DETAILED ACTION

This action is in response to the communication filed on 10/23/20.
All objections and rejections not set forth below have been withdrawn.
Claims 1, 3 – 6, 9 – 11, 13 – 16, and 20 – 26 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

	
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 3 – 6, 9 – 11, 13 – 16, and 20 – 26 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Scott et al. (Scott), “Abstracting Application-Level Web Security” in view of Hallak, US 8,464,318 B1.
Regarding claim 1, Scott discloses:
intercepting, by a protection module …, a request for web content residing on a remote web server, the request made by a web browser application running on the client device (e.g. Scott, fig. 4: receive HTTP request by a security gateway, i.e. “protection module”). 
Scott discloses a system utilizing a security gateway for protecting web applications from malicious attacks, such as XSS attacks and other web attacks (e.g. Scott, Abstract; sect. 2), wherein the security gateway modifies responses received from web servers (e.g. Scott, fig. 4: “modify http response”).  However, Scott does not explicitly state that the security gateway resides on the same client device as the client’s browser application.  
Hallak also discloses a system utilizing a security gateway for protecting web applications from malicious attacks, such as XSS attacks and other web attacks (e.g. Hallak, Abstract; 12:10-22), wherein the security gateway modifies responses received from web servers (e.g. Hallak, 3:19-23, 35-37; 4:53-57).  Furthermore, Hallak discloses that the security gateway resides on the same client device as the client’s browser application (e.g. Hallak, fig. 2a; fig. 2g:210, 200, “UI component”; 4:16-18, 46-49).  
It would have been obvious to one of ordinary skill in the art to art to recognize the teachings of Hallak for a security gateway that modifies responses from a web server, wherein the security gateway can be located on any of a server, a physically separate device, or the client device.  This would have been obvious because one of skill in the art would have been motivated by the teachings that either arrangement is useful for providing security for a web application (e.g. Hallak, 3:13-38).

completing the request, by the protection module, without the help of the web browser application by (e.g. Scott, fig. 4: fetch page from server; Hallak, 5:3-6,58-63 – gateway forwards request and receives response to/from server).  
	receiving and caching, by the protection module, the requested web content from the remote web server, wherein the web content comprises data for assembling a web page (e.g. Scott, fig. 4; sect. 3.4.1; Hallak, fig. 2a:response).  Herein, the security gateway receives in memory (at least temporarily – i.e. “caches”) a response from the web server. 
	analyzing, by the protection module, the cached web content to identify a malware of the requested web content (e.g. Scott, fig. 4, Abstract; sect. 2; sect. 3.4, par. 4; sect. 3.4.1; sect. 3.5.2; sect. 6, par. 3, 6; see also Hallak, 3:13-37).  Herein, the security gateway operates to identify harmful elements of code and parameters within the HTTP responses (e.g. HTML forms, <form> tags, “certain url parameters”, embedded code) which are indicative of attacks, or otherwise pose threats of malware, i.e. “malware threat”. 
in response to identifying the malware threat, modifying, by the protection module, the requested web content to remove the malware threat of the web page to create a modified web page free of the malware thread (e.g. Scott, sect. 3.4, par. 4; sect. 3.4.1; sect. 3.4.2; fig. 4: validation, transformation, modified response – herein a modified HTTP response, designed to remove the threat posed by malware, is generated; see also Hallak, 3:19-23, 35-37; 4:53-57  – herein, the gateway removes harmful portions of the web content before sending the response to the client browser); 
and providing, by the protection module, the modified web page to the web browser application for rendering and display (e.g. Scott, fig. 4: return HTTP request to client in the form of modified HTTP response, which is rendered on the client; see also Hallak, 3:19-23, 35-37; 4:53-57 – herein the gateway returns the response comprising the harmless content to the client browser). 

Regarding claim 3, the combination enables:
wherein providing the modified web page further comprises supplementing the web page with indicators regarding a vulnerability of one or more links within the web page (e.g. Scott, sect. 3.4, par. 2, 3 – error messages are sent extraneously to the web page – i.e. “supplementing”; sect. 3.4, par. 4, sect. 3.1, par. 2 – HTTP response annotated with validation code and MACs). 

