DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/11/2022, 4/4/2022, 4/14/2022, 5/4/2022, 5/13/2022, 6/29/2022, 7/12/2022, 8/12/2022, 8/31/2022, 9/9/2022, 10/26/2022, 11/30/2022 have been considered. The submissions are in compliance with the provisions of 37 CFR 1.97. Accordingly, an initialed and dated copy of Applicant’s IDS form 1449 filed as stated above is attached to the instant Office Action.
Applicant is advised that the cited reference submitted 6/29/2022, US patent application US20120290229A1 to Cavallini, et al., has been struck out by the examiner. It has been placed in the application file, but the information referred to therein has not been considered as to the merits since the reference appears to be irrelevant to the claimed invention. Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining.
Status of Claims
The amendment filed 8/16/2022 has been entered. Claims 1-14, 16-23, 25-28 are currently amended. Claims 1-28 are pending in the application.
The rejection of claims 9, 17, 27 under 35 USC 112(a) has been withdrawn in light of applicant’s amendment to the claims.
The provisional nonstatutory double patenting rejection of claims 1, 10, 19 has been withdrawn in light of applicant’s filed and approved Terminal Disclaimer on 8/16/2022.
Response to Arguments
Applicant’s arguments, see pages 13-19 of the Remarks filed 8/16/2022, regarding the rejections of claims 1-28 under 35 USC 103 as being unpatentable over the prior art of record have been fully considered but are not persuasive, and are moot in view of the current Office action with newly applied prior art Moore.
Regarding claim 1 (similarly claims 10, 19), applicant argued:
“None of the cited references teach, disclose, or otherwise suggest, as recited by claim 1 (as amended), at least ‘receive, after the receiving the plurality of first packets and as part of an encrypted communication session, a plurality of second packets comprising: encrypted data, and respective packet headers comprising second unencrypted data; determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, comprises the logged IP address corresponding to the domain name; and filter, based on determining that the plurality of second packets are associated with the potential network threat, the plurality of second packets comprising the encrypted data based on an action associated with the network-threat indicator.’” (see pages 15-16 of the Remark) 

