DETAILED ACTION

This action is in response to the communication filed on 4/19/21.
All objections and rejections not set forth below have been withdrawn.
Claims 1, 3 – 6, 9 – 11, 13 – 16, and 20 – 26 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.

Continued Examination Under 37 CFR 1.114

A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 4/19/21 has been entered.
 
	
Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

Claims 1, 3 – 6, 9 – 11, 13 – 16, and 20 – 26 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Scott et al. (Scott), “Abstracting Application-Level Web Security” in view of Hallak, US 8,464,318 B1.
	Regarding claim 1, Scott discloses:
intercepting, by a protection module …, a request for web content residing on a remote web server, the request made by a web browser application running on the client device (e.g. Scott, fig. 4: receive HTTP request by a security gateway, i.e. “protection module”). 
Scott discloses a system utilizing a security gateway for protecting web applications from malicious attacks, such as XSS attacks and other web attacks (e.g. Scott, Abstract; sect. 2), wherein the security gateway modifies responses received from web servers (e.g. Scott, fig. 4: “modify http response”).  However, Scott does not explicitly state that the security gateway resides on the same client device as the client’s browser application.  
Hallak also discloses a system utilizing a security gateway for protecting web applications from malicious attacks, such as XSS attacks and other web attacks (e.g. Hallak, Abstract; 12:10-22), wherein the security gateway modifies responses received 
It would have been obvious to one of ordinary skill in the art to art to recognize the teachings of Hallak for a security gateway that modifies responses from a web server, wherein the security gateway can be located on any of a server, a physically separate device, or the client device.  This would have been obvious because one of skill in the art would have been motivated by the teachings that either arrangement is useful for providing security for a web application (e.g. Hallak, 3:13-38).
Thus, the combination enables:
completing the request, by the protection module, without the help of the web browser application by (e.g. Scott, fig. 4: fetch page from server; Hallak, 5:3-6,58-63 – gateway forwards request and receives response to/from server).  
	receiving and caching, by the protection module, the requested web content from the remote web server, wherein the web content comprises data for assembling a web page containing the web content (e.g. Scott, fig. 4; sect. 3.4.1; Hallak, fig. 2a:response).  Herein, the security gateway receives in memory (at least temporarily – i.e. “caches”) a response from the web server. 
	analyzing, by the protection module, the cached web content to identify a malware of the requested web content (e.g. Scott, fig. 4, Abstract; sect. 2; sect. 3.4, par. 4; sect. 3.4.1; sect. 3.5.2; sect. 6, par. 3, 6; see also Hallak, 3:13-37).  Herein, the security gateway operates to identify harmful elements of code and parameters within the HTTP responses (e.g. HTML forms, <form> tags, “certain url parameters”,  
in response to identifying the malware threat, modifying, by the protection module, the requested web content to remove the malware threat of the web page to create a modified web page containing the web content, wherein the modified web page is free of the malware threat (e.g. Scott, sect. 3.4, par. 4; sect. 3.4.1; sect. 3.4.2; fig. 4: validation, transformation, modified response – herein a modified HTTP response, designed to remove the threat posed by malware, is generated; see also Hallak, 3:19-23, 35-37; 4:46-49, 53-57 – herein, the gateway removes harmful portions of the web content before sending the response to the client browser); 
and providing, by the protection module, the modified web page containing the web content to the web browser application for rendering and display (e.g. Scott, fig. 4: return HTTP request to client in the form of modified HTTP response, which is rendered on the client; see also Hallak, 3:19-23, 35-37; 4:53-57 – herein the gateway returns the response comprising the harmless content to the client browser). 

Regarding claim 3, the combination enables:
wherein providing the modified web page further comprises supplementing the web page with indicators regarding a vulnerability of one or more links within the web page (e.g. Scott, sect. 3.4, par. 2, 3 – error messages are sent extraneously to the web page – i.e. “supplementing”; sect. 3.4, par. 4, sect. 3.1, par. 2 – HTTP response annotated with validation code and MACs). 


wherein identifying the malware threat comprises one or more of URL (Uniform Resource Locator) analysis, IP (Internet Protocol) analysis, an image analysis, and a script/HTML analysis (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.; see also Hallak, 3:35-37; 4:53-57). 

