DETAILED ACTION
This final office action is in response to claims 1-2, 7-15, 19-20, 25-33, and 37-38 filed on 12/12/2021 for examination. Claims 1-2, 7-15, 19-20, 25-33, and 37-38 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Response to Amendment
The amendment filed December 12, 2021 has been entered. Claims 1-2, 7-15, 19-20, and 25-33 remain pending in the application. The claims have been amended. Further, claims 37-38 are newly added. Applicant’s arguments and amendments to the claims respond to rejections previously set forth in the Non-Final Office Action mailed September 17, 2020. Claims 1 and 19 have been amended and have necessitated a new ground(s) of rejection in this Office Action. Therefore, Applicants’ arguments filed on 12/19/2019 have been fully considered but are moot in view of the new ground(s) of rejection because the arguments do not apply to any of the updated reference(s) being used in the current rejection.

Claim Objections
Claims 1, 7, 9, 19, 25, 27, and 37-38 is/are objected to because of the following informalities:
Claim 1 recites “base-rule patterns” (line 4) and “at least one base-rule pattern” (line 20). Subsequently claim 1 recites “the base-rule patterns” (lines 21, 23-24 and line 27). There is unclear antecedent basis as to which of the first or second introduced base-rule patterns are referred to by “the base-rule patterns”. Claims 7, 19, 25, and 37-38 recite a similar deficiency.
Claim 1 recites “custom-rule patterns” (line 4) and “at least one custom-rule pattern” (line 16). Subsequently claim 1 recites  “the custom-rule patterns” (lines 22, 24-25, and 27). There is unclear antecedent basis as to which of the first or second introduced custom-rule patterns are referred to by “the custom-rule patterns”. Claims 7, 19, 25, and 37-38 recite a similar deficiency.
Claim 1 recites “at least one white-list pattern” (line 8), “at least one white-list pattern” (line 9), “at least one white-list pattern” (line 10), “at least one white-list pattern” (line 12), and “at least one white-list pattern” (lines 26-27). It is unclear as to whether each of the subsequently introduced “at least one white-list pattern” refer to the original “at least one white-list pattern”. For consistency with previously introduced terms in the claim, examiner suggests amending to recite, e.g., “the at least one white-list pattern” after introduction of the first “at least one white-list pattern”. Claims 9, 19, and 27 recite a similar deficiency.
Claim 1 recites “subsequent to phase one filtering […]” in line 17. For clarity of antecedent basis with the previously introduced term (see line 14), examiner suggests amending to, e.g., “subsequent to the 
Claim 19 recites “that are not URLs (uniform resource locators.” Examiner suggests amending to close the parenthesis, and if intended finish this amended limitation as presented with claim 1 (as appears to be the intention based on the arguments pg. 12).
Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims  1-2, 7-15, 19-20, 25-33, and 37-38 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Particularly:
Claim 1 recites the limitation "the logic" in lines 7, 13, and 26. There is insufficient antecedent basis for this limitation in the claim. Claim 19 recites a similar deficiency, and is rejected under a like rationale. Claims 2, 7-15, 20, 25-33, and 37-38 are dependent on claims 1 or 19, and are rejected for at least the same reason as their base claim. 
Claim 1 recites “the step” in lines 14 and 18. There is insufficient antecedent basis for this limitation in the claim. Claims 2 and 19 recite a similar deficiency, and are rejected under a like rationale. Claims 7-15, 20, 25-33, and 37-38 are dependent on claims 1 or 19, and are rejected for at least the same reason as their base claim.
Claim 10 recites the limitation “the modified service request” in line 3. There is insufficient antecedent basis for this limitation in the claim. Claim 28 recites a similar deficiency, and is rejected under a like rationale.
Claim 13 recites the limitations "the discovered custom-rule pattern" and “the discovered base-rule pattern” in lines 3-4. There is insufficient antecedent basis for these limitations in the claim. Claim 31 recites a similar deficiency, and is rejected under a like rationale.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 8-9, 11-12, 14, 19-20, 26-27, 29-30, and 32 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hamilton et al. (US20060114832, Hereinafter “Hamilton”) in view of Levow et al. (US20160127461, Hereinafter “Levow”).
In regards to claim 1, Hamilton discloses a method for preventing computer attacks in a network comprising a plurality of protected computer-assets (abstract: “The method includes detecting an event associated with data communication arriving at the node from the first data network, and determining whether the data communication is to be suspended for service at the node based on the detected event.”; [0057] – viruses attacks are blocked), performed by a processing unit of an apparatus (service node 30, Fig. 1A), comprising: 
providing a plurality of white-list patterns ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a , base-rule patterns ([0084] – stored legitimate business site list 83 for request filtering), and custom-rule patterns ([0082-83] – stored override list 79 for request filtering); 
receiving a service request from a client system, wherein the service request requests a service to one of the protected computer-assets (first end station 12 requests a service of second end station 16, fig. 1, e.g.: [0066], e.g., “The packet inspection engine 32 suspends a flow of packets 22 from the first end station 12 to the second end station 16 after detecting characteristics of the flow 22 that indicates that a communication protocol (e.g., HTTP) is in a particular state. In this case, the detected state corresponds to a content request (e.g., an HTTP GET command). The packet inspection engine 32 inspects a packet in the suspended flow to determine information to characterize the content request (e.g., a uniform resource identifier (URI), or uniform resource locator (URL)), and sends the information to the content filtering engine 34.”; [0057] – the node protects the system from attacks); 