Regarding claim 4, the combination enables:
wherein identifying the malware threat comprises one or more of URL (Uniform Resource Locator) analysis, IP (Internet Protocol) analysis, an image analysis, and a script/HTML analysis (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.; see also Hallak, 3:35-37; 4:53-57). 

Regarding claim 5, the combination enables:
determining whether the request for the web page from the web browser application is a first request (e.g. Scott, sect. 3.4.2 – replays are detected, i.e. determining whether a “first request” was received; see also, sect. 3.4.1, par. 3 – a . 

Regarding claim 6, the combination enables:
wherein modifying the malware threat further comprises performing one or more of pre-process data decryption, de-chunking and decompressing (e.g. Scott, sect. 3.2). 

	Regarding claim 9, the combination enables:
wherein receiving the web content further comprises performing cloud verification of the web content (e.g. Scott, fig. 1; abstract – the verifications are performed within the web, i.e. “cloud”).

Regarding claim 10, the combination enables:
further comprising allocating memory for caching of the web content (e.g. Scott, fig. 4; sect. 3.4 – memory is allocated within the security gateway to analyze the content; see also Hallak, fig. 4:410). 

Regarding claims 11, 13 – 16 and 20 – 26, they are system and program claims essentially corresponding to the above method claims and they are rejected, at least, for the same reasons.  Furthermore:

Regarding claim 21, the combination enables:
wherein sending the request to one or more web servers comprises iteratively sending a plurality of requests to the one or more web servers (e.g. Scott, sect. 2, par. 3; sect. 3.1, par. 2). 

Regarding claim 22, the combination enables:
	further comprising processing the web content prior to identifying the malware threat within the web content (e.g. Scott, fig. 4 – the web content must be analyzed before malicious content can be identified). 

Regarding claims 23, the combination enables:
wherein the malware threat comprises a Uniform Resource Locator (URL) (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.; see also Hallak, 3:19-23, 35-37; 4:53-57  ). 

Regarding claim 24, the combination enables:
wherein the malware threat is at a protocol level of the web page (e.g. Scott, sect. 2 – application level; see also Hallak, 3:41-54). 

Regarding claim 25, the combination enables:
wherein the malware threat comprises a Uniform Resource Locator (URL) (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.). 

Response to Arguments

Applicant's arguments filed 10/23/20 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
… In contrast, the present disclosure addresses threats to web browsers of a client device from remote malware sources. As shown in FIG. 1 (reproduced below), a protection agent 116 resides on a user's PC 105.
…
(Remarks, pg. 8)

Examiner respectfully responds:
The examiner respectfully notes that the Applicant’s arguments is moot in view of the new ground of rejection relying upon the combination of Scott and Hallak.

Applicant argues or alleges essentially that:
…
… One way to look at the difference between Scott and the present disclosure is that while Scott teaches protecting web servers from malicious client devices (i.e., client devices used by hackers), the present disclosure teaches protecting client devices from malicious web servers (i.e., web servers hosting web pages containing malware or hosting web sites that are infected with malware by a malware source).
…
(Remarks, pg. 9)

Examiner respectfully responds:
The examiner respectfully disagrees.  Specifically, the applicant appears to mischaracterize the prior art of Scott, in that the applicant erroneously implies that Scott does not teach protecting the client from malware.  
However, the examiner points out that Scott clearly teaches that application level attacks threaten the safety of the client (e.g. Scott, sect. 2:”cross-site scripting”). Thus, contrary to applicant’s allegation, Scott is directed towards protecting the client (as well as the server) from malware attacks via web applications.  

Applicant argues or alleges essentially that:
…
… Independent claim 1 has been amended as proposed in the Interview conducted on October 14, 2020 (plus replacing "page" with "content" in line 13 to confirm with previous claim language). Independent claims 11 and 26 include similar amendments. As noted above, the Examiner stated during the interview that these amendments appear to overcome the cited prior art.
…
(Remarks, pg. 9)

Examiner respectfully responds:
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.


Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/JEFFERY L WILLIAMS/           Primary Examiner, Art Unit 2495