DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to application filed 08/06/2019. Claims 1-20 are pending.

Priority
This application is a continuation of 14/925,547 filed 10/28/2015, now Patent No. 10375026.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/08/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-33 of U.S. Patent No. 10375026 (reference patent hereinafter). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-33 of the reference patent anticipates claims 1-20.


Claim #
Instant Application
Reference Patent
Claim #
1
1. A computer-implemented method, comprising: 

applying a set of one or more security countermeasures to web transactions of a particular transaction type involving a web server system; 

determining a first expression pattern that occurs in response messages served by the web server system in response to successful transactions of the particular transaction type; 

determining a second expression pattern that occurs in response messages served by the web server system in response to unsuccessful transactions of the particular transaction type; 

intercepting a plurality of responses messages served by the web server system for a plurality of transactions of the particular transaction type requested by a plurality of client computing devices; 

determining a status for each of the plurality of transactions based on matching the first expression pattern and the second expression pattern to the response messages; 

updating aggregate status information for the particular transaction type based on the status for the plurality of transactions; and 

based on a change in the aggregate status information, updating the set of one or more security countermeasures; 

wherein the method is performed by one or more computing devices.
1. A computer-implemented method, comprising: 

intercepting, at an intermediary computing system, first response messages comprising web code for web page content served by a web server system to client computing devices in response to first operations of a particular operation type when the first 
operations have a successful completion state;  

determining a first expression 
pattern with at least one wildcard value that occurs in the web code of the web 
page content of each of the first response messages served in response to the 
first operations when the first operations have the successful completion 
state;  

storing a first mapping from the first expression pattern to a success 
status for the particular operation type;  


intercepting, at the intermediary computing system, second response messages comprising web code for web page content served by the web server system to the client computing devices in response to second operations of the particular operation type when the second operations have an unsuccessful completion state;  

determining a second 
expression pattern with at least one wildcard value that occurs in the web code 
of the web page content of each of the second response messages served in 
response to the second operations when the second operations have the 
unsuccessful completion state;  

storing a second mapping from the second 
expression pattern to a non-success status for the particular operation type;  

based on a set of mappings comprising the first mapping and the second mapping, 
determining a status for each operation of a set of operations of the particular operation type based on matching one or more expression patterns in the set of mappings to web code for one or more web page content served by the web server system in response to the set of operations;  

updating aggregate status information for the particular operation type based on the status for the set of operations;  and 

based on the aggregate status information 
corresponding to the particular operation type, performing an appropriate 
action;  

wherein the method is performed by one or more computing devices.

12.  The computer-implemented method of claim 1, wherein: the intermediary computer system applies a set of one or more security countermeasures to web code received from the web server system that is directed to the client computing devices before transmitting the web code from the intermediary computing system to the client computing devices for execution at the client computing devices. 
 
13.  The computer-implemented method of claim 12, wherein the appropriate action comprises adjusting the set of one or more security countermeasures based on the aggregate status information for the particular operation type.

11
11. A computer system comprising: 

one or more hardware processors; 

at least one memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to: 

apply a set of one or more security countermeasures to web transactions of a particular transaction type involving a web server system; 


determine a first expression pattern that occurs in response messages served by the web server system in response to successful transactions of the particular transaction type; 

determine a second expression pattern that occurs in response messages served by the web server system in response to unsuccessful transactions of the particular transaction type; 

intercept a plurality of responses messages served by the web server system for a plurality of transactions of the particular transaction type requested by a plurality of client computing devices; 

determine a status for each of the plurality of transactions based on matching the first expression pattern and the second expression pattern to the response messages; 

update aggregate status information for the particular transaction type based on the status for the plurality of transactions; and 

based on a change in the aggregate status information, update the set of one or more security countermeasures; 
wherein the method is performed by one or more computing devices.
19. A computer system for identifying and blocking unauthorized requests 
based on request volume comprising: 

one or more hardware processors;  

a memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause 
the one or more hardware processors to:

intercept, at an intermediary computing 
system, first response messages comprising web code for web page content served 
by a web server system to one or more client computing devices in response to 
first, operations of a particular operation type when the first operations have 
a successful completion state;  

determine a first expression pattern with at 
least one wildcard value that occurs in the web code of the web page content of 
each of the first response messages served in response to the first operations when the first operations have the successful completion state;  

store a first mapping from the first expression pattern to a success status for the 
particular operation type;  

intercepting, at the intermediary computing system, second response messages comprising web code for page content served by the web server system to the client computing devices in response to second operations of the particular operation type when the second operations have an unsuccessful completion state;  

determine a second expression pattern with at least one wildcard value that occurs in the web code of the web page content of 
each of the second response messages served in response to the second operations when the second operations have the unsuccessful completion state;  

store a second mapping from the second expression pattern to a non-success 
status for the particular operation type;  

based on a set of mappings comprising the first mapping and the second mapping, determine a status for each operation of a set of operations of the particular operation type based on matching one or more expression patterns in the set of mappings to web code for one or more web page content served by the web server system in response to the set of operations;  

updating aggregate status information for the particular operation type based on the status for the set of operations;  and 

corresponding to and based on the aggregate status information for the 
particular operation type, performing an appropriate action. 

