DETAILED ACTION
This non-final office action is in response to claims 1-20 filed on 01/18/2019 for examination. Claims 1-20 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 1/18/2019 have been considered by the examiner. 

Drawings
The drawings are objected to as failing to comply with 37 CFR 1.84(p)(5) because they include the following reference character(s) not mentioned in the description: 230 (see fig. 2), 240 (see fig. 2), 450 (see fig. 4), and 460 (see fig. 4).  Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to add the reference character(s) in the description in compliance with 37 CFR 1.121(b) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the 

Consideration Under 35 USC § 101
Note: the claims have been considered and analyzed by the Examiner under 35 USC § 101 with respect to statutory category and the abstract idea, and appear to recite a form of subject matter statutorily compliant with § 101.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4, 8-11, 13, 16-17, and 19-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yona (US8566444, Hereinafter “Yona”) in view of Mundra et al. (US20120011351, Hereinafter “Mundra”).
Regarding claim 1, Yona discloses a method by a web application layer attack detector implemented by one or more electronic devices (see column 1 line 15-column 2 line 24 – web application requests/packets are received and scanned to detect attacks by a network traffic manager <i.e., attack detector>; column 3, lines 1-28 – received requests may be http resource requests <note: http is application layer protocol>), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (fig. 1 & column 3 lines 30-54: attack detecting network traffic manager 110 is communicatively interposed between client computers 104, 106, and 108 and server 102), the method comprising: 
receiving, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers  (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102 <i.e., web application server>; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received and may be received from different clients); 
forming chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector (column 4, lines 36-58 – access module 214 <i.e., web application layer attack detector> may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined for attacks); 
scanning the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to part of a packet <i.e., the entire packet is not required>. The processing of the requests does not need to be continuous, and may instead be interwoven with ; and 
sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received to determine whether to allow access to the server; column 4, lines 1-19 & column 17, lines 30-39 – when the scanned chunks satisfy the rules they are granted access to the server <i.e., the scanned chunks provided to the intended server to finish the request>).
While Yona discloses receiving multiple streams of requests and processing portions of a packet at a time (columns 2-3), Yona appears to fail to specifically disclose wherein each of the chunks is sized to be less than a preconfigured maximum chunk size.
However, Mundra discloses a system for processing packets received in a data stream (see abstract, [0027]) where the packet stream is split into a plurality of chunks without waiting for the complete packet(s) to finish ([0080]), wherein each of the chunks is sized to be less than a preconfigured maximum chunk size ([0059]-[0060], [0062] – the system receives streams of packets and breaks them into small chunks to be scheduled based upon priority or order of arrival; [0026-0027] – chunks are created such that they have a predetermined length or less; [0080] – chunks may be processed as they arrive without waiting for the complete packet to finish).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yona with the teachings of Mundra, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, to reduce latency in the system by splitting large packets in to smaller sets of data, allowing for finer prioritization of received requests (see, e.g., Mundra at [0059-0060]).

Regarding claim 2, the combination of Yona and Mundra teach the method of claim 1, wherein the forming the chunks from each of the one or more web application layer requests  (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined) comprises: 
forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk (Mundra at [0080] – packets are processed into chunks when a stream is being received, and it is not necessary to wait for the complete packets to arrive to produce a chunk <i.e., when enough information of the packet is received it is chunked, see e.g., [0027] – for determining a predetermined chunk length to be created>), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a last complete element or parameter in the web application layer request that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size (Mundra at [0080] & [0129] – packets are processed into chunks as a stream is being received, and are sequentially processed as they arrive <i.e., one chunk starts where the last one left off>; [0027] & [0263] – packet may be chunked into size less than the predetermined maximum chunk length, including control label such as “start of packet”, “middle of packet”, and “end of packet” (EOP) for linking the payload and indicating the form of chunk).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Yona and Mundra as taught in Mundro, comprising forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk, wherein the chunk is Mundro at [0027] & [0080]).

Regarding claim 4, the combination of Yona and Mundra teach the method of claim 1, further comprising: triggering a security response responsive to detecting, based on a result of the scanning, an attack in one of the chunks (Yona at column 3, lines 30-53 & column 1 lines 15-49 – the client requests are allowed access to the servers only when no attacks are detected <i.e., when an attack is detected, a security response is not allowing server access>).  

