Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to the application 18/329,337 in response to the Remarks filed on 08/28/2025.
Claims 1-6, 8-10, 16, 18-20 have been examined and are pending in this application.
This application is being reopened and this Action is count as a Non-FINAL.
Response to Arguments
Applicants’ arguments in the instant Amendment, filed on 08/28/2025, with respect to limitations listed below, have been fully considered but they are not persuasive.
Applicant arguments on page 3-4 of the remarks have been considered. The Examiner agrees with the Applicant. In light of this clarification, prosecution is reopened and the application is being returned to non-final status. A new rejection under 35 USC § 103 is present bellowed based on new considered prior art.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 4, 9, 16, 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1) and in further view of Velugu (US 2022/0368672 A1).
Regarding Claim 1
Ludin discloses:
A method, comprising: receiving, by a security device, a packet including a ticket identifier and the packet comprising a header and a payload (Ludin ¶39–45: teaches that the proxy server (security device) receives TCP and TLS packets from a client, including a ClientHello message that initiates a TLS handshake. Ludin further explains that the proxy server checks the ClientHello for a TLS session ticket or PSK identity field containing a proxy token (ticket identifier). It would be understood by one of ordinary skill in the art that TLS handshake messages, such as ClientHello, are transmitted as TLS records each comprising a header and payload according to the TLS protocol specification.);
determining, by the security device, a disposition of the packet (Ludin ¶45–47: Ludin teaches that the proxy server (security device) analyzes the received packet to determine whether the proxy token (ticket identifier) is present and valid, and based on that determination, decides the disposition by either forwarding the packet to the origin if valid or rejecting/blocking the connection if invalid.);
Ludin teaches determining, by the security device, a disposition of a packet such as allowing or blocking traffic based on trust status and proxy handling logic. However, they do not disclose the following limitation “logging, by the security device, the disposition of the packet, with: the ticket identifier, and an identifier of the security device”
However, in an analogous art, Fenton discloses a logging system/method that includes:
logging, by the security device, the disposition of the packet, with: the ticket identifier, and an identifier of the security device (Fenton ¶53: discloses a packet filtering network appliance (e.g., TIG 120) that applies filtering rules having dispositions (e.g., allow, block, or drop) and includes logging directives that cause the device to generate logs for packets matching the rules. Fenton ¶38-39 and ¶55 further teaches that such logs include: the disposition of the packet (e.g., allow or block), packet-associated identifiers (e.g., header-derived values such as 5-tuple or flow identifier), and an identifier of the security device (e.g., TIG identifier). Thus, Fenton teaches logging, by the security device, the disposition of the packet together with identifiers corresponding to both the packet (ticket identifier) and the security device.).
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Ludin to incorporate the logging functionality taught by Fenton in order to enable monitoring, auditing, and traceability of packet handling decisions. Logging packet disposition together with identifiers is a known and routine practice in network security systems for troubleshooting and security analysis. The modification represents a predictable use of prior art elements according to their established functions and would have improved the functionality and observability of Ludin’s proxy packet processing system.
Ludin and Fenton combined teaches determining a disposition of a packet by the security device and logging the disposition of the packet with a ticket identifier and an identifier of the security device. However, they do not disclose the following limitation “forwarding the packet after removing only a portion of the payload”
However, in an analogous art, Velugu discloses a pattern matching system/method that includes:
and forwarding the packet after removing only a portion of the payload (Velugu ¶114: teaches that the firewall (security device), upon detecting a pattern match in the response, may modify the response by removing the portion of the content generated by a specific service while forwarding the remaining portion of the contents to the client. This directly corresponds to forwarding a packet after removing only a portion of its payload.).
Given the teachings of Velugu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin and Fenton to include selective payload removal. Velugu discloses that a firewall may remove only a portion of response content matching a specified pattern and forward the modified response to the client (¶114). It would have been obvious to apply this known selective filtering technique to Ludin’s proxy system and Fenton’s logging system so that instead of forwarding or blocking an entire packet the security device could remove only a portion of the payload and forward the remainder, thereby enhancing control and efficiency in packet handling.