Applicant further argued, regarding reference Mahadik that, “None of the disclosures of Mahadik are even remotely analogous to claim steps cited above” (see page 16 of the Remark); and “Dubrovsky does not remedy the many deficiencies of Mahadik. Dubrovsky's system has nothing to do with receiving packets comprising encrypted data as part of ‘an encrypted communication session that corresponds to the plurality of first packets’ in the first place, nor does the Action contend otherwise”, “Dubrovsky is also deficient because it does not teach, disclose, or otherwise suggest ‘generate, based on determining that a domain name in the unencrypted data matches the domain name criteria of the network-threat indicator, log data comprising: an indication of an action corresponding to the network-threat indicator; and an Internet Protocol (IP) address corresponding to the domain name.’”; (see pages 17-18 of the Remark)
Examiner acknowledges applicant’s perspective but respectfully disagrees.
First, all references of record are related to network data/packet traffic filtering. Primary reference Mahadik discloses selectively filtering internet traffic; Dubrovsky discloses controlling access to a document. Mahadik teaches filtering encrypted traffic packets based on correlating them with a handshake message, which is unencrypted data such as domain information, prior to the encrypted communication (encrypted packets), while Dubrovsky teaches filtering access to a document based on a logged record of previous failed access in a data structure, i.e. based on correlating with logged data. Although Dubrovsky does not teach packets comprising encrypted data as part of an encrypted communication session, these encrypted packets are taught by Mahadik as suggested above. Instead, what Dubrovsky teaches is filtering of unencrypted data by correlating it with previously logged unencrypted data stored in the data structure. The newly applied prior art Moore further teaches that the second unencrypted data is the unencrypted packet header information including an IP address, wherein the IP address is associated with a domain name (which is a well-known feature, also taught by Dubrovsky).
As a result, the combination of these references teaches at least, “receive, after the receiving the plurality of first packets and as part of an encrypted communication session, a plurality of second packets comprising: encrypted data, and respective packet headers comprising second unencrypted data; determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, comprises the logged IP address corresponding to the domain name; and filter, based on determining that the plurality of second packets are associated with the potential network threat, the plurality of second packets comprising the encrypted data based on an action associated with the network-threat indicator”. See the updated Office action below for details.
Applicant’s arguments regarding references Wang, Buruganahalli are moot since these references are not applied in the current office action.
Applicant’s further arguments regarding the dependent claims are therefore also not persuasive due to their dependency on the respective rejected independent claims.
Claim Objections
Claims 1, 10, 19 are objected to because of the following informalities:  
The amended claim 1 (similarly claims 10, 19) recites “log data comprising: an indication of an action corresponding to the network-threat indicator” in lines 12-13, and “filter, …the plurality of second packets … based on an action associated with the network-threat indicator” in the last 4 lines. Applicant is advised that it is unclear whether these two actions underlined above are the same action or different actions. Based on the claim amendment, the first action appears to be filtering of the first packets (i.e. filtering of unencrypted data). Since the second packets may comprise unencrypted data, the filtering of the second packets may also be based on filtering the unencrypted data, which suggests the second action may also be filtering of the first packets. Applicant is advised to clarify the claim language by using “the action” or “second action”, or a more appropriate form.
Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159.  See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-3, 7, 9, 10-12, 16, 18-21, 25, 27 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of Patent No. 11,477,224 B2 (hereinafter, “’224”), in view of Mahadik et al (US20140089661A1). See below the Claims Comparison Table.
Claim 1 of ‘224 discloses all of the limitations recited in claim 1 (similarly claims 10, 19) of the instant application, as seen in the table below, except those limitations as emphasized in bold, however Mahadik in the same area of endeavor teaches: 
receive a network-threat indicator that indicates domain name criteria corresponding to a potential network threat (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses (i.e. network-threat indicator), …, and/or any suitable identifiers of a network accessed resource … (i.e. domain name criteria, identifier of a network resources being associated with domain name, URI/URL resource addresses)); Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Mahadik in the packet filtering system of ‘224 by using domain name as network-threat indicators. This would have been obvious because the person having ordinary skill in the art would have been motivated to provide the resource database with stored information such as domain names as well as respective resource access levels for internet traffic filtering (Mahadik, [Abstract]).
Claim 2 of ‘224 discloses all of the limitations recited in claim 2 (similarly claims 11, 20) of the instant application, as seen in the table below;
Claim 4 of ‘224 discloses all of the limitations recited in claim 3 (similarly claims 12, 21) of the instant application, as seen in the table below;
Claim 1 of ‘224 discloses all of the limitations recited in claim 7 (similarly claims 16, 25) of the instant application, as seen in the table below;
Claim 1 of ‘224 discloses all of the limitations recited in claim 9 (similarly claims 18, 27) of the instant application, as seen in the table below;
Claims Comparison Table

Left column: Instant Application 17/383,784
Claim 1 of a packet-filtering system (similarly claim 10 of a method, claim 19 of one or more non-transitory computer-readable media) comprising:
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to:
receive a network-threat indicator that indicates domain name criteria corresponding to a potential network threat;
receive, a plurality of first packets comprising unencrypted data;
generate, based on determining that a domain name in the unencrypted data matches the domain name criteria of the network-threat indicator, log data comprising:
an indication of an action corresponding to the network-threat indicator; and an Internet Protocol (IP) address corresponding to the domain name;
receive, after the receiving the plurality of first packets and as part of an encrypted communication session, a plurality of second packets comprising: encrypted data, and respective packet headers comprising second unencrypted data;
determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, comprises the logged IP address corresponding to the domain name;
and filter, based on determining that the plurality of second packets are associated with the potential network threat, the plurality of second packets comprising the encrypted data based on an action associated with the network-threat indicator.

