Notice of Pre-AIA  or AIA  Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION

This action is in response to the communication filed on 5/4/21.
All objections and rejections not set forth below have been withdrawn.
Claims 1 – 8 and 21 – 32 are pending.
Any references to applicant’s specification are made by way of applicant’s U.S. pre-grant printed patent publication.


Claim Rejections - 35 USC § 103

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1 – 8 and 21 – 32 are rejected under 35 U.S.C. 103 as being unpatentable over Overcash et al. (Overcash), US 2008/0034425 A1 in view of Banerjee et al. (Banerjee), US 2017/0093918 A1.

Regarding claim 1, Overcash discloses:
A computing device comprising: a memory connected to at least one processor, the at least one processor configured (e.g. Overcash, fig. 1; par. 652, 653) to identify one or more of access-restricted URIs for a website(e.g. Overcash, par. 35, 40, 44, 99, 231, 129, 137, 170, 171, 185, 191, 192 – the examiner notes that a URL is a type of “URI”); and restrict access to the one or more access-restricted URIs for the website to one or more trusted IP addresses on a whitelist for the website …(e.g. Overcash, par. 580, 584, 603 – herein the system learns the URLs of resources and pages for one or more websites, and may display the resources within a hierarchical tree, all for the purpose of protecting the URLs from malicious access and attacks) 
Overcash, discloses a system for monitoring network traffic for anomalies and using a whitelist to restrict access to a plurality of access restricted URIs.  However, Overcash does not appear to explicitly state that the whitelist is based on historical data indicating that the one or more trusted IP addresses previously accessed the one or more access-restricted URIs.

It would have been obvious to one of ordinary skill in the art to include the whitelist generation techniques of Banerjee within the security system of Overcash which employs a whitelist.  This would have been obvious because one of ordinary skill in the art would have been motivated by the teachings that such automated generation of whitelists lowers the burden upon enterprises for securing their system and minimizes false positives compared to traditional techniques (e.g. Banerjee, par. 21, 24).
Thus, the combination enables:
… wherein the whitelist based upon historical data indicating that the one or more trusted IP addresses previously accessed the one or more access-restricted URIs (e.g. Banerjee, par. 46, 48 – 51).

Regarding claim 2, the combination enables:
wherein the at least one processor is further configured to: generate the whitelist based on the historical data, the historical data comprising a plurality of interactions of different accessor IP addresses with the one or more access-restricted URIs (e.g. Overcash, par. 113, 115, 231; e.g. Banerjee, par. 46, 48 – 51). 

Regarding claim 3, the combination enables:
wherein the historical data comprises server logs (e.g. Overcash, par. 80, 82, 113, 115; fig. 6 – security events; e.g. Banerjee, par. 46, 48 – 51). 

 Regarding claim 4, the combination enables:
wherein the at least one processor is further configured to: identify a particular access-restricted URI of the one or more access-restricted URIs based upon user input indicating that the particular access-restricted URI is a known sensitive URI (e.g. Overcash, par. 58, 430-434, 440). 

Regarding claim 5, the combination enables:
wherein the at least one processor is further configured to: identify a plurality of potentially trusted IP addresses in the historical data that have accessed the one or more access-restricted URIs during a specified time period and select the one or more trusted IP addresses to populate the whitelist from the plurality of potentially trusted IP addresses identified in the historical data (e.g. Overcash, par. 80, 82, 113, 115; fig. 6 – security events; e.g. Banerjee, par. 46, 48 – 51). 


wherein the at least one processor is further configured to: identify a scanner IP address that accessed more than a threshold number of web pages during the specified time period; and eliminate the scanner IP address from consideration as a trusted IP address for the website (e.g. Overcash, par. 43, 60, 67, 191, 192, 391, 599; e.g. Banerjee, par. 48, 49, 50, 51 – herein, malicious users who are found to be probing, scanning, or researching [i.e. “scanners”] the website over a threshold number or urls or time period can be identified by IP address blocked from access). 

Regarding claim 7, the combination enables:
wherein the at least one processor is further configured to: after eliminating the scanner IP address from consideration, designate a particular IP address in a remainder of the plurality of potentially trusted IP addresses as trusted in an instance when the particular IP address accessed a particular access-restricted URI on at least a configurable number of days during the specified time period (e.g. Overcash, par.  99, 183, 231, 190- 196, 224-226, 584, 603; e.g. Banerjee, par. 48, 49, 50, 51). 

Regarding claim 8, the combination enables:
wherein multiple IP addresses from the remainder are added to the whitelist (e.g. Overcash, par.  584, 603; e.g. Banerjee, par. 48 - 51).



Regarding claim 25, the combination enables:
using machine learning (e.g. Overcash, par. 102, 117, 354, 415, 497; e.g. Banerjee, par. 55), analyzing a plurality of webpages to identify the one or more access-restricted URIs based on an indication that the one or more access-restricted URIs are frequently scanned by scanners (e.g. Overcash, par. 43, 54, 58, 60, 391, 633 – hackers researching the websites using probing or scan tools), frequently attacked by brute force attackers (e.g. Overcash, par. 391, 628, 629), require a username and a password (e.g. Overcash, par. 391, 628, 629), or are well-known configuration sites (e.g. Overcash, par. 46, 49).

Regarding claim 32, the combination enables:
prior to adding the remainder to the whitelist, performing further filtering of other untrusted IP addresses that did not access the one or more access-restricted URIs at least a specified number of days during a specified time period (e.g. Overcash, par. 80, 82, 113, 115; fig. 6 – security events; e.g. Banerjee, par. 46, 48 – 51).  All IP addresses are filtered into trusted or untrusted categories before the whitelist is finalized to include all trusted IP addresses (i.e. “prior to adding the remainder to the whitelist”).
Response to Arguments

Applicant’s arguments with respect to the pending claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
See Notice of References Cited.	
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEFFERY L WILLIAMS whose telephone number is (571)272-7965.  The examiner can normally be reached on 7:30 am - 4:00 pm.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/JEFFERY L WILLIAMS/           Primary Examiner, Art Unit 2495