Regarding claim 7, the combination of Yona and Mundra teach the method of claim 1, wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received), and wherein the scanning the chunks for attacks comprises: 
interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the .  

Regarding claim 8, the combination of Yona and Mundra teach the method of claim 1, further comprising: 
storing, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams (Mundo at [0027] – each packet contains control information, which is received and stored in the system memory), wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the web application layer request, a content type of the web application layer request, and/or an encoding format of the web application layer request (Mundo at [0027], e.g., “a packet interface circuit includes a control circuit operable to receive packets each having a header and a payload, some of the packets representing a first stream, and some others of the packets representing a second stream, the control circuit operable to assign thread identifications identifying each such stream, a memory, and a chunking circuit operable, when a given such packet has a payload exceeding a predetermined length, to store chunks in the memory so that the chunks have the predetermined length or less, and the chunking circuit operable to load chunk control information <i.e., context information> into the memory, the control information indicating start of packet (SOP), middle of packet (MOP), and end of packet (EOP), depending on the position in the payload of data in a given stored chunk” <i.e., parameter values are provided different to previous chunks>).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Yona and Mundra with the teachings of Mundra, comprising storing, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams, wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the web application layer request, a content type of the web application layer request, and/or an encoding format of the web application layer request, so that the scanning system can link divided packets together (see, e.g., Mundra at [0027], [0142]).

Regarding claim 9, Yona discloses a method by a web application layer attack detector implemented by one or more electronic devices (see column 1 line 15-column 2 line 24 – web application requests/packets are received and scanned to detect attacks by a network traffic manager <i.e., attack detector>; column 3, lines 1-28 – received requests may be http resource requests <note: http is application layer protocol>), wherein the web application layer attack detector is communicatively coupled to a plurality of web application clients and one or more web application servers (fig. 1 & column 3 lines 30-54: attack detecting network traffic manager 110 is communicatively interposed between client computers 104, 106, and 108 and server 102), the method comprising: 
determining, at the web application layer attack detector, to form a first chunk out of a first received part of a first web application layer request that is being sent from a 26Atty. Docket No.: 9034PO45 (IMP-093) first of the plurality of the web application clients and that has an end which has not yet been received (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received <i.e., an end of the request has not yet been received>. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <see line 54>); 
receiving, at the web application layer attack detector, a second web application layer request that is smaller than the first web application layer request, that is being sent from a second of the plurality of the web application clients and that has an end which has been received (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <i.e., a second of the plurality of the web application clients, see line 54>; Note: as would be recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system); 
scanning, at the web application layer attack detector, the first chunk and the second web application layer request for attacks without waiting to receive and store the end of the first web application layer request so that the second web application layer request that is smaller than the first web application layer request is not held in the web application layer attack detector behind the first web application layer request [[that is considered large]]  (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <i.e., a second of the plurality of the web application clients, see line 54>; Note: as would have been recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system); 
forwarding, by the web application layer attack detector, the first chunk and the second web application layer request to one of the one or more web application servers (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received to determine whether to allow access to the server; column 4, lines 1-19 & column 17, lines 30-39 – when the scanned chunks satisfy the rules they are granted access to the server <i.e., the scanned chunks provided to the intended server to finish the request>); and 
determining, at the web application layer attack detector, to form a second chunk out of another received part of the first web application layer request (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received <i.e., second chunks may be formed of each/either stream as they arrive>); and 
scanning, at the web application layer attack detector, the second chunk for attacks after the scanning of the second web application layer request (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received; Note: as would have been recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system).  
While Yona discloses receiving multiple streams of requests and determining to process portions of a packet at a time (columns 2-3), Yona appears to fail to specifically disclose wherein the determining means that the web application layer attack detector considers the first web application layer request to be large.
Mundra discloses a system for processing packets received in a data stream (see abstract, [0027]) and determining to split the packet data stream into a plurality of chunks without waiting for the complete packet(s) to finish ([0080]), wherein the determining means that the web application layer attack detector considers the first web application layer request to be large ([0059]-[0060], [0062] – the system receives streams of packets and breaks them into small chunks to be scheduled based upon priority or order of arrival; [0026-0027] – chunks are created from packets that are too large such that they have a predetermined length or less; [0080] – chunks may be processed as they arrive without waiting for the complete packet to finish).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yona with the teachings of Mundra, wherein the determining means that the web application layer attack detector considers the first web application layer request to be large, to reduce latency in the system by splitting large packets in to smaller sets of data, allowing for finer grain prioritization of received requests and preventing a lengthy packet from monopolizing the pipeline (see, e.g., Mundra at [0027] and [0059-0060]).

