DETAILED ACTION

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claims 1 – 10, 12 – 21 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.
This action is in response to the communication filed on 3/1/21.
All objections and rejections not set forth below have been withdrawn.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/1/21 has been entered.
 



Potentially Allowable Subject Matter

	The examiner suggests that the applicant amend the pending claims to incorporate, in combination with all existing claimed features, the features of paragraph 21 of applicant’s published specification.  Specifically, the subject matter of sending specially crafted hypertext transfer protocol (HTTP) headers when browsing the protected portal, maintaining a list of IP addresses where training machines can communicate from, and comparing the HTTP header of the state-report to the list of expected IP addresses.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 14 – 21 are rejected under 35 U.S.C. 103 as being unpatentable over Call, US 2014/0283067, in view of Kumar et al. (Kumar), US 2012/0317644 A1.

Regarding claims 1, 19, and 20, Call discloses:
during a training phase (e.g. Call, par. 11, 12, 88 – herein, the security system continuously operates in a learning or “training” mode), generating, by a server computing device, one or more patterns of web page elements (e.g. Call, fig. 1b:104, 126; par. 11, 12, 19, 34, 35, 61, 88, 102).  Herein a security subsystem collects reports from instrumented code modules, wherein the reports comprise data characterizing the rendering of a webpage (i.e. “web page elements”), and wherein the collected data is 
wherein the web page elements comprise text strings of a web page document, wherein the server computing device generates the one or more patterns based on the text strings (e.g. Call, par. 10, 16, 62, 63, 70, 106).  Herein, the report (i.e. web page document), upon which the patterns are generated, comprises alphanumeric strings (i.e. “text strings”) relevant to the rendering of a web page, such strings including, but not limited to javascript, function and method names, and website and webpage identifiers.
of the web page document received in a state report from a training machine, the one or more patterns associated with non-modified web page states, …  (e.g. Call, par. 11, 12, 88), the training machine having an expected IP address (e.g. Call, par. 8, 9, 16, 21, 75, 78, 96).  Herein, the client devices are “training machines” because they provide reports used to “train” or refine the machine learning’s hypothesis.  Furthermore, the client devices have expected IP addresses, which is used to by the system to maintain client state, identify client specific keys, and to recorded in the hyperplane for the purpose of analyzing particular clients over time (e.g. across separate sessions).  
communicating, by the server computing device over a network, with a code module embedded in a web page that is presented on a client computing device,  wherein the code module is configured to collect data related to the web page in which the code module is embedded (e.g. Call, par. 7. 36, 88, 53, 55, 65; fig. 1B).  Herein, instrumented code is inserted into a web page served by a web server, wherein the instrumented with code is for detecting (and possibly deflecting) malicious activity or other abnormal computer behavior. 
receiving, by the server computing device from the code module embedded in the web page that is being presented on the client computing device, the data related to the web page presented on the client computing device (e.g. Call, par. 24, 68, 69, 74, 105-107; fig. 1B:115; fig. 3:306, 308). 
comparing, by the server computing device, the data received from the code module embedded in the web page to the generated one or more patterns of web page elements, including one or more of: the one or more patterns associated with no0n-modified web-page states (e.g. Call, par. 8, 17, 77, 11, 12); one or more patterns associated with malicious web page states (e.g. Call, par. 8, 13, 79); one or more patterns associated with innocuous web page modifications (e.g. Call, par. 8, 13, 79); or any combination thereof (e.g. Call, par. 10, 75, 77, 110, 112).
identifying, by the server computing device based on the comparing of the data from the code module and the generated one or more patterns of web page elements, a risk of the web page having been modified by malware (e.g. Call, par. 22).
and updating, based the identifying of the risk of the web page having been modified by malware, at least one of the one or more predetermined patterns (e.g. Call, par. 81, 88, 5, 39, 56, 69).  Herein, when it is detected that malware is/is not likely (i.e. “risk”) (e.g. Call, par. 5, 39, 77, 78) to have modified a served web page, then the system will continuously update or refine the patterns previously generated during the learning (i.e. “training”) phase.




It would have been obvious to one of ordinary skill in the art to recognize the XML report features of Kumar within the system of Call for reporting data from instrumented code to a server.  This would have been obvious because one of ordinary skill in the art would have been motivated by the practical need to embody the report in a known format that enable sending to a server.
 
Regarding claim 14, the combination enables:
wherein the generating one or more patterns of web page elements comprises generating the one or more patterns associated with malicious web page states (e.g. Call, par. 115, 78).  

Regarding claim 15, the combination enables:
wherein the generating one or more patterns of web page elements comprises generating the pattern associated with malware performing an injection to a web page (e.g. Call, par. 46, 69).  

Regarding claim 16, the combination enables:
wherein the generating one or more patterns of web page elements comprises generating the one or more patterns associated with innocuous web page modifications (e.g. Call, 19, 22, 80). 

Regarding claim 17, the combination enables:
wherein the generating one or more patterns of web page elements comprises generating the pattern associated with an extension and a plug-in for a web page (e.g. Call, par. 66).  

Regarding claim 18, the combination enables:
generating an alert associated with the web page in response to the risk meets or exceeds a predetermined threshold (e.g. Call, par. 15, 12).  