Regarding Claim 4
Ludin discloses:
The method of claim 1, wherein the ticket identifier comprises a source IP address (Ludin ¶66: Ludin teaches that the proxy token (ticket identifier) includes the client’s IP address and a random salt, encrypted with a secret key known only to the proxy operator.).
Regarding Claim 9
Ludin discloses:
The method of claim 1, wherein the determining, by the security device, of the disposition of the packet, comprises determining whether the security device has received another packet including the same ticket identifier (Ludin ¶47: Ludin teaches that the proxy server (security device) monitors for multiple uses of the same proxy token (ticket identifier) by tracking the number of simultaneous connections using that token, and rejects or blocks the connection if the token is being reused too many times. This corresponds to determining whether another packet including the same ticket identifier has been received in order to decide the packet’s disposition.).
Regarding Claim 16
Claim 16 is directed to a method corresponding to the computer-implemented method in claim 1. Claim 16 is similar in scope to claim 1 and is therefore rejected under similar rationale.
Regarding Claim 19
Claim 19 is directed to a method corresponding to the computing platform recited in claim 9. Claim 19 is similar in scope to claim 9 and is therefore rejected under similar rationale.
Claims 2 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Wright (US 2021/0306315 A1).
Regarding Claim 2
Ludin, Fenton and Velugu teaches a non-terminating TLS proxy that receives packets, validates a proxy token (ticket ID), determines whether to forward or block the packet, and logs the disposition with the ticket ID and proxy device identifier. However, they do not disclose the following limitation “wherein the ticket identifier comprises a password”.
However, in an analogous art, Wright discloses a packet identifier system/method that includes:
The method of claim 1, wherein the ticket identifier comprises a password (Wright ¶16: The smartphone receives a packet containing a password as part of its payload (ticket identifier).).
Given the teaching of Wright, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teaching of Ludin, Fenton and Velugu by incorporating a method of using a password as part of a ticket identifier for enforcing secure access or policies. Wright discloses a system where firmware analyzes a packet, detects that it contains a password, and enforces compliance with a password policy. This demonstrates that passwords can be included within a packet for validation and control purposes. It would have been obvious to incorporate a password as part of a ticket identifier to facilitate secure identification, access management, or policy enforcement. Wright’s teaching of detecting passwords within packets and validating them against password policies aligns directly with the claimed limitation, fulfilling the requirement that the ticket identifier comprises a password (Wright ¶16).
Claims 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Swain (US 2023/0344815 A1).
Regarding Claim 3
Ludin and Velugu teaches a sniffer that identifies packet origin using MAC/SSID, determines whether to anonymize or retain data, removes payloads if needed, logs the decision, and forwards the processed packet. However, they do not disclose the following limitation “wherein the ticket identifier comprises a user-supplied number”.
However, in an analogous art, Swain discloses a ticket identifier system/method that includes:
The method of claim 1, wherein the ticket identifier comprises a user-supplied number (Swain ¶98: The ticket generator 316 generates a ticket associated with a unique identifier, including values, characters, or symbols provided in the access request or data packet from the client device 304.).
Given the teaching of Swain, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin, Fenton and Velugu by incorporating a user supplied number as part of a ticket identifier for session establishment and authentication. Swain discloses that a ticket generator issues a ticket in response to a request to establish a session or access resources, and the ticket includes information such as unique values, characters, or symbols associated with the session or client device. This information is provided by the client device or server during the access request and forms part of the ticket. It would have been obvious to include a user-supplied number as part of a ticket identifier, as Swain’s disclosure of tickets containing unique identifiers derived from data provided in the access request. This approach ensures secure identification and session management by associating the ticket with specific user supplied information (Swain ¶ 98).
Claims 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Holness (US 10,652,024 B2).
Regarding Claim 5
Ludin, Fenton and Velugu teaches a sniffer that identifies packet origin using MAC/SSID, determines whether to anonymize or retain data, removes payloads if needed, logs the decision, and forwards the processed packet. However, they do not disclose the following limitation “wherein the ticket identifier comprises a digital signature”.
