Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Terminal Disclaimer
The terminal disclaimer filed on 02/01/2021 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of 15/270,214 (U.S. Patent No. 10404744) has been reviewed and is accepted.  The terminal disclaimer has been recorded.
Examiner’s Note
Examiner contacted applicant's representative Chen Liang (Registration No. 51,945) on March 10, 2021 and left a message. Applicant’s representative called examiner back on March 11. Examiner requested some minor amendments to avoid some potential antecedent basis issues. Examiner suggested putting the changes in an examiner's amendment. Applicant's representative on March 11 emailed to examiner a Word document with the suggested changes.
See Examiner's Amendment below.

Examiner’s Amendment
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given via telephone conversation and email from Attorney Chen Liang (Registration No. 51,945) on March 11, 2021.

The application has been amended as follows:

Amendments to the Claims:
This listing of claims will replace prior versions, and listings, of claims in the application:
Listing of Claims: 
3.	(Currently Amended)  The method of claim 1, further comprising retrieving the syntactic pattern in response to determining that the received database statement causes a syntax error, the retrieved syntactic pattern corresponding to multiple previously received database statements from an application, the multiple previously received database statements having the distinct syntactic structure but with different query terms.  
4.	(Currently Amended)  The method of claim 1, further comprising: 
retrieving the syntactic pattern in response to determining that the received database statement causes a syntax error, the retrieved syntactic pattern corresponding to multiple previously received database statements from an application, the multiple previously received database statements having the distinct syntactic structure but with different query terms; and
in response to determining that parsing the syntactic pattern with the inserted query term does not cause the same syntax error, retrieving another syntactic pattern and determining whether parsing the retrieved another syntactic pattern causes the same syntax error when the query term of the received database statement is inserted into the another syntactic pattern.  
7.	(Currently Amended)  The method of claim 1, further comprising:
in response to determining that parsing the received database statement does not cause a syntax error,
determining a syntactic pattern corresponding to the received database statement by replacing one or more query terms with a placeholder value; 
a database; and
in response to determining that an identical syntactic pattern does not exist in the database, 
determining whether the determined syntactic pattern of the received database statement corresponds to a syntactic pattern having an injection point marked as attacked; and
in response to determining that the syntactic pattern of the received database statement corresponds to a syntactic pattern having an injection point marked as being attacked, performing at least one of disallowing execution of the database statement in the database, notifying an administrator of the database that an injection attack is detected, or updating the vulnerable syntactic pattern in the database.  
10.	(Currently Amended)  The method of claim 9 wherein indicating that the received database statement involves an injection attack includes disallowing execution of the database statement in a database, notifying an administrator of the database that an injection attack is detected, or updating an attack count related to the injection point of the existing syntactic pattern.


Response to Amendment
This communication is in response to the amendment filed on 02/01/2021. The Examiner acknowledges amended claims 1-20. No claims have been cancelled or added. Claims 1-20 are pending and claims 1-20 are allowed. Claims 1, 9, and 17 are independent.

The double patenting rejection(s) of claims 1-20 are withdrawn in view of the properly filed terminal disclaimer.
Claims 3-4, 7, and 10 have been amended with this Examiner’s amendment.
Applicant's arguments/amendments have been fully considered and are persuasive.

Allowable Subject Matter
Claims 1-20 are allowed.

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

The prior art of record (in particular, Li U.S. Publication 20120284237 (hereinafter "Li"), Nachenberg U.S. Patent 7444331 (hereinafter "Nachenberg"), Averbuch U.S. Patent 9843596 (hereinafter "Averbuch"), and Beresniewicz U.S. Patent 8051486 (hereinafter "Beresniewicz")) does not expressly disclose all the limitations recited in the independent claims and the combination of their features thereon. With respect to independent claim 1, the closest prior art does not disclose at least the following limitations in the recited context:

based at least on determining that parsing the received database statement causes a syntax error: 

determining whether a syntactic pattern causes the same syntax error when the query term of the received database statement is inserted into an injection point in the syntactic pattern, the syntactic pattern corresponding to a distinct syntactic structure; and 

based at least on determining that the syntactic pattern with the inserted query term causes the same syntax error, marking and storing the injection point in the syntactic pattern as vulnerable and detecting an injection attack based on the stored vulnerable injection point.

Rather, Li discloses 
Query structure analysis, such as comparing the structure of a generated query to one or more expected query structures, may be performed by validation computing device 220 to detect code injection (e.g., SQL injection) attacks. Validation computing device 220 may perform such query structure analysis only when a suspicious pattern appears in the input data. For 
Upon receiving a request, intermediate software application 510 generates a query.
Parsing component 540 parses 630 the query to create an expected query structure. Parsing component 540 provides the query structure to a query processor component 545. When expected query structures associated with intermediate software application 510 have been stored 635, code injection detector component 525 may be used to detect and/or prevent code injection attacks. 
For example, when a request including input data is received, filter component 535 determines 710 whether the input data includes one or more predetermined suspicious patterns. When validation 730 fails (e.g., parsing component 540 determines 740 that a created query structure does not match an expected query structure), parsing component 540 discards 750 the query, preventing destination software application 515 from executing code injected by an attacker.
When validation 730 succeeds (e.g., parsing component 540 determines 740 that a created query structure matches an expected query structure), parsing component 540 forwards 745 the query to destination software application 515. Destination software application 515 executes the query [Li para. [0041], [0045], [0047]-[0049], [0053], [0055]-[0059]].
However, Li does not disclose at least: 
based at least on determining that parsing the received database statement causes a syntax error: 

determining whether a syntactic pattern causes the same syntax error when the query term of the received database statement is inserted into an injection point in the syntactic pattern, the syntactic pattern corresponding to a distinct syntactic structure; and 

based at least on determining that the syntactic pattern with the inserted query term causes the same syntax error, marking and storing the injection point in the syntactic pattern as vulnerable and detecting an injection attack based on the stored vulnerable injection point.

Similarly, regarding claim 9, for reasons analogous to that discussed above with respect to claim 1, Li does not disclose at least: 

in response to determining that parsing the received database statement does not cause a syntax error, 
determining a syntactic pattern corresponding to the received database statement by replacing one or more query terms with a placeholder value; 
determining whether an identical syntactic pattern already exists in the database; and
in response to determining that an identical syntactic pattern does not exist in the database, 	
determining whether the determined syntactic pattern of the received database statement corresponds to a syntactic pattern having an injection point marked as attacked; and
in response to determining that the syntactic pattern of the received database statement corresponds to a syntactic pattern having an injection point marked as attacked, performing at least one of disallowing execution of the database statement in the database, notifying an administrator of the database that an injection attack is detected, or updating the vulnerable syntactic pattern in the database.

Similarly, regarding claim 17, for reasons analogous to that discussed above with respect to claim 1, Li does not disclose at least: 
determining whether parsing a database statement causes a syntax error in a database; and 
based at least on determining that parsing the received database statement does not cause a syntax error, 
determining whether an identical syntactic pattern already exists, the identical syntactic pattern having identical number and sequence of database commands as that of the received database statement; and 
based at least on determining that an identical syntactic pattern already exists in the database, indicating that the received database statement does not involve an injection attack.

To the disclosure of Li, Nachenberg adds converting an incoming query into a canonical form, and then comparing the canonical incoming query with stored template queries. If there is a match then the query is legitimate. If there is no match then it may be malicious. If tokens in the incoming query are not present in a similar template query and the tokens have meaning in 
However, the combination of Li, Nachenberg, Averbuch, and Beresniewicz does not teach the limitations of the independent claims quoted above.  
None of the prior art of record, either taken by itself or in any combination, would have anticipated or made obvious the invention of the present application at or before the time it was filed. 
For the reasons described above, the prior art of record does not disclose, with respect to independent claims 1, 9, and 17, features corresponding to those of independent claims 1, 9, and 17 in their respective contexts. Therefore, the independent claims 1, 9, and 17 are allowed.

Dependent claims 2-8, 10-16, and 18-20 are allowed in view of their respective dependence from independent claims 1, 9, and 17.
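
The flow described by the quoted limitations of claims 1, 9, and 17, sketched as an added example (not code from the application or from the cited references). It assumes an in-memory SQLite database as the parser, one injection point per pattern, a caller-supplied query term, and that a statement "corresponds" to a marked pattern when it shares the pattern's text up to the injection point; all function names and sample statements are hypothetical.

```python
import re
import sqlite3

# Assumption: an in-memory SQLite database with a constructed schema is the parser.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT, city TEXT, age INT)")
patterns = {}  # pattern text -> True once its injection point is marked attacked

def syntax_error(sql):
    """Parser error message for sql, or None if it parses (EXPLAIN only compiles)."""
    try:
        _db.execute("EXPLAIN " + sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)

def to_pattern(sql):
    """Replace each literal (the query term) with a {} placeholder."""
    return re.sub(r"'[^']*'|\b\d+\b",
                  lambda m: "'{}'" if m.group().startswith("'") else "{}", sql)

def learn(sql):
    """Store the syntactic pattern of a statement previously seen from the application."""
    patterns.setdefault(to_pattern(sql), False)

def inspect(sql, term):
    """Classify a received statement; term is the query term it carries."""
    err = syntax_error(sql)
    if err is not None:
        # Syntax-error branch: try each stored pattern and check whether the
        # term, inserted at its injection point, reproduces the same error.
        for pat in patterns:
            if syntax_error(pat.replace("{}", term, 1)) == err:
                patterns[pat] = True  # mark and store the injection point
                return "probe"
        return "syntax-error"
    pat = to_pattern(sql)
    if pat in patterns:  # identical pattern exists: not an injection attack
        return "known"
    for known, attacked in patterns.items():
        if attacked and pat.startswith(known.split("{}")[0]):
            return "attack"  # new structure growing out of a marked point
    return "unknown"

if __name__ == "__main__":
    learn("SELECT name FROM users WHERE city = 'Oslo'")
    learn("SELECT name FROM users WHERE age = 30")
    print(inspect("SELECT name FROM users WHERE city = '''", "'"))
    print(inspect("SELECT name FROM users WHERE city = 'x' OR '1'='1'",
                  "x' OR '1'='1"))
```
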

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/HOWARD H. LOUIE/Examiner, Art Unit 2494

/JUNG W KIM/Supervisory Patent Examiner, Art Unit 2494