27.  The system of claim 19, wherein: the intermediary computer system applies a set of one or more security countermeasures to the web code received from the web server system that is directed to the client computing devices before transmitting the web code from the intermediary computing system to the client computing devices for execution at the client computing devices. 
 
28.  The system of claim 27, wherein the one appropriate action comprises 
adjusting the set of one or more security countermeasures based on the aggregate status information for the particular operation type.

19, 27 and 28



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 1, 3-11 and 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Cobb, US2007/0266149A1 in view of Jungck, US2010/0142382A1.

Per claim 1, Cobb discloses a computer-implemented method, comprising: 
applying a set of one or more security countermeasures to web transactions of a particular transaction type involving a web server system (traffic monitoring data can indicate that a user's request, such as a request to purchase an item via a web site, took too long to process, or could not be successfully completed, while the application runtime data can indicate specific components or execution paths which are involved, such as by providing a trace.  With this information, appropriate remedial action can be taken.  Thus, with both types of information together, a greater focus and depth of understanding of the deployed resources can be realized – Cobb: par. 0189 – Note: the traffic monitoring system may provide a trigger mechanism that indicates when it is useful to examine (automatically or manually) the corresponding application runtime data, such as when an incident or defect is detected.  As discussed previously, a defect can be set when a request and/or response do not meet certain success criteria, or conversely, when the request and/or response meet certain defect criteria, indicating an anomalous condition, while an incident can be set when one or more associated defects are set, in one approach – par. 0190).
determining a first expression pattern that occurs in response messages served by the web server system in response to successful transactions of the particular transaction type (a transaction signature may be modified and saved to define a non-defective transaction so that transaction signatures which match the non-defect definition indicated a non-defective transaction – Cobb: par. 0159 – Note: transaction signatures defined as one or more “non-defective transaction” is equivalent to “successful transactions of the particular transaction type”); 
determining a second expression pattern that occurs in response messages served by the web server system in response to unsuccessful transactions of the particular transaction type (a signature parameter of a response time threshold may be used to identify defective transactions.  For example, a transaction signature may be modified and saved as a defect definition so that transaction signatures which match the defect definition indicate a defective transaction – Cobb: par. 0159 – Note: similarly, transaction signatures defined as one or more “defective transaction” is equivalent to “unsuccessful transactions of the particular transaction type”); 
intercepting a plurality of responses messages served by the web server system for a plurality of transactions of the particular transaction type requested by a plurality of client computing devices (Traffic sent to and from an application, such as traffic sent between client device 110 and web server 140 over network 120, for instance, is observed by traffic monitoring system 180 at step 101.  The observation can involve passively copying the traffic at some intermediate point between the client and the application via a tap or mirror port, for instance, or intercepting the traffic, copying the intercepted traffic and relaying the intercepted traffic it to its intended destination – Cobb: par. 0061 and Fig. 1B); 
determining a status for each of the plurality of transactions based on matching the first expression pattern and the second expression pattern to the response messages (Transactions can be detected based on transaction definitions which specify the existence or non-existence or combination thereof of a set of name/value pairs, e.g., parameters, which are found in the traffic.  For example, parameter specification may include a matching type, a parameter type (e.g., URL, cookie, post, or query, or session), a name pattern, and a value pattern…Any form of pattern matching may be used, from simple wild-card pattern matching to more complex regular expression pattern matching – Cobb: par. 0064). 
Cobb is not relied on to explicitly disclose but Jungck discloses updating aggregate status information for the particular transaction type based on the status for the plurality of transactions (The data describing the exemplary message patterns may represent an exemplary time-ordered sequence of messages for a transaction, or portion thereof, on the network 130, the number of which may be implementation dependent and may depend on the number of messages required to substantially discern the nature of the interaction represented thereby.  An administrator or expert user may identify and/or define the exemplary message patterns – Jungck: par. 0041-0043 – Note: because one may not even be able to detect that a given transaction is illegitimate until multiple interactions have taken place, the intent then is discernable from the aggregate interactions – par. 0004); and 
based on a change in the aggregate status information, updating the set of one or more security countermeasures (The fraud detection devices 115A-N may also impose message rate limits that may limit the number of messages that may be communicated over a period of time on a per channel or per transaction basis.  Alternatively or in addition thereto, if the current message pattern matches an exemplary invalid message pattern, then it may be probable that the current transaction represented by the messages communicated thus far is invalid and/or fraudulent – Jungck: par. 0035); 
Cobb explicitly discloses wherein the method is performed by one or more computing devices (Cobb: Fig. 1D).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Cobb in view of Jungck to include updating aggregate status information for the particular transaction type based on the status for the plurality of transactions; and based on a change in the aggregate status information, updating the set of one or more security countermeasures.
One of ordinary skill in the art would have been motivated because it would allow to “identify the exemplary denial of service message patterns in the messages, and handle the messages accordingly, such as by blocking the messages from reaching the proxy servers” and further “to impose rate limits on the number of status messages received for a transaction over a specified period of time or the number of sessions initiated on a channel over a specified period of time” – Jungck: par. 0022.

