Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Detailed Action
1.	This action is responsive to communication filed on: 23 December 2020 with acknowledgement of an original application filed on 8 August 2017.
2.	Claims 1-20 are pending.  Claims 1 and 11 are independent claims
Response to Arguments

3.	Applicant's arguments filed 23 December 2020 have been fully considered however they not are persuasive.
I)	In response to Applicant’s argument beginning on page 7, “Claims 1-20 stand rejected…wherein the second rule is different than the first rule that caused the sending of the alert package in that the second rule comprises a condition including an attribute vale that is different from any of the attribute values in the set of one or more attribute values included in the condition of the first rule…there is no indication in Narayanaswamy that a new set of attribute value that was determined based on an alert package that was sent to the electronic device due to a condition of the first policy being met is transmitted for the second policy in the manner recited in claim 1”.
	The Examiner disagrees with argument.  The claim and the argued limitation state:
“transmitting, for delivery to the [set of] ADs, the new set of attribute values for a second rule to be used in the protection of the one or more web application servers against web application layer attacks from the one or more HTTP clients, wherein the second rule is different than the first rule that caused the sending of the alert package in that the second rule comprises a 

In this claim limitation it is stated that “the second rule is different than the first rule”.  The Examiner does not interpret the claim to mean “the first policy being met is transmitted for the second policy”.  The claim specifically states the attribute values in the second rule are not included in the first rule.  Like the claim Narayanaswamy teaches a second policy (i.e. rule) being applied that is different from a first policy (i.e. rule), see paragraph 12 “the first policy identifies a first set of attack patterns that correspond to a first set of network attacks, and the first set of attack patterns and the second set of attach patterns identify at least one different attack pattern”.  The at least one different attack pattern is interpreted equivalent ‘to different from any of the attribute values in the set of one or more attribute values included in the condition of the first rule’.  Therefore the Applicant’s arguments are not persuasive.

Double Patenting
4.	The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A statutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/forms/.
 The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. 
 An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, please refer to - http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp
5.	Claims 1 and 11 are  rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 11 or the U.S. Patents No. 9,762,592 and 9,027,136.  Although the conflicting claims are not identical, they are not patentably distinct 