Regarding claim 21, the combination enables:
wherein the text strings of the web page document received from the training machine comprise an adequate header (e.g. Call, par. 83, 92, 96).  


Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Call US 2014/0283067, in view of Kumar et al. (Kumar), US 2012/0317644 A1, in view of Shen, CN 103581162 A.


However, Shen teaches that a risk-assessment algorithm determines that the URL does not correspond to any entry in: a URL whitelist and a URL blacklist (see abstract: “a system and method for continuously updating event results and statistical information based on cloud. The method comprises the steps that a client terminal obtains URL events in a circulatory mode; whether URLs are matched with a white list or a black list or not is judged, and if yes, the URLs are processed according to the black list or the white list, detection results are recorded, and an event statistical list is updated; if not, the URLs are uploaded to a cloud analysis system; the client terminal inquires all cloud analysis results of the URLs with the detection results to be determined from the cloud analysis system at a preset interval; whether the cloud analysis results of the URLs exist or not is judged, and if yes, the cloud analysis results are obtained, and the corresponding URL detection results and the event statistical list are updated through the cloud analysis results”).
Both Call and Shen teach analyzing the trustworthiness of an entity using whitelists, blacklists and/or a risk-assessment algorithm. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let Call perform the risk-assessment algorithm on the entity only in response to a determination that the entity does not correspond to any entry in: a whitelist for the entity and a blacklist for the entity, as taught by Shen. It would have been obvious because Shen explicitly teaches that doing so can find the threat in the shortest .

Claims 3 – 8 are rejected under 35 U.S.C. 103 as being unpatentable over Call, US 2014/0283067, in view of Kumar et al. (Kumar), US 2012/0317644 A1, in view of Grimes, US 2010/0106568.

Regarding claim 3, Call fails to teach that embedding the code module into the web page includes inserting a loader module into the web page and executing the loader module to embed the code module into the web page.
However, Grimes teaches that embedding a code module into a web page includes inserting a loader module into the web page and executing the loader module to embed the code module into the web page (e.g. Grimes, par. 260) 
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let embedding the instrumentation code module into the web page taught by Call include inserting a loader module into the web page and executing the loader module to embed the code module into the web page, as taught by Grimes to predictably insert the instrumentation code into the web page.

Regarding claim 4, Call discloses:
wherein the data related to the web page includes a subset of elements present in the web page (e.g. Call, par. 105, 107; fig. 1B).

Regarding claim 5, Call discloses:
wherein the data related to the web page includes at least one of an identifier, a styling detail, a nesting detail, a location of an element within the web page, an element that requests a user of the client computing device to enter data, or a script element, or a combination thereof (e.g. Call, par. 69).

Regarding claim 6, Call discloses:
configuring the code module, by the server computing device, the code module to retrieve the data related to the web page based on one or more selected page elements (e.g. Call, par. 69, 53, 55, 97; fig. 1B).  

Regarding claim 7, Call discloses:
wherein the one or more selected page elements include one or more editable elements (e.g. Call, par. 69).

Regarding claim 8, Call discloses:
wherein the one or more selected page elements include a script tag (e.g. Call, par. 69).

Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Call, US 2014/0283067, in view of Kumar et al. (Kumar), US 2012/0317644 A1, in view of Kim, KR 100622129 B1.

Regarding claim 13, Call does not explicitly teach that generating the pattern for the one or more patterns associated with non-modified web page states includes generating a pattern associated with a new version of a web page.
In the same field of endeavor, Kim et al. teaches that generating a pattern for one or more patterns associated with non-modified web page states includes generating a pattern associated with a new version of a web page (see page 1, Derwent title: “System and method for checking modification of dynamically changed webpages with discrimination between normal update and changes by hacking". And see page 2, Derwent abstract: “NOVELTY - A system and a method for checking modification of dynamically changed webpages are provided to detect the modification of the webpage in an early stage by remotely checking the modification, which is caused from hacking and normal update, of the webpages stored to a web server in real-time”).
Both Call and Kim et al. teach detect modification of a webpage caused by hacking. Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to let Call generate the pattern for the one or more patterns associated with non-modified web page states by generating a pattern associated with a new version of a web page, as taught by Kim et al. It would have been obvious because doing so achieves the commonly understood benefit of reducing a false positive rate in the detection of modification of a webpage caused by hacking by .

Response to Arguments

Applicant's arguments filed 3/1/21 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
Call does not teach or suggest generating a pattern during a training phase where the pattern is based on a state-report received from a training machine, and wherein the state-report comprises an adequate header and is received from a training machine having an expected IP address, as claimed. Instead, Call merely describes a primary cluster and the identifying of nodes outside of this cluster. …
…
(Remarks, pg. 8)

Examiner respectfully responds:
The examiner respectfully disagrees.  Specifically, the client devices of Call are “training machines” because they provide reports used to “train” or refine the machine learning’s hypothesis, thus the period in which reports and patterns are generated may be said to be during “a training phase”.  Furthermore, the client devices have expected IP addresses which are recorded in the hyperplane for the purpose of analyzing 


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFERY L WILLIAMS/Primary Examiner, Art Unit 2495