DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

This Office Action is in response to the patent application filed on December 28, 2018, for application number 16/314,148. Claims 1-20 have been considered. Claims 1, and 8-10 are independent claims.
This action is made Non-Final.

Specification





The disclosure is objected to because of the following informalities: 
The use of the term “JavaScript” or “javascript”, which is a trade name or a mark used in commerce, has been noted in this application. It should be capitalized wherever it appears and be accompanied by the generic terminology.
Although the use of trade names and marks used in commerce (i.e., trademarks, service marks, certification marks, and collective marks) are permissible in patent applications, the proprietary nature of the marks should be respected and every effort made to prevent their use in any manner which might adversely affect their validity as commercial marks.
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim limitation “a code acquisition module, configured to acquire javascript code”, “a logic determining module, configured to determine code logic of the javascript code”, “a data acquisition module, configured to run the resource file with the inserted probe”, and “a data analysis module, configured to analyze the web application” in claim 8 invokes 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. However, the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function. In the original specification, page 12, lines 16-18 describes modules as equivalent to “software programs, computer executable programs, and program instructions” stored in the memory. The disclosure is devoid of any structure that performs the function in the claim. Therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA  35 U.S.C. 112, second paragraph.
Applicant may:
(a)        Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph; 
(b)        Amend the written description of the specification such that it expressly recites what structure, material, or acts perform the entire claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 
(a)        Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or 
(b)        Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Claims 1, 3, and 6-20 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 3, and 6-20 contains the trademark/trade name javascript.  Where a trademark or trade name is used in a claim as a limitation to identify or describe a Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982).  The claim scope is uncertain since the trademark or trade name cannot be used properly to identify any particular material or product.  A trademark or trade name is used to identify a source of goods, and not the goods themselves.  Thus, a trademark or trade name does not identify or describe the goods associated with the trademark or trade name.  In the present case, the trademark/trade name is used to identify/describe a programming language that conforms to the ECMAScript specification, often abbreviated as JS and, accordingly, the identification/description is indefinite.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claim 10 rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the applicant has described that the applicant intends the term "computer storage medium” to include non-statutory matter.  The applicant describes a computer storage medium as including open ended language and thus it is reasonable to interpret it to include all possible mediums, including non-statutory mediums (see page 13, line 27 to page 14, line 2 of original specification.).  The words "storage" and/or "recording" are insufficient to convey only 


Prior Art
Listed herein below are the prior art references relied upon in this Office Action:
Wang et al., "Dynamically Detecting DOM-Related Atomicity Violations in JavaScript with Asynchronous Call," 2016 International Conference on Software Analysis, Testing and Evolution (SATE), 2016, pp. 42-47, doi: 10.1109/SATE.2016.14.
Zhang et al., (US Patent No. US 10298599 B1), referred to as Zhang herein.
Frank Cohen (US Patent Application Publication US 20140195858 A1), referred to as Cohen herein.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 3-5, and 8-10 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Wang.
Regarding independent claim 1, Wang discloses “A method for analyzing a data flow, which is applied to a browser side (Wang, at page 42 under Introduction subtitle, analyzing function callback flow in browser side.), comprising: 
acquiring, from a resource file corresponding to a web application to be analyzed, javascript code (id. at page 43, Figure 1 depicts an example html resource file contains embedded JavaScript® code.); 
determining code logic of the javascript code (id. at page 43, under subtitle A. Example of AJAX Process, analyzing code and determining JavaScript function logic to identify an XHR object.); 
inserting a probe into the javascript code according to the code logic, wherein the probe is a piece of code (id. at page 44, under subtitle A. Trade Collection, Jalangi provide a trace array for testers through inserting the related JavaScript codes.); 
running the resource file with the inserted probe (id. at page 44, Figure 3 depicts third object describes execution of the implemented source code in the browser.), acquiring, according to the probe, data in a process that the web application implements the code logic through a browser, (id. at page 44, under subtitle IV. Implementation, collects the execution information in the browser, which is the trace array that each element is an operation of a JavaScript statement when users makes operations on web applications.); 
and recording the data (id. at page 45, a paragraph starting with DOMElement, recording the related DOM elements.) and analyzing the web application based on the recorded data (id. at page 45, under B. to D. subtitles, finding atomic regions by taint analysis for the web application using recorded objects).”
Independent claim 8 is directed towards an apparatus equivalent to a method found in claim 1, and is therefore similarly rejected.
Independent claim 9 is directed towards a device equivalent to a method found in claim 1, and is therefore similarly rejected.
Independent claim 10 is directed towards a computer storage medium equivalent to a method found in claim 1, and is therefore similarly rejected.

