9, 24 respectively would apply. 

Regarding claim 32, similarly claim 34, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24, 
Martini further teaches: wherein the action causes the proxy to decrypt the at least the portion of the filtered one or more encrypted packets (Martini, [0011] A gateway can decouple domains from shared Internet Protocol (IP) addresses and selectively choose to intercept SSL, TLS, etc requests. If spoofed IP addresses are another server on the network, performance issues may be alleviated as only selective requests are sent to man in the middle (MitM) gateways (i.e. proxy) for decryption (i.e. the action)). Same motivation as presented for claim 9, 24 respectively would apply.

Claims 11-12, 26-27 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Dubrovsky-Martini as applied above, further in view of Williams (US9875355B1-IDS by applicant, hereinafter, “Williams”).
Regarding claim 11, similarly claim 26, Mahadik-Moore-Dubrovsky-Martini combination further teaches:
The packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claims 9, 24 respectively above), 
While the combination of Mahadik-Moore-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Williams teaches:
further based on a time stamp entry associated with the first unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore-Dubrovsky-Martini by comparing DNS requests based on timestamp associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp associated with previously made DNS request for malicious request or response (Williams, [Abstract]).  

Regarding claim 12, similarly claim 27, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24, 
Mahadik further teaches: wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claims 9, 24 respectively above), 
While the combination of Mahadik-Moore-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Williams teaches:
further based on: a first time stamp associated with the one or more encrypted packets, and a second time stamp associated with the first unencrypted data or a third time stamp associated with the second unencrypted data (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Moore-Dubrovsky-Martini by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Martini for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 13, 28 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Dubrovsky-Martini as applied above to claim 9, 24 respectively, further in view of Rostami-Hesarsorkh (US 8892665 B1, hereinafter, “Rostami-Hesarsorkh”).
Regarding claim 13, similarly claim 28, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the one or more encrypted packets with the one or more unencrypted packets (See the teachings of Mahadik as presented for claims 9, 24 respectively above),
While the combination of Mahadik-Moore-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Rostami-Hesarsorkh teaches:
further based on a port number associated with one or both of: the first unencrypted data, or the second unencrypted data (Rostami-Hesarsorkh, discloses monitoring peer-to-peer network traffic [Abstract]. And [Col. 9 line 53-Col. 10 line 27] the data appliance 202 can use an IP address associated with the data appliance 202 and select a port number that is used for emulated peer-to-peer traffic communications… using these techniques, the respective port number(s) for each of client 204 and client 220 used for this monitored network traffic can now be identified as being associated with the peer-to-peer session … As a result, using these encrypted peer-to-peer detection techniques, unknown network traffic flows/sessions (e.g., unidentified/unknown sessions that are suspicious) from a client determined to be executing a peer-to-peer application can be determined to be associated with the peer-to-peer application and can be blocked).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Rostami-Hesarsorkh, in the method of selectively filtering internet traffic of Mahadik-Moore-Dubrovsky-Martini by identifying port number associated with client for monitoring network traffic. This would have been obvious because the person having ordinary skill in the art would have been motivated to associate unencrypted or encrypted peer-to-peer communication traffic associated with port number of clients to filter suspicious application (Rostami-Hesarsorkh, [Abstract]).    

Claims 15, 29 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Moore-Dubrovsky-Martini as applied above to claim 9, 24 respectively, further in view of Li et al (US20080077705A1, hereinafter, “Li”).
Regarding claim 15, similarly claim 29, Mahadik-Moore-Dubrovsky-Martini combination teaches the packet-filtering system of claim 9, the method of claim 24,
While the combination of Mahadik-Moore-Dubrovsky-Martini does not explicitly teach but in the same field of endeavor Li teaches:
wherein the second unencrypted data comprises one of: a SYN handshake message, or an ACK handshake message (Li, discloses packet classification according to packet classification rules in packet filtering, see [Abstract], [0004-0006]. And [0010] Like firewalls, proxies can filter traffic based on many packet attributes, such as source IP address and/or port, and destination IP address and/or port. In addition, proxies can filter traffic based on destination service such as hypertext transfer protocol (HTTP)… And [0074] If the inbound packet produces a SYN-cookie match, this implies that the packet is a TCP ACK packet sent by a client as the final step in a three-way handshake establishing a new connection).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Li in the method of selectively filtering internet traffic of Mahadik-Moore-Dubrovsky-Martini by recognizing packet being TCP ACK packet in a three-way handshake to establish new connection. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify application and protocols by using proxy to perform filtering operation (Li, [Abstract], [0011]).  

Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but not been replied upon for this office action:
Tremblay et al (US20100250918A1) discloses method for identifying application type from encrypted traffic transported over an IP network.
Wu et al (US9253068B1) discloses method of controlling network traffic by classifying encrypted packet payloads based on monitored DNS query requests and responses.
Long et al (US20070180510A1) discloses method to grant or deny a secure communication with a host base on result of categorizing according to URL information extracted from digital certificate associated with the host.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436