performing the logic of: 
determining whether the service request contains at least one white-list pattern ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed.”; [0014], e.g., “The list includes a white list and the data communication is continued if information in the data communication corresponds to an entry in the white list.); 
when the service request contains at least one white-list pattern (see, e.g., fig. 1C, “is URL in whitelist”, then following “yes” path), forwarding the service request to the protected computer-asset when discovering a white-list pattern from the service request ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed.”; 62 will make a decision as to the handling of the request 64 and provide instruction via an API to the Packet Inspection Function 60. The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68”; see fig. 1C and “yes” path to serve content 66); and 
when the service request does not contain at least one white-list pattern (see, e.g., fig. 1C, “is URL in whitelist”, then following “no” path), performing the logic of: 
performing a phase one filtering ([0082-0084] – the filtering comprising the standard-use filtering of a whitelist, blacklist, and override/custom rule <phase one> before the subsequent optional filtering [0084], equivalent to applicant’s phase one filtering which may include a whitelist, blacklist, and custom rule (see applicant specification, [0019]) comprising the step of: 
performing an attack prevention operation when the service request comprises at least one custom-rule pattern (see, e.g., [0082-0083] & fig. 1C: “is URL in Override list”, then following “yes” path, then “no” path from block 80 to block the request <i.e., an attack prevention operation, see [0057]>); and 
subsequent to phase one filtering, performing a phase two filtering ([0082]&[0084] – following standard filtering (as in [0082]), additional optional filtering may be performed <i.e., phase two> (as in [0084]); see, additionally, fig. 1C: “is URL in Override List”, then following “no” path to “is URL in Legitimate Business Site List” <further optional filtering is subsequent>) comprising the step of: 
performing the attack prevention operation when the service request comprises at least one base-rule pattern (see, e.g., [0082-0084] & fig. 1C: “is URL in Legitimate Business Site List”, then following “yes” path, then “no” path from block 80 to block the request  <i.e., an attack prevention operation, see [0057]>); 
wherein the base-rule patterns include patterns related to vulnerabilities in protected computer-assets not present in the network (Fig. 1C “82” & [0084] disclose filtering each requests in the content filtering engine involving known legitimate businesses and/or legitimate business URLs <i.e., these rules would cover any systems, even those note currently present in the network>; [0057] – the node filtering may be to a firewall and/or virus protection service <i.e., related to vulnerabilities in computer assets>), the custom-rule patterns are related to vulnerabilities in only protected [[requestors]] present in the network ([0082], [0072] – override rules <i.e., custom rules> cover specific user profiles on the network; [0057] – the node filtering may be to a firewall and/or virus protection service <i.e., related to vulnerabilities in computers>), and the base-rule patterns include patterns covering more types of protected computer-assets than the custom-rule patterns (as the override rules <i.e., custom rules> of Hamilton cover specific users profiles on the network <see as with regards to [0082]> and the business rules cover any of the requests involving business’s sites <see with regards to [0084]>, the business rule patterns cover (or in most typical use cases would cover) more types of computer-assets than the override-rule patterns); 
wherein the logic performed when the service request does not contain at least one white-list pattern terminates when an attack prevention operation is performed (see, e.g., fig. 1C, wherein the “No” arrow extends from the “Is URL in whitelist” <i.e., the request does not contain at least one white-list patter>, then the “Yes” arrow extending from the “Is URL in the Blacklist” to the blocking page 68 <i.e., the subsequent filtering is not performed when the attack prevention option is performed>).
While Hamilton discloses customized rules for specific user profiles (see, e.g., [0082]), Hamilton appears to fail to specifically disclose the custom-rule patterns for only protected computer-assets present in the network; and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators) or IP addresses.
Levow discloses a system for receiving requests and determining whether to allow or deny access to content based on a series of access policies (see abstract, [0016]), with custom-rule patterns for only the protected computer-assets present in the network ([0016], [0011] – custom policies may be specific to each of the monitored system’s requestors <i.e., rules relate to only requestors within the protected network>, wherein the requestor accesses via their associated electronic device <i.e., the user’s specific device is protected by the rule, but a different user’s device is not>); and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators) or IP addresses ([0016] – “the policies and constraints are applicable at the website level (e.g., all contents on YouTube are accessible or not by certain content requester), at the category level (e.g., URL's including certain keywords or phrases are allowed or denied for access)” <i.e., defined policies may be based on strings located in the URL>; note: while applicant’s language denotes “patterns that are not URLs”, it is clear from applicant’s specification and remarks (see, e.g., remarks pg. 11) that strings included in a URL are not interpreted by applicant as a URL).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hamilton with the teachings of Levow, wherein the custom-rule patterns cover only protected computer-assets present in the network; and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators) or IP addresses, so that requests may be controlled on a per-device and per-content basis in lieu of blocking an entire website (see, e.g., Levow at [0003]).