claim 3, Wang discloses all the limitation of independent claim 1. Wang further teaches “wherein the analyzing the web application based on the recorded data comprises: 
reading the recorded data (Wang, at page 44, under the subtitle A. Trace Collection, Jalangi collect the trace array that each element is an operation of a JavaScript statement.); 
reconstructing, according to a data object, generation time of the data object, and an input of the data object and an output of the data object in the recorded data, an entire event tree (id. at page 47, under the subtitle VI Case Study teaches how to reconstructing according to the time of the JavaScript functions as depicted at Figure 5, and input and output of the JavaScript function call in the recorded data, and an entire event tree.); and 
determining, based on the event tree and a data object of interest as acquired, an execution state of the data object of interest in execution of the web application; wherein the execution state comprises a state of the data object of interest in performing the browser mechanism, the data object of interest is any data object triggered during the execution of the web application, and the browser mechanism comprising any one of the following: data cookies stored on a local user device, asynchronous javascript, extensible markup language (XML), web storage, and document object model (DOM) event mechanism (id. at page 47, as circled in the Figure 5, determining a function call to setChatStatus is an atomicity violation status in performing DOM evet mechanism for any asynchronous JavaScript function calls as depicted.).”
claim 4, Wang discloses all the limitation of independent claims 1 and its dependent claim 3. Wang further teaches “wherein the determining, based on the event tree and the data object of interest as acquired, the execution state of the data object of interest in the execution of the Web application comprises: 
determining a node corresponding to the data object of interest in the event tree, and taking the node as a current node (Wang, at page 45, after collects the execution information of source codes in the browser, the ith element in AT(Ai) is a current node after taking the Aevent trace and the atomic region as input.); 
traversing forward and backward on the basis of the current node, based on the event tree, a data object corresponding to a node which has at least one of a direct relationship and indirect relationship with the current node (id. at page 45, The ith element in AT(Ai) is compared with DOM elements before it one by one (Line 2-3).); and 
determining a reachable set of the data object of interest based on the data object, wherein the reachable set is associated data objects comprising the data object of interest (id. at page 45, if two events are triggered by the same DOM element (Line 4), then the two events may have atomicity violations, and necessary information is recorded. getType (Line 6, 12, 15) is used to take two events' operation type of DOM elements.).” 
Regarding claim 5, Wang discloses all the limitation of independent claims 1 and its dependent claim 3. Wang further discloses “wherein the determining, based on the event tree and the data object of interest as acquired, the execution state of the data object of interest in the execution of the Web application comprises: 
acquiring data of interest (Wang, at page 45, under subtitle B. Atomic Region Identification, acquiring atomic regions by two rules.); 
determining, according to the data of interest, a node corresponding to the data object of interest in which the data of interest is located (id. at page 45, determine a DOM element corresponding to the atomic region in which have atomic violation.); and 
determining, based on the node and the event tree, an execution state of the data of interest in the execution of the web application (id. at page 45, under subtitle D, Atomicity Violation Detection, determining atomicity violation when two events are triggered by the same DOM element.).”

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

s 2, 11 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Cohen.
Regarding claim 2, Wang discloses all the limitation of independent claim 1. Wang further teaches “wherein the acquiring, according to the probe, the data in the process that the web application implements the code logic through the browser, and recording the data, comprises: 
acquiring, based on preset analysis code in the browser and according to the probe, the data in the process that the web application implements the code logic through the browser (Examiner notes that the present analysis code as parse the DOM tree, analyze and record the user operation events, user data and data flow direction. Wang, at page 44, under subtitle B. Even-based Model to C. Atomic Region Classification, teaches substantially similar operation by putting forward a dynamic event model, Aevent to give each event an attribute to show which AJAX step the current state is in, and classify four types of atomic regions about the DOM elements in HTML page, Global-related, Cookie-related, Form-related, and Node-related.);” However, Wang does not explicitly teach “and normalizing the data and storing the normalized data.”
Cohen is in the same field of a web browser to Web browser testing of a computer software application (Cohen, at Abstract) that processing recorded events to recognize objects and normalize the recorded events (id. at ¶ [0044]).
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to combine Wang’s method with storing normalized data as taught by Cohen because it enables to use the browser's native APIs and spoofing 
Regarding claim 11, Wang in view of Cohen discloses all the limitation of independent claim 1 and its dependent claim 2. Claim 11 contains the limitations substantially similar to those in claim 3, therefore claim 11 is similarly rejected.
Regarding claim 16, Wang in view of Cohen discloses all the limitation of independent claim 1 and its dependent claim 2. Claim 16 contains the limitations substantially similar to those in claim 7, therefore claim 16 is similarly rejected.