However, in an analogous art, Holness discloses a ticket identifier system/method that includes:
The method of claim 1, wherein the ticket identifier comprises a digital signature (Holness Column 1, Lines 45-50: the digital signature, carried in-band with the packet, acts as a unique identifier and is updated at each network element using a CRC-based process, enabling verification and representation of the packet's path trace through the network.).
Given the teaching of Holness, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin, Fenton and Velugu by incorporating a method of utilizing a digital signature as a ticket identifier to enhance security and integrity in network communication. Holness discloses a method for using a digital signature in a packet to represent traceable network path information, where the digital signature is updated and carried in-band within the packet header or context. This teaching demonstrates the utility of embedding digital signatures within packets for verification and integrity purposes. Ludin, Fenton and Velugu discloses mechanisms for managing ticket identifiers to regulate access and control network operations. By combining these teachings, it would have been obvious to use a digital signature as the ticket identifier, leveraging its cryptographic properties to ensure secure verification and traceability of network packets (Holness Column 1, Lines 45-50).
Claims 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Rogers (EP 3,132,587 B1).
Regarding Claim 6
Ludin, Fenton and Velugu teaches a sniffer that identifies packet origin using MAC/SSID, determines whether to anonymize or retain data, removes payloads if needed, logs the decision, and forwards the processed packet. However, they do not disclose the following limitation “determining, based on information received from an access authority, that forwarding of packets including a source IP address equal to a source IP address of the packet, and a destination IP address equal to a destination IP address of the packet is authorized; and configuring the security device to forward packets including a source IP address equal to the source IP address of the packet, and a destination IP address equal to the destination IP address of the packet”.
However, in an analogous art, Rogers discloses a ticket identifier system/method that includes:
The method of claim 1, further comprising:
determining, based on information received from an access authority, that forwarding of packets including a source IP address equal to a source IP address of the packet, and a destination IP address equal to a destination IP address of the packet is authorized (Rogers ¶ 5: describes dynamic security policies received from a security policy management server (access authority). These policies define specific packet-identification criteria (e.g., source IP, destination IP) and indicate whether to authorize forwarding based on rules. Rogers ¶ 30: describes rule-based filtering and forwarding using a five-tuple of values (source IP, destination IP, source port, destination port, and protocol). Specific forwarding rules based on source and destination IP addresses are part of the configuration, enabling packet forwarding only if criteria are met.); and
configuring the security device to forward packets including a source IP address equal to the source IP address of the packet, and a destination IP address equal to the destination IP address of the packet (Rogers ¶ 69-70: highlights the packet transformation functions, including forwarding packets meeting specific criteria. Security devices are dynamically configured to forward packets based on the defined policies.).
Given the teaching of Rogers, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin, Fenton and Velugu by configuring a security device to forward packets based on source and destination IP addresses, in accordance with authorization rules received from an access authority. Rogers discloses that a security policy management server (i.e., an access authority) provides dynamic security policies to the security device, which include packet-identification criteria such as source IP and destination IP addresses. These policies govern whether a packet is authorized for forwarding. Rogers further teaches that the security device uses a five-tuple of header values, including source and destination IP addresses, to determine whether a packet meets the forwarding criteria defined by the policy. Once a match is found, the security device is configured to forward the packet, as described in the policy received from the access authority. Additionally, Rogers notes that packet transformation functions include forwarding packets that satisfy specified criteria and that security devices are dynamically configured based on these access policies. It would have been obvious to a person of ordinary skill in the art to determine, based on information received from an access authority, that forwarding of packets matching a specific source and destination IP address pair is authorized, and to configure the security device to forward such packets. This approach is a direct application of Rogers’ teachings and would predictably result in improved network access control and security policy enforcement (Rogers ¶5, 30, 69–70).
Claims 8 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Arora (US 2021/0111995 A1).