In regards to claim 2, the combination of Hamilton and Levow teach the method of claim 1, further comprising providing a plurality of black-list patterns (Hamilton at [0070] – “The white/black list module 46 provides “white listing” and “black listing” functions for quickly identifying content requests that are to be allowed and denied, respectively. If a request string corresponds to a string 48, then the content request is allowed. If a request string corresponds to a string found in a black list 50, then the content request is denied”; [0071] – “For request strings that do not correspond to a string in either the white list 48 or the black list 50, the white/black list module 46 submits information in the request string (e.g., a URL) to the categorization database 36 which replies with an identifier (e.g., a number from 1 to N) describing in which of N categories the content request has been categorized. For example, the categorization database 36 can be provided by a third party vendor (e.g., SurfControl™, from SurfControl Inc. of Westborough, Mass.) that maintains a database of URIs and URLs categorized according to the content that they provide.”), wherein the step for performing a phase one filtering further comprises: performing an attack prevention operation when the service request comprises at least one black-list pattern (Hamilton at the white-list/black-list patterns may comprise patterns that appear in the request strings: [0070] – “The white/black list module 46 provides “white listing” and “black listing” functions for quickly identifying content requests that are to be allowed and denied, respectively. If a request string corresponds to a string found in a white list 48, then the content request is allowed. If a request string corresponds to a string found in a black list 50, then the content request is denied”; [0061] – “The process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed”).  

In regards to claim 8, the combination of Hamilton and Levow teach t 1he method of claim 1, wherein the service request comprises a layer 7 2message (Hamilton at [0029]-[0030] – “Detecting the event includes detecting a protocol state based on protocol information in a payload of a packet of the data communication. The protocol information in the payload of the packet includes application layer protocol information.” [emphasis added]).

In regards to claim 9, the combination of Hamilton and Levow teach the method of claim 1, wherein the service request is carried by a plurality of TCP/IP (Transmission Control Protocol/Internet Protocol) packets (Hamilton at [0034]-[0036] – types of filtering may be to packet request flows for a TCP/IP connection), the method comprising: caching the TCP/IP packets (Hamilton at [0034]-[0036] and [0061] – types of filtering may be to packet request flows for a TCP/IP connection, the packets are received, then analyzed <i.e., cached for analyzing>, then the system determines whether to forward the packets to their destination); and forwarding the cached TCP/IP packets to the protected computer-asset when discovering that a white-list pattern is included in the service request (Hamilton at [0034]-[0036] – types of filtering may be to packet request flows for a TCP/IP connection, the packets are received, then analyzed <i.e., cached for analyzing>, then the system determines whether to forward the packets to their destination; [0017] and [0061] – the packet flow forwarded if the information in the data communication corresponds to an entry in the white list).  

In regards to claim 11, the combination of Hamilton and Levow teach the method of claim 1, wherein the attack prevention operation is performed to drop the service request, without forwarding the service request to the protected computer-asset (Hamilton at [0067] – “The Content Filtering Function 62 will make a decision as to the handling of the request 64 and provide instruction via an API to the Packet Inspection Function 60. The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68.”).  

In regards to claim 12, the combination of Hamilton and Levow teach the method of claim 1, wherein the attack prevention operation is performed to block the service request from being forwarded to the protected computer-asset and respond with a message to the client system (Levow at [0017] – “If a match is found, the traffic interceptor 106 is configured to allow or block/deny the request and notify the content requester accordingly (e.g., via an approved or blocked webpage on the electronic device 102) without forwarding the request to the traffic moderator 108.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hamilton with the teachings of Levow, wherein the attack prevention operation is 2performed to block the service request from being forwarded to the protected computer-asset and respond with a message to the client system, so that users may be alerted they are performing an unauthorized action and alter their request.  

In regards to claim 14, the combination of Hamilton and Levow teach the method of claim 1, wherein the attack prevention operation is performed to respond to the client system with an url (uniform resource locator) linking to a warning web page (Levow at [0017] – “If a match is found, the traffic interceptor 106 is configured to allow or block/deny the request and notify the content requester accordingly (e.g., via an approved or blocked webpage on the electronic device 102) without forwarding the request to the traffic moderator 108.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hamilton with the teachings of Levow, wherein the attack prevention operation is 2performed to respond to the client system with an url (uniform resource locator) 3linking to a warning web page, so that users may see and be alerted that they are performing an unauthorized action and alter their request.