Claim Rejections - 35 USC § 103
6. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
8.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kim et al., (“Kim,” US 2007/0136809), published on Jun. 14, 2007, in view of Motsinger et al.(“Motsinger,” US 2005/0198099), published on Sep. 8, 2005, in further view of Song et al., (“ Song,” US 2011/0167493), published on Jul. 7. 2011 in further view of Narayanaswamy U.S. Patent Application Publication No. 2009/0328219 (hereinafter ‘219).
Regarding claim 1, Kim discloses a method in an electronic device communicatively coupled to a set of one or more web application layer attack detectors (ADs), wherein the [set of] ADs are communicatively coupled between one or more Hypertext Transfer Protocol (HTTP) clients and one or more web application servers to protect the one or more web application servers against application layer attacks, and wherein the set of ADs apply rules that each comprise a condition including a set of one or attribute values corresponding to one or more attribute identifiers (pars. 0028-0047; Figs. 1-3), the method comprising:
receiving, from an AD [of the set of ADs], an alert package comprising a web application layer request message sent by an HTTP client to a web application server, wherein the alert package was sent responsive to a set of one or more packets that collectively carried the web application layer request message and that resulted in the condition of a first of the rules that is for detecting [remote file inclusion (RFI)] attacks being met (pars 0044-0045, the service request reception unit 230 receives Web service request data (Operation 300). The input value authentication unit 240 authenticates input values included in the Web service request data (Operation 310), and determines whether the Web service request data is the attack against the Web application according to the authentication (Operation 320);
determining, based on the alert package, a set of one or more attribute values for an attribute identifier, wherein the set of attribute values comprises a set of one or more Uniform Resource Locator (URL) values (par. 0028, the input value authentication unit 240 authenticates user input values by checking an URL input parameter)',
filtering, from the set of attribute values, any attribute values that cannot be considered indicative of an attack to form a new set of attribute values for the attribute identifier (par. 0046, the input value filtering unit 250 removes an attack element from the Web service request data determined as the attack against the Web application (Operation 330); and
transmitting, for delivery to the [set of] ADs, the new set of attribute values for a second rule to be used in the protection of the one or more web application servers against web application layer attacks from the one or more HTTP clients, wherein the second rule is different than the first rule that caused the sending of the alert package (pars. 0045-0047, if it is determined that the Web service request data is the attack against the Web application, the input value authentication unit 240 transfers the Web service request data to the input value filtering unit 250. The input value filtering unit 250 removes an attack element from the Web service request data determined as the attack against the Web application (Operation 330). The input value filtering unit 250 can report a filtering result to a manager (Operation 340).
Kim does not explicitly disclose more than one (1) detectors.
However, in an analogous art, Motsinger discloses system/method for monitoring user access wherein more than one (1) detectors are disclosed (Motsinger: Fig. 2, Dl-D53).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Motsinger with the method and system of Kim wherein more than one (1) detectors are disclosed to provide users with a means for faster identifying network attacked (Motsinger: par. 0013).
Kim and Motsinger do not explicitly disclose remote file inclusion (RFI) attack is detected.
However, in an analogous art, Song discloses system/method for detecting network anomalies wherein remote file inclusion (RFI) attack is detected (Song: par. 0010, in some embodiments, mechanisms are provided that protect web servers against web layer attacks, such as cross-site scripting attacks, PHP local and remote file inclusion attacks).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of Song with the method and system of Kim and Motsinger wherein remote file inclusion (RFI) attack is detected to provide users with a means for protecting web server against RFI attacks (Song: par. 0010).
Kim, Motsinger, and Song do not explicitly teach:
“transmitting, for delivery to the [set of] ADs, the new set of attribute values for a second rule to be used in the protection of the one or more web application servers against web application layer attacks from the one or more HTTP clients, wherein the second rule is different than the first rule that caused the sending of the alert package in that the second rule comprises a condition including an attribute value that is different from any of the attribute values in the set of one or more attribute values included in the condition of the first rule” however ‘219 teaches techniques for dynamic policy provisioning that stores multiple policies (i.e. first policy, second policy, etc.)  and that the Intrusion Detection and Prevention device (IDP) may change the policy applied from a first policy wherein the second policy is different from the first policy (i.e. different from any of the attribute values in the set of one or more attribute values included in the condition of the first rule (i.e. policy) in the Abstract, paragraphs 6 and 12.
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention of an apparatus and method for blocking attacks against web applications taught in Kim, Motsinger, and Song to include a means to utilize a second rule that comprises an attribute value that is different from the attribute values on the first rule.  One of ordinary skill in the art would have been motivated to perform such a modification because 