Regarding claim 10, Yona discloses a set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more electronic devices, cause the one or more electronic devices to perform operations (column 1, line 61-column 2, line 6 – instructions stored machine readable medium that causes processor to perform system instructions) of a web application layer attack detector (see column 1 line 15-column 2 line 24 – web application requests/packets are received and scanned to detect attacks by a network traffic manager <i.e., attack detector>; column 3, lines 1-28 – received requests may be http resource requests <note: http is application layer protocol>), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (fig. 1 & column 3 lines 30-54: attack detecting network traffic manager 110 is communicatively interposed between client computers 104, 106, and 108 and server 102), the operations comprising: 
receiving, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received); 
forming chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined for attacks);  27Atty. Docket No.: 9034PO45 (IMP-093) 
scanning the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to part of a packet <i.e., the entire packet is not required>. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks of other streams as the requests arrive <i.e., chunk scanning is done whenever enough of a packet for a chunk arrives>); and 
sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received to determine whether to allow access to the server; column 4, lines 1-19 & column 17, lines 30-39 – when the scanned chunks satisfy the rules they are granted access to the server <i.e., the scanned chunks provided to the intended server to finish the request>).  
While Yona discloses receiving multiple streams of requests and processing portions of a packet at a time (columns 2-3), Yona appears to fail to specifically disclose wherein each of the chunks is sized to be less than a preconfigured maximum chunk size.
However, Mundra discloses a system for processing packets received in a data stream (see abstract, [0027]) where the packet stream is split into a plurality of chunks without waiting for the complete packet(s) to finish ([0080]), wherein each of the chunks is sized to be less than a preconfigured maximum chunk size ([0059]-[0060], [0062] – the system receives streams of packets and breaks them into small chunks to be scheduled based upon priority or order of arrival; [0026-0027] – chunks are created such that they have a predetermined length or less; [0080] – chunks may be processed as they arrive without waiting for the complete packet to finish).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yona with the teachings of Mundra, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, to reduce latency in the system by splitting large packets in to smaller sets of data, allowing for finer prioritization of received requests (see, e.g., Mundra at [0059-0060]).

Regarding claim 11, the combination of Yona and Mundra teach the set of one or more non-transitory machine-readable storage media of claim 10, wherein the forming the chunks from each of the one or more web application layer requests (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined) comprises: 
forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk (Mundra at [0080] – packets are processed into chunks when a stream is being received, and it is not necessary to wait for the complete packets to arrive to produce a chunk <i.e., when enough information of the packet is received it is chunked, see e.g., [0027] – for determining a predetermined chunk length to be created>), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a last complete element or parameter in the web application layer request that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size (Mundra at [0080] & [0129] – packets are processed into chunks as a stream is being received, and are sequentially processed as they arrive <i.e., one chunk starts where the last one left off>; [0027] & [0263] – packet may be chunked into size less than the predetermined chunk length, and include control label such as “start of packet”, “middle of packet”, and “end of packet” (EOP) for linking the payload sequentially/indicating chunk type).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Yona and Mundra as taught in Mundro, comprising forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk, wherein the chunk is Mundro at [0027] & [0080]).

Regarding claim 13, the combination of Yona and Mundra teach the set of one or more non-transitory machine-readable storage media of claim 10, wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations (Yona at column 1, line 61-column 2, line 6 – instructions stored machine readable medium that causes processor to perform system instructions) comprising: 
triggering a security response responsive to detecting, based on a result of the scanning, an attack in one of the chunks (Yona at column 3, lines 30-53 & column 1 lines 15-49 – the client requests are allowed access to the servers only when no attacks are detected <i.e., when an attack is detected, a security response is not allowing server access>).  