In regards to claim 19, Hamilton discloses an apparatus for preventing computer attacks in a network comprising a plurality of protected computer-assets (abstract: “The method includes detecting an event associated with data communication arriving at the node from the first data network, , comprising: 
a storage device, storing a plurality of white-list patterns ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed.”; [0014] & [0017] – a whitelist is stored on the system), base-rule patterns ([0084] – stored legitimate business site list 83 for request filtering), and custom-rule patterns([0082-83] – stored override list 79 for request filtering); and 
a processing unit (service node 30, Fig. 1A), configured to: 
receive a service request from a client system, wherein the service request requests a service to one of the protected computer-assets (first end station 12 requests a service of second end station 16, fig. 1, e.g.: [0066], e.g., “The packet inspection engine 32 suspends a flow of packets 22 from the first end station 12 to the second end station 16 after detecting characteristics of the flow 22 that indicates that a communication protocol (e.g., HTTP) is in a particular state. In this case, the detected state corresponds to a content request (e.g., an HTTP GET command). The packet inspection engine 32 inspects a packet in the suspended flow to determine information to characterize the content request (e.g., a uniform resource identifier (URI), or uniform resource locator (URL)), and sends the information to the content filtering engine 34.”; [0057] – the node protects the system from attacks); perform the logic of: 
determining whether the service request contains at least one white-list pattern ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed.”; [0014], e.g., “The list includes a white list and the data communication is continued if information in the data communication corresponds to an entry in the white list.”); 
when the service request contains at least one white-list pattern (see, e.g., fig. 1C, “is URL in whitelist”, then following “yes” path), forwarding the service request to the protected computer-asset ([0061], e.g., “process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed.”; [0078], e.g., “The Content Filtering Function 62 will make a decision as to the handling of the request 64 and provide instruction via an API to the Packet Inspection Function 60. The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68”; see fig. 1C and “yes” path to serve content 66); and 
when the service request does not contain at least one white-list pattern(see, e.g., fig. 1C, “is URL in whitelist”, then following “no” path), performing the logic of: performing a phase one filtering ([0082-0084] – the filtering comprising the standard-use filtering of a whitelist, blacklist, and override/custom rule <phase one> before the subsequent optional filtering [0084], equivalent to applicant’s phase one filtering which may include a whitelist, blacklist, and custom rule (see applicant specification, [0019]) comprising the step of: 
performing an attack prevention operation when the service request comprises at least one custom-rule pattern (see, e.g., [0082-0083] & fig. 1C: “is URL in Override list”, then following “yes” path, then “no” path from block 80 to block the requested); and 
subsequent to phase one filtering, performing a phase two filtering ([0082]&[0084] – following standard filtering (as in [0082]), additional optional filtering may be performed <i.e., phase two> (as in [0084]); see, additionally, fig. 1C: “is URL in Override List”, then following “no” path to “is URL in Legitimate Business Site List” <further optional filtering>) comprising the step of: performing the attack prevention operation when the service request comprises at least one base-rule pattern (see, e.g., [0082-0084] & fig. 1C: “is URL in Legitimate Business Site List”, then following “yes” path, then “no” path from block 80 to block the requested); 
wherein the base-rule patterns include patterns covering protected computer-assets not present in the network (Fig. 1C “82” & [0084] disclose filtering each requests in the content filtering engine involving known legitimate businesses and/or legitimate business’’ URLs <i.e., these rules would cover any systems, even those note currently present in the network>; [0057] – the node filtering may be to a firewall and/or virus protection service <i.e., related to vulnerabilities in computers>), the custom-rule patterns cover only protected [[requestors]] present in the network ([0082], [0072] – override rules <i.e., custom rules> cover specific user profiles on the network; [0057] – the node filtering may be to a firewall and/or virus protection service <i.e., related to vulnerabilities in computers>), and the base-rule patterns include patterns covering more types of protected computer-assets than the custom-rule patterns (as the override rules <i.e., custom rules> of Hamilton cover specific users profiles on the network <see as with regards to [0082]> and the business rules cover any of the requests involving business’s sites <see with regards to [0084]>, the business rule patterns cover (or in most typical use cases would cover) more types of computer-assets than the override-rule patterns); 
wherein the logic performed when the service request does not contain at least one white-list pattern terminates when an attack prevention operation is performed (see, e.g., fig. 1C, wherein the “No” arrow extends from the “Is URL in whitelist” <i.e., the request does not contain at least one white-list patter>, then the “Yes” arrow extending from the “Is URL in the Blacklist” to the blocking  page 68 <i.e., the subsequent filtering is not performed when the attack prevention option is performed>).
While Hamilton discloses customized rules for specific user profiles (see, e.g., [0082]), Hamilton appears to fail to specifically disclose the custom-rule patterns are related to vulnerabilities in only computer-assets present in the network; and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators) or IP addresses.
However, Levow discloses a system for receiving requests and determining whether to allow or deny access to content based on a series of access policies (see abstract, [0016]), with custom-rule patterns for only protected computer-assets present in the network ([0016], [0011] – policies may be specific to each of the monitored system’s requestor <i.e., related to only assets within the protected network> <i.e., custom rules>, wherein the requestor accesses via their associated electronic device <i.e., the user’s specific device is protected by the rule, but a different user’s device is not>); and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators ([0016] – “the policies and constraints are applicable at the website level (e.g., all contents on YouTube are accessible or not by certain content requester), at the category level (e.g., URL's including certain keywords or phrases are allowed or denied for access)” <i.e., defined policies may be based on strings located in the URL>; note: while applicant’s language denotes “patterns that are not URLs”, it is clear from applicant’s specification and remarks (see, e.g., remarks pg. 11) that strings included in a URL are not interpreted by applicant as a URL).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hamilton with the teachings of Levow, wherein the custom-rule patterns cover only protected computer-assets present in the network; and Page 2 of 14Appl. No. 15/770,749Date: December 12, 2020wherein the custom-rule patterns and the base-rule patterns each include patterns that are not URLs (uniform resource locators) or IP addresses, so that requests may be controlled on a per-device and per-content basis in lieu of blocking an entire website (see, e.g., Levow at [0003]).

