DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This is a reply to the amendment filed on 07/13/2021, in which, claim(s) 1-21 are pending. Claim(s) 1, 5, 8-12 and 19-21 are amended. No claim(s) are cancelled or newly added.
Response to Arguments
Claim Objection: 
Applicant’s arguments with respect to objection of claim(s) 8-10 and 19-21 have been considered. The objection of claim(s) 8-10 and 19-21 have been withdrawn in view of the amendment to claim.
Applicant’s arguments with respect to objection of claim(s) 2 and 13 have been considered but are not persuasive since the term “authorization rules” is previously mentioned in the claims (Claim 2 (Line 3), and claim 13 (Line 2)). No amendments to claim are found, therefore, the objection of claim(s) 2 and 13 is maintained.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicants’ arguments, see pages 7-13, filed 07/13/2021, regarding the U.S.C. 102 and 103 rejections of claims 1-21 have been fully considered and are not persuasive.
Applicants argue that “the claim, as indicated in the preamble, is directed to continuously configuring a web application firewall (WAF)… the Office Action fails to cite any section of Owens with regard to the preamble”. 
Examiner respectfully disagrees; see below (MPEP 2111.02 II),
If the body of a claim fully and intrinsically sets forth all of the limitations of the claimed invention, and the preamble merely states, for example, the purpose or intended use of the invention, rather than any distinct definition of any of the claimed invention’s limitations, then the preamble is not considered a limitation and is of no significance to claim construction. Pitney Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1305, 51 USPQ2d 1161, 1165 (Fed. Cir. 1999).
Furthermore, applicant’s arguments with respect to the new limitation of claim 1 have been considered but are moot in view of the new ground(s) of rejection.
Therefore, the rejection is maintained.

Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Claim Objections
Claims 2 and 13 are objected to because of the following informalities:  
Claim 2 (Line 6), and claim 13 (Line 5) limitation “matching the request to authorization rules” should be “matching the request to the authorization rules” since the term “authorization rules” is previously mentioned in the claims.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-2, 7-13, and 18-21 are rejected under 35 U.S.C. 103 as being unpatentable over Owens et al. (US 2021/0036991 A1) in view of Yang et al. (US 2019/0215304 A1) further in view of Emanuele Altieri (US 2008/0034212 A1).
 Regarding Claims 1, 11 and 12, Owens discloses
receiving, by the WAF,  a request directed at a protected web application, wherein the request is received from a client device associated with a trusted user account, and wherein the protected web application is protected by the WAF request 305 may be an HTTP request that includes a uniform resource locator”, [0049], “receives an incoming application request directed to the target web application”, [0053], “application requests from a trusted user (account) or client”, [0051], “the incoming application request has been previously routed from the WAF”, i.e. protected by WAF, [0057], “identifying information about the client device to the web application”); 
validating, by the WAF,  the received request ([0048], “the WAF uses the associated security rules or a portion thereof to monitor and/or validate application requests transmitted to the web application”); 
when the received request is validated, generating an authorization rule based on the received request, wherein the authorization rule allows access to a resource of the protected web application designated in the received request, wherein the generated authorization rule is included in at least one whitelist the WAF is configured with ([0033], “apply one or more security rules to the updated application request”, [0056], “The security policy may include an "authorized resource types" field which identifies types of data that are authorized to be used”, [0060], “the WAF updates the application request to indicate that the application request has been validated or secure”, [0053], “The WAF performs the analysis by applying one or more of the security rules associated with the web application… The security policy can identify, among other information, authorized sources of data for the target web application. This can be represented as a whitelist”); and 
configuring the WAF with the generated authorization rule to allow the received request and subsequent request to be directed to the resource of the protected web application ([0058], “configuring and revising the security policies and/or security rules”, [0060], “the WAF updates the application request to indicate that the application request has been validated or secure”, [0030], “resources for use by web applications”, [0033], “apply one or more security rules to the updated application request”).  
Owens does not explicitly teach but Yang teaches validating the received request based on at least a signature included in a header of the received request ([0053], “signature of a browser extension is detected in a request from a client, e.g., some browser extensions can be identified by common attributes in an HTTP (Hyper Text Transfer Protocol) request header”). 
Owens and Yang are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to validate the received request (as disclosed by Owens) based on a signature included in the header of the request (as taught by Yang). The motivation/suggestion would have been to provide the ability to specify a fine-grained security policy (Yang, [0070]).
The combined teaching of Owens and Yang does not explicitly teach but Altieri teaches
wherein the at least one signature indicates that the client device from which the request was received corresponds to the trusted user account ([0032], “A valid signature proves that the message was not tampered with, the return address of the message is valid, the sender owns the indicated return address, the sender is who he or she claims to be, and the mail server hosting the sender's account can be trusted”).
Owens, Yang and Altieri are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to validate the received request based on a signature included in the header of the request (as taught by the combined teaching of Owens and Yang) wherein the signature indicates a trusted user account (as taught by Altieri). The motivation/suggestion would have been for authenticating the sender (Altieri, [0008]).