Regarding claim 16, Yona teaches an electronic device configured to implement a web application layer attack detector (column 1 line 15-column 2 line 24 – web application requests/packets are received and scanned to detect attacks by a network traffic manager <i.e., attack detector>; column 3, lines 1-28 – received requests may be http resource requests <note: http is application layer protocol>), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (fig. 1 & column 3 lines 30-54: attack detecting network traffic manager 110 is communicatively interposed between client , the electronic device comprising: one or more processors (column 3, lines 30- 54 – system operates on processors); and a non-transitory machine-readable storage medium having instructions stored therein, which when executed by the one or more processors, cause the electronic device  (column 1, line 61-column 2, line 6 – instructions stored machine readable medium that causes processor to perform system instructions)  to: 
receive, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers (column 3, lines 1-53 – network traffic manager 110 <i.e., web application layer attack detector> receives http/tcp requests from multiple client computers intended for server 102; column 4 lines 36- 58 – multiple streams each carrying separate requests may be received), 
form chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined for attacks), 
scan the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to part of a packet <i.e., the entire packet is not required>. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks of other streams as the requests arrive <i.e., chunk scanning is done whenever enough of a , and send each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received to determine whether to allow access to the server; column 4, lines 1-19 & column 17, lines 30-39 – when the scanned chunks satisfy the rules they are granted access to the server <i.e., the scanned chunks provided to the intended server to finish the request>).  
While Yona discloses receiving multiple streams of requests and processing portions of a packet at a time (columns 2-3), Yona appears to fail to specifically disclose wherein each of the chunks is sized to be less than a preconfigured maximum chunk size.
However, Mundra discloses a system for processing packets received in a data stream (see abstract, [0027]) where the packet stream is split into a plurality of chunks without waiting for the complete packet(s) to finish ([0080]), wherein each of the chunks is sized to be less than a preconfigured maximum chunk size ([0059]-[0060], [0062] – the system receives streams of packets and breaks them into small chunks to be scheduled based upon priority or order of arrival; [0026-0027] – chunks are created such that they have a predetermined length or less; [0080] – chunks may be processed as they arrive without waiting for the complete packet to finish).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yona with the teachings of Mundra, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, to reduce latency in the system by splitting large packets in to smaller sets of data, allowing for finer prioritization of received requests (see, e.g., Mundra at [0059-0060]).

Regarding claim 17, the combination of Yona and Mundra teach the electronic device of claim 16, wherein the forming the chunks from each of the one or more web application layer requests (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined) comprises:  29Atty. Docket No.: 9034PO45 (IMP-093) 
forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk (Mundra at [0080] – packets are processed into chunks when a stream is being received, and it is not necessary to wait for the complete packets to arrive to produce a chunk <i.e., when enough information of the packet is received it is chunked, see e.g., [0027] – for determining a predetermined chunk length to be created>), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a last complete element or parameter in the web application layer request that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size (Mundra at [0080] & [0129] – packets are processed into chunks as a stream is being received, and are sequentially processed as they arrive <i.e., one chunk starts where the last one left off>; [0027] & [0263] – packet may be chunked into size less than the predetermined chunk length, and include control label such as “start of packet”, “middle of packet”, and “end of packet” (EOP) for linking the payload sequentially/indicating chunk type).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Yona and Mundra as taught in Mundro, comprising forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk, wherein the chunk is Mundro at [0027] & [0080]).

Regarding claim 19, the combination of Yona and Mundra teach the electronic device of claim 16, wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received), and wherein the scanning the chunks for attacks comprises: 
interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received).  

Regarding claim 20, the combination of Yona and Mundra teach the electronic device of claim 16, wherein the non-transitory machine-readable storage medium has further instructions stored therein, which when executed by the one or more processors, further cause the electronic device (Yona at column 1, line 61-column 2, line 6 – instructions stored machine readable medium that causes processor to perform system instructions) to: store, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams (Mundo at [0027] – each packet contains control information, which is received and stored in the system memory), wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the web application layer request, a content type of the web application layer request, and/or an encoding format of the web application layer request (Mundo at [0027], e.g., “a packet interface circuit includes a control circuit operable to receive packets each having a header and a payload, some of the packets representing a first stream, and some others of the packets representing a second stream, the control circuit operable to assign thread identifications identifying each such stream, a memory, and a chunking circuit operable, when a given such packet has a payload exceeding a predetermined length, to store chunks in the memory so that the chunks have the predetermined length or less, and the chunking circuit operable to load chunk control information <i.e., context information> into the memory, the control information indicating start of packet (SOP), middle of packet (MOP), and end of packet (EOP), depending on the position in the payload of data in a given stored chunk” <i.e., parameter values are provided different to previous chunks>).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Yona and Mundra with the teachings of Mundra, wherein the non-transitory machine-readable storage medium has further instructions stored therein, which when executed by the one or more processors, further cause the electronic device to: store, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams, wherein the contextual information for the Mundra at [0027], [0142]).

