Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendments
The amended claims 1, 3-8, 10-15 and 17-23 were considered under 35 USC 112, 101 and 103 for patentability over the closest and analogous prior art, Dinerstein et al. (US 20180084007), hereafter Din, and Varsanyi et al. (US 9185125), hereafter Var. Applicant's arguments have been fully considered and are persuasive. Claim(s) 2, 9 and 16 is/are cancelled.

Allowable Subject Matter
1.	Amended claims 1, 3-8, 10-15 and 17-23 are allowed in light of applicant’s arguments, approved examiner’s proposed amendments and in light of prior art(s) made of record. 

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.  Authorization for this examiner’s amendment was given in an interview with David Judson (attorney) for filed amended claims on 09-10-2021:
1.	(currently amended) A method operative in a security system wherein client requests directed to a monitored system are examined for validation against a security policy, the security system including a parser, comprising:
	receiving and analyzing a client request; 
 the client request from the monitored system; and
determining whether the response has an associated syntax error; 
based on a determination that the response does not have the associated syntax error, the parser self-extending its grammar by discovering a syntax pattern that caused the syntax error and automatically updating the grammar to reflect the discovered syntax pattern; and
filtering the syntax error;
	wherein the parser extends its grammar dynamically while continuing to operate as client requests are received and processed by the security system.      

2.	(cancelled)  

3.	(currently amended) The method as described in claim 1 further including parsing the client request against a security policy after the grammar has been updated.  

4.	(original) The method as described in claim 1 wherein the syntax error results from an installed version of the monitored system having been updated without patching of the parser.  

5.	(original) The method as described in claim 1 wherein the security system is a database access control system, and the monitored system is a database server.  

: 
classifying the syntax error as a false positive


7.	(original) The method as described in claim 1 wherein the syntax error is that the client request includes a syntax construct that is unknown to the parser of the security system.  

8.	(currently amended) Apparatus configured as a security system that examines client requests directed to a monitored system for validation against a security policy, the security system including a parser, comprising:
	a processor; 
computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to:
receive and analyze a client request; 
upon detecting that the client request has a syntax error, evaluate a response to the client request from the monitored system; 
determine whether the response has an associated syntax error; 
based on a determination that the response does not have the associated syntax error, control the parser to self-extend its grammar by discovering a syntax pattern that caused the syntax error and automatically updating the grammar to reflect the discovered syntax pattern; and
filter the syntax error;
	wherein the parser extends its grammar dynamically while continuing to operate as client requests are received and processed by the security system.  

9.	(cancelled)  

10.	(currently amended) The apparatus as described in claim 8 wherein the computer program code is further configured to parse the client request against a security policy after the grammar has been updated.



12.	(original)  The apparatus as described in claim 8 wherein the security system is a database access control system, and the monitored system is a database server.  

13.	(currently amended)  The apparatus as described in claim 8 wherein the program code is further configured to:
classify the syntax error as a false positive


14.	(original)  The apparatus as described in claim 8 wherein the syntax error is that the client request includes a syntax construct that is unknown to the parser of the security system.  


receive and analyze a client request; 
upon detecting that the client request has a syntax error, evaluate a response to the client request from the monitored system; 
determine whether the response has an associated syntax error; 
based on a determination that the response does not have the associated syntax error, control the parser to self-extend its grammar by discovering a syntax pattern that caused the syntax error and automatically updating the grammar to reflect the discovered syntax pattern; and
filter the syntax error;
	wherein the parser extends its grammar dynamically while continuing to operate as client requests are received and processed by the security system.  

16.	(cancelled)  

17.	(currently amended) The computer program product as described in claim  15 wherein the computer program code is further configured to parse the client request against a security policy after the grammar has been updated.  

18.	(original)  The computer program product as described in claim 15 wherein the syntax error results from an installed version of the monitored system having been updated without patching of the parser.  

19.	(original)  The computer program product as described in claim 15 wherein the security system is a database access control system, and the monitored system is a database server.  


classify the syntax error as a false positive


21.	(original)  The computer program product as described in claim 15 wherein the syntax error is that the client request includes a syntax construct that is unknown to the parser of the security system.  

22.	 (currently amended)  A security system operated in association with a monitored system, comprising:
a software-based security mechanism executed in hardware and configured to: (a) receive a query for validation against a security policy; (b) make a determination that the query so received has a syntax error that is not also recognized as such by the monitored server; (c) thereafter, and responsive to the determination, self-extend a parsing grammar used by the security mechanism and filter the syntax error; and (d) apply the self-extended parsing grammar to the query.

23.	(original)  The security system as described in claim 22 wherein the monitored system is a database, and the security mechanism comprises a protocol analyzer, and a statement/command parser, the parsing grammar being implemented by the statement/command parser.  

Reasons for Allowance
The following is an examiner’s statement of reasons for allowance: 
As to the independent claim 1, the prior art of reference Din teaches [0006] the injector detector is configured to determine whether the received database statement is syntactically correct and can be properly parsed; [0041] If the database statement is syntactically incorrect, the injection detector is configured to identify one or more previously saved syntactic patterns that match the erroneous database statement; [0044] if replacing an injection point in a syntactic pattern with the query term..., and the query term contains comments, reference to system resources, or other suitable signatures or checks if execution of the database statement leads to run-time error; [0008, 0044] the query term contains comments, reference to system resources, or other suitable signatures or if execution of the database statement leads to run-time error the injection detector indicates that the database statement is an injection attack, and update a corresponding vulnerability record by incrementing an attack count, the injection detector raises an alarm, issues a notification, discards the database statement or performs other suitable preventive actions.

Further, a second prior art of record Var teaches col. 9 lines 15-21, Fig. 14: analyzer determines if the request and response messages have any (col. 26 lines 50-58) associated syntactic, semantic and/or lexical issues; col. 87 lines 66-67: After sending the extracted response information to database firewall (col. 88 lines 1-5), it determines that the response is legitimate, it forwards the unaltered response and (col. 27 lines 40-44) operator interface provides... the ability to direct the analytical algorithms to learn specific instances of operations (SQL 

None of the other prior art of record, by itself or in any combination, would have anticipated or rendered obvious the claimed invention of the present application at or before the time it was filed. The prior art of record fails to teach a security system protecting a monitored system that is configured to self-update (extend) a statement/command parser grammar dynamically. To accomplish this, the security system uses the monitored system itself as a syntax validator (on the parser's behalf), without requiring any changes or modifications to the monitored server. The security system comprises a protocol analyzer and the parser. The protocol analyzer extracts a statement/command from a received request and passes it to the parser. If no parser syntax error is found, the statement/command is validated against a security policy. If a parser syntax error occurs, however, the system examines a response from the monitored system to determine whether the parser syntax error is a "false positive." If so, the parser then self-extends its own grammar automatically to correct for the parser syntax error. Once its grammar is updated, the parser is then able to process the original request.

Therefore, independent claim 1 and its corresponding dependent claims are allowed in light of applicant’s arguments, approved examiner’s amendments and prior arts of record. The same amendments and reasoning are applicable to independent claim(s) 8, 15 and 22 mutatis mutandis.  Claim(s) 2, 9 and 16 is/are cancelled.
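
The control flow summarized in the reasons for allowance can be sketched as follows. This is an added illustration, not code from the application or the cited references. It assumes a toy grammar (a set of accepted uppercase keywords), a constructed server response carrying an `sqlstate` field with `42601` taken as the server's syntax-error code, and hypothetical names `Parser`, `policy_allows` and `handle`; the request and its response are processed together for simplicity.

```python
import re

SYNTAX_ERROR_SQLSTATE = "42601"  # assumption: code the monitored server uses for syntax errors

class Parser:
    """Toy statement parser whose grammar is a set of accepted keywords."""
    def __init__(self, keywords):
        self.keywords = set(keywords)

    def unknown_constructs(self, stmt):
        # Toy lexer: UPPERCASE words are keywords, everything else is an operand.
        return [w for w in re.findall(r"\b[A-Z]+\b", stmt) if w not in self.keywords]

    def extend(self, constructs):
        # Self-extension: the discovered constructs become part of the grammar.
        self.keywords.update(constructs)

def policy_allows(stmt, blocked_tables):
    # Toy security policy: deny any statement that names a blocked table.
    tables = re.findall(r"\b(?:FROM|INTO|UPDATE)\s+(\w+)", stmt)
    return not any(t in blocked_tables for t in tables)

def handle(parser, stmt, server_response, blocked_tables):
    """Return (verdict, learned_constructs) for one request/response pair."""
    learned = []
    unknown = parser.unknown_constructs(stmt)
    if unknown:
        if server_response.get("sqlstate") == SYNTAX_ERROR_SQLSTATE:
            # The monitored server also rejects it: a real syntax error.
            return "syntax_error", learned
        # Server accepted it: parser false positive, so learn and re-parse.
        parser.extend(unknown)
        learned = unknown
        if parser.unknown_constructs(stmt):
            return "syntax_error", learned
    # Policy validation runs only on statements the grammar now covers.
    return ("allow" if policy_allows(stmt, blocked_tables) else "deny"), learned

if __name__ == "__main__":
    p = Parser({"SELECT", "FROM", "WHERE"})
    blocked = {"payroll"}
    # Constructed sample traffic: (statement, monitored-server response).
    traffic = [
        ("SELECT name FROM staff FETCH FIRST 5 ROWS ONLY", {"sqlstate": None}),
        ("SELECT card FROM payroll FETCH FIRST 1 ROWS ONLY", {"sqlstate": None}),
        ("SELEC name FROM staff", {"sqlstate": "42601"}),
    ]
    for stmt, resp in traffic:
        print(handle(p, stmt, resp, blocked), "<-", stmt)
```

The second sample statement uses syntax learned from the first and is then denied by policy, while the third leaves the grammar unchanged because the server reports the same syntax error.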



Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Badri -- Champakesan whose telephone number is (571)270-3867.  The examiner can normally be reached on M-F: 7:45am-5pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T. Arani can be reached on 5712723787.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to 



/BADRINARAYANAN /Primary Examiner, Art Unit 2496.