Regarding claim 2, Kim, Motsinger, and Song disclose the method of claim 1.
Motsinger further discloses wherein the set of ADs includes a plurality of
Ads (Motsinger: Fig. 2, D1-D53).
Regarding claim 3, Kim, Motsinger, and Song disclose the method of claim 2.
Motsinger further discloses wherein the plurality of ADs are operated by different business enterprises at different geographic locations (Motsinger: par. 0014, the methods, systems, and computer program products can identify one geographic location of a client initiating a login session. The methods, systems, and computer program products can also identify another geographic location of the same client or a different client initiating another login session).
Regarding claim 4, Kim, Motsinger, and Song disclose the method of claim 1.
Song further discloses wherein the second rule is also for detecting RFI attacks (Song: par. 0010, in some embodiments, mechanisms are provided that protect web servers against web layer attacks, such as cross-site scripting attacks, PHP local and remote file inclusion attacks).
Regarding claim 5, Kim, Motsinger, and Song disclose the method of claim 1.
Kim further discloses wherein determining the set of attribute values includes identifying the set of URL values embedded within one or more parameters of the web application layer request message (Kim: par. 0028, the input value authentication unit 240 authenticates user input values by checking an URL input parameter, a form/script variable value, IDS bypass encoding, SQL query, etc. with respect to the Web service request data through a URL).
Regarding claim 6, Kim, Motsinger, and Song disclose the method of claim 1.
Motsinger further discloses wherein filtering any attribute values that cannot be considered indicative of an attack comprises downloading one or more resources corresponding to the set of URL values (Motsinger: par. 0004, documents on the web, referred to as web pages, are typically written in a hypertext markup language (HTML) or similar mark-up language, and identified by uniform resource locators (URLs) or uniform resource identifiers (URIs) that specify a particular computer and pathname by which a file or resource can be accessed. Codes, often referred to as tags, embedded in an HTML document associate particular words and images in the document with URLs so that a user or client can access another file or page by pressing a key or clicking a mouse button. These files generally comprise text, images, videos, and audio, as well as applets or other embedded software programs, written in for example, Java or ActiveX, that execute when the user or client activates them by clicking on a hyperlink. A user or client viewing a web page can also interact with components that, for example, forward requested information supplied by the client to a server through the use of forms, download files via file transfer protocol (FTP), facilitate user or client participation in chat rooms, conduct secure business transactions, and send messages to other users or clients via e-mail by using links on the web page).
Regarding claim 7, Kim, Motsinger, and Song disclose the method of claim 6.
Motsinger further discloses wherein filtering any attribute values that cannot be considered indicative of an attack further comprises determining that at least one of the one or more resources matches at least one known malicious script pattern (Motsinger: par. 0010, a second technique involves the installation of a network filter in front of an application and updating the filter database with known patterns that can affect the application; par. 0145, at step ST10, application filter AF can determine whether the request-URI matches include pattern).
Regarding claim 8, Kim, Motsinger, and Song disclose the method of claim 7.
Motsinger further discloses wherein filtering any attribute values that cannot be considered indicative of an attack further comprises including, in the new set of attribute values, those of the set of URL values that correspond to those of the one or more resources determined to have matched at least one known malicious script pattern (Motsinger: par. 0010, a second technique involves the installation of a network filter in front of an application and updating the filter database with known patterns that can affect the application; par. 0145, at step ST10, application filter AF can determine whether the request-URI matches include pattern).
Regarding claim 9, Kim, Motsinger, and Song disclose the method of claim 7.
Motsinger further discloses wherein determining that at least one of the one or more resources matches at least one known malicious script pattern comprises: determining that the at least one of the one or more resources includes scripting language code (Motsinger: par. 0364, detector D47 can trigger when a cookie returned from the web application has been modified. When a server (such as server S and web server WS shown in FIGS. 1A and IB, respectively) issues session cookies to a client (such as clients Cl, C2, and C3 shown in FIG. 1A and web-enabled devices WED1, WED2, and WED3 shown in FIG. IB), the cookies should normally be returned with the same value as that set by the web server. If the value is different, it can indicate that the user of the web-enabled device has altered the value. Detector D47 can be disabled for the web applications that are designed to use client side scripting that can alter the value).
Regarding claim 10, Kim, Motsinger, and Song disclose the method of claim 7. Motsinger further disclose wherein determining that at least one of the one or more resources (Motsinger: par. 0364, detector D47 can trigger when a cookie returned from the web application has been modified. If the value is different, it can indicate that the user of the web-enabled device has altered the value. Detector D47 can be disabled for the web applications that are designed to use client side scripting that can alter the value).
Regarding claim 11, claim 11 is directed to a computer program product associated with the method claimed in claim 1; Claim 11 is similar scope to claim 1 and is therefore rejected similar rationale.
Regarding claims 12-20, claims 12-20 are directed to a computer program product associated with the method claimed in claims 2-10, respectively; Claims 12-20 are similar scope to claims 2-10, respectively, and are therefore rejected similar rationale.
Conclusion
THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
  The examiner can normally be reached from 10 AM to 6 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
		If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached at 571-272-6798.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ELLEN TRAN/Primary Examiner, Art Unit 2433                                                                                                                                                                                                        19 January 2021