Claim(s) 3, 12, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yona in view of Mundra, further in view of Anderson et al. (US20190138747, Hereinafter “Anderson”).
Regarding claim 3, the combination of Yona and Mundra teach the method of claim 1.
The combination of Yona and Mundra appear to fail to teach deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended.  
However, Anderson discloses a similar system for identifying threats in downloaded files (see abstract), breaking a bitstream into scannable chunks (see, e.g., [0041]-[0042]), and removing chunks after scanning from the scanner (see, e.g., [0066]), further comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended ([0066], e.g., “the documents themselves are never stored in full format on any of the servers used to facilitate the threat scanning and Web page presentation operations, including never being stored in memory. Rather, documents are scanned for threats using the streamed document content that is received from their host cloud-based storage services in combination partitioning the streamed content into paragraphs or chunks as it is received, meaning only a portion (such as the paragraphs or chunks) of a document is stored in memory at any given point in time” <i.e., chunks are deleted as they pass through the scanner); [0070] – communication occurs using HTTP/TCP <i.e., are .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Anderson comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended, so that the scanning infrastructure is not exposed to potential attacks by holding the complete attack (see, e.g., Anderson at [0066]).

Regarding claim 12, the combination of Yona and Mundra teach the set of one or more non-transitory machine-readable storage media of claim 10. 
The combination of Yona and Mundra appear to fail to teach wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended.
However, Anderson discloses a similar system for identifying threats in downloaded files (see abstract), breaking a bitstream into scannable chunks (see, e.g., [0041]-[0042]), and removing chunks after scanning from the scanner (see, e.g., [0066]), wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations ([0076] – system implemented via instructions stored on non-transitory storage mediums to be executed by processors) comprising: 
deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended ([0066], e.g., “the documents themselves are never stored in full format on any of the servers used to facilitate the threat scanning and Web page presentation operations, including never being stored in memory. Rather, documents are scanned for threats using the streamed document content that is received from their host cloud-based storage services in combination partitioning the streamed content into paragraphs or chunks as it is received, meaning only a portion (such as the paragraphs or chunks) of a document is stored in memory at any given point in time” <i.e., chunks are deleted as they pass through the scanner); [0070] – communication occurs using HTTP/TCP <i.e., are application layer>; [0030] – content is parsed without fully storing on the scanning server infrastructure).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Anderson wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended, so that the scanning infrastructure is not exposed to potential attacks by holding the complete attack (see, e.g., Anderson at [0066]).

Regarding claim 18, the combination of Yona and Mundra teach the electronic device of claim 16.
The combination of Yona and Mundra appear to fail to teach wherein the non-transitory machine-readable storage medium has further instructions stored therein, which when executed by the 
However, Anderson discloses a similar system for identifying threats in downloaded files (see abstract), breaking a bitstream into scannable chunks (see, e.g., [0041]-[0042]), and removing chunks after scanning from the scanner (see, e.g., [0066]), wherein the non-transitory machine-readable storage medium has further instructions stored therein, which when executed by the one or more processors, further cause the electronic device ([0076] – system implemented via instructions stored on non-transitory storage mediums to be executed by processors) to: 
deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended ([0066], e.g., “the documents themselves are never stored in full format on any of the servers used to facilitate the threat scanning and Web page presentation operations, including never being stored in memory. Rather, documents are scanned for threats using the streamed document content that is received from their host cloud-based storage services in combination partitioning the streamed content into paragraphs or chunks as it is received, meaning only a portion (such as the paragraphs or chunks) of a document is stored in memory at any given point in time” <i.e., chunks are deleted as they pass through the scanner); [0070] – communication occurs using HTTP/TCP <i.e., are application layer>; [0030] – content is parsed without fully storing on the scanning server infrastructure).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Anderson wherein the non-transitory machine-readable storage medium has further instructions stored therein, Anderson at [0066]).