Per claim 11, it recites a computer system comprising: 
one or more hardware processors (the computing system may be used to implement client device 110, any of firewall 132, router 134 and switch 136 on one or more machines, network server 140, application server 150, database server 151, Enterprise Manager 150, workstations 410 and 420, database 430, traffic monitor 160, transaction server 164, synthetic transaction generator 172, script recorder 174 and synthetic transaction script module 170 – Cobb: par. 0120-0121and Fig. 5); 
at least one memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors (The computer system includes one or more processors 550 and main memory 552 which stores, in part, instructions and data for execution by processor unit 550 - Cobb: par. 0120-0121and Fig. 5), cause the one or more hardware processors to perform the method steps as recited in claim 1. 
Therefore, claim 11 is rejected based on the same analysis and motivation to combine set forth in the rejection of claim 1 above. 

Per claims 3 and 13, Cobb-Jungck discloses features of claims 1 and 11, wherein the change in the aggregate status information comprises a decrease in volume of successful transactions (the application runtime data can indicate that a database associated with an application server is overwhelmed with requests, while the traffic monitoring data can indicate that a certain class of users, e.g., users who are accessing the application without paying, are the ones who are submitting most of the requests.  The traffic monitoring data can further indicate that paying customers are not using the database because it is too busy servicing the requests of the non-paying users.  Based on this information, the resources could be rearranged, such as by providing a separate database which only services requests of the paying customers – Cobb: par. 0189 – Note: traffic monitoring data indicates a decrease in use (under-usage) of paying customers are indicated ).

Per claims 4 and 14, Cobb-Jungck discloses features of claims 1 and 11, wherein the change in the aggregate status information (Note: statistics on application runtime data over time indicates observing change) comprises a change in a ratio of successful transactions to unsuccessful transactions (aggregated application runtime data can be classified based on the hierarchy.  This allows various questions to be answered, such as "What was the number of errors for some time period for a specific business transaction?" The application runtime data, without classification based on the hierarchy, could answer the question "What was the number of errors at some point of time for a component such as an EJB or a servlet?" – Cobb: par. 0251 – Note: application runtime data can include information such as average method execution time, a method invocation rate per second or per interval, a count of method invocations, a concurrency metric indicating number of method invocations that have started but not finished per interval, and a stalled metric indicating a number of method invocations that have started whose method invocation times have exceeded a specific threshold per interval – par. 0074).

Per claims 5 and 15, Cobb-Jungck discloses features of claims 1 and 11, wherein updating the set of one or more security countermeasures comprises adjusting one or more security parameters (The fraud detection devices 115A-N may also impose message rate limits that may limit the number of messages that may be communicated over a period of time on a per channel or per transaction basis – Jungck: par. 0035).
The same motivation to modify Cobb in view of Jungck applied to claim 1 above applies here.

Per claims 6 and 16, Cobb-Jungck discloses features of claims 1 and 11, wherein determining the first expression pattern and determining the second expression pattern comprises evaluating code corresponding to response messages served by the web server system (In one approach, defects can be detected by evaluating a request-response pair against defect criteria which may specify transaction types, a range of acceptable response times, and/or other parameters, for instance.  For example, when the defect criteria specifies a range of acceptable response times within which a response may be received after a request is sent, the request-response pair is defective if the response time falls outside the specified range.  Similarly, when the defect criteria specify a range of unacceptable response times, the request-response pair is defective if the response time falls within the specified range.  Moreover, defect criteria can be specified for transaction components, transactions and/or business transactions – Cobb: par. 0067).

Per claims 7 and 17, Cobb-Jungck discloses features of claims 1 and 11, wherein determining the first expression pattern and determining the second expression pattern (Note: transaction definitions are equivalent to expression patterns) comprising receiving and processing user-defined configuration data that specifies the first expression pattern and the second expression pattern (Output device/interface 195, which may include an on-screen interface, for instance, may receive traffic monitoring data from traffic monitoring system 180 and application runtime data from application monitoring system 190 for access by an operator.  The interface 195 also allows the operator to provide inputs to the transaction server 164, e.g., to provide transaction definitions or other configuration settings – Cobb: par. 0091 and also Fig. 14, 1420).