In regards to claim 20, the combination of Hamilton and Levow teach the apparatus of claim 19, wherein the storage device stores a plurality of black-list patterns, and the processing unit, during the phase one filtering, performs an attack prevention operation when the service request comprises at least one black-list pattern (Hamilton at [0061] – “The process of categorizing the request to determine if it should be allowed typically involves a number of phases. The first phase is usually a comparison against a white or black list where requests are either allowed or disallowed”; [0070] – “The white/black list module 46 provides “white listing” and “black listing” functions for quickly identifying content requests that are to be allowed and denied, respectively. If a request string corresponds to a string found in a white list 48, then the content request is allowed. If a request string corresponds to a string found in a black list 50, then the content request is denied”; [0071] – “For request strings that do not correspond to a string in either the white list 48 or the black list 50, the white/black list module 46 submits information in the request string (e.g., a URL) to the categorization database 36 which replies with an identifier (e.g., a number from 1 to N) describing in which of N categories the content request has been categorized. For example, the categorization database 36 can be provided by a third party vendor (e.g., SurfControl™, from SurfControl Inc. of Westborough, Mass.) that maintains a database of URIs and URLs categorized according to the content that they provide.”).  

In regards to claim 26, the combination of Hamilton and Levow teaches the apparatus of claim 19, wherein the service request comprises a layer 7 message (Hamilton at [0029]-[0030] – “Detecting the event includes detecting a protocol state based on protocol information in a payload of a packet of the data communication. The protocol information in the payload of the packet includes application layer protocol information.” [emphasis added]).  

In regards to claim 27, the combination of Hamilton and Levow teaches the apparatus of claim 19, further comprising: Page 5 of 14Appl. No. 15/770,749Date: December 12, 2020 a memory caching the TCP/IP (Transmission Control Protocol/Internet Protocol) packets (Hamilton at [0034]-[0036] – types of filtering may be to packet request flows for a , wherein the service request is carried by a plurality of TCP/IP packets (Hamilton at [0034]-[0036] and [0061] – types of filtering may be to packet request flows for a TCP/IP connection, the packets are received, then analyzed <i.e., cached for analyzing>, then the system determines whether to forward the packets to their destination), and the processing unit forwards the cached TCP/IP packets to the protected computer-asset when discovering that a white-list pattern is included in the service request (Hamilton at [0034]-[0036] – types of filtering may be to packet request flows for a TCP/IP connection, the packets are received, then analyzed <i.e., cached for analyzing>, then the system determines whether to forward the packets to their destination; [0017] and [0061] – the packet flow forwarded if the information in the data communication corresponds to an entry in the white list).  

In regards to claim 29, the combination of Hamilton and Levow teach the apparatus of claim 19, wherein the attack prevention operation is performed to drop the service request, without forwarding the service request to the protected computer-asset (Hamilton at [0067] – “The Content Filtering Function 62 will make a decision as to the handling of the request 64 and provide instruction via an API to the Packet Inspection Function 60. The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68.”).  

In regards to claim 30, the combination of Hamilton and Levow teach the apparatus of claim 19, wherein the attack prevention operation is performed to block the service request from being forwarded to the protected computer-asset and respond with a message to the client system (Levow at [0017] – “If a match is found, the traffic interceptor 106 is configured to allow or block/deny the request and notify the content requester accordingly (e.g., via an approved or blocked webpage on the 102) without forwarding the request to the traffic moderator 108.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Hamilton with the teachings of Levow, wherein the attack prevention operation is 2performed to block the service request from being forwarded to the protected computer-asset and respond with a message to the client system, so that users may be alerted they are performing an unauthorized action and alter their request.

In regards to claim 32, the combination of Hamilton and Levow teach the apparatus of claim 19, wherein the attack prevention operation is performed to respond to the client system with an url (uniform resource locator) linking to a warning web page (Levow at [0017] – “If a match is found, the traffic interceptor 106 is configured to allow or block/deny the request and notify the content requester accordingly (e.g., via an approved or blocked webpage on the electronic device 102) without forwarding the request to the traffic moderator 108.”). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Hamilton with the teachings of Levow, wherein the attack prevention operation is 2performed to respond to the client system with an url (uniform resource locator) 3linking to a warning web page, so that users may see and be alerted that they are performing an unauthorized action and alter their request.   