Claim(s) 5 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yona in view of Mundra, further in view of Spremulli et al. (US20190104135, Hereinafter “Spremulli”).
Regarding claim 5, the combination of Yona and Mundra teach the method of claim 4, wherein the security response includes: causing the web application server for which the web application layer request from which the chunk with the attack was formed is intended to close a connection over which the web application layer request is being received (Yona at column 3, lines 30-53 and column 1 lines 15-49 – the client requests are allowed access to the servers only when no attacks are detected <i.e., when an attack is detected, a security response is not allowing server access>).
While the combination of Yona and Mundra teach detecting and responding to a malicious request (see, e.g., Yona at column 3, lines 30-53 & column 1 lines 15-49), the combination of Yona and Mundra appear to fail to teach sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed.
However, Spremulli teaches a system for receiving web application layer requests (see abstract, [0010]), wherein a malicious request is received and a security response is provided (see [0025-0026]), comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed([0025-0026] – server tests received , and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Spremulli, comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed, so that the requesting user may be informed their request was not found to be free of attacks (see, e.g., Spremulli at [0025-0026]).

Regarding claim 14, the combination of Yona and Mundra teach the set of one or more non-transitory machine-readable storage media of claim 13, wherein the security response includes: causing the web application server for which the web application layer request from which the chunk with the attack was formed is intended to close a connection over which the web application layer request is being received (Yona at column 3, lines 30-53 and column 1 lines 15-49 – the client requests . 
While the combination of Yona and Mundra teach detecting and responding to a malicious request (see, e.g., Yona at column 3, lines 30-53 & column 1 lines 15-49), the combination of Yona and Mundra appear to fail to teach sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed.
However, Spremulli teaches a system for receiving web application layer requests (see abstract, [0010]), wherein a malicious request is received and a security response is provided (see [0025-0026]), comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”), and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”).  
Yona and Mundra with the teachings of Spremulli, comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed, so that the requesting user may be informed their request was not found to be free of attacks (see, e.g., Spremulli at [0025-0026]).

Claim(s) 6 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yona in view of Mundra, further in view of Dubrovsky et al. (US7835361, Hereinafter “Dubrovsky”).
Regarding claim 6, the combination of Yona and Mundra teach the method of claim 4. While the combination of Yona and Mundra discloses detecting an attack and determining whether to allow a request (see, e.g., Yona at column 3, line 30-53 and column 1, line 15-49), the combination of Yona and Mundra appear to fail to specifically disclose wherein the security response includes generating an alert. 
However, Dubrovsky teaches a system detecting an attack and producing a security response (see abstract, [0042], [0052]), wherein the security response includes generating an alert ([0042] and [0052] – a security alert is issued to a system administrator when an attack is detected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Dubrovsky, wherein the security response includes generating an alert, so that system administrators may analyze and respond to the attack (see, e.g., Dubrovsky at [0042], [0052]).

Regarding claim 15, the combination of Yona and Mundra teach the set of one or more non-transitory machine-readable storage media of claim 13. While the combination of Yona and Mundra Yona at column 3, line 30-53 and column 1, line 15-49), the combination of Yona and Mundra appear to fail to specifically disclose wherein the security response includes generating an alert. 
However, Dubrovsky teaches a system detecting an attack and producing a security response (see abstract, [0042], [0052]), wherein the security response includes generating an alert ([0042] and [0052] – a security alert is issued to a system administrator when an attack is detected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Yona and Mundra with the teachings of Dubrovsky, wherein the security response includes generating an alert, so that system administrators may analyze and respond to the attack (see, e.g., Dubrovsky at [0042], [0052]).

Conclusion
The prior art made of record and not presently relied upon is considered pertinent to applicant's disclosure. Kay (US20100011434) discloses a system for receiving network traffic and analyzing it for attacks (abstract), wherein a segment is formed to start at an end of a previous chunk and to end immediately after a parameter in the request that when included in the segment allows the segment to be sized less than the preconfigured maximum chunk size (see, e.g., [0027], [0035]). See also, Marinescu et al. (US20060224724) disclosing a system for identifying attacking requests in a firewall, and forwarding packets immediately without waiting for the entire request to be received.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA RAYMOND WHITE whose telephone number is (571)272-4365.  The examiner can normally be reached on Monday-Thursday, & Alternate Fridays.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/J.R.W./Examiner, Art Unit 2438                                                                                                                                                                                                        /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438