Right column: US Patent No. 11,477,224 B2
Claim 1. A packet-filtering system comprising:
one or more processors; and memory storing instructions that, when executed by the one or more processors, cause the packet-filtering system to:
receive a plurality of network-threat indicators from a plurality of third-party network threat intelligence providers located external to a network comprising the packet-filtering system, wherein each of the plurality of third-party network intelligence providers provides at least a portion of the plurality of network-threat indicators;
receive one or more unencrypted packets;
analyze first unencrypted data contained in the one or more unencrypted packets, wherein the first unencrypted data comprises at least a portion of a Transport Layer Security (TLS) handshake, and wherein the at least a portion of the TLS handshake comprises a host domain name; determine that the one or more unencrypted packets correspond to a first rule by comparing the host domain name of the first unencrypted data to a first network-threat indicator of the plurality of network-threat indicators, wherein the first network-threat indicator comprises a domain name associated with a potential network threat;
based on determining that the one or more unencrypted packets correspond to the first rule, generate a log entry comprising:
an indication of the domain name associated with the potential network threat, and a network address corresponding to the host domain name;
receive one or more encrypted packets as part of an encrypted communication session that corresponds to the TLS handshake subsequent to receiving the one or more unencrypted packets;
correlate, based on determining that an IP address in one or more packet headers of the one or more encrypted packets matches the network address of the log entry, the one or more encrypted packets with the one or more unencrypted packets;
determine, based on correlating the one or more encrypted packets with the one or more unencrypted packets and based on the log entry, that the one or more encrypted packets correspond to the domain name associated with the potential network threat;
in response to determining that the one or more encrypted packets correspond to the domain name associated with the potential network threat, filter the one or more encrypted packets based on the first rule;
and send at least a portion of the filtered one or more encrypted packets to a proxy configured to apply an action to the at least the portion of the filtered one or more encrypted packets.

