IDENTIFICATION OF THREATS VIA TLS CERTIFICATE ANALYSIS

DETAILED ACTION This Office action is in response to amendments and remarks filed by Applicant on 10/31/2025. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Response to Amendment Applicant presents amendments to claims 1, 11, and 20. All amendments have been fully considered. Applicant’s amendments are sufficient to overcome the previous art and combination of prior art serving as the basis for the rejections under 35 U.S.C. 102 and 103. A new search was conducted to identity prior art to address the added subject matter. New prior art was identified and a new combination of references is presented to serve as the basis for a new rejection under 35 U.S.C. 103. The claim limitations are mapped to the new combination below. Response to Arguments Applicant presents arguments with respect to independent claims 1, 11, and 20. All arguments have been fully considered. The Examiner agrees that the clarification as to what the recited static context data amounts to was not found in the previously cited references. As noted above, a new search was conducted and a new rejection is presented below. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1–8, 10–12, 14–17, 19–20 rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 2020/0287888 A1, published Sep. 10, 2020, See IDS filed 5/21/2025) in view of Krishan (US 2024/0163271 A1, published May 61, 2024). Regarding claims 1 and 20, Moore discloses: a method for detecting threats comprising: (a) obtaining a first network communication transmitted via a network (receiving and filtering TLS certificates that are in-transit in the network. Moore ¶ 93.); (b) obtaining a certificate in a Transport Layer Security (TLS) handshake of the first network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.); and (f) in response to the one or more analyses resulting in detection of a threat, taking one or more actions based on the one or more analyses (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.). Moore discloses some of, but does not disclose all of: (c) parsing the certificate to obtain corresponding certificate field values; (d) obtaining static context data associated with the network, the static context data including data determined in association with TLS activity in the network; (e) performing one or more analyses of the obtained certificate field values against the static context data associated with TLS activity. However, Krishan does disclose: (c) parsing the certificate to obtain corresponding certificate field values (receiving the SAN extension parameters in the received TLS certificate during the TLS handshake. Krishan ¶ 27.); (d) obtaining static context data associated with the network, the static context data including data determined in association with TLS activity in the network (receiving TLS parameter associated with the owner of the access token. Krishan ¶ 27.); (e) performing one or more analyses of the obtained certificate field values against the static context data associated with TLS activity (comparing the TLS parameter associated with the owner of the access token with the value of the TLS parameter in the TLS certificate received from the handshake. Krishan ¶ 27.). Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining certificate data and TLS context data and performing analysis on the data based upon the teachings of Krishan. The motivation being to verify whether the access token was sent by its owner. Krishan ¶ 27. Regarding claim 2, Moore in view of Krishan discloses the limitations of claim 1, further comprising: monitoring all network communications in the network, including the first network communication (Moore ¶ 30.); and for each of the network communications, performing steps (b)-(f) (See Moore ¶¶ 93, 95, and 108.). Regarding claim 3, Moore in view of Krishan discloses the limitations of claim 1, wherein receiving the first network communication comprises intercepting the TLS handshake of the first network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.). Regarding claim 4, Moore in view of Krishan discloses the limitations of claim 3, wherein receiving the first network communication comprises receiving the intercepted TLS handshake of the first network communication at a network appliance other than a destination device associated with the first network communication (at the Packet Filtering Device 112, filtering TLS certificates as components to TLS handshake sessions. Moore figure 1 and ¶¶ 34 and 94.). Regarding claim 5, Moore in view of Krishan discloses the limitations of claim 4, wherein transmission of the first network communication to the destination device is uninterrupted by interception of the first network communication (at the Packet Filtering Device 112, filtering TLS certificates as components to TLS handshake sessions. Moore figure 1 and ¶¶ 34 and 94.). Regarding claim 6, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise a common name (CN) of a certificate holder of the certificate and one or more subject alternative names (SANs) of corresponding alternative domains that use the certificate (Moore ¶ 108.). Regarding claim 7, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise an issuing organization and information corresponding to the issuing organization (Moore ¶ 108.). Regarding claim 8, Moore in view of Krishan discloses the limitations of claim 1, wherein the certificate field values comprise a set of validity dates (Moore ¶ 68.). Regarding claim 10, Moore in view of Krishan discloses the limitations of claim 1, wherein taking the one or more actions comprises providing an alert in response to detecting that the certificate is invalid (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.). Regarding claim 11, Moore discloses: a network appliance adapted to be coupled to a network, the network appliance comprising: a processor and a memory; the processor further adapted to, for each network communication: obtain a certificate in a Transport Layer Security (TLS) handshake of the network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.); parse the certificate to obtain corresponding certificate field values (values from the captured certificates are considered indicators of compromise. Moore ¶ 95.); and in response to the one or more analyses resulting in detection of a threat, taking one or more actions based on the one or more analyses (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.). Moore discloses some of, but does not disclose all of: the processor adapted to obtain static context data associated with the network the static context data including data determined in association with TLS activity in the network; perform one or more analyses of the obtained certificate field values against the static context data associated with TLS activity. However, Krishan does disclose: the processor adapted to obtain static context data associated with the network the static context data including data determined in association with TLS activity in the network (receiving TLS parameter associated with the owner of the access token. Krishan ¶ 27.); perform one or more analyses of the obtained certificate field values against the static context data associated with TLS activity (comparing the TLS parameter associated with the owner of the access token with the value of the TLS parameter in the TLS certificate received from the handshake. Krishan ¶ 27.). Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining certificate data and TLS context data and performing analysis on the data based upon the teachings of Krishan. The motivation being to verify whether the access token was sent by its owner. Krishan ¶ 27. Regarding claim 12, Moore in view of Krishan discloses the limitations of claim 11, wherein receiving the network communication comprises intercepting the TLS handshake of network communication (filtering TLS certificates as components to TLS handshake sessions. Moore ¶ 94.). Regarding claim 14, Moore in view of Krishan discloses the limitations of claim 12, wherein the network appliance is adapted to passively intercept each network communication, wherein transmission of the network communication to a destination device is uninterrupted by interception of the network communication (Moore ¶ 30.). Regarding claim 15, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including a common name (CN) of a certificate holder of the certificate and one or more subject alternative names (SANs) of corresponding alternative domains that use the certificate (Moore ¶ 108.). Regarding claim 16, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including an issuing organization and information corresponding to the issuing organization (Moore ¶ 108.). Regarding claim 17, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to obtain certificate field values including a set of validity dates (Moore ¶ 68.). Regarding claim 19, Moore in view of Krishan discloses the limitations of claim 11, wherein the processor is adapted to, for each of the network communications: in response to the one or more analyses resulting in detection of a threat, providing an alert corresponding to the threat (pursuant to analysis, reporting or logging any anomalies. Moore ¶ 108.). Claims 9, 18 rejected under 35 U.S.C. 103 as being unpatentable over Moore in view of Krishan in view of Ucci (US 2022/0407722 A1, published Dec. 22, 2022). Regarding claim 9, Moore in view of Krishan discloses the limitations of claim 1. Moore in view of Krishan does not disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate. However, Ucci does disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate (capture certificates in the chain of certificates associated with the TLS handshake procedure. Ucci ¶¶ 30–31.). Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining a last certificate of a chain and parsing the certificate based upon the teachings of Ucci. The motivation being to determine whether at least one certificate in a chain has an anomaly. Ucci ¶ 33. Regarding claim 18, Moore in view of Krishan discloses the limitations of claim 11. Moore in view of Krishan does not disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate. However, Ucci does disclose: wherein obtaining the certificate comprises obtaining a last certificate of a certificate chain and wherein parsing the certificate comprises parsing the last certificate (capture certificates in the chain of certificates associated with the TLS handshake procedure. Ucci ¶¶ 30–31.). Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with obtaining a last certificate of a chain and parsing the certificate based upon the teachings of Ucci. The motivation being to determine whether at least one certificate in a chain has an anomaly. Ucci ¶ 33. Claim 13 rejected under 35 U.S.C. 103 as being unpatentable over Moore in view of Krishan in view of Reddy (US 2017/0339130 A1, published Nov. 23, 2017). Regarding claim 13, Moore in view of Krishan discloses the limitations of claim 1. Moore in view of Krishan does not disclose: wherein the processor is adapted to, for each of the network communications: decrypt the certificate of the network communication to obtain the corresponding certificate field values; and in response to determining that no threat is detected, re-encrypting the network communication and forwarding the network communication to a corresponding destination. However, Reddy does disclose: wherein the processor is adapted to, for each of the network communications: decrypt the certificate of the network communication to obtain the corresponding certificate field values (packets captured in network traffic are decrypted for threat analysis. Reddy ¶ 52.); and in response to determining that no threat is detected, re-encrypting the network communication and forwarding the network communication to a corresponding destination (the TLS proxy will re-encrypt analyzed data packets and forward the packets on to their destination. Reddy ¶ 52.). Therefore, it would have been prima facie obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify the capture of network traffic to analyze security certificates to identify anomalies of Moore with the decryption and re-encryption of received TLS transmission packets to extract certificate data based upon the teachings of Reddy. The motivation being to be able to read the protocol required encrypted metadata in order to detect network anomalies. Reddy ¶ 3. Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to VANCE LITTLE whose telephone number is (571) 270-0408. The examiner can normally be reached Monday - Friday 9:30am - 5:30pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung (Jay) Kim can be reached at (571) 272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /VANCE M LITTLE/Primary Examiner, Art Unit 2494