Regarding Claim 8
Ludin, Fenton and Velugu teaches a sniffer that identifies packet origin using MAC/SSID, determines whether to anonymize or retain data, removes payloads if needed, logs the decision, and forwards the processed packet. However, they do not disclose the following limitation “wherein the determining, by the security device, of the disposition of the packet comprises determining whether a time-to-live associated with the ticket identifier has expired”.
However, in an analogous art, Arora discloses a TTL system/method that includes:
The method of claim 1, wherein the determining, by the security device, of the disposition of the packet comprises determining whether a time-to-live associated with the ticket identifier has expired (Arora ¶15-16: Demonstrates the process of receiving a packet (MPLS LSP Echo Request) with a label stack (ticked id). A determination is then made on the disposition of a packet based on its time-to-live (TTL) value, where a packet is processed or dropped when the TTL reaches zero, indicating that it has expired.).
Given the teaching of Arora, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin, Fenton and Velugu by incorporating a method of determining packet disposition based on whether the time-to-live (TTL) associated with the packet has expired. Arora describes the behavior of an MPLS LSP Echo Request, where a router examines the TTL value of an incoming packet to determine its disposition. Specifically, if a packet is received with a TTL of 0, the router processes it (e.g., drops the packet or prevents further traversal) to maintain the integrity of the network. Arora further discloses incrementing the TTL as packets move through the network and highlights scenarios where a packet is dropped due to TTL expiration at a router (e.g., R3 230 dropping the packet when TTL equals 0). This demonstrates the mechanism for determining whether the TTL has expired and using that determination to decide the disposition of the packet. It would have been obvious to apply this method to a security device that determines whether a packet's TTL has expired (Arora ¶s 15-16)
Regarding Claim 18
Claim 18 is directed to a method corresponding to the computing platform recited in claim 8. Claim 18 is similar in scope to claim 8 and is therefore rejected under similar rationale.
Claims 10 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Ludin (US 2020/0162432 A1), in view of Fenton (US 2022/0131835 A1), in view of Velugu (US 2022/0368672 A1) as applied to claim 1 above, and in further view of Liu (US 2022/0174072 A1).
Regarding Claim 10
Ludin, Fenton and Velugu teaches a sniffer that identifies packet origin using MAC/SSID, determines whether to anonymize or retain data, removes payloads if needed, logs the decision, and forwards the processed packet. However, they do not disclose the following limitation “wherein the determining, by the security device, of the disposition of the packet, comprises determining whether the security device has received another packet including the same ticket identifier”.
However, in an analogous art, Liu discloses a ticket identifier system/method that includes:
The method of claim 1, wherein an Internet Protocol (IP) Options field of a header of the packet includes the ticket identifier (Liu ¶179: The IPv4 header includes an "optional item" field, which is used to store specific identifiers. In one example, the optional item field can include a verification code, demonstrating that this field can hold a ticket identifier.).
Given the teaching of the Liu, a person having ordinary skill in the art before the effective filing date of the claimed invention would have recognized the desirability of modifying the teachings of Ludin, Fenton and Velugu by incorporating a method of embedding identifiers in the optional item field of an IPv4 header to support verification or tracking functionalities. Liu discloses that the IPv4 header includes an optional item field, which stores a verification code, demonstrating the use of this field to embed data related to packet validation. It would have been obvious to extend this method to include a ticket identifier in the optional item field (IP Options field) of the IPv4 header (Liu ¶ 179).
Regarding Claim 20
Claim 20 is directed to a method corresponding to the computing platform recited in claim 10. Claim 20 is similar in scope to claim 10 and is therefore rejected under similar rationale.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAAD ABDULLAH whose telephone number is 571-272-1531. The examiner can normally be reached on Monday-Friday 9am-5pm EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, LYNN FIELD can be reached on 571-272-2092.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800- 786-9199 (IN USA OR CANADA) or 571-272-1000.
/SAAD AHMAD ABDULLAH/Examiner, Art Unit 2431
/LYNN D FEILD/Supervisory Patent Examiner, Art Unit 2431