Remaining rows (Instant Application 17/383,784 : US Patent No. 11,477,224 B2)
Claims 2, 11, 20. : Claim 2.
Claims 3, 12, 21. : Claim 4.
Claims 7, 16, 25. : Claim 1.
Claims 9, 18, 27. : Claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-2, 9-11, 18-20, 27-28 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik et al (US2014008966A1-IDS by applicant, hereinafter, “Mahadik”), in view of Dubrovsky et al (US20140373156A1-IDS by Applicant, hereinafter, “Dubrovsky”), in further view of Moore (US20140283004A1-IDS by applicant, hereinafter, “Moore”).
Regarding claim 1, Mahadik teaches:
A packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]) comprising: 
one or more processors; and memory storing instructions that, when executed by the one or more processors (Mahadik, [0042] The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-executable component is preferably a processor…), cause the packet-filtering system to: 
receive a network-threat indicator that indicates domain name criteria corresponding to a potential network threat (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0015] The internet resource database 120 of a preferred embodiment functions to act as a repository of resources and their respective resource access levels. The internet resource database 120 preferably stores domain names, URI/URL resource addresses (i.e. network-threat indicator), …, and/or any suitable identifiers of a network accessed resource … (i.e. domain name criteria, identifier of a network resources being associated with domain name, URI/URL resource addresses)); 
receive, a plurality of first packets comprising unencrypted data (Mahadik, referring to fig. 2, [0021] Step S210, which includes receiving a domain-name resolution query at a DNS proxy server, functions to obtain an initial request to access a network resource); 
receive, after the receiving the plurality of first packets and as part of an encrypted communication session, a plurality of second packets comprising: encrypted data (Mahadik, [0029] The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. Examiner notes encrypted communication is after the handshake, i.e. filtering with unencrypted data), [and respective packet headers comprising second unencrypted data]; (see Moore below for the teaching of limitation(s) in bracket)
determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets based on determining that the second unencrypted data, of the [packet headers] of the plurality of second packets, comprises the [logged IP address corresponding to the domain name] (Mahadik, [0029] For SSL/HTTPS based website access, the network traffic is encrypted and thus cannot be monitored with the same tools used in unencrypted scenario. The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake. A domain (i.e. unencrypted data) is preferably detected during the handshake through a server name attribute or through some alternative parameter. Examiner notes encrypted communication is determined to be restricted, permitted or partially restricted based on domain and handshake, i.e. correlation of encrypted packets with domain information, which is unencrypted data in handshake); (see Dubrovsky, Moore below for limitations in bracket)
and filter, based on determining that the plurality of second packets are associated with the potential network threat, the plurality of second packets comprising the encrypted data based on an action associated with the network-threat indicator (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely. If the domain is permitted, the web proxy preferably hands client requests to the server and the server responses back to the client without making any modification to the tunneled SSL traffic. If the domain is partially permitted, the web proxy server passes the encrypted requests between the client and the server … (i.e. filter)).
Mahadik teaches the main concept of the invention of filtering encrypted packet data based on unencrypted packet data but does not explicitly teach the following limitation(s), which are taught by Dubrovsky in the same field of endeavor:
generate, based on determining that a domain name in the unencrypted data matches the domain name criteria of the network-threat indicator, log data comprising: 
an indication of an action corresponding to the network-threat indicator; and an Internet Protocol (IP) address corresponding to the domain name (Dubrovsky, discloses selectively forwarding or returning a message based on detection of message content using stored unencrypted data with notification of reassembly-free file scanning, see [Abstract]. And [0026] Meanwhile, the network access device 201 may extract the URL (i.e. domain name) of the Web page and/or the address (e.g., IP address) of the remote server from the request received from client 202 and store this information in a data structure 206 (also referred to as a failed request table herein) (i.e. log data). And referring to Fig. 3 steps 305 and 306 (i.e. storing log data)); 
[determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets] (see Mahadik shown above) based on determining that the second unencrypted data, of the [packet headers] of the plurality of second packets, comprises the logged IP address corresponding to the domain name (Dubrovsky, [0022] data structure to maintain any previous failed requests for access certain documents of remote nodes that have been detected to have offensive data such as viruses or spywares. When the viruses and/or spywares are detected, the connection is terminated and the information regarding the requested document and/or remote node (e.g., URL and/or IP address) (i.e. the logged IP address associated with the domain name) is stored and maintained within the data structure); (see Moore below for teaching of packet header)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Dubrovsky in the method of selectively filtering internet traffic of Mahadik by determining, based on an IP address from the failed request table as logged data, whether the request to access the server should be terminated. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the DNS queries, including the IP address as stored in the internet resource database of Mahadik, as log data as taught by Dubrovsky for filtering access requests (Dubrovsky, [Abstract], [0027]).
The combination of Mahadik-Dubrovsky teaches the main concept of the invention of correlating encrypted packets with unencrypted packets based on log data but does not explicitly teach doing so based on a second IP address in at least one header of the packets comprising the encrypted data; however, in the same field of endeavor, Moore teaches:
[determine whether the plurality of second packets are associated with the potential network threat by correlating the plurality of second packets and the plurality of first packets] based on determining that the second unencrypted data, of the packet headers of the plurality of second packets, comprises the [logged] IP address (Moore, discloses apparatus and method for filtering network data transfers, [Title], [Abstract]. And [0025] The specified criteria may take the form of a five-tuple, which may, for example, comprise one or more values selected from, packet header information, specifying a protocol type of the data section of an IP packet …, one or more source IP addresses, one or more source port values, one or more destination IP addresses, and one or more destination ports. And [0039] Conceptually, the first stage may determine if the network policy allows any communications between the resources identified in the 5-tuple rule; if so, the second stage may determine if the policy allows the specific method or type of communication (e.g., … encrypted communication, etc.) between the resources). (See the teachings of Mahadik and Dubrovsky shown above for limitations in bracket)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Moore in the method of selectively filtering internet traffic of Mahadik-Dubrovsky by filtering network data traffic using information of IP address of packet header. This would have been obvious because the person having ordinary skill in the art would have been motivated to filter network traffic based on application header field values corresponding to packet filtering rule for communication against attack (Moore, [Abstract], [0001-0002]).

