Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. This communication is in reply to 04/29/2019.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over CARNEY et al., US 20150058976 A1, in view of Ramsey, US 20070067853 A1.
Regarding claim 1, CARNEY teaches a method for providing security to a web server hosting at least one web application (fig. 1A), comprising: receiving a request message from a client device that is addressed to the web server (0048 and 0048); analyzing the request message to identify potential attack indicators that are present in the request message, each potential attack indicator having a score (Abstract, par. 0062 and 0070); a reputation score assigned to the request message that is associated with behavior of the client device relative other client devices sending request message to the web server (par. 0046-0049, 0058 and 0062). However, CARNEY does not disclose the details of “…calculating a composite score for the request message based in part on: the scores of the potential attack indicators…, and handling the request message in accordance with the composite score”. This feature is well-known in the art as evidenced by Ramsey. In the same field of invention, Ramsey teaches “…When a current user connects to the resource and when the current user attempts to access the resource, an access management process, such as access management process 308 in FIG. 3, passes the current user 

Regarding claims 2-20, the combination CARNEY-Ramsey teaches:

2. The method of claim 1, wherein the reputation scores are calculated based on comparisons between attributes of one or more identifiers of the client device and attributes of one or more identifiers of the other client devices (CARNEY, par. 0033).  
3. The method of claim 2, wherein the attributes of the one or more identifiers of the other client devices are stored as entries in a source database and are updated based on the comparisons (Ramsey, 0007, 0046 and disclosure of par. 1 and 8).
4. The method of claim 3, wherein the assigned scores are stored as entries in an indicator score database, and wherein the assigned scores in the indicator score database are updated based on the comparisons (Ramsey, par. 0049).  

6. The method of claim 5, further comprising: updating the reputation score assigned to the request message based on the correlation score (CARNEY 0029, 0046, and 0047).  
7. The method of claim 1, further comprising: calculating combinations of the potential attack indicators and combination scores for the combinations of the potential attack indicators, and wherein the composite score is further based in part on the combination scores (CARNEY, par. 0058).  
8. The method of claim 1, further comprising: comparing a Uniform Resource Locator (URL) and one or more parameters of the request message with a listing of URLs and parameters known to be subject to malicious attacks; comparing the URL and the one or more parameters of the request message with a listing of URLs and parameters known to be to generate false indications of being malicious request messages, and wherein the composite score is further based in part on the comparisons with the listing of URLs and parameters known to be subject to malicious attacks and the listing of URLs and parameters known to be to generate false indications of being malicious request messages (CARNEY, abstract, 0041, 0046, 0066 and 0076). Substituting the network address by Uniform Resource Locator (URL) of the claim is well-known in the art. The Examiner takes the Official Notice that it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the network address comparison of the malicious attack requests of CARNEY by the URLs of the claimed invention as stated in the claim. By this rationale, this claim is rejected.
9. The method of claim 1, wherein the handling includes at least one of blocking the request message or passing the request message to the web server (CARNEY, par. 0036, 0037, 0073-0076).  
10. The method of claim 1, further comprising: evaluating the composite score against at least one threshold criterion, and wherein the handling includes blocking the request message if the composite score satisfies the at least one threshold criterion, and wherein the handling includes passing the request message to the web server if the composite score dissatisfies the at least one threshold criterion (Ramsey, 0049 and 0052).  
11. The method of claim 1, wherein the request message is a hypertext transfer protocol (HTTP) request message. The Examiner takes the Official Notice that utilizing an HTTP request message in the context of the invention is well-known in the art. By this rationale, claim 11 is rejected.  
12. A computer system for providing security to a web server hosting at least one web application, comprising: a storage medium for storing computer components; and a computerized processor for executing the computer components comprising: a detection module configured for: receiving a request message from a client device that is addressed to the web server, and analyzing the request message to identify potential attack indicators that are present in the request message, each potential attack indicator having a score (CARNEY Fig. 1, Abstract, par. 0062 and 0070; par. 0046-0049, 0058 and 0062); and a composite scoring module configured for: calculating a composite score for the request message based in part on: the scores of the potential attack indicators, and a reputation score assigned to the request message that is associated with behavior of the client device relative other client devices sending request message to the web server; and handling the request message in accordance with the composite score (See Ramsey, par. 0049 and 0052). The same motivation and reason to combine used for the rejection of claim 1 is also valid for this claim. By this rationale, claim 12 is rejected.
13. The computer system of claim 12, further comprising: a source database, and wherein the computer components further comprise: a source collection module configured for: analyzing request messages to extract source identifiers of other client devices that previously sent request messages to the web server, assigning one or more attributes to each of the source identifiers, and storing the assigned attributes and source identifiers in the source database. (CARNEY, fig. 1A, par. 0033).    
14. The computer system of claim 13, wherein the computer components further comprise: a behavioral analysis module configured for: calculating the reputation scores based on comparisons between attributes of one or more identifiers of the client device and assigned attributes and the source identifiers stored in the source database (CARNEY, par. 0033, 0058).   
15. The computer system of claim 14, wherein the behavioral analysis module is further configured for: updating the assigned attributes and the source identifiers stored in the source database are based on the comparisons (Ramsey, 0007, 0046 and disclosure of par. 1 and 8).
16. The computer system of claim 15, further comprising: an indicator score database that stores the assigned scores, and wherein the computer components further comprise: an indicator analysis module configured for: retrieving the assigned scores from the indicator score database, and updating the assigned scores based on the comparisons (Ramsey, 0007, 0046, 0049, and disclosure of par. 1 and 8).
17. The computer system of claim 16, wherein the indicator analysis module is further configured for: calculating combinations of the potential attack indicators and combination scores for the combinations of the potential attack indicators, and wherein the composite score is further based in part on the combination scores (CARNEY, par. 0058).
18. The computer system of claim 12, wherein the computer components further comprise: a correlation module configured for: calculating a correlation score for the request message based on attributes of the request message that are related to attributes of other request messages associated with malicious attacks on the web server (CARNEY, 0048, 0062, and 0066).
19. The computer system of claim 12, wherein the computer components further comprise: an application mapping module configured for: comparing a Uniform Resource Locator (URL) and one or more parameters of the request message with a listing of URLs and parameters known to be subject to malicious attacks; comparing the URL and the one or more parameters of the request message with a listing of URLs and parameters known to be to generate false indications of being malicious request messages, and wherein the composite score is further based in part on the comparisons with the listing of URLs and parameters known to be subject to malicious attacks and the listing of URLs and parameters known to be to generate false indications of being malicious request message (CARNEY, abstract, 0041, 0046, 0066 and 0076). Substituting the network address by Uniform Resource Locator (URL) of the claim is well-known in the art. The Examiner takes the Official Notice that it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to substitute the network address comparison of the malicious attack requests of CARNEY by the URLs of the claimed invention as stated in the claim. By this rationale, this claim is rejected.
20. The computer system of claim 12, wherein the request message is a hypertext transfer protocol (HTTP) request message. The Examiner takes the Official Notice that utilizing an HTTP request message in the context of the invention is well-known in the art. By this rationale, claim 11 is rejected.   

Conclusions
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUDE JEAN GILLES whose telephone number is (571)272-3914.  The examiner can normally be reached on Mon-Fri, from 9:00AM-7:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, James Hwang can be reached on 571-272-4036.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JUDE JEAN GILLES/
Primary Examiner, Art Unit 2447
April 30, 2021