Regarding claim 5, the combination enables:
determining whether the request for the web page from the web browser application is a first request (e.g. Scott, sect. 3.4.2 – replays are detected, i.e. determining whether a “first request” was received; see also, sect. 3.4.1, par. 3 – a check is performed to determine if there was already a “onSubmit” attribute –then no validation code is inserted; see also Hallak, 4:38-45 – gateway check a list to see if a request was previously made). 

Regarding claim 6, the combination enables:
wherein modifying the malware threat further comprises performing one or more of pre-process data decryption, de-chunking and decompressing (e.g. Scott, sect. 3.2). 

	Regarding claim 9, the combination enables:
wherein receiving the web content further comprises performing cloud verification of the web content (e.g. Scott, fig. 1; abstract – the verifications are performed within the web, i.e. “cloud”).


further comprising allocating memory for caching of the web content (e.g. Scott, fig. 4; sect. 3.4 – memory is allocated within the security gateway to analyze the content; see also Hallak, fig. 4:410). 

Regarding claims 11, 13 – 16 and 20 – 26, they are system and program claims essentially corresponding to the above method claims and they are rejected, at least, for the same reasons.  Furthermore:

Regarding claim 21, the combination enables:
wherein sending the request to one or more web servers comprises iteratively sending a plurality of requests to the one or more web servers (e.g. Scott, sect. 2, par. 3; sect. 3.1, par. 2). 

Regarding claim 22, the combination enables:
	further comprising processing the web content prior to identifying the malware threat within the web content (e.g. Scott, fig. 4 – the web content must be analyzed before malicious content can be identified). 

Regarding claims 23, the combination enables:
wherein the malware threat comprises a Uniform Resource Locator (URL) (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.; see also Hallak, 3:19-23, 35-37; 4:53-57  ). 

Regarding claim 24, the combination enables:
wherein the malware threat is at a protocol level of the web page (e.g. Scott, sect. 2 – application level; see also Hallak, 3:41-54). 

Regarding claim 25, the combination enables:
wherein the malware threat comprises a Uniform Resource Locator (URL) (e.g. Scott, pg. 401 – analysis of headers, html encoding, cookies, scripting, URLs, etc.). 

Response to Arguments

Applicant's arguments filed 4/19/21 have been fully considered but they are not persuasive.

Applicant argues or alleges essentially that:
…
… In Hallak … With the web page running in a sandbox in the gateway, the gateway sends only user interface parts of the web page (e.g., "Ul part of CSA" 380 in FIG. 3). This way, the web page is run virtually on the gateway, not on the client, thus protecting the client. Thus, under the teachings of Hallak, when a web page contains a malware threat, a modified web page containing the web content is not provided to the web client 210, as recited in the independent claims. Rather, the gateway 200 of Hallak only provides the web client 210 with the user interface part of the web page, since the web page is running separately in the sandbox of the gateway 200. …
…
(Remarks, pg. 9)

Examiner respectfully responds:
The examiner respectfully disagrees and notes that the applicant’s remarks are unpersuasive, at least, for the reason that the Office Action does not rely upon Hallak for the teaching of providing a modified webpage to a client’s browser application.  Specifically, the office action relies upon Hallak for the teaching that a security gateway, which modifies web responses from a server, may reside on the same client device as the client’s browser application.  Furthermore, the Office Action clearly shows that Scott teaches that the security gateway may provide the modified web page to the client’s browser application.  The examiner points out that while the Office Action further encourages the applicant to also see or consider the teachings of Hallak, this is for the applicant’s benefit, illustrating that Hallak’s teachings are harmonious with the teachings of Scott.  Therefore, in response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Furthermore, the examiner finds the applicant’s arguments to be unpersuasive, at least, for the reason that they are based upon a misinterpretation of the teachings of Hallak.  Specifically, the applicant appears to mischaracterize the prior art of Hallak, wherein the applicant errs in the conclusion that Hallak fails to teach providing a modified webpage to the client’s browser.  On the contrary, the examiner points out that Hallak teaches that the client’s UI entity or browser (e.g. Hallak, 4:46-49) is provided 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JEFFERY L WILLIAMS/           Primary Examiner, Art Unit 2495