DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This office action is a response to an application filed 04/29/2021. This application claims wherein claims 1 – 7 are pending and ready for examination.

Response to Arguments
Applicant’s arguments, see Remarks, filed 05/31/2020, with respect to the 35 USC § 101 rejections of claims 1-5 have been fully considered and are persuasive, and the rejections are withdrawn due to applicant’s amendments. With respect to the rejection of claims 1, 6, and 7 under 35 USC § 101 as being directed to an abstract idea with significantly more, the examiner is persuaded by applicant’s arguments that driver 212 renders the claims into a practical application, and therefore the rejection is withdrawn. With respect to the rejection of claim 2 under 35 U.S.C. § 112, the rejection is withdrawn due to applicant’s amendments. With respect to the rejection of claims 1-7 under 35 U.S.C. 103, applicant’s amendments have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Gupta; Satya Vrat, US 20160337400 A1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta; Satya Vrat, US 20160337400 A1, November 17, 2016, hereafter referred to as Gupta in view of Abbasi; Fahim H. et al, US 20170083703, March 23, 2017, hereafter referred to as Abbasi.

As to claim 1, Gupta teaches a computer implemented method to identify a malicious database request – Gupta [0043] FIG. 3A illustrates a flowchart depicting an example method of detecting (and preventing) injection attacks) with a computer platform including computing hardware of at least one processor and memory operably coupled to the at least one processor - Gupta [0157] FIG. 9 is a diagram of an example internal structure of a computer (e.g., client processor/device 50 or server computers 60. Here, the claimed ‘processor and memory’ is taught by Gupta as ‘internal structure’ illustrated for both client/server device), the method comprising:
receiving, using the computing platform, a database query for retrieving data from a database – Gupta [0046] Once a golden table is present at the analysis engine…, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure. Here, the claimed ‘database query’ is taught by Gupta as ‘database entries’ whereas the claimed ‘retrieving’ is taught by Gupta as ‘capture’);
classifying, using the computing platform, the received database query based on query instructions contained in the database query to identify a class of query for the database query – Gupta [0046] … The instrumentation engine or analysis engine checks each captured web request …to determine if it matches a valid web request when cross correlated against the golden table. Here, the claimed ‘classifying’ is suggested by Gupta as ‘cross correlated’ because the queries in the golden table are in a ‘valid’ class whereas the claimed ‘class’ is akin to Gupta’s ‘golden table’ defined by Gupta as ‘valid web requests’ containing golden references for all application requests), the class of query having associated attributes defining expected characteristics of queries of the class when executed by the database – Gupta [0041] …the information of the respective database queries (or other database activities) correlated/matched to a particular user, user data, context, URL, and session may be sent to an analysis engine (or security monitoring agent in other example embodiments) to check for a potential database injection attack (e.g., SQL injection attack. Here, the claimed ‘expected characteristics’ is taught by Gupta as ‘user data, context, URL’ because these characteristics must match data stored in the golden table; the claimed ‘class of query’ is taught by Gupta as ‘correlated/matched’ because a criterion classifies the query);
monitoring, using the computing platform, characteristics of the received database query executed to retrieve data from the database - Gupta [0043]… security monitoring agent forms the golden table to prepare for detecting and preventing injection attacks that trigger invalid database queries. Here, the claimed ‘characteristics’ is taught by Gupta as ‘injection attacks’ whereas the claimed ‘data’ is the SQL query); and
responsive to a determination that the monitored characteristics deviate from the expected characteristics, identifying, using the computing platform, the database query as malicious – Gupta [0050]… If the URL match fails, at step 311, the instrumentation engine checks for code at the URL path (e.g., methods of the web application for processing the web request), and if no such code exists for the web application, the instrumentation engine may communicate with the analysis engine, at step 312, to declare an attack; and
responsive to the database query being identified as malicious, implementing, using the computing platform, at least one protective measure. GUPTA SUGGESTS classifying, using the computing platform, the received query based on database query instructions contained in the database query to identify a class of query for the database query HOWEVER ABBASI TEACHES
classifying, using the computing platform, the received database query based on query instructions contained in the database query to identify a class of query for the database query – Abbasi [0059]…a class label may be assigned to the malware testing dataset 282. The class label may be determined by querying a label …A response to the query to the label database may include one or more known malware class labels that are used by different security vendors to identify the dataset associated with the sample 215. Here, the claimed ‘class of query’ is taught by Abbasi as ‘class label’ because queries are identified/associated with a known class type such as sample 215. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Gupta’s Golden Table construct to include Abbasi’s class constructs. Gupta already attempts to identify SQL injections targeted to exploit specific vulnerabilities in target applications. Gupta with Abbasi now has a classification mechanism which would allow the detection of malware in a more timely fashion as taught by Gupta at location [0002]).

