Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This action is in response to the Amendment filed on 01/20/2021.
Claims 1-20 are under examination.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-9, 12-15 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Weizman et al. (US 2019/0306178 A1) and Adams (US 2015/0096035 A1).
Regarding claim 1, Weizman et al. discloses a method for identifying and circumventing a security scanner [par. 0013, “(i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert for an administrator of the one of the set of web services”], the method comprising: monitoring, by a processor of a computing system, incoming traffic to a web application [par. 0013, “The method includes receiving data for a second set of web requests transmitted to a set of web services”, par. 0027, “FIGS. 7A-7C together form a flowchart depicting example operation of comparing web traffic to the known vulnerability scanner feature vector clusters”]; identifying, by the processor, a portion of the incoming traffic as security scanner traffic originating from the security scanner by comparing the incoming traffic to a security scanner traffic profile [par. 0013, “The method includes clustering the second set of feature vectors into a second set of clusters. The method includes, in response to a first distance between a selected cluster of the second set of clusters and one of the first set of clusters being less than a first predetermined distance, (i) identifying one of the set of web services that received web requests corresponding to feature vectors in the selected cluster and (ii) generating a scanning alert for an administrator of the one of the set of web services”].
Weizman et al.  does not explicitly disclose circumventing, by the processor, the security scanner by at least one of: providing, by the processor, dummy content to the security scanner; and signaling, by the processor, the web application to perform the step of providing dummy content to the security scanner; wherein the providing dummy content includes servicing a request of the security scanner to cause the security scanner to mistakenly believe an attack or probe of the web application is unsuccessful.
However, Adams discloses circumventing, by the processor, the security scanner by at least one of: providing, by the processor, dummy content to the security scanner; and signaling, by the processor, the web application to perform the step of providing dummy content to the security scanner [par. 0063, “security device 240 may modify the response to include sanitized information (e.g., information that cannot be exploited by attacker device 210) that identifies the one or more input values (e.g., security device 240 may generate the sanitized information by performing an operation that is configured to sanitize the information that identifies the one or more input values)”, par. 0074, “Implementations described herein may allow a security device, associated with a server device, to modify a response to include information associated with each of one or more input values provided by an attacker device. In this way, the security device may indicate a vulnerability associated with every input value provided by the attacker device, and a hacker (e.g., associated with the attacker device) may be unable to identify an actual vulnerability (e.g., since the response will include one or more false positives associated with one or more of the input values)”]; wherein the providing dummy content includes servicing a request of the security scanner to cause the security scanner to mistakenly believe an attack or probe of the web application is unsuccessful [see fig. 1B, par. 0015, “the hacker wishes to identify the vulnerability based on one or more input values associated with the application (e.g., a reflected input may indicate a vulnerability)”, par. 0016, “the server device may receive the request, and may generate a response to the request. As shown, the response may include information that identifies input 2 (e.g., input 2 is reflected in the response)”, par. 0017, “As shown in FIG. 1B, the server device may provide the response (e.g., including the information that identifies input 2), to a security device (e.g., associated with the server device). As shown, the security device may determine (e.g., based on information received from the server device or information included in the request) information that identifies each of the N input values, and may modify the response based on the information that identifies each of the N input values (e.g., such that each of the N input values are reflected in the modified response)”, par. 0018, “the security device may provide the modified response to the attacker device. As shown, the attacker device may provide (e.g., to the hacker) information that indicates that each of the N input values are reflected in the response. As shown, the hacker may be unable to identify a vulnerability associated with the server device (e.g., since the response includes false positives associated with one or more of the N input values)” (the attacker mistakenly believes an attack or probe of the web application is unsuccessful, since the hacker is unable to identify a vulnerability associated with the server device even though the original server response, before the security device modified it, did identify the vulnerability)].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Adams into the teaching of Weizman et al. with the motivation to prevent the attacker device from identifying a vulnerability as taught by Adams [Adams: abs.].
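As an added illustration, not part of this Office action or of the cited references, the following Python sketches the combination described above: a Weizman-style check of a client's feature vector against known scanner cluster centroids with a predetermined distance, followed by an Adams-style modification of the response so that every submitted input value appears reflected in sanitized form. The centroid values, the distance threshold, the feature layout and the sample inputs are constructed assumptions.

```python
import html
from math import dist

# Constructed sample centroids of known vulnerability-scanner traffic clusters.
# Feature vector layout (assumed): [requests per minute, distinct-path ratio,
# 4xx/5xx response ratio]. Values are illustrative only.
KNOWN_SCANNER_CENTROIDS = [[120.0, 0.90, 0.70], [300.0, 0.95, 0.80]]
PREDETERMINED_DISTANCE = 40.0  # assumed threshold, see Weizman par. 0013


def is_scanner_like(feature_vector, centroids=KNOWN_SCANNER_CENTROIDS,
                    max_distance=PREDETERMINED_DISTANCE):
    """Flag a client whose feature vector lies within the predetermined
    distance of any known scanner cluster centroid (Euclidean distance)."""
    return min(dist(feature_vector, c) for c in centroids) < max_distance


def pad_reflected_inputs(response_body, input_values):
    """Modify the response so every submitted input value appears reflected.
    Only the inputs the server did not already reflect are appended, each
    HTML-escaped so the decoy reflection cannot itself be exploited; the
    scanner then sees N reflections and cannot single out the real one."""
    missing = [v for v in input_values if v not in response_body]
    decoys = "".join(f"<span hidden>{html.escape(v)}</span>" for v in missing)
    return response_body + decoys


def serve(feature_vector, input_values, real_response):
    """Return the unmodified response to ordinary clients and the padded
    response to clients classified as scanner traffic."""
    if is_scanner_like(feature_vector):
        return pad_reflected_inputs(real_response, input_values)
    return real_response
```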
Regarding claim 4, the rejection of claim 1 is incorporated.
Weizman et al. further discloses the security scanner traffic profile is created by modelling known security scanner traffic [par. 0062, “A machine learning module 320 may use supervised or unsupervised learning to identify traffic indicative of vulnerability scanning. For example, the machine learning module 320 may be trained with known vulnerability scanning traffic as well as known benign traffic... The machine learning module 320 defines a dictionary relevant to features of the known vulnerability scanner activity and stores the dictionary entries into dictionary storage 316”].
Regarding claim 5, the rejection of claim 1 is incorporated.
Weizman et al. further discloses the step of monitoring the incoming traffic comprises evaluating requests to the web application [abs, “The method includes identifying a set of clients that transmitted the second set of web requests. The method includes generating a second set of feature vectors, which each corresponds to one of the clients”].
Regarding claim 6, the rejection of claim 5 is incorporated.
Weizman et al. further discloses the requests to the web application are HTTP requests [par. 0012, “the second set of web requests are hypertext transfer protocol (HTTP) requests”].
Regarding claim 7, the rejection of claim 1 is incorporated.
Weizman et al. further discloses receiving, by the processor, web application traffic generated by a plurality of security scanners; identifying, by the processor, web application traffic features common to at least a portion of the plurality of security scanners; and generating, by the processor, the security scanner traffic profile based on the identified web application traffic features common to the portion of the plurality of security scanners [par. 0007, “the instructions include obtaining a first set of web requests associated with the plurality of vulnerability scanners. The instructions include identifying patterns from the first set of web requests. Each of the patterns includes information from at least one of the first set of web requests. The instructions include creating the dictionary based on the identified patterns”, par. 0008, “Patterns in the first subset are more frequent in the first set of web requests than are patterns of the second subset. The dictionary is created from the first subset exclusive of the second subset. In other features, the first set of web requests are hypertext transfer protocol (HTTP) requests. Each of the HTTP requests is associated with an Internet Protocol (IP) address, a user agent string, and a path. Each of the identified patterns includes a uniform resource identifier (URI) from each of at least one of the HTTP requests”, par. 0036, “Those features that are more common are added to a dictionary”].
Regarding claim 8, the rejection of claim 1 is incorporated.
Weizman et al. further discloses the step of monitoring, by the processor, the incoming traffic comprises at least one of real time monitoring and monitoring access logs [par. 0038, “logs of HTTP requests can be analyzed for similarity to the known vulnerability scanner activity”].
Regarding claim 9, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 12, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 13, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 14, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.
Regarding claim 15, it recites limitations similar to claim 1. The reason for the rejection of claim 1 is incorporated herein.
Regarding claim 18, it recites limitations similar to claim 4. The reason for the rejection of claim 4 is incorporated herein.
Regarding claim 19, it recites limitations similar to claim 5. The reason for the rejection of claim 5 is incorporated herein.
Regarding claim 20, it recites limitations similar to claim 7. The reason for the rejection of claim 7 is incorporated herein.

Claims 2, 10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Weizman et al. (US 2019/0306178 A1) and Adams (US 2015/0096035 A1) as applied to claims 1, 4-9, 12-15 and 18-20 above, and further in view of Gray (US 2018/0075233 A1).
Regarding claim 2, the rejection of claim 1 is incorporated.
Adams discloses the step of providing dummy content to the security scanner.
Weizman et al. and Adams do not explicitly disclose the step of providing dummy content to the security scanner comprises at least one of redirecting the security scanner traffic originating from the security scanner to a static site and serving requests from the security scanner with predefined static content.
However, Gray discloses the step of providing dummy content to the security scanner comprises at least one of redirecting the security scanner traffic originating from the security scanner to a static site and serving requests from the security scanner with predefined static content [par. 0031, “at step 182 the agent 106 may block the communication from reaching the application 102, if the threat level is determined to be MEDIUM or HIGH. This can include stopping the execution of the application 102 or diverting the communication to a page informing the likely malicious user that the application 102 is unavailable”].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Gray into the teaching of Weizman et al. and Adams with the motivation to protect the software application as taught by Gray [Gray: abs.].
Regarding claim 10, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.
Regarding claim 16, it recites limitations similar to claim 2. The reason for the rejection of claim 2 is incorporated herein.

Claims 3, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Weizman et al. (US 2019/0306178 A1) and Adams (US 2015/0096035 A1) as applied to claims 1, 4-9, 12-15 and 18-20 above, and further in view of Kamir et al. (US 2019/0222587 A1).
Regarding claim 3, the rejection of claim 1 is incorporated.
Weizman et al. and Adams disclose the step of providing dummy content to the security scanner.
They do not explicitly disclose the step of providing dummy content to the security scanner comprises at least one of redirecting security scanner traffic originating from the security scanner to a honeypot and serving requests from the security scanner predefined honeypot content.
However, Kamir et al. discloses the step of providing dummy content to the security scanner comprises at least one of redirecting security scanner traffic originating from the security scanner to a honeypot and serving requests from the security scanner predefined honeypot content [par. 0032, “the attack may be blocked upon such determination, for instance processor 201 may block IP addresses (e.g., of scanners) with a firewall of web server 202. In some embodiments, malicious interaction with server 202 may include at least one of attack and automated web application vulnerability scanning”, par. 0033, “at least one deception element 204 (e.g., a decoy HTML link or other software process) may be only accessible to automatic web scanners and/or application vulnerability scanners and not visible to regular users”, par. 0037, “the web object 206 (e.g., a web page at "index.html") may include hidden links 205 pointing to web pages 206 with a hidden tag and/or form with an action that points to another file on the web server 202, such that a regular user may not observe the at least one deception element 204 while visible to attackers and/or vulnerability scanners”, par. 0041, a honeypot server].
Before the effective filing date of the claimed invention, it would have been obvious to a person having ordinary skill in the art to incorporate the teaching of Kamir et al. into the teaching of Weizman et al. and Adams with the motivation to prevent scanners from identifying the pattern of the deception element and thereby ignoring it, such that a regular user may not observe the at least one deception element 204 while it remains visible to attackers and/or vulnerability scanners, as taught by Kamir et al. [Kamir et al.: par. 0036, par. 0037].
Regarding claim 11, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Regarding claim 17, it recites limitations similar to claim 3. The reason for the rejection of claim 3 is incorporated herein.
Response to Arguments

Applicant’s arguments, filed on 01/20/2021, with respect to rejection under 35 USC § 103 have been considered but are moot in view of the new ground(s) of rejection.
Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure:
US 20150135265 A1: AUTOMATIC NETWORK FIREWALL POLICY DETERMINATION
US 20130333032 A1: NETWORK BASED DEVICE SECURITY AND CONTROLS
US 10044675 B1: Integrating a honey network with a target network to counter IP and peer-checking evasion techniques
US 9495188 B1: Synchronizing a honey network configuration to reflect a target network environment
US 20170270304 A1: METHOD AND DEVICE FOR VULNERABILITY SCANNING
US 8266703 B1: System, method and computer program product for improving computer network intrusion detection by risk prioritization
US 9462013 B1: Managing security breaches in a networked computing environment

Applicant’s amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON CHIANG whose telephone number is (571)270-3393. The examiner can normally be reached from 9 AM to 6 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
/JASON CHIANG/Primary Examiner, Art Unit 2431