Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This is in response to the amendments filed on 09/13/202.  Claims 1, 3-7 have been amended.  Claims 1-7 are pending and have been considered.

Priority
16479924, filed 07/23/2019 is a national stage entry of PCT/JP2018/002532, International Filing Date: 01/26/2018; claims foreign priority to 2017-015951, filed 01/31/2017.

Drawings
The drawings filed on 07/23/2019 are accepted.

Specification
The specification filed on 06/20/2019 is accepted.

Response to Arguments
Applicant’s arguments, with respect to “Claim Objection to claims 3, 5 and 6” have been fully considered and are persuasive.  The objection to the claims has been withdrawn in view of the amendment to the claims. 
Applicant’s arguments, with respect to “Claim Rejections - 35 USC § 101”, remarks pages 5-6, have been fully considered and are not persuasive because the claim recites the limitations of comparing keywords characterizing the vulnerability and keywords included in a request used for an attack and determining that the request is a zero day attack when a value of a score indicating a level of degree of inclusion of same keywords as the keywords characterizing the vulnerability in the request is smaller than a predetermined threshold. This limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “a processor coupled to the memory,” nothing in the claim element precludes the step from practically being performed in the mind. For example, but for the “by a processor coupled to the memory and programmed to execute a process” language, the claim encompasses a user simply comparing keywords characterizing vulnerability to keywords included in the request and determining whether the request is a zero day attack or not in his/her mind. The mere nominal recitation of a generic computer does not take the claim limitations out of the mental processes grouping. Thus, the claim recites a mental process. The claims have been amended to specify that a zero day attack is an attack for which a countermeasure has not been established; the examiner further notes that the additional step is no more than mere instruction to apply the exception using a generic computer component (processor coupled to the memory). Accordingly, even in combination, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.
Applicant’s arguments with respect to the newly amended independent claims, namely that the prior art fails to teach the newly added limitations (remarks pages 6-7), have been fully considered but are moot in view of the new prior art to Bu et al U.S. 2014/0380473 A1. See the rejection below; Bu et al teaches the newly added limitations (see Figs. 8 & 9 and par. 72-75).

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


The claimed invention is directed to an abstract idea without significantly more. The claim recites the limitation of “extracting keywords characterizing a vulnerability from known vulnerability information and comparing the keywords characterizing the vulnerability and keywords included in a request
This judicial exception is not integrated into a practical application. In particular, the claim only recites one additional element – using a processor to perform the determining and the comparing steps. The processor is recited at a high level of generality (i.e., as a generic processor performing a generic computer function of comparing keywords characterizing vulnerability and determining a zero day attack). This limitation, as drafted, is a process that, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting “a memory and a processor”, nothing in the claim element precludes the steps from practically being performed in the mind. For example, but for the “by memory” language, the claim encompasses a user simply comparing the extracted keywords to keywords characterizing vulnerability and determining 0-day attack in his/her mind. The mere nominal recitation of a generic processor does not take the claim limitation out of the mental processes grouping. Thus, the claim recites a mental process. Accordingly, this additional element does not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea. The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the comparing and the determining step amounts to no more than mere instructions to apply the exception using a generic computer
Regarding dependent claims 2-5, the claims provide more detail on how the characteristics of the keywords are specified. As discussed above with respect to integration of the abstract idea into a practical application, the additional element of using a processor to perform the comparing and determining step amounts to no more than mere instructions to apply the exception using a generic computer component. Mere instructions to apply an exception using a generic computer component cannot provide an inventive concept. The claims are not patent eligible.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, and 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Sato et al U.S. 2016/0140344 A1 in view of Yang 9,479,526 B1 in further view of Bu et al U.S. 2014/0380473 A1.
Claim 1: Sato et al teaches a determination apparatus comprising:
 a memory (Fig.6, item 1010, par. 80); and
Fig.6, par.80-82) comprising: 
extracting keywords characterizing a vulnerability from known vulnerability information (par.11, 36, 74, a keyword is extracted from the referrer security information respectively for the classification of vulnerability. The security dictionary storage unit 13 stores therein a collection of keywords related to a security field to be referred to when relevance of security information is determined. The security dictionary storage unit 13 stores therein the security dictionary storing therein keywords related to security for each attribute, and for example, stores therein a vulnerability dictionary); and 
comparing the keywords characterizing the vulnerability and keywords included in a par.6, 41-42, 49, 51-53, the security information management device 10 then extracts a keyword from referrer security information that becomes a source to be compared with security information for relevance thereto, by referring to a security dictionary storing therein a keyword related to security for each attribute, and calculates relevance between the referrer security information and the security information, by comparing the extracted keyword with keywords included in the collected security information), and when a value of a score indicating a level of degree of inclusion of same keywords as the keywords characterizing par.41-42, 49, 51-3, The vulnerability score is a numerical value representing relevance when the referrer security information and each set of security information accumulated in the security information accumulating unit 12 are compared with each other by use of "vulnerability dictionary". The security information relevance calculating unit 16 then compares the keyword extracted from the referrer security information with the vulnerability keyword of each set of security information accumulated in the security information accumulating unit 12 to calculate a vulnerability score),
Sato et al does not explicitly teach, however Yang in a similar field of endeavor teaches
keywords(string) included in a request used for an attack (Fig.3, items S1-S4, col.5, lines 20-50, col.7, line 64 to col.8, line request submitted to two testbed within the security appliance , one being a vulnerable (low security) testbed and the other being a secure (High security) testbed) 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Sato et al with the additional feature of Yang in order to provide the ability to defend against some attacks on the network computer system such as code injection attacks, as suggested by Yang col. 1, lines 60-65.
Bu et al in the same field of endeavor teaches
determining that the request is a 0-day attack that is neither a known attack nor an attack similar to the known attack and which is an attack for which a countermeasure is not established so as to determine whether the attack is a 0-day attack or not with accuracy (Fig. 8, items 860-880, Fig.9, item 920-940, par.72-75, In the zero-day analysis environment, a determination is made as to which fortified software profiles are used the VMs (block 850). This determination may be based on information provided by the exploit or information provided along with the exploit. After one or more VMs are instantiated based on the fortified software profiles, these VM are run with fortified software to determine if any zero-day exploits exist (block 860). If anomalous behavior is detected during VM analysis of the exploit, this exploit is determined to be a zero-day exploit and information gathered during analysis of the exploit (e.g., register key changes, etc.) is stored and reported (blocks 870 and 880). Otherwise, the analyzed exploit is considered to be associated with a known type of malware (block 890)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Sato et al with the additional feature of Bu et al in order to provide the ability to optimize detection of zero-day attacks, as suggested by Bu et al col. 1, par.1, 16.
Claim 6:  Sato et al teaches a determination method comprising: 
extracting keywords characterizing a vulnerability from known vulnerability information (par.11, 36, 74, a keyword is extracted from the referrer security information respectively for the classification of vulnerability. The security dictionary storage unit 13 stores therein a collection of keywords related to a security field to be referred to when relevance of security information is determined. The security dictionary storage unit 13 stores therein the security dictionary storing therein keywords related to security for each attribute, and for example, stores therein a vulnerability dictionary); and 
comparing the keywords characterizing the vulnerability and keywords included in a par.6, 41-42, 49, 51-53, the security information management device 10 then extracts a keyword from referrer security information that becomes a source to be compared with security information for relevance thereto, by referring to a security dictionary storing therein a keyword related to security for each attribute, and calculates relevance between the referrer security information and the security information, by comparing the extracted keyword with keywords included in the collected security information), and when a score indicating a degree of inclusion of same keywords as the keywords characterizing the vulnerability in the request is smaller than a predetermined threshold (par.41-42, 49, 51-3, The vulnerability score is a numerical value representing relevance when the referrer security information and each set of security information accumulated in the security information accumulating unit 12 are compared with each other by use of "vulnerability dictionary". The security information relevance calculating unit 16 then compares the keyword extracted from the referrer security information with the vulnerability keyword of each set of security information accumulated in the security information accumulating unit 12 to calculate a vulnerability score),
Sato et al does not explicitly teach, however Yang in a similar field of endeavor teaches
Keywords (string) included in a request used for an attack (Fig.3, items S1-S4, col.5, lines 20-50, col.7, line 64 to col.8, line request submitted to two testbed within the security appliance , one being a vulnerable (low security) testbed and the other being a secure (High security) testbed) 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Sato et al with the additional feature of Yang in order to provide the ability to defend against some attacks on the network computer system such as code injection attacks, as suggested by Yang col.1, lines 60-65.
Bu et al in the same field of endeavor teaches
determining that the request is a 0-day attack that is neither a known attack nor an attack similar to the known attack and which is an attack for which a countermeasure is not established so as to determine whether the attack is a 0-day attack or not with accuracy (Fig. 18, items 860-880, Fig.9, item 920-940, par.72-75, In the zero-day analysis environment, a determination is made as to which fortified software profiles are used the VMs (block 850). This determination may be based on information provided by the exploit or information provided along with the exploit. After one or more VMs are instantiated based on the fortified software profiles, these VM are run with fortified software to determine if any zero-day exploits exist (block 860). If anomalous behavior is detected during VM analysis of the exploit, this exploit is determined to be a zero-day exploit and information gathered during analysis of the exploit (e.g., register key changes, etc.) is stored and reported (blocks 870 and 880). Otherwise, the analyzed exploit is considered to be associated with a known type of malware (block 890)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Sato et al with the additional feature of Bu et al in order to provide the ability to optimize detection of zero-day attacks, as suggested by Bu et al col. 1, par.1, 16.

Claim 7: Sato et al teaches a non-transitory computer-readable recording medium having stored a determination program causing a computer to execute a process comprising: 
extracting keywords characterizing a vulnerability from known vulnerability information (par.11, 36, 74, a keyword is extracted from the referrer security information respectively for the classification of vulnerability. The security dictionary storage unit 13 stores therein a collection of keywords related to a security field to be referred to when relevance of security information is determined. The security dictionary storage unit 13 stores therein the security dictionary storing therein keywords related to security for each attribute, and for example, stores therein a vulnerability dictionary); and 
comparing the keywords characterizing the vulnerability and keywords included in a par.6, 41-42, 49, 51-53, the security information management device 10 then extracts a keyword from referrer security information that becomes a source to be compared with security information for relevance thereto, by referring to a security dictionary storing therein a keyword related to security for each attribute, and calculates relevance between the referrer security information and the security information, by comparing the extracted keyword with keywords included in the collected security information), and when a score indicating a degree of inclusion of same keywords as the keywords characterizing the vulnerability in the request is smaller than a predetermined threshold (par.41-42, 49, 51-3, The vulnerability score is a numerical value representing relevance when the referrer security information and each set of security information accumulated in the security information accumulating unit 12 are compared with each other by use of "vulnerability dictionary". The security information relevance calculating unit 16 then compares the keyword extracted from the referrer security information with the vulnerability keyword of each set of security information accumulated in the security information accumulating unit 12 to calculate a vulnerability score),
Sato et al does not explicitly teach, however Yang in a similar field of endeavor teaches
Keywords (string) included in a request used for an attack (Fig.3, items S1-S4, col.5, lines 20-50, col.7, line 64 to col.8, line request submitted to two testbed within the security appliance , one being a vulnerable (low security) testbed and the other being a secure (High security) testbed) 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the teaching of Sato et al with the additional feature of Yang in order to provide the ability to defend against some Yang col.1, lines 60-65.
The combination does not explicitly teach, however Bu et al in the same field of endeavor teaches
determining that the request is a 0-day attack that is neither a known attack nor an attack similar to the known attack and which is an attack for which a countermeasure is not established so as to determine whether the attack is a 0-day attack or not with accuracy (Fig. 18, items 860-880, Fig.9, item 920-940, par.72-75, In the zero-day analysis environment, a determination is made as to which fortified software profiles are used the VMs (block 850). This determination may be based on information provided by the exploit or information provided along with the exploit. After one or more VMs are instantiated based on the fortified software profiles, these VM are run with fortified software to determine if any zero-day exploits exist (block 860). If anomalous behavior is detected during VM analysis of the exploit, this exploit is determined to be a zero-day exploit and information gathered during analysis of the exploit (e.g., register key changes, etc.) is stored and reported (blocks 870 and 880). Otherwise, the analyzed exploit is considered to be associated with a known type of malware (block 890)).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Sato et al with the additional feature of Bu et al in order to provide the ability to optimize detection of zero-day attacks, as suggested by Bu et al col. 1, par.1, 16.
Claim 2: the combination teaches  
wherein the value of the score is a ratio of the number of keywords that are the same as the keywords characterizing the vulnerability and that are included in the request to the number of the keywords characterizing the vulnerability (Sato et al, par.42, 43, 46, 51-54). 
Claim 5: the combination teaches
 wherein when extracting the keywords characterizing the vulnerability from the known vulnerability information, the process further includes eliminating a keyword that is commonly used for attacks against a plurality of vulnerabilities or eliminating a predetermined keyword that is prepared in advance (Sato et al, par.42, 43, 46, 51-54).
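The scoring recited in claims 1, 2 and 5 above, written out as an added example (not code from the application, the examiner, or the cited references). The tokenizer, the URL-decoding step, taking the best score across all known entries, the 0.5 threshold and the sample strings are assumptions made here for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

_TOKEN = re.compile(r"[A-Za-z0-9_]+")


def tokenize(text):
    """Assumed tokenizer: URL-decode, lowercase, split on non-word characters."""
    return {t.lower() for t in _TOKEN.findall(unquote(text))}


def extract_keywords(known, stoplist=frozenset(), max_shared=1):
    """Keywords characterizing each vulnerability (claim 1), after eliminating
    keywords seen in more than `max_shared` vulnerabilities or listed on a
    stoplist prepared in advance (claim 5)."""
    per_vuln = {vid: tokenize(text) for vid, text in known.items()}
    spread = Counter(k for kws in per_vuln.values() for k in kws)
    return {
        vid: {k for k in kws if k not in stoplist and spread[k] <= max_shared}
        for vid, kws in per_vuln.items()
    }


def score(vuln_keywords, request):
    """Claim 2 ratio: vulnerability keywords also present in the request,
    divided by the number of vulnerability keywords."""
    if not vuln_keywords:
        return 0.0  # nothing left to match after elimination
    return len(vuln_keywords & tokenize(request)) / len(vuln_keywords)


def classify(request, keywords, threshold=0.5):
    """The request is assumed to be already flagged as an attack; the score
    only separates known-or-similar from zero-day (score below threshold).
    Using the best score over all known entries is an assumption."""
    scores = {vid: score(kws, request) for vid, kws in keywords.items()}
    if not scores:
        return "zero-day", None, 0.0
    best = max(scores, key=scores.get)
    label = "zero-day" if scores[best] < threshold else "known-or-similar"
    return label, best, scores[best]


# Constructed sample data; the identifiers are placeholders, not real advisories.
KNOWN = {
    "VULN-A": "GET /cgi-bin/report.cgi?template=../../../../etc/passwd HTTP/1.1",
    "VULN-B": "POST /admin/upload.php HTTP/1.1 filename=avatar.php content-type=image/png",
}
STOPLIST = frozenset({"get", "post", "http"})
KEYWORDS = extract_keywords(KNOWN, STOPLIST)

# Percent-encoded variant of VULN-A, and a request sharing no keywords.
SIMILAR = "GET /cgi-bin/report.cgi?template=..%2f..%2fetc%2fshadow HTTP/1.1"
UNRELATED = "POST /api/v2/export HTTP/1.1 format=xml&entity=probe"

if __name__ == "__main__":
    for req in (SIMILAR, UNRELATED):
        print(classify(req, KEYWORDS), req)
```

Without the decoding step, the percent-encoded variant tokenizes differently and its score against VULN-A drops below the threshold, so normalization before comparison decides the outcome as much as the threshold does.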

Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Sato et al U.S. 2016/0140344 A1 in view of Yang 9,479,526 B1 in further view of Bu et al U.S. 2014/0380473 A1 and Reshef et al U.S. 2003/0233581 A1.
Claim 3: the combination fails to teach, however Reshef et al in the same field of endeavor teaches
par.51, 55, 58, 66, 80). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the invention to modify the combined teaching of Sato et al with the additional feature of Reshef et al in order to provide the ability to detect security vulnerabilities in a web application, which includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application's interface with external clients and the attributes of these elements, as suggested by Reshef et al abstract.
Claim 4: the combination teaches
wherein when comparing the keywords, comparing keywords in a same field of an extraction source between the keywords characterizing the vulnerability and the keywords included in the request used for the attack (Sato et al, par. 47, 51, 53, 63, Yang Fig.3, col.2, lines 30-55). 
The same motivation to modify Sato et al in view of Yang applied to claim 52 above applies here.

Conclusion
The following prior art is cited to further show the state of the art at the time of applicant’s invention.
Abadi et al U.S. 2011/0283360 A1 Identifying Malicious Queries.
Long U.S. 2017/0034203 A1 Method and Apparatus for Detection Website Security.
Stolfo et al U.S. 8,448,242 B2 Systems Methods, and Media for Outputting Data Based upon Anomaly Detection.
Kejriwal et al U.S. 2011/0289582 A1 Method for Detection Malicious JavaScript.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FATOUMATA TRAORE whose telephone number is (571)270-1685. The examiner can normally be reached 6:30-3:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on 5712724219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





Thursday, November 4, 2021
/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436