Claims 6, 13-15 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Zhang.
Regarding claim 6, Wang discloses all the limitation of independent claims 1. However, Wang does not explicitly teach “wherein the determining the code logic of the javascript code and inserting the probe into the javascript code according to the code logic, comprises: determining whether the resource file corresponding to the javascript code is a preset resource file to be ignored; if not, determining the code logic of the javascript code; and inserting the probe into the javascript code according to the code logic; wherein the preset resource file to be ignored is a resource file into which the probe does not need to be inserted.”  Original specification describes “determining whether the resource file corresponding to the javascript code is a preset resource file to be ignored” as one of three examples, ‘it may be a preset resource file that does not care, or a resource file that does not help the 
Zhang is in the same field of security techniques applicable to client/server systems (Zhang, at column 1, lines 20-21) that determining whether adding detection instruction into a web page by checking whether requesting browser is a particular browser or type of browser may be referred to herein as identification data, comparing the identification data with the data stored in storage, and ignore adding the detection instruction when the requested browser is a legitimate browser (Zhang, at column 21, lines 3-21) while the detection instruction is JavaScript instruction (id. at column 22, lines 48-50). 
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to modify Wang’s method with determining whether the web page source file has predetermined data is to be ignored, and if not, inserting the JavaScript instructions as taught by Zhang because browsers are powerful computer program applications that may request and execute instructions received from a web server to generate complex user interfaces that are presented to a user through one or more devices, but attackers may use software, often referred to as a “bot” or “headless browser”, which imitates a browser and a user by receiving instructions from a web server and use bots to commit many types of unauthorized acts, crimes or computer fraud (Zhang, at column 1, line 38 to column 2, line 12).
Regarding Claims 13-15, Wang discloses all the limitation of independent claim 1 and its dependent claims 3-5. Claims 13-15 contain the limitations substantially similar to those in claim 6, therefore claims 13-15 is similarly rejected.
claim 20, Wang discloses all the limitation of independent claim 1 and its dependent claim 6. Claim 20 contains the limitations substantially similar to those in claim 7, therefore claim 20 is similarly rejected.

Claims 7, and 17-19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang.
Regarding claim 7, Wang discloses all the limitation of independent claims 1. Wang further discloses “wherein the acquiring, from the resource file corresponding to the web application to be analyzed, the javascript code, comprises: acquiring the resource file, related to the web application to be analyzed and returned by a server corresponding to the web application to be analyzed; determining the type of the resource file; acquire code in the resource file, if the resource file is a javascript file; and determining embedded javascript code according to a preset identifier, if the resource file is a hypertext markup language (html) file (Examiner notes that current claim limitations recite a resource file as a source file contains JavaScript code. Wang, at page 42, teaches the web application is AJAX-based application which contains JavaScript code, and detecting AJAX-related atomicity violation in front-end Web applications, which means analyzing client-side code. As an example, Wang, at page 43 and Figure 1, discloses a html file for an AJAX operation includes embedded JavaScript code according to <script> and </script> tags. Further, Wang discloses calling APIs from external JS libraries, and exampled the external JS library at Figure 4.).” However, Wang does not explicitly teach “acquiring the resource file returned by a server”.

Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to modify Wang with the web application source file having JavaScript code is requested from client and acquired from a web server because as a definition, web application (or web app) is application software that runs on a web server, it is accessed by the user through a web browser, and executing a Web application contains the operations on HTML pages, CSS and the database in server-side (Wang, at page 43). 
Regarding Claims 17-19, Wang discloses all the limitation of independent claim 1 and its dependent claims 3-5. Claims 17-19 contain the limitations substantially similar to those in claim 7, therefore claims 17-19 is similarly rejected.

Claim 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Wang in view of Cohen as applied to claim 2 above, and further in view of Zhang.
Regarding claim 12, Wang in view of Cohen discloses all the limitation of independent claim 1 and its dependent claim 2. However, Wang in view of Cohen does not explicitly teach “wherein the determining the code logic of the javascript code and inserting the probe into the javascript code according to the code logic, comprises: determining whether the resource file corresponding to the javascript code is a preset resource file to be ignored; if not, determining the code logic of the javascript code; and inserting the probe into the javascript code according to the code logic; wherein the preset resource file to be ignored is a resource file into which the probe does not need to be inserted.”  Original specification describes “determining whether the resource file corresponding to the javascript code is a preset resource file to be ignored” as one of three examples, ‘it may be a preset resource file that does not care, or a resource file that does not help the analysis of the Web application, or a resource file whose data logic is already known.’ (Original specification, page 6, lines 23-25).
Zhang is in the same field of security techniques applicable to client/server systems (Zhang, at column 1, lines 20-21) that determining whether adding detection instruction into a web page by checking whether requesting browser is a particular browser or type of browser may be referred to herein as identification data, comparing the identification data with the data stored in storage, and ignore adding the detection instruction when the requested browser is a legitimate browser (Zhang, at column 21, lines 3-21) while the detection instruction is JavaScript instruction (id. at column 22, lines 48-50). 
Accordingly, it would have been obvious to one of ordinary skill in the art at the filing date of this application to modify Wang in view of Cohen’s method with determining whether the web page source file has predetermined data is to be ignored, and if not, inserting the JavaScript instructions as taught by Zhang because browsers are powerful computer program applications that may request and execute instructions received from a web server to generate complex user interfaces that are presented to a user through one or more devices, but attackers may use software, often referred to as a “bot” or “headless browser”, which imitates a browser and a user by receiving 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SEUNG W JUNG whose telephone number is (571)270-5249.  The examiner can normally be reached on Monday-Friday, 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Scott Baderman can be reached on (571)272-3644.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access 


SEUNG W. JUNG
Examiner
Art Unit 2144



/SCOTT T BADERMAN/           Supervisory Patent Examiner, Art Unit 2144