Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This office action is in response to application filed 7/31/2019. Claims 1-20 are currently pending and claims 1, 8, and 15 are the independent claims.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because:
As per independent claim 15, it recites “A computer program product being tangibly stored on a non-transient machine-readable medium and comprising machine-executable instructions, the instructions, when executed on a device, causing the device to perform actions including…” As such, with broadest reasonable interpretation, the claimed computer program product may be interpreted as machine-executable instructions/software/code/etc., which is being stored on a non-transitory machine-readable medium, and not necessarily the non-transitory machine-readable medium itself. Accordingly, with broadest reasonable interpretation, the claimed computer 
As per dependent claims 16-20, they incorporate the deficiencies of independent claim 15 and fail to correct the deficiency of independent claim 15, and therefore are rejected for the same reasoning as independent claim 15, above. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-11, 13-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Reshef et al. (herein called Reshef) (US Patent 6,584,569 B2) and Sharifi Mehr et al. (herein called Sharifi) (US Patent 9,749,305 B1).

As per claim 1, Reshef teaches a computer-implemented method comprising:
receiving, by one or more processors, a first request for a target application from a first user (col. 2 lines 60-col. 3 line 5, col. 4 lines 5-20, col. 6 lines 25-40, col. 7 lines 35-65, col. 8 lines 60-col. 9 line 5, web applications interface with external clients which make web/http requests to the web application, and the requests are identified/logged/etc. (receive request for target application from user) and changed/mutated/etc. to create mutated request which are used to test the application.); 
generating, by one or more processors, a first malicious request by modifying the first request, the first malicious request associated with a malicious action on the target application (col. 3 lines 1-5, col. 4 lines 8-25, col. 7 lines 60-67, col. 9 lines 60-col. 10 line 50, client/http/user request is mutated/modified according to rules/security flaws/vulnerabilities/etc. to create mutated requests representing “hacks” which are used to test the security of the application (generate malicious/mutated request associated with malicious action/security flaw/vulnerability/hack/etc. on application by modifying/mutating client/user/first request which is used to test the application security).); 
sending, by one or more processors, the first malicious request to an instance of the target application (col. 4 lines 15-30, col. 10 lines 40-67, mutated/malicious request 
determining, by one or more processors, a first security level of the target application against the malicious action, based on a first response generated by the offline instance in response to the first malicious request (col. 4 lines 20-30, col. 10 lines 55-col. 11 line 10, response to mutated/first malicious request is received and analyzed, and results are ranked by severity and success rating/potential vulnerability is assigned a success and severity rating/attack score based on success probability to mutation rule is determined/determination is made as to whether attack was successful or if application withstood the attack/etc. (determine first security level of application against the malicious action/severity and success rating/attack score based on success probability/whether application withstood attack/etc. based on first response generated by the instance in response to the malicious/mutated request). And as Sharifi teaches that the application may be tested offline, it is obvious that the mutated/malicious request is sent to an offline instance of the application to test the security of the application, and as such the response is generated by an offline instance of the application in response to the malicious request.).
While Reshef teaches testing a web application by sending mutated/malicious requests to the application and analyzing the application's response/reply, it does not explicitly state that the application may be tested offline, and as such does not explicitly state the following; however, Sharifi teaches:
sending, by one or more processors, the first malicious request to an offline instance of the target application (col. 6 lines 45-46, browser application/web 
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Reshef such that the web/target application is tested offline, as conceptually taught by Sharifi, to create sending, by one or more processors, the first malicious request to an offline instance of the target application, because these modifications allow for the application to be tested offline in a controlled environment, which is desirable as it helps allow for security flaws/vulnerabilities/errors/etc. to be determined and corrected in a controlled environment where outside/other/malicious/etc. users are not attempting to exploit vulnerabilities/hack the application/etc. as they may be able to when the application is online, thereby helping to ensure the security of the application by helping to ensure that errors/vulnerabilities/security flaws/etc. are found and corrected before they may be exploited by malicious users/in undesirable ways/etc.

As per claim 2, Reshef further teaches:
generating, by one or more processors, a second malicious request by modifying the second request, the second malicious request associated with the same malicious action on the target application as the first malicious request (col. 3 lines 1-5, col. 4 lines 
sending, by one or more processors, the second malicious request to the instance (col. 4 lines 15-30, col. 10 lines 40-67, mutated/malicious request is sent to website/application (send malicious request to instance of target application) and response/reply is received and used to determine potential security vulnerability. As Sharifi teaches that multiple users send http requests to the application, as seen below, it is obvious to repeat Reshef’s sending of the malicious request to the web application for the second malicious request to perform further testing.);
determining, by one or more processors, a second security level of the target application against the malicious action, based on a second response generated by the offline instance in response to the second malicious request (col. 4 lines 20-30, col. 10 lines 55-col. 11 line 10, response to mutated/malicious request is received and analyzed, and results are ranked by severity and success rating/potential vulnerability is 
While Reshef teaches mutating/modifying user requests according to mutation rules/published security flaws/vulnerabilities/etc. to generate mutated/malicious requests to perform testing on web applications, it does not explicitly state that there may be requests from multiple users, and as such does not explicitly state the following; however, Sharifi teaches:
receiving, by one or more processors, a second request for the target application from a second user different from the first user (col. 5 lines 50-col. 6 line 50, destination server/web server/etc. provides web pages/files/web applications/etc. to various users (multiple users including a first and second user) who submit http requests to the web server/website/application that include user-agent header and cipher suites  to identify user and cryptographic process that is to be used for communication with the user client, and server/application/website/etc. includes a database of entries for each known 
sending, by one or more processors, the second malicious request to the offline instance (col. 2 lines 18-60, col. 3 line 30-65, col. 4 line 25-48, col. 5 lines 33-40, col. 6 lines 45-46, col. 10 lines 35-60, application/server/etc. is tested offline in controlled environment and user client submits http request that includes user-agent header and cipher suites to server/application etc. which analyzes request/received user-agent header and cipher suite/etc. and determines that the request has been forged/manipulated/etc. and may be a nefarious user attempting to access proprietary data with the server/application/etc. (malicious http request is sent to the instance/application web server). As multiple users send requests to the server/application/etc. it is obvious that the forged/manipulated/malicious request may be from a second user and therefore is a second malicious request, and as the application/server/etc. is tested offline in a controlled environment and Reshef teaches submitting malicious/mutated/etc. requests to test application, it is obvious that the second malicious request is sent to the offline instance.); and
identifying, by one or more processors, a malicious user from the first and second users by comparing the first and second security levels (col. 2 lines 33-60, col. 4 lines 10-45, col. 6 lines 34-50, col. 10 lines 35-60, database of known user-agent headers and cipher suites is generated/built/etc. from received http requests (first 
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Reshef such that requests are sent from multiple users, as conceptually taught by Sharifi, to create receiving, by one or more processors, a second request for the target application from a second user different from the first user; sending, by one or more processors, the second malicious request to the offline instance; and identifying, by one or more processors, a malicious user from the first and second users by comparing the first and second security levels, because these modifications allow for identification of malicious/unauthorized/etc. users that are attempting to gain access to content provided by the application, thereby helping to increase the security of content provided by the application and ensure that it is only accessed by desired/authorized/etc. users.

As per claim 3, Reshef further teaches: 
forwarding, by one or more processors, the first request to the target application (col. 6 lines 25-50, col. 7 lines 1-20, request/http request is sent/forwarded/etc. to web application/web server/etc. (forward first request to target application) which provides 
forwarding, by one or more processors, to the first user an application response generated by the target application in response to the first request (col. 6 lines 29-42, col. 7 lines 1-20, operator/client browser/etc. (first user) sends http request to web server/web application which returns/replies with a response that is received and logged (forward application response generated by the target application in response to the first request to the first user).).

As per claim 4, Reshef further teaches: wherein generating the first malicious request comprises: 
modifying, by one or more processors, at least a portion of the first request according to a characteristic of the malicious action (col. 4 lines 8-20, col. 7 lines 60-67, col. 9 line 60-col. 10 line 40, mutation rules are used to mutate/modify http request/first request/at least a portion of first request into mutated/modified http request (malicious request) with changed/modified parameters based on published security flaws/vulnerabilities/etc. (according to characteristic of malicious action).).

As per claim 6, Reshef further teaches: 
in response to the first security level being below a predetermined threshold level, providing, by one or more processors, an indication of a potential vulnerability associated with the malicious action (col. 11 lines 5-10, lines 25-45, attack score are based on attack results and a success probability assigned to mutation 

As per claim 7, Reshef further teaches: wherein the target application is an online web application and the first request is a Hyper Text Transport Protocol (HTTP) request (col. 2 lines 43-67, col. 4 lines 1-25, col. 6 lines 25-40, col. 7 lines 35-65, web application hosted on web server/web application server (online web application) interface with external clients and receive/are sent HTTP requests (request is hyper text transport protocol/HTTP request).).

As per claims 8-11, and 13-14, they recite systems having similar limitations to the methods of claims 1-4, and 6-7, respectively, and are therefore rejected for the same reasoning as claims 1-4, and 6-7, respectively, above. 


Claims 5, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Reshef et al. (herein called Reshef) (US Patent 6,584,569 B2) and Sharifi Mehr et al. (herein called Sharifi) (US Patent 9,749,305 B1) in further view of Amit et al. (herein called Amit) (US PG Pub. 2013/0167237 A1).

As per claim 5, Reshef further teaches: wherein determining the first security level comprises: 
comparing, by one or more processors, the first response with a predetermined response to the malicious action (col. 10 lines 50-col. 11 line 45, reply/response to mutated/malicious request is received and analyzed to determine rating and severity of the potential vulnerability, and rating is based on recognition of keywords in the response, i.e. http response that includes pre-defined keywords such as “error”, “sorry”, “not found”, etc. (predetermined response to malicious action) indicates that application withstood attack while responses that do not include pre-defined keywords indicates that attack was successful. As the response to the mutated/malicious request/action is analyzed for/compared to/etc. pre-determined keywords/response to determine if the attack was successful it is obvious that the response is compared with a predetermined response to the malicious action.).

in response to determining a match between the first response and the predetermined response, associating, by one or more processors, the target application with a potential vulnerability for the malicious action (pars. [0039]-[0041], [0056]-[0057], request/payload/etc. is submitted to web service/application that simulates an attack, web service/application processes the request and provides a response, and response is compared with expected/predetermined response characteristic of a vulnerability, and when the response is consistent with/matches the expected/predetermined response determination is made that the web service/application is vulnerable to the attack (associate target application with potential vulnerability for the malicious action/attack in response to determining a match between the first response and the predetermined response.).
Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to add in response to determining a match between the first response and the predetermined response, associating, by one or more processors, the target application with a potential vulnerability for the malicious action, as conceptually taught by Amit, into that of Reshef and Sharifi because these modifications allow for an effective and efficient method of identifying vulnerabilities in the application based on responses/replies known to be characteristic of vulnerabilities, thereby increasing the effectiveness of the testing of the application by helping to identify vulnerabilities/security flaws/etc. for correction.
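The response analysis the office action attributes to Reshef (claims 5 and 6: a reply containing a predetermined keyword such as “error”, “sorry” or “not found” indicates the application withstood the test request, a reply lacking one is scored as a successful attack, and a security level below a threshold triggers a vulnerability indication) can be made concrete as a small analysis routine. The following is an added example written for this page; it is not code from the office action, the application, or the Reshef, Sharifi, or Amit patents. The keyword list beyond the three quoted keywords, the per-rule severity weights, the 0.5 threshold and the sample responses are all constructed assumptions.

```python
"""Added example (not from the office action or the cited patents):
score an application's responses to test requests by comparing each
response with a predetermined keyword set, then flag the mutation rules
whose resulting security level falls below a threshold."""
from dataclasses import dataclass

# Predetermined response keywords. The first three are the ones quoted
# in the office action; "forbidden" and "bad request" are constructed
# additions for illustration.
WITHSTOOD_KEYWORDS = ("error", "sorry", "not found", "forbidden", "bad request")

# Constructed severity weight per mutation rule (0..1); a success
# probability of this kind is what the office action calls an attack score.
RULE_SEVERITY = {"sql_quote": 0.9, "path_traversal": 0.8, "long_param": 0.4}


@dataclass
class TestResult:
    rule: str
    withstood: bool
    security_level: float  # 1.0 = withstood; lower = more exposed


def withstood_attack(response_body: str, keywords=WITHSTOOD_KEYWORDS) -> bool:
    """Compare the response with the predetermined keyword set (claim 5)."""
    body = response_body.lower()
    return any(k in body for k in keywords)


def security_level(rule: str, response_body: str) -> TestResult:
    """Security level against one malicious action: 1.0 if the response
    contains a predetermined keyword, otherwise reduced by the rule's
    assumed severity."""
    ok = withstood_attack(response_body)
    level = 1.0 if ok else 1.0 - RULE_SEVERITY.get(rule, 0.5)
    return TestResult(rule, ok, round(level, 2))


def vulnerability_indications(results, threshold: float = 0.5):
    """Rules whose security level is below the threshold (claim 6)."""
    return [r.rule for r in results if r.security_level < threshold]


# Constructed sample responses; not captured from any real application.
SAMPLE_RESPONSES = {
    "sql_quote": "HTTP/1.1 500\n\nInternal Server Error: syntax error near ''",
    "path_traversal": "HTTP/1.1 200\n\n<html><body>Profile updated.</body></html>",
    "long_param": "HTTP/1.1 400\n\nBad Request",
}


def run_samples():
    """Score every constructed sample; returns a list of TestResult."""
    return [security_level(rule, body) for rule, body in SAMPLE_RESPONSES.items()]


if __name__ == "__main__":
    results = run_samples()
    for r in results:
        print(r)
    print("vulnerability indications:", vulnerability_indications(results))
```

Under these assumptions the constructed `sql_quote` and `long_param` responses contain a keyword and score 1.0, while the `path_traversal` response contains none and scores 0.2, so only `path_traversal` is reported. A practitioner would treat the keyword oracle as a coarse first pass: as summarised in the office action, a generic error page counts as the application withstanding the request, so a response that changed from the unmodified request's response, even when it contains “error”, still deserves review alongside the scored result.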


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DOUGLAS M SLACHTA whose telephone number is (571)270-0653. The examiner can normally be reached Monday-Friday 6:30am-4pm.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on 571-272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 
/DOUGLAS M SLACHTA/Examiner, Art Unit 2193