Regarding claim 10, claim 10 is a method claim that encompasses limitations that are similar to those limitations of the packet-filtering system claim 1. Therefore, claim 10 is rejected with the same rationale and motivation as applied against claim 1.

Regarding claim 19, claim 19 is a computer-readable media claim that encompasses limitations that are similar to those limitations of the packet-filtering system claim 1. Therefore, claim 19 is rejected with the same rationale and motivation as applied against claim 1. In addition, Mahadik teaches one or more non-transitory computer-readable media storing instructions that, when executed by one or more processors of a packet-filtering system (Mahadik, discloses system and method for securing network traffic by selectively filtering internet traffic, see [Title] and [Abstract]. And [0042] instructions are preferably executed by computer-executable components preferably integrated with a network security system. The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a processor).

Regarding claim 2, similarly claim 11, claim 20, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19,
Mahadik further teaches: wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to identify the IP address associated with the domain name using a Domain Name System (DNS) query (Mahadik, [0020] As shown in FIG. 2, a method for securing network traffic of a preferred embodiment includes receiving a domain-name resolution query at a DNS proxy server S210, determining a resource access level of a requested domain of the DNS resolution query based on an internet resource database. And [0024] As shown in FIG. 4, Step S232, which includes returning an IP address that is unmodified from requested domain for a permitted resource).  

Regarding claim 9, similarly claim 18, claim 27, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, 
Mahadik further teaches: wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to receive the network-threat indicator by causing the packet-filtering system to: receive, from a plurality of different third-party network threat-intelligence providers located external to a network comprising the packet-filtering system, a plurality of network-threat indicators, wherein each of the plurality of different third-party network threat-intelligence providers provides at least a portion of the plurality of network-threat indicators (Mahadik, [0013] The network security may additionally provide network security against malicious sites and network activity that may pose a threat to the security of a network or device. And [0015] The internet resource database 120 (i.e. third-party network intelligence provider) preferably stores domain names, URI/URL resource addresses, file names, hashes of files, and/or any suitable identifiers of a network accessed resource (i.e. plurality of network-threat indicators) … A resource stored in the internet resource database 120 may additionally or alternatively include an associated IP address. The IP address is preferably the IP address to be returned for the DNS query). Examiner notes that the DNS Proxy Server accessing the Internet Resource Database in the cloud suggests that the Internet Resource Database is external to the packet filtering system of the client device router and DNS Proxy Server as shown in Fig. 1.

Regarding claim 28, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, 
Mahadik further teaches: wherein the plurality of first packets are associated with initiation of the encrypted communication session (Mahadik, [0029] The method may additionally include detecting encryption handshake when web proxying. This preferably occurs when a site is being accessed over HTTPS using a SSL certificate of a server during a handshake).  

Claims 3, 12, 21 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky-Moore as applied above, further in view of Williams (US9875355B1, hereinafter, “Williams”).
Regarding claim 3, similarly claim 12, claim 21, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19,
While the combination of Mahadik-Dubrovsky-Moore does not explicitly teach but in the same field of endeavor Williams teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the plurality of second packets and the plurality of first packets based on comparing one or more first timestamps corresponding to the plurality of first packets with one or more second timestamps corresponding to the plurality of second packets (Williams, discloses detecting malicious software based on DNS requests and/or response. And [Col. 5 lines 14-19] In process block 510, a determination can be made whether the DNS requests are associated with a same domain name. For example, a simple comparison between the domain names can be made and, if a match is found, then the process continues. In process block 520, previously stored time-stamp data (e.g., day, hour, minute) can be retrieved indicating a last time that the same DNS requests were made. Thus, different time stamps can be retrieved associated with previous requests that correspond with DNS requests 502, 504... In decision block 540, a check is made to determine if the frequencies are equal (i.e. correlating). If so, then the DNS requests 502, 504 are frequency correlated (process block 550)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Williams in the method of selectively filtering internet traffic of Mahadik-Dubrovsky-Moore by comparing DNS requests based on timestamps associated with previously made DNS requests. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and compare DNS requests based on timestamp to correlate the different DNS requests taught by Mahadik and Dubrovsky for the benefit of identifying malicious software request or response for the goal of filtering the network traffic (Williams, [Abstract]).  