Regarding Claims 2 and 13, the combined teaching of Owens, Yang and Altieri teaches matching the received request against authorization rules included in the at least one whitelist (Yang, [0067], “example of a configurable a security policy with 5 rules is shown in Table 1”, [0068], “Table 1 shows match criteria and actions corresponding to each of the 5 rules” included in the whitelist, see table 1 with whitelist Rule Name); and generating the authorization rule based on the received request, in response to unsuccessfully matching the request to authorization rules included in the at least one whitelist, wherein each generated authorization rule is associated with a creation timestamp (Owens, [0061], “compare the URL in the second header and compare it with the URL in the application request. If the URLs do not match then the router may drop the application request. In addition, the router may also determine whether the timestamp has expired and/or whether the application request was rerouted from the WAF”, [0047], “whether the timestamp is within the allotted time period, that is the application request is not expired. Generally, the 

Regarding Claims 7 and 18, the combined teaching of Owens, Yang and Altieri teaches wherein the trusted user account is registered and authenticated by the WAF (Owens, [0053], “application requests from a trusted user (account)”, [0055], “The security policy may include "authorized clients" field, which may identify (registered) an IP address, a MAC address, a client name, a domain name, etc. that are authorized or whitelisted to access the web application. Any other client attempting to access the web application may be rejected or blocked”).

Regarding Claims 8 and 19, the combined teaching of Owens, Yang and Altieri teaches wherein the signature is added by a monitoring agent installed on the client device as a plugin of a web browser (Yang, [0034], “a component operating in conjunction with a web browser on a client device that augments the web browser's standard functionality. A browser extension is sometimes also referred to as an "add-on," a "plug-in,"”)

Regarding Claims 9 and 20, the combined teaching of Owens, Yang and Altieri teaches identifying an address of a resource of the protected web application, wherein the address is at least a uniform resource identifier (URI); and associating an action with the identified address (Owens, [0003], “the first header uniform resource locator of the application request, and updates the uniform resource locator to indicate an address of the web application”).


Regarding Claims 10 and 21, the combined teaching of Owens, Yang and Altieri teaches wherein the resource of the protected web application includes any one of: an image, a HTML page, an XML file, a script, a downloadable file, and a library (Owens, [0026], “hardware and software computing resources that are provided as a service. Cloud computing system 220 can include information handling systems, file-based storage”, which indicates the file is downloadable from the cloud).

Claims 3 and 14, are rejected under 35 U.S.C. 103 as being unpatentable over Owens et al. (US 2021/0036991 A1) in view of Yang et al. (US 2019/0215304 A1) further in view of Emanuele Altieri (US 2008/0034212 A1) and further in view of Urmanov et al. (US 2018/0069896 A1).
Regarding Claims 3 and 14, the combined teaching of Owens, Yang and Altieri teaches authorization rule included in the at least one whitelist (Owens, [0053], “The security policy can identify, among other information, authorized sources of data for the target web application. This can be represented as a whitelist”),
The combined teaching of Owens, Yang and Altieri does not explicitly teach but Urmanov teaches updating a timestamp of an rule in response to the received request matching at least one existing rule ([0043], “When a matching tracer data structure is found in the rules database device 190, tracer matching logic 140 is configured to update a list of timestamps associated with the tracer data structure in the with a new timestamp”).  
Owens, Yang, Altieri and Urmanov are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Urmanov with the combined teaching of Owens, Yang and Altieri. The motivation/suggestion would have been to help detecting a malicious authentication attempt to the computing device by a malicious user (Urmanov, Abstract).

Claims 4 and 15, are rejected under 35 U.S.C. 103 as being unpatentable over Owens et al. (US 2021/0036991 A1) in view of Yang et al. (US 2019/0215304 A1) further in view of Emanuele Altieri (US 2008/0034212 A1) and further in view of Urmanov et al. (US 2018/0069896 A1) and further in view of Barzilai et al. (US 2002/0104015 A1).
Regarding Claims 4 and 15, the combined teaching of Owens, Yang, Altieri and Urmanov does not explicitly teach but Barzilai teaches periodically culling authorization rules, wherein the timestamp of an authorization rule indicates that a period of time exceeding a threshold has lapsed ([0078], “A garbage collector 64 periodically deletes outdates policies in repository”).
Owens, Yang, Altieri, Urmanov and Barzilai are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Barzilai with the combined teaching of Owens, Yang, Altieri and Urmanov. The motivation/suggestion would have been to provide comprehensive .

Claims 5-6 and 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Owens et al. (US 2021/0036991 A1) in view of Yang et al. (US 2019/0215304 A1) further in view of Emanuele Altieri (US 2008/0034212 A1) and further in view of Beddus et al. (US 2019/0014114 A1).
Regarding Claims 5 and 16, the combined teaching of Owens, Yang and Altieri does not explicitly teach but Beddus teaches wherein the signature is a hash message authentication code (HMAC), generated by the client device using a an authentication process ([0045], “derived from an algorithm such as Time-based One-time Password Algorithm (TOTP),…to generate a hash-based message authentication code (HMAC)”).
Owens, Yang, Altieri and Beddus are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Beddus with the combined teaching of Owens, Yang and Altieri. The motivation/suggestion would have been to ensure that any user intercepting communications using the key cannot use the intercepted communication as a model for a rogue communication emulating the genuine originator of the original message (Beddus, [0045]).

Regarding Claims 6 and 17, the combined teaching of Owens, Yang, Altieri and extracting the signature from the header from the received request (Yang, [0053], “signature of a browser extension is detected in a request from a client, e.g., some browser extensions can be identified by common attributes in an HTTP (Hyper Text Transfer Protocol) request header”); and 
verifying the extracted signature using the authentication process, wherein the authentication process is a time-based one-time password (TOTP) (Beddus, [0045], “derived from an algorithm such as Time-based One-time Password Algorithm (TOTP),…to generate a hash-based message authentication code (HMAC)”, [0012], “to verify the authenticity of the remote terminal”).  

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will .
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186.  The examiner can normally be reached on Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497