Claims 7, 13, 25, and 31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hamilton in view of Levow, further in view of Xie et al. (US20140282816, Hereinafter “Xie”).
In regards to claim 7, the combination of Hamilton and Levow teaches the method of claim 1. Further, while the combination of Hamilton and Levow further disclose custom rule patterns that protect individual user devices (see, e.g., Levow at [0016]), the combination of Hamilton and Levow 
However, Xie discloses a filtering device to protect computer networks against threats (see abstract, [0007]) having a custom-rule pattern in the filtering device ([0095]), wherein the custom-rule patterns are specifically designed for an individual system or vulnerability ([0095] – Further, proxy module 608 may restrict access to/from specific protocols for some machines, while rest machines are allowed to access. For example, some machines may be allowed to access port 21, but port 21 may be blocked on others machines.”)  and the base-rule patterns are designed to prevent common attacks ([0062] – “Some examples of general policies are – “don't allow users to download file having extensions .exe, .wmv, .mp3 or any unknown extensions”; it is inherent preventing downloads of unknown extensions is designed to help prevent common attacks). It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Xie, wherein the custom-rule patterns are specifically 2designed for an individual system or vulnerability and the base-rule 3 patterns are designed to prevent common attacks because the different rule-levels allow administrators broad and localized control of what the machines on the network may access (e.g., Xie at [0062], by avoiding unsafe links). 

In regards to claim 13, the combination of Hamilton and Levow teach the method of claim 1, wherein the attack prevention operation is performed to forward the service request to the protected computer-asset (Hamilton at [0077] – “The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68”) and record a log describing [[a detection time]] with the discovered custom-rule pattern or the discovered base-rule pattern (Hamilton at [0068] – “The DPM 38 optionally reports the result of a request (i.e., allowed or denied) to a log manager 44. For example, the DPM 38 logs the result of a request if a logging flag is set in the request information. The DPM 38 also reports any protocol errors encountered in communication with the packet inspection engine 32 or the request mapper 40 or the profile manager 42 to the log manager 44.”).
Yet, the combination of Hamilton and Levow appear to fail to specifically disclose logging the detection time. However, Xie discloses a filtering device to protect computer networks against threats (see abstract, [0007]) having a custom-rule pattern in the filtering device ([0095]), wherein the log records a detection time when the patterns are detected ([0074] – logging request timestamps: “in a scenario in which the application (e.g., the web browser) through which filtering notifications are to be displayed is not active at the time a request is blocked, the filtering device may log appropriate information (e.g., the action and a timestamp) to allow an asynchronous notification to be provided to the user at a later time when the application is active.”).  It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Xie, to utilize log manager 44, wherein log manager 44 records a 3log describing a detection time with the discovered custom-rule pattern or the 4discovered base-rule pattern because it would allow administrator to see access attempts and behavior of client systems that may be malicious or out of the ordinary. 

In regards to claim 25, the combination of Hamilton and Xie teach the apparatus of claim 19. Further, while the combination of Hamilton and Levow further disclose custom rule patterns that protect individual user devices (see, e.g., Levow at [0016]), the combination of Hamilton and Levow appear to fail to specifically discloses wherein the custom-rule patterns are specifically designed for an individual system or vulnerability and the base-rule patterns are designed to prevent common attacks.  
Xie discloses a filtering device to protect computer networks against threats (see abstract, [0007]) having a custom-rule pattern in the filtering device ([0095]), wherein the custom-rule patterns are specifically designed for an individual system or vulnerability ([0095] – Further, proxy module 608 may restrict access to/from specific protocols for some machines, while rest machines are allowed to access. For example, some machines may be allowed to access port 21, but port 21 may be blocked on others machines.”)  and the base-rule patterns are designed to prevent common attacks ([0062] – “Some examples of general policies are – “don't allow users to download file having extensions .exe, .wmv, .mp3 or any unknown extensions”; it is inherent preventing downloads of unknown extensions is designed to help prevent common attacks). It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Xie, wherein the custom-rule patterns are specifically 2designed for an individual system or vulnerability and the base-rule 3 patterns are designed to prevent common attacks because the different rule-levels allow administrators broad and localized control of what the machines on the network may access (e.g., Xie at [0062], by avoiding unsafe links). 

In regards to claim 31, the combination of Hamilton and Levow teach the method of claim 19, wherein the attack prevention operation is performed to forward the service request to the protected computer-asset (Hamilton at [0077] – “The Packet Inspection Function 60 will either forward the previously suspended request to the content server (API Continue Request) to serve the content 66, instruct the client to redirect to an alternate destination (API Connect Request), or drop the request (API End Request) resulting in the failure of the request, and redirect to a blocking page 68”) and record a log describing [[a detection time]] with the discovered custom-rule pattern or the discovered base-rule pattern (Hamilton at [0068] – “The DPM 38 optionally reports the result of a request (i.e., allowed or denied) to a log manager 44. For example, the DPM 38 logs the result of a request if a logging flag is set 38 also reports any protocol errors encountered in communication with the packet inspection engine 32 or the request mapper 40 or the profile manager 42 to the log manager 44.”).
Yet, the combination of Hamilton and Levow appear to fail to specifically disclose logging the detection time. However, Xie discloses a filtering device to protect computer networks against threats (see abstract, [0007]) having a custom-rule pattern in the filtering device ([0095]), wherein the log records a detection time when the patterns are detected ([0074] – logging request timestamps: “in a scenario in which the application (e.g., the web browser) through which filtering notifications are to be displayed is not active at the time a request is blocked, the filtering device may log appropriate information (e.g., the action and a timestamp) to allow an asynchronous notification to be provided to the user at a later time when the application is active.”).  It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Xie, to utilize log manager 44, wherein log manager 44 records a 3log describing a detection time with the discovered custom-rule pattern or the 4discovered base-rule pattern because it would allow administrator to see access attempts and behavior of client systems that may be malicious or out of the ordinary. 