Claims 4, 13, 22 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky-Moore as applied above, further in view of Christodorescu et al (US20140310396A1, hereinafter, “Christodorescu”).
Regarding claim 4, similarly claim 13, claim 22, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, 
While the combination of Mahadik-Dubrovsky-Moore does not explicitly teach but in the same field of endeavor Christodorescu teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the plurality of second packets and the plurality of first packets based on state information in the unencrypted data (Christodorescu, discloses identification and classification of web traffic inside encrypted network tunnels, and [Abstract] The detected packet, timing, and size traffic patterns (i.e. state information) are correlated to at least a packet destination and a packet source of the unencrypted data packets to create at least one of a training corpus and a model built from the training corpus. The at least one of the corpus and model is stored in a memory device. Packet traffic, timing, and size patterns of encrypted data packets are observed. The observed packet traffic, timing, and size patterns of the encrypted data packets are compared to at least one of the training corpus and the model to classify the encrypted data packets with respect to at least one of a predicted network host and predicted path information).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Christodorescu in the method of selectively filtering internet traffic of Mahadik-Dubrovsky-Moore by correlating encrypted data packet with unencrypted data packet based on packet traffic, timing and size patterns. This would have been obvious because the person having ordinary skill in the art would have been motivated to identify and classify web traffic inside encrypted network tunnels (Christodorescu, [Abstract]).

Claims 5, 14, 23 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky-Moore as applied above, further in view of Hampel et al (US9258218B2, hereinafter, “Hampel”).
Regarding claim 5, similarly claim 14, claim 23, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to correlate the plurality of second packets and the plurality of first packets (see Mahadik for correlating encrypted traffic and unencrypted traffic as shown for claims 1, 10, 19 respectively above),
While the combination of Mahadik-Dubrovsky-Moore does not explicitly teach the following limitation(s), in the similar field of endeavor Hampel teaches:
based on comparing first application-layer information corresponding to the plurality of first packets with second application-layer information corresponding to the plurality of second packets (Hampel, [Abstract] discloses a method to control overlay networks with control functions and forwarding functions separated. And [Claim 12] a data flow definition for a data flow and a set of actions to be performed for the data flow at the forwarding element, wherein the data flow definition is based on one or more protocol header (i.e. unencrypted data) fields of one or more protocols, wherein the one or more protocols comprise one or more network layer protocols or one or more transport layer protocols (i.e. second application-layer information), wherein the set of actions comprises at least one tunneling action and at least one security action, wherein the at least one tunneling action comprises at least one of a set of multiple encapsulation actions (i.e. encrypted data) …, wherein the at least one security action is associated with a security protocol (i.e. first application-layer information) and comprises at least one of an encryption action or a decryption action; wherein the set of multiple encapsulation actions comprises a tunneling encapsulation action, a transport layer encapsulation action, and a network layer encapsulation action; … and processing a packet of the data flow based on the control information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Hampel in the network traffic interception and inspection method of Mahadik-Dubrovsky-Moore by separating the control functions in network layer protocol and the forwarding functions in security protocol. This would have been obvious because the person having ordinary skill in the art would have been motivated to use the software-defined network overlay method to vertically move packets across network layers to support tunneling via communication networks (Hampel, [Abstract], [0002], [Claim 12]).