As to claim 2, the combination of Gupta and Abbasi teaches the method of claim 1 wherein the class of query further comprises a class query including the query instructions of the received database query – Gupta [0035] SQL injection attacks succeed because without having a deep understanding of the application, a cyber-security solution cannot determine if a malicious actor has inserted additional expressions into an SQL query. Here, the claimed ‘query instructions’ is taught by Gupta as ‘SQL’ because the protocol provides for a ‘where clause’ which one of ordinary skill in the art would understand contains the instructions of the query) and the expected characteristics are defined based on the execution of the class query – Gupta [0035] …Cyber-security solutions, such as web application firewalls and intrusion detection/prevention engines, may only detect SQL keywords in web requests. Here, the claimed ‘expected characteristics’ is taught by Gupta as ‘may only detect’ because the instructions are not thought to return nothing but what is expected).

As to claim 3, the combination of Gupta and Abbasi teaches the method of claim 1 wherein the database query is received from a software application – Gupta [0045] using the extracted methods and corresponding data types for the expression parameters, the instrumentation engine may form the web requests for the web application) and responsive to the determination the software application is identified as a malicious application – Gupta [0041] ….the analysis engine may use the matched information (together with a generated golden table or AppMap table) to perform deep context aware searches for detecting a database injection attack. Here, the claimed ‘software application’ is taught by Gupta as ‘injection attack’ whereas the claimed ‘identified’ is taught by Gupta as ‘detecting’).

As to claim 4, the combination of Gupta and Abbasi teaches the method of claim 3, wherein the at least one protective measure includes rejecting subsequent queries received from the identified malicious application - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations. For this purpose, all new events and event chains are loaded into the Event Upgrade Server 735. Here, the claimed ‘protective measure’ is taught by Gupta as ‘remedial action’ whereas the claimed ‘subsequent queries’ are taught by Gupta as ‘new events’ whereby the claimed ‘rejecting’ is taught by Gupta as ‘remedial actions’).

As to claim 5, the combination of Gupta and Abbasi teaches the method of claim 1 wherein the at least one protective measure includes rejecting subsequent queries belonging to the same class as the received database query - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations. Here, the claimed ‘protective measure’ is taught by Gupta as ‘severity and remedial action’ whereas the claimed ‘same class’ are taught by Gupta as ‘event chains’) and having attributes determined to be similar to attributes of the received database query – Gupta [0071] …the output of the captured database query may also be referenced against an additional file on the REGEX engine to determine whether the captured query output matches valid output (e.g., in format or content) for the query) based on predetermined threshold degree of similarity of attributes – Gupta [0073] In addition, these cyber security tools depend on security analysts to set the threshold of events that signify an attack. Here, the claimed ‘attributes’ are taught by Gupta as ‘events’ because the forensics of the events are captured/classified as further taught by Gupta at [0074]).

As to claim 6, claim 6 is a system that is directed to the method of claim 1. Therefore, claim 6 is rejected for the reasons as set forth in claim 1.

As to claim 7, claim 7 is a non-transitory computer readable medium that is directed to the method of claim 1. Therefore, claim 7 is rejected for the reasons as set forth in claim 1.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/WILLIAM B JONES/ Examiner, Art Unit 2491
7/8/2021
/DANIEL B POTRATZ/ Primary Examiner, Art Unit 2491