Per claims 8 and 18, Cobb-Jungck discloses features of claims 1 and 11, wherein determining the first expression pattern and determining the second expression pattern comprises generating the first expression pattern and the second expression pattern based on a model that automatically determines distinctive characteristics of model web page content served by the web server system regarding the particular transaction type that describe different statuses for the particular transaction type  (At step 1070, the operator can define a hierarchy…A hierarchy rules engine can be generated based on the transaction and hierarchy definitions for use in classifying interactions with an application. After generating transaction definitions, defect definitions and a hierarchy, they are transmitted to traffic monitor 160 at step 1080 for use in monitoring incoming traffic, identifying transactions to process and classifying the transactions according to the hierarchy- Cobb: par. 0162 and 0162 – Note: wherein the statistics and defect data are first translated into objects such as Java objects), wherein the model web page content includes web code that corresponds to a success status for the particular transaction type and web code that corresponds to a non-success status for the particular transaction type (a transaction signature may be modified and saved as a defect definition so that transaction signatures which match the defect definition indicate a defective transaction. In another approach, a transaction signature may be modified and saved to define a non-defective transaction so that transaction signatures which match the non-defect definition indicated a non-defective transaction – Cobb: par. 0159).

Per claims 9 and 19, Cobb-Jungck discloses features of claims 1 and 11, wherein the method is performed by an intermediary computing system configured as a proxy to the web server system such that incoming and outgoing messages from the web server system are routed through the intermediary computing system for processing before the incoming messages are provided to the web server system or before the outgoing messages are delivered to the client computing devices (The network monitoring system also includes traffic monitoring system 180 and an application monitoring system 190.  In one possible approach, the application monitoring system uses one or more agents, such as agent 152, which is considered part of the application monitoring system 190, though it is illustrated as a separate block in FIG. 1A.  Traffic monitoring system 180 observes traffic sent between client device 110 and network server 140, including requests sent from client device 110 and corresponding responses received by the client device 110.  Agent 152 and application monitoring system 190 monitor the execution of one or more applications at the application server 150, generate application runtime data, which represents the execution of components of the application responsive to the requests, and process the generated application runtime data – Cobb: par. 0060 and Fig. 1A).

Per claims 10 and 20, Cobb-Jungck discloses features of claims 9 and 19, wherein the intermediary computer system applies the a set of one or more security countermeasures to web code received from the web server system that is directed to the client computing devices before transmitting the web code from the intermediary computing system to the client computing devices for execution at the client computing devices (traffic monitoring data can indicate that a user's request, such as a request to purchase an item via a web site, took too long to process, or could not be successfully completed, while the application runtime data can indicate specific components or execution paths which are involved, such as by providing a trace.  With this information, appropriate remedial action can be taken.  Thus, with both types of information together, a greater focus and depth of understanding of the deployed resources can be realized – Cobb: par. 0180 – Note: the traffic monitoring system may provide a trigger mechanism that indicates when it is useful to examine (automatically or manually) the corresponding application runtime data, such as when an incident or defect is detected.  As discussed previously, a defect can be set when a request and/or response do not meet certain success criteria, or conversely, when the request and/or response meet certain defect criteria, indicating an anomalous condition, while an incident can be set when one or more associated defects are set, in one approach – par. 0190).

2.	Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Cobb, US2007/0266149A1 in view of Jungck, US2010/0142382A1 as applied to claims 1 and 11, further in view of Zeitlin, US2015/0358338A1.

Per claims 2 and 12, Cobb-Jungck discloses features of claims 1 and 11.
Cobb-Jungck is not relied on to explicitly disclose but further in view of Zeitlin discloses wherein the change in the aggregate status information comprises an increase in volume of unsuccessful transactions (a detection criterion may declare hostile activity if finding that a certain node 21 makes more than a predefined number of consecutive unsuccessful authentication attempts with a given service on a given server… Some detection criteria may take into account both failed and successful authentication attempts – Zeitlin: par. 0042-0043).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Cobb-Jungck further in view of Zeitlin to include wherein the change in the aggregate status information comprises a change in a ratio of successful transactions to unsuccessful transactions.
One of ordinary skill in the art would have been motivated because it would allow to “declare hostile activity if finding that a certain node 21 makes more than a predefined number of consecutive unsuccessful authentication attempts with a given service on a given server” – Zeitlin: par. 0042.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533.  The examiner can normally be reached on Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/AREZOO SHERKAT/            Examiner, Art Unit 2434