Claims 6, 15, 24 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky-Moore as applied above, further in view of Paixao (US20160180022A1, hereinafter, “Paixao”).
Regarding claim 6, similarly claim 15, claim 24, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to filter the plurality of second packets (see Mahadik for filtering encrypted traffic as shown for claims 1, 10, 19 respectively above),
While the combination of Mahadik-Dubrovsky-Moore does not explicitly teach the following limitation(s), in the similar field of endeavor Paixao teaches:
by causing the packet-filtering system to: generate a new rule by correlating at least two log entries in the log data (Paixao, discloses detection of abnormal behaviour fraud with analyzing and correlating EMR audit log information and/or network security events, see [Abstract], [0003]. And [0072] EMR fraud & risk detection and mitigation system 800 can also include a new rule generation/ implementation module 816 that can provide flexibility to EMR fraud & risk detection and mitigation system 800 so as to allow creation of new parameters and/or rules and/or means to define fraudulent actions or potential fraud activities… new rule generation/implementation module 816 can use one or more automatic techniques to dynamically define new rules configured for fraud detection based on log data correlation and analysis performed by correlation and combination module 810...correlation and combination module 810 can collect log data from different sources such as application level logs of different sub-systems/databases of EMR, and network level logs, and correlate them to determine one or more suspicious activity), 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Paixao in the network traffic interception and inspection method of Mahadik-Dubrovsky-Moore by dynamically defining new rules configured for fraud detection based on log data. This would have been obvious because the person having ordinary skill in the art would have been motivated to use a new rule generation/implementation module to define new rules in a network controlling access activity to the database of an EMR system based on correlating audit log data in real time (Paixao, [Abstract], [0003], [0072]).
Mahadik further teaches: wherein the [new] rule causes the plurality of second packets to be dropped (Mahadik, [0029] If the domain is restricted, the access may be blocked entirely, wherein the new rule is taught by Paixao shown above).  

Claims 7-8, 16-17, 25-26 are rejected under 35 U.S.C. 103 as being unpatentable over Mahadik-Dubrovsky-Moore as applied above, further in view of Martini (US20140317397A1-IDS by Applicant, hereinafter, “Martini”).
Regarding claim 7, similarly claim 16, claim 25, Mahadik-Dubrovsky-Moore combination teaches the packet-filtering system of claim 1, the method of claim 10, the computer-readable media of claim 19, 
The combination of Mahadik-Dubrovsky-Moore does not specifically teach the following limitation(s), however in the same field of endeavor Martini teaches:
wherein the instructions, when executed by the one or more processors, cause the packet-filtering system to send at least a portion of the filtered plurality of second packets to a proxy configured to apply an action to the at least a portion of the filtered plurality of second packets (Martini, [Abstract] The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource. And [0011] A gateway can decouple domains from shared Internet Protocol (IP) addresses and selectively choose to intercept SSL, TLS, etc requests. If spoofed IP addresses are another server on the network, performance issues may be alleviated as only selective requests are sent to man in the middle (MitM) gateways for decryption (i.e. apply an action)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have employed the teachings of Martini in the method of selectively filtering internet traffic of Mahadik-Dubrovsky-Moore by correlating encrypted connection with specified spoofed IP addresses with DNS to filter the encrypted communication. This would have been obvious because the person having ordinary skill in the art would have been motivated to use rules that include a domain name and IP address that indicate the destination to which the encrypted traffic should be directed, i.e. further to decrypt or optionally drop the encrypted messages (Martini, [Abstract], [0011], [0026]).

Regarding claim 8, similarly claim 17, claim 26, Mahadik-Dubrovsky-Moore-Martini combination teaches the packet-filtering system of claim 7, the method of claim 16, the computer-readable media of claim 25,
Martini further teaches: wherein the proxy is configured to prevent further transmission of the filtered plurality of second packets (Martini, [0026] The MitM gateway 104 is thus able to receive an encrypted message from the browser device 106, decrypt the message, inspect the message, optionally alter or drop the message (i.e. prevent further transmission), …). The same motivation as presented in claims 7, 16, 25 respectively would apply.

Citation of References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. The following references are cited but have not been relied upon for this office action:
Long et al (US20070180510A1) discloses a method to grant or deny a secure communication with a host based on the result of categorizing according to URL information extracted from a digital certificate associated with the host.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL M LEE whose telephone number is (571)272-1975.  The examiner can normally be reached on M-F: 8:30AM - 5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay, can be reached on (571) 272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MICHAEL M LEE/Examiner, Art Unit 2436