Claims 10 and 28 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hamilton in view of Levow, further in view of Ichnowski (US20110219446, Hereinfter “Ichnowski”).
1In regards to claim 10, the combination of Hamilton and Levow teach the method of claim 1. The combination of Hamilton and Levow fail to teach wherein the attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context, and forward the modified service request to the protected 4computer-asset.
However, Ichnowski teaches wherein an attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context ([0026] – “a malicious 250. That is, a malicious person could use the form 245 as a platform for launching an SQL injection attack. To address this scenario, in one embodiment, an input parameter filter may be used to evaluate the strings included in the form and replace a set of triggering characters prior to the input fields being passed to and processed by the application server.”; also, Fig. 4), and forward the modified service request to the protected 4computer-asset ([0026] – “To address this scenario, in one embodiment, an input parameter filter may be used to evaluate the strings included in the form and replace a set of triggering characters prior to the input fields being passed to and processed by the application server.” [emphasis added]; See also, Fig. 4, block 445). It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Ichnowski, wherein the attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context, and forward the modified service request to the protected 4computer-asset, because it would sanitize queries to prevent SQL injection attacks (Ichnowski at [0026]).

23WO 2017/074402PCT/US2015/058158In regards to claim 28, the combination of Hamilton and Levow teach the apparatus of claim 19. The combination of Hamilton and Levow appear to fail to teach wherein the attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context, and forward the modified service request to the protected 4computer-asset.  
However, Ichnowski teaches wherein the attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context ([0026] – “a malicious person could cause a database on the server to execute an arbitrary SQL statement using an appropriately crafted exploit string 250. That is, a malicious person could use the form 245 as a platform for launching an SQL injection attack. To address this scenario, in one embodiment, an input parameter , and forward the modified service request to the protected 4computer-asset ([0026] – “To address this scenario, in one embodiment, an input parameter filter may be used to evaluate the strings included in the form and replace a set of triggering characters prior to the input fields being passed to and processed by the application server.” [emphasis added]; See also, Fig. 4, block 445). It would have been obvious for one of ordinary skill in the art to modify the combination of Hamilton and Levow with the teachings of Ichnowski, wherein the attack prevention operation is 2performed to replace special characters to prevent strings from switching into any 3execution context, and forward the modified service request to the protected 4computer-asset, because it would sanitize queries to prevent SQL injection attacks (Ichnowski at [0026]).

Claims 15 and 33 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hamilton in view of Levow, further in view of Brickell (US20060021029, Hereinafter “Brickell”).
1In regards to claim 15, the combination of Hamilton and Levow teach the method of claim 1. The combination of Hamilton and Levow fail to teach wherein the attack prevention operation is 2performed to forward the service request to a destination site of a sandbox.  
However, Brickell teaches wherein the attack prevention operation is 2performed to forward the service request to a destination site of a sandbox ([0032] – “At block 304, once files are determined to be suspect, the entity marks the suspect files to denote that they are suspect. One skilled in the art will recognize that there are many ways to mark the files”; and [0033] – “At block 308, it may be determined whether the file is currently marked as suspect. If the file is not suspect, then the file may be executed or accessed within the user virtual machine at block 310. If the file is suspect, then the file may be processed within a sandbox virtual machine. In one embodiment, at block 312 a sandbox virtual . It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton and Levow as taught by Brickell, wherein the attack prevention operation is 2performed to forward the service request to a destination site of a sandbox, because it would improve computer security by opening the suspected/flagged program to analyze the attack code and contain the attack (see, e.g., Brickell at [0013]).

24WO 2017/074402PCT/US2015/05815823WO 2017/074402PCT/US2015/058158In regards to claim 33, the combination of Hamilton and Levow teach the method of claim 19. The combination of Hamilton and Levow appear to fail to teach wherein the attack prevention operation is 2performed to forward the service request to a destination site of a sandbox.  
However, Brickell teaches wherein the attack prevention operation is 2performed to forward the service request to a destination site of a sandbox ([0032] – “At block 304, once files are determined to be suspect, the entity marks the suspect files to denote that they are suspect. One skilled in the art will recognize that there are many ways to mark the files”; and [0033] – “At block 308, it may be determined whether the file is currently marked as suspect. If the file is not suspect, then the file may be executed or accessed within the user virtual machine at block 310. If the file is suspect, then the file may be processed within a sandbox virtual machine. In one embodiment, at block 312 a sandbox virtual machine may be created to process this particular file access request. In another embodiment, a permanent sandbox virtual machine may be active in the processing system to handle all such requests to access suspect files.”). It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton and Levow as taught by Brickell, wherein the attack prevention operation is 2performed to forward the service request Brickell at [0013]).

Claims 37 and 38 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hamilton in view of Levow, further in view of Motsinger et al. (US20050198099, Hereinfter “Motsinger”) and Ross et al. (US20090119769, Hereinafter “Ross”).
	
In regards to claim 37, the combination of Hamilton and Levow teach the method of claim 1. The combination of Hamilton and Levow teach wherein the custom-rule patterns comprise strings that when included in a url (uniform resource locator) of a get request trigger an application error and/or encoded malicious content related to vulnerabilities of specific protected computer- assets present in the network, and the base-rule patterns comprise strings found in executable scripts and/or malicious scripts.  
However, Motsinger discloses a system for receiving access requests at a detector and scanning them for attacks (abstract, [0107]), wherein the custom-rule patterns comprise strings that when included in a url (uniform resource locator) of a get request trigger an application error and/or encoded malicious content related to vulnerabilities of specific protected computer- assets present in the network ([0350-0357] – a get URL request is received at detector system, the detector checks the received URL for encoded attack strings that when received are unsupported by specific systems and may be used to attack the system <e.g., [0355] when “% uXXXX” is detected in a URL encoded string by the detector, the detector recognizes this is an attack string in [0356]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton and Levow with the teachings of Motsinger, wherein the custom-rule patterns comprise strings that when included in a url (uniform 
The combination of Hamilton, Levow, and Motsinger appear to fail to specifically disclose wherein the base-rule patterns comprise strings found in executable scripts and/or malicious scripts.  
However, Ross discloses a system for detecting XSS attacks to a client system by filtering requests (see abstract, [0006]), the base-rule patterns comprise strings found in executable scripts and/or malicious scripts ([0007] and [0046] – URLs are checked for portions/patterns indicative of XSS attacks; [0002] and [0032] – XSS attacks are wherein malicious scripts are included in the URL <i.e., the URLs a filtered for these malicious scripts based on strings>).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton, Levow, and Motsinger with the teachings of Ross, wherein the base-rule patterns comprise strings found in executable scripts and/or malicious scripts, to detect and remove attempts to attack the client device using malicious links (see, e.g., Ross at [0001]-[0003]).

In regards to claim 38, the combination of Hamilton and Levow teach the apparatus of claim 19. The combination of Hamilton and Levow teach wherein the custom-rule patterns comprise strings that when included in a url (uniform resource locator) of a get request trigger an application error and/or encoded malicious content related to vulnerabilities of specific protected computer- assets present in the network, and the base-rule patterns comprise strings found in executable scripts and/or malicious scripts.  
Motsinger discloses a system for receiving access requests at a detector and scanning them for attacks (abstract, [0107]), wherein the custom-rule patterns comprise strings that when included in a url (uniform resource locator) of a get request trigger an application error and/or encoded malicious content related to vulnerabilities of specific protected computer- assets present in the network ([0350-0357] – a get URL request is received at detector system, the detector checks the received URL for encoded attack strings that when received are unsupported by specific systems and may be used to attack the system; e.g., [0355] when “% uXXXX” is detected in a URL encoded string by the detector, the detector recognizes this is an attack string in [0356]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton and Levow with the teachings of Motsinger, wherein the custom-rule patterns comprise strings that when included in a url (uniform resource locator) of a get request trigger an application error and/or encoded malicious content related to vulnerabilities of specific protected computer- assets present in the network, so that rules may be created to protect against the web server attacks designed to circumvent standard intrusion prevention systems (see, e.g., [0356-0357]).
The combination of Hamilton, Levow, and Motsinger appear to fail to specifically disclose wherein the base-rule patterns comprise strings found in executable scripts and/or malicious scripts.  
However, Ross discloses a system for detecting XSS attacks to a client system by filtering requests (see abstract, [0006]), the base-rule patterns comprise strings found in executable scripts and/or malicious scripts ([0007] and [0046] – URLs are checked for portions/patterns indicative of XSS attacks; [0002] and [0032] – detected XSS attacks are wherein malicious scripts are included in the URL <i.e., the URLs a filtered for these malicious scripts based on strings>).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Hamilton, Levow, and Motsinger with the teachings Ross, wherein the base-rule patterns comprise strings found in executable scripts and/or malicious scripts, to detect and remove attempts to attack the client device using malicious links (see, e.g., Ross at [0001]-[0003]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Montoro (US20140101764) teaches extracting characteristics from a header of a received hypertext transport protocol (HTTP) request, determining a first score corresponding to a first characteristic of the characteristics (reflecting phase 1 policies), determining a second score corresponding to a second characteristic of the characteristics (reflecting phase two policies), adding the first score and the second score to determine a combined score, and indicating that the received HTTP request is malware when the combined score meets a threshold (see, e.g., Fig. 3 & rules [0035]-[0043]).
Sainio (US9838392) teaches a proxy platform for receiving network traffic/service requests and enforcing rules (see, e.g., fig. 4, and column 12) including custom rules (e.g. column 9, lines 33-39), base rules (e.g. column 10, lines 3-14), whitelists (e.g. column 12, lines 21-34), blacklists (e.g. column 12, lines 21-34).
Kassovic (US20080276311) teaches multi-phase rule enforcement/filtering of network traffic/service requests (e.g., [0037] – [0042]). 
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA RAYMOND WHITE whose telephone number is (571)272-4365.  The examiner can normally be reached on Monday-Thursday, & Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438