DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Remarks
On October 29, 2021 (the “Response”), Applicant cancels claim 17 and amends claims 1, 4-6, 8, 9, 12-16, 18-22, 24 and 25.
Claims 1-16 and 18-25 are presented for examination.
Response to Arguments
Applicant’s arguments submitted October 29, 2021 have been fully considered, but they are not persuasive for at least the following reasons.
On page 9, in the Remarks section of the Response, Applicant argues:
“the connector is [] defined in the claim as comprising a storage variable generator, and wherein the storage variable generator is configured to generate a plurality of storage variables corresponding to the HTTP request.  This gives the connector sufficient structure to not be interpreted under 35 U.S.C. 112(f).”

In response, Examiner notes that Applicant’s instant argument is presented without any actual support.  For example, the limitations of Applicant’s instant argument do not include any structure, and Applicant’s instant argument offers no explanation of how any element of these limitations “gives the connector sufficient structure.”  However, such conclusory arguments of counsel cannot take the place of objective evidence.  See MPEP § 2145.
On page 10 of the Response, Applicant argues:
computer system environment with bot detection, i.e., several computing devices that are arranged in a manner to provide bot detection.”

However, Applicant’s instant argument is not persuasive for at least the following reason(s).
For example, even assuming arguendo that “paragraphs 34-36” actually do teach “that what is being shown there” are “several computing devices,” Examiner respectfully submits that although the “web server” and “bot detection computer/server” that are “being shown there” may be “computing devices,” the “client application” and “connector” that are “being shown there” would not be considered “computing devices” by a person having ordinary skill in the art, because neither the plain meaning of an “application” nor that of a “connector” read on the plain meaning of the phrase “computing device.”
On page 10, Applicant also argues:
“it is readily apparent that the structure of the connector is at least [] computing hardware....”

However, Examiner respectfully disagrees with Applicant’s instant argument for at least the reasons set forth in item 5 above and below within and the indefiniteness rejection of Applicant’s claimed “connector.”
On page 10, Applicant further argues:
“it is readily apparent that the structure of the connector is at least...software.”

However, Applicant’s instant argument is not persuasive for at least the following reason(s).
arguendo that “it is readily apparent that the structure of the connector” actually is “software,” Examiner respectfully submits that unlike “hardware” the plain meaning of the term “software” does not actually include any structure.
On page 10, Applicant moreover argues:
“configuration and processing functionalities...is sufficient to provide the necessary structure....”

In response, Examiner notes that Applicant’s instant argument is presented without any actual support.  For example, Applicant’s instant argument offers no explanation of how a “configuration and processing functionalities” could provide any structure to a claim element.  However, such conclusory arguments of counsel cannot take the place of objective evidence.  See MPEP § 2145.
Furthermore, on page 10, Applicant argues:
“Applicants are acting as their own lexicographer to define such a specific computing arrangement in a shorthand way by virtue of the use of the word ‘connector’.”

However, Applicant’s instant argument is not persuasive because it fails to show that Applicant’s “written description clearly defines the term[].”  See MPEP §§ 2111.01(IV), 2173.05(a)(III).
On page 11, Applicant argues:
“proper parsing of the claim limitations in accordance with fundamental rules of English makes it clear that the receiving and injecting are performed by the connector....the phraseology is correct and clear and would be easily understood by one of ordinary skill in the art.”


Notwithstanding, Examiner respectfully disagrees with Applicant’s instant argument for at least the reasons set forth in the indefiniteness rejections below.
On page 11, Applicant also argues:
“it is clear on the face of the language that the plurality of storage variables corresponding to the HTTP request are being generated by the storage variable generator.  There is no need to rephrase or otherwise amend.”

However, Examiner respectfully disagrees with Applicant’s instant argument because the actual “face of the language” of Applicant’s claim explicitly states that it is its “HTTP request” that is “by a storage variable generator.”
Accordingly, Examiner notes that although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181 (Fed. Cir. 1993).
On page 11, Applicant further argues:
“the analyzing step is clear in that it properly calls for the bot detection computer/server to analyze the plurality of storage variables and client-side parameters in the HTTP response to detect bots.”

However, Examiner respectfully disagrees with Applicant’s instant argument because the actual language of Applicant’s claim explicitly states that it is its “HTTP response” that is “by the bot detection computer to detect bots.”
Accordingly, Examiner again notes that although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns
On page 11, Applicant moreover argues:
“a preset action is performed on the HTTP requests emerging from the client application in response to detection of a bot in the performing step.”

Therefore, as set forth in the indefiniteness rejection below, Examiner suggests that Applicant amend the disputed claim limitation as follows:
“in response to detection of a bot, performing a present action on the HTTP requests emerging from the client application....”

On page 11, Applicant argues furthermore that:
“claim 3 is...understood to mean the storage variable generator is used to generate the recited storage variables.”

However, Examiner respectfully disagrees with Applicant’s instant argument because the actual language of Applicant’s claim explicitly states that it is its “timestamp storage variables ‘B’ and ‘D’” that are “using a storage variable generator.”
As previously stated, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181 (Fed. Cir. 1993).
On pages 11-12, Applicant argues:
“that use of the word ‘substantially’ in the amended claim is proper and not vague or indefinite....”

However, Applicant’s instant argument is nonresponsive because it fails to show that Applicant’s use of “the term ‘substantially’ serves reasonably to describe the subject matter so that its scope would be understood by persons in the field of the invention....”
For example, as set forth in the Federal Circuit case that is cited by Applicant’s instant argument:


See Verve, LLC v. Crane Cams, Inc., 311 F.3d 1116, 1120 (Fed. Cir. 2002).  However, Applicant’s use of the expression “substantially” covers both the presence and the absence of a “standard deviation,” which is hardly a “minor variation” and thus leaves one of ordinary skill in the art to speculate as to what the phrase “substantially zero” actually excludes.
For example, Examiner respectfully submits that: due to the numerical nature of the subject of “standard deviations,” one of ordinary skill in the art of Applicant’s claimed invention (1) is not reasonably apprised of the order of magnitude of Applicant’s use of the phrase “substantially zero” and, thus, (2) cannot determine whether Applicant’s use of the phrase “substantially zero” covers standard deviations that are less than one tenth, or one hundredth, or one thousandth, and so on and so forth.
On page 12, Applicant argues:
“Regarding claims 12 and 25, these claims are clear...claims 12 and 25 are [] clear and easily understood.”

However, Examiner respectfully disagrees with Applicant’s instant argument because the actual language of Applicant’s claim explicitly states that it is its “bot” that is “at one of a CDN, WAF, and hardware appliance....”
Accordingly, Examiner reiterates that although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181 (Fed. Cir. 1993).
On page 12, Applicant also argues:


However, Examiner respectfully disagrees with Applicant’s instant argument for at least the reason(s) set forth below by the indefiniteness rejections of claim 13.
On page 12, Applicant further argues:
“Turning to claim 19, it is not function of the claim to explain ‘how.’  That is the function of the specification, and such is done properly in this application.”

In response, Examiner notes that Applicant’s instant argument (i.e., “to explain ‘how’...is done properly in this application”) is presented without any actual support.  However, Examiner further notes that such conclusory arguments of counsel cannot take the place of objective evidence in the record.  See MPEP § 2145.
Notwithstanding, in response to Applicant’s instant argument, the indefiniteness rejection of claim 19 has been clarified as follows:
“it is unclear how the claimed analysis is actually performed “across a plurality of HTTP request” because: (1) the term “across” means “from one side to the other of” or “on or to the other side of; beyond”; and (2) “HTTP requests” are dimensionless and thus do not have any “sides.”  Therefore, claim 19’s requirement to “analyze” storage variables “across a plurality of HTTP requests,” is indefinite because storage variables are not known to have any “sides” or “dimensions.”

On page 14, Applicant argues “that a bot is not [] malware....”  In response, Examiner notes that Applicant’s instant argument is presented without any actual support.  However, as previously stated, such conclusory arguments of counsel cannot take the place of factually supported objective evidence.  See MPEP § 2145.
Notwithstanding, Examiner respectfully disagrees with Applicant’s instant argument because: (1) the term “malware” refers to “any software intentionally designed 1; and (2) the term “bot” refers to “a software application that...perform[s] tasks that are simple and repetitive,” which paragraphs 4, 7, 9, 15, 40, 62 and 80 of Applicant’s Specification explicitly refer to as “malicious.”  Accordingly, Examiner disagrees with Applicant’s instant argument and respectfully submits that Applicant’s “bot” actually is “malware” because: Applicant’s “bot” refers to “software” that is “malicious.”
On page 14, Applicant also argues that “The Office Action” is “improperly stretch Schneider by saying ‘malware’ instead of saying ‘virus.’”  However, Examiner respectfully disagrees with Applicant’s instant argument because it is axiomatic that: “A computer virus is a type of malware....”
On page 14, Applicant further argues that “a bot is not...of Schneider...Schneider does not teach this claim element.”  However, Applicant’s instant argument is nonresponsive because it does not address Examiner’s actual position.
To be specific, Examiner’s position is not that Schneider teaches “a bot.”  Rather, Examiner’s actual position is inter alia that the disclosure of Overson reads on Applicant’s “bot.”  See, e.g., Overson at ¶ 169, 170, 171, 172.  Accordingly, Examiner notes that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413 (CCPA 1981); In re Merck & Co., 800 F.2d 1091 (Fed. Cir. 1986).
On page 14, Applicant moreover argues:
“the claim...requires generating the bot signature based on detection of a bot and then it is added to the database...in Schneider...this is not done...in the manner [] called for in the claim...Schneider does not teach or suggest bot detection computer, which it does not have, and certainly not storing of the another copy in a web server....”

However, Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
To be specific, Examiner’s position is not that Schneider teaches the limitations of Applicant’s instant argument.  Rather, Examiner’s actual position is inter alia that the limitations of Applicant’s instant argument are rendered obvious by Schneider in combination with the prior art of record.  Accordingly, Examiner notes that one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See Keller, 642 F.2d at 413; Merck & Co., 800 F.2d at 1091.
For example, inter alia Overson teaches:
“a system (200, FIG. 2) for detecting and blocking bots (¶ 104, 105 ‘system 200’)...connected to a web server (205, FIG. 2 / 630, FIG. 6...¶ 109 “infrastructure 205 may comprise...server computers that receive requests...from... computers, such as client computer 299’....”

And Schneider teaches:
“generating a malware signature based on detection of a malware and storing the generated malware signature in a database (512, FIG. 5) in a malware detection computer (216, FIG. 2) (note: the very existence of signatures in database 512 and virus scanning provider 216, requires that malware must have somehow been detected at some point in time and, thereafter, its signature must have somehow been generated/stored in database 512 and virus scanning provider 216 [see ¶ 44, 63])...
a replica of malware signature database is stored (514, FIG. 5) in the web server (202, FIG. 2 / 510, FIG. 5) (¶ 40, 45, 60, 63 “Virus database 512 provides/stores virus signature definitions to network server 510...whenever new virus signatures become available”; ¶ 4 “access [] a content provider via...web servers”; note: in order provide online access to its content, Schneider’s server 202/510 may be a “web server” [see ¶ 4], also note that Schneider’s database 512 and virus scanning provider 216 replicate signatures by sending them to network server 202/510 [see ¶ 44, 63])...”


“Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database provide its malware signatures to a web server.  The teachings of Schneider, when used with the system of Overson...’s web server and system for detecting bots, will improve the efficiency of the system’s bot detection feature by enabling such detection to occur locally within the web server itself.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.”

Furthermore, on page 14, Applicant argues that a “claim element is lacking from Schneider, and hence” the “claim element is lacking...from the combination as a whole.”  However, Examiner disagrees with Applicant’s instant argument because: as previously stated, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See Keller, 642 F.2d at 413; Merck & Co., 800 F.2d at 1091.
On pages 14-15, Applicant argues that “the references do not teach all of the claim features.”  However, Examiner respectfully disagrees with Applicant’s instant argument for at least the reasons set forth in items 19 through 23 above.
On page 15, Applicant argues:
“...one dealing with bots would not looking to the art of virus scanning, especially not where the virus definitions are supplied from an external source as in Schneider.
Furthermore, Schneider is specifically directed to wireless networks.  However, wireless networks are typically slower than wired networks and mobile terminals are typically less capable than wire terminals, especially in the time frame of Schneider.  Indeed, the whole purpose of Schneider is to deal with such disparity.  Therefore, mobile terminals on wireless networks are not particularly suitable to meet the needs of those deploying bots, which generally are desired to operate at a high rate of speed to cause their not look to Schneider with regard to bots, as the terminals of Schneider would be deemed generally unsuitable to be made into bots.”

In response, Examiner notes that the only valid legal argument that Applicant’s instant arguments could be attempting to make is that the references are nonanalogous to Applicant’s claimed invention.  However, Examiner disagrees with that argument and respectfully submits that the references are analogous to Applicant’s claimed invention because: Overson and Schneider are both from the same field of endeavor as Applicant’s invention.  See MPEP § 2141.01(a).
For example, the second paragraph of Applicant’s instant Specification discloses that Applicant’s instant invention is from the “field of data communication.”  Similarly, the second paragraph of Overson explicitly discloses that its invention “relates to security... for detecting whether a client computer interacting with server computers...is of a purported type,” which falls under the “field of data communication.”  And the initial paragraph of Schneider explicitly discloses that its invention “relates in general to the controlled communication of content between user terminals, and...controlling the proliferation of virus[es],” which also falls under the “field of data communication.”
On page 17, Applicant argues:
“the API of Lo...is not seen to provide information sufficient such that analysis of would enable bot signature generation.”

In response, Examiner notes that the limitation upon which Applicant’s instant argument relies (i.e., “API...provide[s] information sufficient such that analysis of would enable bot signature generation”) is not actually recited in the rejected claims.  However, Examiner further notes that, although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181 (Fed. Cir. 1993).
For example, claim 12 actually recites inter alia the following limitation: “analyzing data received through [] API calls,” which paragraph 40 of Lo teaches by disclosing:
“aznAPI 316...allows an application to call out to an authorization service for authorization decisions...Information passed/received...can be analyzed /used to make access decisions....”

On page 17, Applicant also argues:
“Lo does not teach or suggest [] signature generation.”

However, Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
For example, Examiner’s position is not that Lo teaches “signature generation.”  Rather, as set forth in the prior art rejections below, Examiner’s actual position is inter alia that Schneider teaches “signature generation” because:
“the very existence of signatures in database 512 and virus scanning provider 216, requires that...signature must have somehow been generated at some point in time...”  See Schneider at ¶ 44, 63.

On page 17, Applicant further argues:
“the API of Lo is...very different from what is called for in the claim.”

However, Examiner respectfully disagrees with Applicant’s instant argument because inter alia Lo teaches:
“wherein a call that is initiated by a connector is an API call (¶ 40 ‘connector/ access manager implements aznAPI 316, which...allows an application to call out to an authorization service for authorization decisions’)....”

On page 17, Applicant moreover argues:
not a bot and hence has no need for a signature to be generated for it.”

However, Applicant’s instant argument is nonresponsive because it fails to address Examiner’s actual position.
To be specific, Examiner’s position is not that “access at all to an entity is being granted by Lo’s API” to “a bot.”  Rather, as set forth in the prior art rejections below, Examiner’s actual rationales for combining the prior art of record are inter alia that:
“Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize (1) the teachings of Lo for initiating a call to a detector for authorizing client-server communications and (2) Lo’s admitted prior art teachings for generating variables.  The teachings of Lo, when used within the existing system of Overson’s (1) initiation of a call to a detector in response to an HTTP request and (2) response to an HTTP request, will: (1) improve the system by enabling its bot detector to make more fine-grained access control decisions; and (2) improve security by providing the system with a means for protecting itself against a malicious site that exploits a trust.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention” and
“Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database provide its malware signatures to a web server.  The teachings of Schneider, when used with the system of Overson...’s web server and system for detecting bots, will improve the efficiency of the system’s bot detection feature by enabling such detection to occur locally within the web server itself.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.”


Since Applicant argues its remaining claims mutatis mutandis as per the independent claims, Examiner’s rebuttal to Applicant’s foregoing arguments equally applies to Applicant’s remaining arguments.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):

(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:

An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

Claims 13-16 and 18-25 include one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation uses a generic placeholder (i.e., “a connector”) that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.
Because Applicant’s “connector” is being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it is being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this limitation interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may:

(1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or

(2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.

Claim Objections
Claim 1 is objected to because of the following informality: typographical error.
To be specific, claim 1 includes inter alia the following phrase: “a replica of bot signature database....”  However, this phrase appears to include a typographical error.  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed phrase as follows: “a replica of the bot signature database....”
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):

(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:

The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 13-16 and 18-25 are rejected under 35 U.S.C. 112(a) or pre-AIA 35 U.S.C. 112, first paragraph, because the claim (1) invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, as set forth in the “claim interpretation” set forth above, but (2) fails to recite a combination of elements as required by that statutory provision and thus cannot rely on the specification to provide the structure, material or acts to support the claimed function.  As such, the claim recites a function (i.e., the function(s) of the “connector” of Applicant’s claims) that has no limits and covers every conceivable means for achieving the stated function, while the specification discloses at most only 
Due to their dependency on claim 13, claims 14-16 and 18-25 are rejected for failing to cure the instant deficiency of claim 13.
The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
To be specific, claim 1 includes inter alia the following limitation: “receiving a HTTP request from a client application by a connector....”  However, it is unclear whether the “receiving a HTTP request” is “by a connector” because the claim merely requires that its “client application” is “by a connector.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “receiving, by a connector, a HTTP request from a client application . . . .”
Additionally, claim 1 also includes inter alia the following limitation: “generating a plurality of storage variables corresponding to the HTTP request by a storage variable generator....”  However, it is unclear whether the “generating a plurality of storage variables” is “by a storage variable generator” because the claim merely requires that its “HTTP request” is “by a storage variable generator.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “generating, by a storage variable generator, a plurality of storage variables corresponding to the HTTP request....”
Moreover, claim 1 further includes inter alia the following limitation: “injecting storage variables in an HTTP response sent from web server to the client application by the connector....”  However, it is unclear whether the “injecting storage variables in an HTTP response” is “by the connector” because the claim merely requires that its “client application” is “by the connector.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “injecting, by the connector, storage variables in an HTTP response....”
Furthermore, claim 1 includes inter alia the following limitation: “analyzing the plurality of storage variables and client-side parameters in the HTTP response by the bot detection computer to detect bots....” However, it is unclear whether the “analyzing” is “by the bot detection computer to detect bots” because the claim merely requires that its “HTTP response” is “by the bot detection computer to detect bots.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “analyzing, by the bot detection computer, the plurality of storage variables and client-side parameters in the HTTP response....”
Claim 1 also includes inter alia the following limitation: “performing a present action on the HTTP requests emerging from the client application in response to detection of a bot....”  However, it is unclear whether the “performing a present action on the HTTP requests” is “in response to detection of a bot” because the claim merely requires that its “HTTP requests emerging from the client application” is “in response to detection of a bot.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “in response to detection of a bot, performing a present action on the HTTP requests emerging from the client application....”
Due to their dependency on claim 1, claims 2-12 are rejected for failing to cure the foregoing deficiencies of claim 1.
Regarding claim 3, this claim includes the following limitation:
“initiates generation of a ‘A’ storage variable, ‘C’ storage variable, and timestamp storage variables ‘B’ and ‘D’ using a storage variable generator.”

However, it is unclear whether the initiation of the “generation” of storage variables is “using a storage variable generator” because claim 3 merely requires that its “timestamp storage variables ‘B’ and ‘D’” is “using a storage variable generator.”  Therefore, to cure the instant deficiency, Examiner suggests that Applicant amend the disputed limitation as follows: “ uses a storage variable generator to initiate a generation of a ‘A’ storage variable, ‘C’ storage variable, and timestamp storage variables ‘B’ and ‘D’....”
In addition, claims 9 and 22 also include inter alia the following limitation: “a standard deviation that is substantially zero.”  However, the term “substantially” is a relative term which renders the claim indefinite because: the term “substantially” is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Regarding claims 12 and 25, these claims include inter alia the following limitation: “block consecutive HTTP request from a bot at one of a CDN, WAF, and hardware appliance....”  However, it is unclear whether the blocking of “consecutive 
Regarding claim 13, this claim includes inter alia the following limitation: “initiate an API call to a bot detection computer for every HTTP request received....”  However, it is unclear whether “an API call” is initiated “for every HTTP request received” because the claim merely requires that its “bot detection computer” is “for every HTTP request received.”
Regarding claim 13, this claim also includes inter alia the following limitation: “perform a preset action on the HTTP requests emerging from the client application in response to detection of a bot.”  However, it is unclear whether the performance of “a present action on the HTTP requests” is “in response to detection of a bot” because the claim merely requires that its “emerging” of “HTTP requests [] from the client application” is “in response to detection of a bot.”
Due to their dependency on claim 13, claims 14-25 are rejected for failing to cure the foregoing deficiencies of claim 13.
Regarding claim 19, this claim includes inter alia the following limitation: “analyze a ‘A’ storage variable and the ‘C’ storage variable across a plurality of HTTP requests....”  However, it is unclear how the claimed analysis is actually performed “across a plurality of HTTP request” because: (1) the term “across” means³ “from one side to the other of” or “on or to the other side of; beyond”; and (2) “HTTP requests” are dimensionless and thus do not have any “sides.”  Therefore, claim 19’s requirement to 
Claims 13-25 are also rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention because: (1) the “connector” limitation of claim 13 invokes 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph; and (2) the written description fails to disclose the corresponding structure, material, or acts for performing the entire claimed function and to clearly link the structure, material, or acts to the function.
To be specific, the disclosure of Applicant’s instant invention: (1) discusses the configuration and processing functions of Applicant’s “connector” in detail; but (2) fails to disclose whether its “connector” actually has any structure.  See instant Specification at ¶ 16, 22, 23, 24, 28, 29, 41, 47, 48, 49, 53, 54, 63, 67, 95 and 96.  Therefore, since Applicant’s “connector” is disembodied, claim 13 is indefinite and is rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph for: invoking a means-plus-function limitation for which no structure for performing the limitation has been disclosed.
And due to their dependency on claim 13, claims 14-25 are rejected for failing to cure the instant deficiency of claim 13.
Applicant may:

(a) Amend the claim so that the claim limitation will no longer be interpreted as a limitation under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph;

(c) Amend the written description of the specification such that it clearly links the structure, material, or acts disclosed therein to the function recited in the claim, without introducing any new matter (35 U.S.C. 132(a)).

If applicant is of the opinion that the written description of the specification already implicitly or inherently discloses the corresponding structure, material, or acts and clearly links them to the function so that one of ordinary skill in the art would recognize what structure, material, or acts perform the claimed function, applicant should clarify the record by either: 

(a) Amending the written description of the specification such that it expressly recites the corresponding structure, material, or acts for performing the claimed function and clearly links or associates the structure, material, or acts to the claimed function, without introducing any new matter (35 U.S.C. 132(a)); or

(b) Stating on the record what the corresponding structure, material, or acts, which are implicitly or inherently set forth in the written description of the specification, perform the claimed function. For more information, see 37 CFR 1.75(d) and MPEP §§ 608.01(o) and 2181.

Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4, 11, 13-16 and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider (US 2004/0158741 A1, hereinafter Schneider).
Regarding claim 1, Overson teaches a computer implemented method for detecting and blocking bots, comprising:
receiving (400, FIG. 4) a HTTP request from a client application (295, FIG. 2) by a connector (230, FIG. 2) (¶ 156 “at step 400, the browser 295 sends a request...that is intercepted/received by the intermediary computer 230”; ¶ 107 “intermediary computer 230 may intercept/receive all network data”);
initiating a call by a connector to a bot detection computer (340, FIG. 3 / 600, FIG. 6) for every HTTP request received from the client application (¶ 185, 137 “intercept requests from client computer 299 and forward the requests to bot check logic 340”; note: Overson’s forwarding of “requests to bot check logic 340” reads on Applicant’s “call to a bot detection computer” because both communications implicitly request a “bot detection computer” to invoke a routine [see ¶ 137]);
injecting (404-405, FIG. 4 / 505-506, FIG. 5) a preset snippet into an HTTP response sent to the client application (¶ 167, 166, 156, 138, 63 “in response to receiving a request for data from a web browser, a web server may respond/an http response”; ¶ 57 “intercept messages and perform transformations to inject instructions... such as JavaScript instructions/the code snippet”; note: by definition, a “snippet” is merely insertable code⁴ such as Overson’s “instructions” [see ¶ 57]), and wherein the code snippet is configured to
execute (406, FIG. 4) at the client application (¶ 166, 156 “execute 406 the instructions”; ¶ 57 “code snippet/instructions [] force the user agent to utilize one or more specific features”) and

analyzing client-side parameters in the HTTP response by the bot detection computer to detect bots (¶ 169, 170, 171 “logic 340 may determine based, at least in part, on the results of executing the transformed instructions whether browser 295 is a legitimate browser and/or a bot”);
performing (511, FIG. 5) a preset action on the HTTP requests emerging from the client application in response to detection (508-511, FIG. 5) of a bot, wherein the preset action comprises one of blocking subsequent HTTP requests, displaying a captcha on the client application (¶ 172 “If the bot logic 340 determines the browser 295 to be a bot...computer 230 proceeds to block 511”; ¶ 174 “At block 511...computer 230 performs one or more countermeasures against the browser 295.  For example... computer 230 refuses to forward the request on to the web infrastructure 205, effectively shielding the web infrastructure 205 from...the bot”).
However, Overson does not explicitly disclose: generating a plurality of storage variables corresponding to the HTTP request by a storage variable generator; wherein the call that is initiated by the connector is an API call; injecting storage variables in an HTTP response sent from web server to the client application by the connector; analyzing the plurality of storage variables in the HTTP response by the bot detection computer to detect bots; generating a bot signature based on detection of a bot and storing the generated bot signature in a database in the bot detection computer, wherein the bot signature database is stored in the bot detection computer and a replica of bot signature database is stored in the web server.
In an analogous art, Lo teaches:
generating a plurality of storage variables corresponding to an HTTP request by a storage variable generator (note: Lo may generate “storage variables” such as “a verifiable session identifier” and “a session cookie” [see ¶ 5, 41]);
wherein a call that is initiated by a connector is an API call (¶ 40 “connector/ access manager implements aznAPI 316, which...allows an application to call out to an authorization service for authorization decisions”);
injecting storage variables in an HTTP response sent from web server to a client application by the connector (¶ 5 “inject [in an HTTP response] scripts and a verifiable session identifier/a storage variable”; note: by definition,⁵ a “cookie” may be “sent by [a] web server” to a browser in an http response, [see ¶ 41]); and
analyzing the plurality of storage variables in the HTTP response by a detection computer to detect trust (¶ 5 “use [session] identifier to detect/validate [] trust of a user and his/her web client”).
Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize (1) the teachings of Lo for initiating a call to a detector that authorizes client-server communications and (2) Lo’s admitted prior art teachings for generating variables to inject into an HTTP response and, later, analyze to detect trust.  The teachings of Lo, when used within the existing system of Overson’s (1) 
However, Overson in view of Lo does not explicitly disclose: generating a bot signature based on detection of a bot and storing the generated bot signature in a database in the bot detection computer, wherein the bot signature database is stored in the bot detection computer and a replica of bot signature database is stored in the web server.
In an analogous art, Schneider teaches generating a malware signature based on detection of a malware and storing the generated malware signature in a database (512, FIG. 5) in a malware detection computer (216, FIG. 2) (note: the very existence of signatures in database 512 and virus scanning provider 216, requires that malware must have somehow been detected at some point in time and, thereafter, its signature must have somehow been generated/stored in database 512 and virus scanning provider 216 [see ¶ 44, 63]), wherein:
the malware signature database is stored in the malware detection computer (note: it is implicit that Schneider’s virus scanning software provider 216 includes signature database 512 because the former requires the latter in order to update the signatures in Schneider’s network server 202/510 [see ¶ 44, 63]) and

Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database provide its malware signatures to a web server.  The teachings of Schneider, when used with the system of Overson in view of Lo’s web server and system for detecting bots, will improve the efficiency of the system’s bot detection feature by enabling such detection to occur locally within the web server itself.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 4, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches: wherein the preset snippet is a Javascript code snippet, and wherein the Javascript code snippet is configured to collect client-side parameters (Overson ¶ 57 “instructions...such as JavaScript/the code snippet”; Overson ¶ 169, 170, 171 “logic 340 may determine based, at least in part, on the results of executing the transformed instructions whether browser 295 is a legitimate browser and/or a bot”; note: by definition, a “snippet” is merely insertable code⁶ such as Overson’s “instructions” [see Overson ¶ 57], also note that Overson’s “results of executing the transformed instructions” may be an “HTTP response” and that Overson’s client/agent determines the “parameters” of the “results of executing the transformed instructions” [see Overson ¶ 82]).
Regarding claim 11, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches wherein blocking subsequent requests by analysis with the replica of bot signature database further comprises:
comparing (Schneider: 606, FIG. 6) the HTTP request at the connector with the replica of bot signature database before initiating API call (Overson ¶ 79, 160 “HTTP request”; Lo ¶ 40 “connector/access manager implements aznAPI 316, which...allows an application to call out to an authorization service for authorization decisions”; Schneider ¶ 63 “Virus database 512 replicates/provides virus signature definitions to network server 510...provide content checks/compare against the...virus signature”; Schneider ¶ 71 “content is...scanned/compared, step 606 is executed by the designated network server”; note: Schneider’s “scan” may include a “comparison” [see Schneider: ¶ 63; claims 13, 15], and Overson may perform an analysis before a call is made to Overson’s bot detection computer/server [see Overson ¶ 79, 130]);
providing the HTTP response to the client application immediately after analysis, thereby reducing a delay involved in providing HTTP response (Overson ¶ 79 “respond to a request from a legitimate browser with the data requested”; note: Overson may respond immediately after an analysis [see Overson ¶ 79]); and

Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for detecting and blocking malware by locally comparing content to a local signature database.  The teachings of Schneider, when used within the system of Overson in view of Lo further in view of Schneider’s connector, will improve the system’s efficiency by enabling the system to detect bots locally at a web server’s connector, rather than remotely at a bot detector computer/server.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 13, Overson teaches a system (200, FIG. 2) for detecting and blocking bots (¶ 104, 105 “system 200”), comprising:
a connector (230, FIG. 2) connected to a web server (205, FIG. 2 / 630, FIG. 6), wherein the connector is configured to receive an HTTP request of a client application (295, FIG. 2) sent from a client computing device (299, FIG. 2 / 624, FIG. 6) (¶ 195, 194, 107 “intermediary computer 230 may intercept/receive all network data sent to, and/or sent from, web infrastructure 205”; ¶ 109 “infrastructure 205 may comprise...server computers that receive requests...from... computers, such as client computer 299”; ¶ 112 “a request from browser 295”;  ¶ 156 “a request to the web infrastructure 205 that is intercepted/received by the intermediary computer 230”; ¶ 72 “a client computer 299”; ¶ 66 “a browser that is executed on a personal computer”),

the bot detection computer being connected to the web server over a computer network (622 and 626-628, FIG. 6) (note: bot detection computer 230/600 connects to server 630 over networks 622, 626 and 628 [see ¶ 195, 194, 193 and FIG. 6]), and
wherein the bot detection computer is configured to perform (511, FIG. 5) a preset action on every HTTP request emerging from the client application in response to detection of a bot (¶ 172 “If the bot logic 340 determines the browser 295 to be a bot...computer 230 proceeds to block 511”; ¶ 174 “At block 511... computer 230 performs one or more countermeasures against the browser 295.  For example...computer 230 refuses to forward the request on to the web infrastructure 205, effectively shielding the web infrastructure 205 from...the bot”; note: Overson’s connector 230 will refuse to forward each request of a detected bot [see ¶ 174, 172]);
wherein the bot detection computer is further configured to: analyze client-side parameters in an HTTP response to detect bots (¶ 169, 170, 171 “logic 340 may determine based, at least in part, on the results of executing the transformed instructions whether browser 295 is a legitimate browser and/or a bot”; note: 
However, Overson does not explicitly disclose: wherein a call that a connector is configured to initiate is an API call, wherein the connector comprises a storage variable generator, wherein the storage variable generator is configured to generate a plurality of storage variables corresponding to an HTTP request; wherein the bot detection computer is further configured to: analyze the plurality of storage variables and client-side parameters in an HTTP response to detect bots, and generate a bot signature based on detection of a bot and storing the generated bot signature in a database in the bot detection computer, wherein the bot signature database is stored in the bot detection computer and a replica of the bot signature database is stored in the web server.
In an analogous art, Lo teaches:
wherein a call that a connector is configured to initiate is an API call (¶ 40 “connector/access manager implements aznAPI 316, which...allows an application to call out to an authorization service for authorization decisions”),
wherein the connector comprises a storage variable generator (note: collectively, the sources of Lo’s “verifiable session identifier” and “session cookie” read on Applicant’s “variable generator” [see ¶ 5, 41]), and
wherein the storage variable generator is configured to generate a plurality of storage variables corresponding to an HTTP request (note: Lo may generate “storage variables” such as “a verifiable session identifier” and “a session cookie” [see ¶ 5, 41]);
wherein the bot detection computer is further configured to: analyze the plurality of storage variables in an HTTP response to detect bots (¶ 5 “use [session] identifier to detect/validate [] trust of a user and his/her web client”; note: the plurality of bits of Lo’s “session identifier” reads on the phrase “plurality of storage variables” [see ¶ 5]).
Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize: (1) the teachings of Lo for initiating a call to a detector for authorizing client-server communications; (2) Lo’s admitted prior art teachings for generating variables; and (3) Lo’s admitted prior art teachings for analyzing an HTTP response’s variables in order to detect trust.  The teachings of Lo, when used within the existing system of Overson’s (1) initiation of a call to a detector in response to an HTTP request and (2) response to an HTTP request, will: (1) improve the system by enabling its bot detector to make more fine-grained access control decisions; (2) improve security by providing the system with a means for protecting itself against a malicious site that exploits a trust; and (3) improve security by protecting the system against a malicious site that exploits a trust.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo does not explicitly disclose: generate a bot signature based on detection of a bot and storing the generated bot signature in a database in a bot detection computer, wherein the bot signature database is stored in the malware bot computer and a replica of bot signature database is stored in the web server.
In an analogous art, Schneider teaches:
generate a malware signature based on detection of a bot and storing the generated malware signature in a database (512, FIG. 5) in a malware detection computer (216, FIG. 2) (note: the very existence of signatures in database 512 and virus scanning provider 216, requires that malware must have somehow been detected at some point in time and, thereafter, its signature must have somehow been generated/ stored in database 512 and virus scanning provider 216 [see ¶ 44, 63]), wherein
the malware signature database is stored in the malware detection computer (note: it is implicit that Schneider’s virus scanning software provider 216 includes signature database 512 because the former requires the latter in order to update the signatures in Schneider’s network server 202/510 [see ¶ 44, 63]) and
a replica of malware signature database is stored (514, FIG. 5) in a web server (202, FIG. 2 / 510, FIG. 5) (¶ 40, 45, 60, 63 “Virus database 512 provides/stores virus signature definitions to network server 510...whenever new virus signatures become available”; ¶ 4 “access [] a content provider via...web servers”; note: in order to provide online access to its content, Schneider’s server 202/510 may be a “web server” [see ¶ 4], also note that Schneider’s database 512 and virus scanning provider 216 replicate signatures by sending them to network server 202/510 [see ¶ 44, 63]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database provide its malware signatures to a web server.  The teachings of Schneider, when used with the system of Overson in view of Lo’s web server and system for detecting bots, will improve the efficiency of the system’s bot detection feature by enabling such detection to occur locally within the web server itself.  
Regarding claim 14, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 13, as previously stated, and further teaches: wherein the preset action comprises one of blocking subsequent HTTP requests, and displaying a captcha on the client computing device (Overson ¶ 174 “computer 230 performs one or more countermeasures against the browser 295.  For example...computer 230 blocks the request/refuses to forward the request on to the web infrastructure 205, effectively shielding the web infrastructure 205 from...the bot”).
Regarding claim 15, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 14, as previously stated, and further teaches: wherein the bot detection computer comprises (Overson: 340, FIG. 3) a bot detector and a bot detection signature database (Schneider: 512, FIG. 5) (Overson ¶ 137 “bot detector/bot check logic 340”; Schneider ¶ 63 “Virus database 512 provides virus signature definitions”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database.  The teachings of Schneider, when used within the system of Overson in view of Lo further in view of Schneider’s bot detection computer/server, will improve the system’s efficiency by enabling the system to use an abbreviated analysis—such as a signature comparison—to detect a bot.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.

inject storage variables in the HTTP response sent from web server to the client application (Lo ¶ 5 “inject [in an HTTP response] scripts and a verifiable session identifier/a storage variable”; note: by definition,⁷ a “cookie” may be “sent by [a] web server” to a browser in an http response, [see Lo ¶ 41]);
inject (Overson: 404, FIG. 4 / 505, FIG. 5) a code snippet into the HTTP response sent to the client application (Overson ¶ 166, 156, 57 “intercept messages and perform transformations to inject instructions...such as JavaScript instructions/the code snippet”; note: by definition, a “snippet” is merely insertable code⁸ such as Overson’s “instructions” [see Overson ¶ 57], also note that Overson’s intercepted message may be an “HTTP response” [see Overson ¶ 79]),
wherein the JavaScript code snippet is configured to collect client-side parameters (Overson ¶ 169 “client side parameters/additional data generated as a result of executing the transformed instructions/code snippet”; Overson ¶ 166, 156 “execute 406 the instructions”; Overson ¶ 57 “code snippet/instructions [] force the user agent to utilize one or more specific features”);
inject storage variables in an HTTP response sent from web server/server to the client application (Lo ¶ 5 “inject [in an HTTP response] scripts and a verifiable session identifier/a storage variable”; note: by definition,⁹ a “cookie” may be “sent by [a] web server” to a browser in an http response, [see Lo ¶ 41]); and
block (Overson: 511, FIG. 5) HTTP requests from the client application in response to detection (Overson: 508-511, FIG. 5) of a bot (Overson ¶ 172 “If the bot logic 340 determines the browser 295 to be a bot... computer 230 proceeds to block 511”; Overson ¶ 174 “At block 511...computer 230 performs one or more countermeasures against the browser 295.  For example...computer 230 refuses to forward the request on to the web infrastructure 205, effectively shielding the web infrastructure 205 from...the bot”).
Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize Lo’s admitted prior art teachings for injecting variables into an HTTP response in order to detect trust.  The teachings of Lo, when used within the injection that is performed on the system of Overson in view of Lo’s HTTP response, will improve security by protecting the system against a malicious site that exploits a trust.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 24, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 13, as previously stated, and further teaches wherein the connector is further configured to:
compare (Schneider: 606, FIG. 6) the HTTP request at the connector with the replica of bot signature database before initiating the API call (Overson ¶ 79, 139, 160 “HTTP request”; Lo ¶ 40 “connector/access manager implements aznAPI 316, 
provide the HTTP response to the client application immediately after analysis, thereby reducing a delay involved in providing the HTTP response (Overson ¶ 79 “respond to a request from a legitimate browser with the data requested”; note: Overson may respond immediately after an analysis [see Overson ¶ 79, 139]); and
block the HTTP request when a bot is detected after comparison with the malware signature database (Overson ¶ 79 “ignore a request from a bot”; Schneider ¶ 37 “block/prevent proliferation of [] content”; note: Overson may effectively “block” a request by ignoring it [see Overson ¶ 79], also note that Schneider’s “scan” may include a “comparison” [see Schneider ¶ 63; claims 13, 15]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for detecting and blocking malware by locally comparing content to a local signature database.  The teachings of Schneider, when used within the system of Overson in view of Lo further in view of Schneider’s connector, will improve the system’s efficiency by enabling the system to detect bots locally at a web server’s connector, rather than remotely at a bot .
Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Vines et al. (US 10,326,789 B1, hereinafter Vines).
Regarding claim 2, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches:
wherein the plurality of storage variables includes a ‘A’ storage variable, ‘D’ storage variable and ‘B’ storage variable (Overson ¶ 125 “‘D’ and ‘B’ storage variables/ session information that identifies browser 295, such as...time request was received”; Lo ¶ 5 “identifier/‘A’ storage variable”; note: when it is received, Overson’s “first request” is the “current request” [see Overson ¶ 125]), and
wherein ‘A’ storage variable is a HTTP storage variable used for uniquely identifying a session (Lo ¶ 5 “use [session] identifier to detect/validate [] trust of a user and his/her web client”), and
wherein ‘D’ is a HTTP storage variable used for uniquely identifying a timestamp of a first request (Overson ¶ 125 “session information that identifies browser 295, such as...time request was received”; note: when it is received, Overson’s “first request” is the “current request” [see Overson ¶ 125]), and
wherein ‘B’ is a HTTP storage variable used for uniquely identifying the timestamp of a current request (Overson ¶ 125 “session information that identifies browser 295, such as...time request was received”; note: when it is received, Overson’s “first request” is the “current request” [see Overson ¶ 125]).
Vines teaches: wherein the plurality of storage variables includes ‘C’ storage variable, and wherein ‘C’ is a HTTP storage variable used for identifying the number of pages accessed in the session (col. 11, ln. 46 through col. 12, ln. 11; col. 7, lns. 3-26 “Bot detection service 118 tracks various activity of interest from requests/ responses within the network session.  The analysis involves...reviewing...activity... Examples of activity data may include ‘C’ storage variable/the number of webpages visited...session activity may be determined...from cookies and/or other information within...the HTTP request”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Vines for having a variable store the number of pages accessed within a session.  The teachings of Vines, when used within the activity information of the system of Overson in view of Lo further in view of Schneider’s bot detection feature, will improve the reliability of the bot detection feature by providing it with more details about the network activity of a web server that the system protects.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Jenkins et al. (US 2012/0072925 A1, hereinafter Jenkins).
Regarding claim 3, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches: generation of a ‘A’ storage variable, ‘C’ storage variable, and timestamp storage variables ‘B’ and ‘D’ using 
However, Overson in view of Lo further in view of Schneider does not explicitly disclose, yet Jenkins teaches: wherein an API call initiates generation of storage variables (¶ 27 “generate data object 157 in response to the service API call”).
Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize the teachings of Jenkins for having a service provider respond to a service API call by generating variables for storage.  The teachings of Jenkins, when used to trigger generation of the variables that are analyzed in response to the system of Overson in view of Lo further in view of Schneider’s API call, will improve efficiency by only generating the system’s storage variables when they need to be analyzed (i.e., when an API call is initiated to the system’s bot detection computer/ server).  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Vines further in view of Poole (US 9,673,979 B1, hereinafter Poole).
Regarding claim 5, Overson in view of Lo further in view of Schneider further in view of Vines teaches all of the limitations of claim 2, as previously stated, and further 
tracking visitors accessing the client application using ‘A’ storage variable and IP address of the client application (Overson ¶ 125 “store session information that identifies browser 295, such as by IP address”; Vines: col. 11, ln. 46 through col. 12, ln. 11 “session ID/‘A’ storage variable”);
each HTTP request from the client application (Overson ¶ 156 “request may be an HTTP request for a web page”; Overson ¶ 160 “computer 230 intercepts the request by being physically located between browser 295 and web infrastructure 205, such as a gateway device to a local network containing web infrastructure 205”; note: a “gateway,” such as connector 230, intercepts each HTTP request [see Overson ¶ 160]); and
determining (Overson: 508-511, FIG. 5) a visitor as a bot (Overson ¶ 170, 172 “bot check logic 340 determines the browser 295 to be a bot”).
However, Overson in view of Lo further in view of Schneider further in view of Vines does not explicitly disclose, yet Poole teaches wherein analyzing a storage variable (col. 6, lns. 44-56 “analyze/compare...‘C’ storage variable/nonce against the previously highest nonce value”) comprises:
incrementing a ‘C’ storage variable on each request (col. 6, lns. 27-35 “incorporating an incrementing nonce/‘C’ storage variable...that increments with each subsequent [] communication, for example, increments by one each time an authentication request is made”); and
determining a visitor as malicious when the ‘C’ storage variable is detected to be not incremented (col. 6, lns. 44-56 “If...‘C’ storage variable/nonce value is equal to or 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Poole for determining that a requestor is malicious when it fails to increment a nonce.  The teachings of Poole, when used with the HTTP request analyses performed by the system of Overson in view of Lo further in view of Schneider further in view of Vines’ bot detection feature, will improve security by protecting the system from bots engaging in a replay attack.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 6, Overson in view of Lo further in view of Schneider further in view of Vines teaches all of the limitations of claim 2, as previously stated, and further teaches wherein analyzing (Overson: 508, FIG. 5 / Vines: 606, FIG. 6) the plurality of storage variables (Overson ¶ 170, 171; Vines: col. 19, lns. 4-18) comprises:
analyzing the ‘A’ and ‘C’ storage variables across a plurality of HTTP requests (Overson ¶ 125 “store session information”; Overson ¶ 138 “pulling the IP address from a...header”; Overson ¶ 156 “inspect...new request/another HTTP request”; Lo ¶ 5 “‘A’ storage variable/identifier in a subsequent HTTP request”; Vines: col. 7, lns. 3-26 “analyze/track various activity of interest from requests[] within the network session...Examples of activity data may include ‘C’ storage variable/the number of webpages visited...session activity may be determined...from...information within...the HTTP request”; Vines: col. 11, ln. 46 through col. 12, ln. 11 “analyze/identifies the session ID/‘A’ storage variable from the incoming HTTP request”); and
 when a storage variable remains same for a request (Overson ¶ 79 “a malicious bot may spoof its identity by using the same value for the "user-agent" attribute as a legitimate browser”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Vines for analyzing: (1) session IDs of HTTP requests; and (2) a number of webpages visited during a session.  The teachings of Vines, when respectively used with the (1) session identifier and (2) session information of the system of Overson in view of Lo further in view of Schneider further in view of Vines’ plurality of HTTP requests, will improve the accuracy of the system’s bot detection feature by enabling it to correlate attributes of a plurality of HTTP requests to one another.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Schneider further in view of Vines does not explicitly disclose, yet Poole teaches: determining a spoofing of storage variable when a ‘C’ storage variable remains same for a plurality of requests (col. 6, lns. 44-56 “If...‘C’ storage variable/nonce value is equal to/the same as...a previously received nonce value, then System [] can assume/determine that a spoofing/replay attack is under way”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Poole for determining a spoofing when a storage variable remains the same for a plurality of requests.  The teachings of Poole, when used within the bot detection feature of the system of Overson in view of Lo further in view of Schneider further in view of Vines’ analysis of a ‘C’ .
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Dias et al. (US 6,170,017 B1, hereinafter Dias).
Regarding claim 7, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches: wherein analyzing (Overson: 508, FIG. 5 / Schneider: 606, FIG. 6) the plurality of storage variables comprises determining (Overson: 508-511, FIG. 5) a visitor as a distributed bot (Overson ¶ 5 “Attackers may use bots to commit...unauthorized acts...such as...DDoS attacks”; Overson ¶ 170, 171, 172 “bot check logic 340 determines the browser 295 to be a bot”; Schneider ¶ 71; note: Overson may be applied to detect a “distributed bot” because, by definition, the “incoming traffic” of a “DDoS attack”—such as the “DDoS attack” of Overson’s “unauthorized acts”—is “distributed,” i.e., “originates from many different sources”10 [see Overson ¶ 5]).
However, Overson in view of Lo further in view of Schneider does not explicitly disclose, yet Dias teaches: determining a visitor as malicious when a single ‘A’ storage variable is received from multiple IP address (col. 11, lns. 48-65 “require all transactions from a particular session ID/‘A’ storage variable to come from the same IP address...[to] prevent a malicious user/visitor from stealing a session ID/‘A’ storage variable from a client”).
Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Wo et al. (US 2014/0019488 A1, hereinafter Wo).
Regarding claim 8, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches: wherein analyzing (Overson: 508, FIG. 5 / Schneider: 606, FIG. 6) the plurality of storage variables comprises determining (Overson: 508-511, FIG. 5) a visitor as a bot (Overson ¶ 170, 171, 172 “bot check logic 340 determines the browser 295 to be a bot”; Schneider ¶ 71).
However, Overson in view of Lo further in view of Schneider does not explicitly disclose yet, Wo teaches: determining a visitor as a possible bot when a single ‘A’ storage or IP address makes requests at a rate higher than a specified threshold (¶ 35 “track...the source, e.g...IP address...associated with each of those requests and storage variables/a timestamp indicating when each respective request was made”; ¶ 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Wo for determining that a visitor is a bot when its IP address makes requests at a rate higher than a specified threshold.  The teachings of Wo, when used within the system of Overson in view of Lo further in view of Schneider’s bot detection feature, will improve security by providing the bot detection feature with an additional means for determining whether a requestor is a bot.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Baradaran et al. (US 2017/0126718 A1, hereinafter Baradaran).
Regarding claim 9, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches wherein analyzing (Overson: 508, FIG. 5 / Schneider: 606, FIG. 6) the plurality of storage variables (Overson ¶ 170, 171; Schneider ¶ 71) comprises: analyzing time series anomalies between the plurality of HTTP requests (Overson ¶ 125 “store session information that identifies browser 295, such as...time request was received”; Overson ¶ 156 “inspect...new request”; Overson ¶ 171 “computer 230 may...timeout...if the response is not received within a threshold period of time...For instance...[a] bot might be unable...to generate a new request”; note: Overson’s algorithm would analyze a plurality of a legitimate browser’s HTTP requests [see Overson ¶ 171, 110]).
Baradaran teaches:
analyzing time series anomalies between a plurality of HTTP requests (¶ 277 “relevant detection features for detecting bots may include...time...between requests”; ¶ 271 “network traffic may include HHTP [] traffic”); and
determining interarrival time between successive requests from a same IP address or ‘A’ has a standard deviation that is substantially zero (¶ 277 “when uniform values or values within a relatively narrow range, for each feature, are observed over a period of time, it may be a sign that the network traffic is initiated by a bot”; note: Baradaran’s standard deviation is close to zero when detection features have “uniform values or values within a relatively narrow range within a session/‘A’” [see ¶ 277]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Baradaran for analyzing the arrival of HTTP requests of a session in order to determine whether the interarrival time between successive requests has a standard deviation close to zero.  The teachings of Baradaran, when used within the system of Overson in view of Lo further in view of Schneider’s bot detection feature, will improve security by providing the bot detection feature with an additional means for detecting a bot.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
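The per-session checks relied on in the rejections of claims 5 through 9 (a ‘C’ counter that fails to increment, one ‘A’ session identifier received from multiple IP addresses, a request rate above a specified threshold, and interarrival times whose standard deviation is substantially zero) can be expressed as detection logic over request records. The following Python is an added illustration and is not code from the application or from any cited reference; the record layout, the threshold values, the finding labels and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample traffic (assumption; not taken from any cited reference).
# Record layout: (arrival time in seconds, source IP, 'A' session ID, 'C' page counter)
SAMPLE_REQUESTS = [
    # Irregular timing, one IP, counter increments on every request.
    (0.0, "198.51.100.7", "s-human", 1), (3.2, "198.51.100.7", "s-human", 2),
    (9.9, "198.51.100.7", "s-human", 3), (14.1, "198.51.100.7", "s-human", 4),
    (31.0, "198.51.100.7", "s-human", 5),
    # Counter stops incrementing: the same 'C' value is presented again.
    (0.0, "198.51.100.8", "s-replay", 1), (2.5, "198.51.100.8", "s-replay", 2),
    (7.0, "198.51.100.8", "s-replay", 2), (8.1, "198.51.100.8", "s-replay", 2),
    # One session identifier arriving from several source addresses.
    (0.0, "203.0.113.5", "s-shared", 1), (4.0, "203.0.113.9", "s-shared", 2),
    (5.5, "203.0.113.77", "s-shared", 3), (12.0, "203.0.113.5", "s-shared", 4),
    # Perfectly regular timing: every gap is exactly 2 seconds.
    (0.0, "192.0.2.10", "s-timer", 1), (2.0, "192.0.2.10", "s-timer", 2),
    (4.0, "192.0.2.10", "s-timer", 3), (6.0, "192.0.2.10", "s-timer", 4),
    (8.0, "192.0.2.10", "s-timer", 5),
    # Burst of requests well above the rate threshold.
    (0.0, "192.0.2.20", "s-flood", 1), (0.05, "192.0.2.20", "s-flood", 2),
    (0.13, "192.0.2.20", "s-flood", 3), (0.16, "192.0.2.20", "s-flood", 4),
    (0.30, "192.0.2.20", "s-flood", 5), (0.33, "192.0.2.20", "s-flood", 6),
]


def analyze(requests, rate_threshold=5.0, stdev_epsilon=0.01, min_requests=4):
    """Return {session_id: set of finding labels} for the four checks.

    rate_threshold  -- requests per second treated as too fast (assumed value)
    stdev_epsilon   -- interarrival standard deviation, in seconds, treated as
                       "substantially zero" (assumed value)
    min_requests    -- requests needed before timing uniformity is judged,
                       so that two or three requests are not over-interpreted
    """
    by_session = defaultdict(list)
    for ts, ip, sid, counter in requests:
        by_session[sid].append((ts, ip, counter))

    findings = {}
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r[0])  # evaluate in arrival order
        flags = set()

        # Check 1: 'C' must be strictly higher than the highest value seen so
        # far; an equal or lower value indicates a replayed or frozen counter.
        highest = None
        for _, _, counter in rows:
            if highest is not None and counter <= highest:
                flags.add("counter_not_incremented")
            highest = counter if highest is None else max(highest, counter)

        # Check 2: a single 'A' value should come from a single IP address.
        if len({ip for _, ip, _ in rows}) > 1:
            flags.add("session_from_multiple_ips")

        # Interarrival gaps between successive requests of this session.
        gaps = [later[0] - earlier[0] for earlier, later in zip(rows, rows[1:])]

        # Check 3: average request rate over the observed span.
        if gaps:
            span = rows[-1][0] - rows[0][0]
            rate = len(gaps) / span if span > 0 else float("inf")
            if rate > rate_threshold:
                flags.add("rate_above_threshold")

        # Check 4: near-zero spread of interarrival times (machine-like pacing).
        if len(rows) >= max(min_requests, 2) and pstdev(gaps) <= stdev_epsilon:
            flags.add("uniform_interarrival")

        findings[sid] = flags
    return findings


if __name__ == "__main__":
    for sid, flags in sorted(analyze(SAMPLE_REQUESTS).items()):
        print(f"{sid}: {sorted(flags) or 'no findings'}")
```

Grouping here is by the ‘A’ value only; grouping the rate and timing checks by source IP address as well, as the claim language permits, is a change to the dictionary key.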
Claims 10, 23 and 25 are rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Chakra et al. (US 2015/0051934 A1, hereinafter Chakra).

Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for blocking malware by locally analyzing content against a local signature database.  The teachings of Schneider, when used within the system of Overson in view of Lo further in view of Schneider’s connector, will improve the system’s efficiency by enabling the system to block bots locally at a web server’s connector, rather than remotely at a bot detector computer/server.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Schneider does not explicitly disclose yet, Chakra teaches wherein performing preset action by blocking subsequent 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Chakra for having an asynchronous feed provide content and block subsequent content until processing of the provided content is complete.  The teachings of Chakra, when used to process requests for the system of Overson in view of Lo further in view of Schneider’s request analysis and blocking features, will (1) make the system more robust and (2) prevent a single user from overloading it, by limiting the requests that the system’s server may process, to one-at-a-time per-user.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 23, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches: wherein the connector is configured to perform a preset action of
blocking (Overson: 511, FIG. 5) subsequent requests (Overson ¶ 172, 174 “computer 230 blocks/refuses to forward the request on to the web infrastructure 205”; Overson ¶ 174, 172, 79 “ignore a request from a bot”; note: Overson may effectively “block” a request by ignoring it [see Overson ¶ 79], also note that Schneider’s server 510  may store signatures [see Schneider ¶ 63, 71, 72]).

In an analogous art, Schneider teaches: blocking subsequent requests by analysis with the replica of bot signature database (¶ 37 “block/prevent proliferation of [] content”; ¶ 63 “Virus database 512 replicates/provides virus signature definitions to network server 510...provide content checks/analysis against the...virus signature”; ¶ 71 “content is...scanned, step 606 is executed by the designated network server”; note: Schneider’s database 512 and virus scanning provider 216 replicate signatures within their bot signature database, by sending them to network server 202/510 [see ¶ 44, 63, 71]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for blocking malware by locally analyzing content against a local signature database.  The teachings of Schneider, when used within the system of Overson in view of Lo further in view of Schneider’s connector, will improve the system’s efficiency by enabling the system to block bots locally at a web server’s connector, rather than remotely at a bot detector computer/server.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Schneider does not explicitly disclose, yet Chakra teaches: blocking content by using an asynchronous feed (¶ 33 “receive requests and create individualized asynchronous feed for each user...where content is not provided all at once, but is provided on an as-needed basis”; note: when 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Chakra for having an asynchronous feed provide content.  The teachings of Chakra, when used to process requests for the system of Overson in view of Lo further in view of Schneider’s blocking features, will (1) make the system more robust and (2) prevent a single user from overloading it, by limiting the requests that the system’s server may process, to one-at-a-time per-user.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Regarding claim 25, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches wherein the connector is further configured to:
provide the HTTP response to the client application immediately in response to the HTTP request (Overson ¶ 79 “server may respond to a request from a legitimate browser with the data requested”; note: Overson may respond immediately after an analysis [see Overson ¶ 79]);
analyze (Overson: 508, FIG. 5) data received (Overson: 507, FIG. 5) through the API calls at the bot detection computer to compute bot signatures (Overson ¶ 171, 170, 169 “receive...data generated”; Lo ¶ 40 “aznAPI 316...allows an application to call out to an authorization service for authorization decisions...Information passed/received...can be analyzed/used to make access decisions”);

block (Overson: 511, FIG. 5) consecutive HTTP request from a bot at one of a CDN, WAF, and hardware appliance (Overson ¶ 172, 174 “computer 230 blocks/refuses to forward the request on to the web infrastructure 205”; Overson ¶ 174, 172, 79 “ignore a request from a bot”; note: Overson may effectively “block” a request by ignoring it, and Overson’s features may be performed by a “hardware appliance” [see Overson ¶ 79, 184]).
However, Overson in view of Lo does not explicitly disclose: provide the computed bot signatures asynchronously through a feed to the web server; store the computed bot signatures in one of a Content Delivery Network (CDN), Web Application Firewall (WAF), and hardware appliance present at the web server; and block a bot at one of a CDN, WAF, and hardware appliance using the computed bot signatures.
In an analogous art, Schneider teaches:
provide computed malware signatures to a web server (¶ 40, 44, 45, 60, 63 “database 512 provide [] signature definitions to network server 510”);
store the computed malware signatures in one of a Content Delivery Network (CDN), Web Application Firewall (WAF), and hardware appliance present at the web server (¶ 4 “access [] a content provider via...web servers”; ¶ 40, 44, 45, 60, 63 “database 512 provide [] signature definitions to network server 510”; ¶ 71, 72 “Hardware...may be used to perform...scan operations”; note: in order to provide online access to its content, Schneider’s server 202/510 may be a “web server,” and Schneider may store signature definitions provided to server 510 [see ¶ 4, 63]); and

Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Schneider for having a malware signature database provide the malware signatures to a web server hardware appliance.  The teachings of Schneider, when used within the analysis of the system of Overson in view of Lo’s web server hardware appliance, will improve the system’s efficiency by enabling the system to detect bots locally at a web server that is protected by the system.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo does not explicitly disclose, yet Chakra teaches: provide asynchronously through a feed to a web server (¶ 33 “receive requests and create individualized asynchronous feed for each user....where content is not provided all at once, but is provided on an as-needed basis”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Chakra for having an asynchronous feed provide content.  The teachings of Chakra, when used to provide signatures to the system of Overson in view of Lo further in view of Schneider’s web server, will (1) make the system more robust and (2) prevent its web server from being overwhelmed by the signatures that it is provided, by limiting the signatures that may be provided, to one-at-a-time per-user.  Therefore, Examiner concludes that it .
Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Brinskelle (US 8,856,869 B1, hereinafter Brinskelle) further in view of Chakra.
Regarding claim 12, Overson in view of Lo further in view of Schneider teaches all of the limitations of claim 1, as previously stated, and further teaches wherein blocking subsequent requests further comprises:
providing the HTTP response to the client application immediately in response to the HTTP request (Overson ¶ 79 “server may respond to a request from a legitimate browser with the data requested”; note: Overson may respond immediately after an analysis [see Overson ¶ 79]);
analyzing (Overson: 508, FIG. 5 / Schneider: 606, FIG. 6) data received (Overson: 507, FIG. 5) through the API calls at the bot detection computer (Overson ¶ 171, 170, 169 “receive...data generated”; Lo ¶ 40 “aznAPI 316...allows an application to call out to an authorization service for authorization decisions...Information passed/received...can be analyzed/used to make access decisions”);
providing bot signatures to the web server (Schneider ¶ 40, 44, 45, 60, 63 “database 512 provide [] signature definitions to network server 510”);
storing computed bot signatures in one of a Content Delivery Network (CDN), Web Application Firewall (WAF), and hardware appliance present at the web server (Overson ¶ 79; Schneider ¶ 4 “access [] a content provider via...web servers”; Schneider ¶ 40, 44, 45, 60, 63 “database 512 provide [] signature definitions to network 
blocking (Overson: 511, FIG. 5) consecutive HTTP request from a bot at one of a CDN, WAF, and hardware appliance using the computed bot signatures (Overson ¶ 172, 174 “computer 230 blocks/refuses to forward the request on to the web infrastructure 205”; Overson ¶ 174, 172, 79 “ignore a request from a bot”; Schneider ¶ 71, 72 “Hardware...may be used to perform...scan operations”; note: Overson may effectively “block” a request by ignoring it, and Overson’s features may be performed by a “hardware appliance” [see Overson ¶ 79, 184], also note that Schneider’s server 510 may store signatures [see Schneider ¶ 63, 71, 72]).
Before the effective filing date of the invention, one of ordinary skill would have recognized the ability to utilize the teachings of Lo for receiving data through an API call.  The teachings of Lo, when used within the existing system of Overson in view of Lo further in view of Schneider’s receipt of data variables, will improve the system by enabling its bot detector to make a more fine-grained access control decision.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Schneider does not explicitly disclose wherein blocking subsequent requests by using an asynchronous feed further comprises: analyzing data received through the API calls at the bot detection computer 
In an analogous art, Brinskelle teaches wherein blocking subsequent content (col. 68, lns. 39-51 “blocking or preventing transmissions”) comprises:
analyzing data received at a bot detection computer to compute bot signatures (col. 68, lns. 39-51 “analysis may be used to help generate...signatures”; col. 67, ln. 65 “botnet clients”); and
storing the computed bot signatures in one of a CDN and WAF (col. 68, lns. 39-51 “creates a signature, that signature is provided to an component, such as for example an IDS, a firewall, a WAF”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Brinskelle for: (1) computing bot signatures by analyzing received data; and (2) storing the computed bot signatures in a WAF.  The teachings of Brinskelle, when used to (1) generate and (2) store the system of Overson in view of Lo further in view of Schneider’s bot signatures, will: (1) make the system’s bot detection computer/server more self-sufficient by enabling it to create its own bot signatures; and (2) improve the security of the system’s web server by incorporating a firewall into the system’s connector, respectively.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Schneider does not explicitly disclose yet, Chakra teaches wherein blocking subsequent content by using an asynchronous feed (note: when content is provided, Chakra’s “asynchronous feed” 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Chakra for having an asynchronous feed provide content.  The teachings of Chakra, when used to process requests for the system of Overson in view of Lo further in view of Schneider further in view of Brinskelle’s request analysis and blocking features, will (1) make the system more robust and (2) prevent a single user from overloading it, by limiting the requests that the system’s server may process, to one-at-a-time per-user.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Vines further in view of Poole.
Regarding claim 18, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches wherein the bot detection computer is further configured to:
track visitors accessing the client application using IP address of the client application (Overson ¶ 125 “store session information that identifies browser 295, such as by IP address”; Vines: col. 11, ln. 46 through col. 12, ln. 11 “session ID/‘A’ storage variable”);

determine (Overson: 508-511, FIG. 5) a visitor as a bot (Overson ¶ 170, 172 “bot check logic 340 determines the browser 295 to be a bot”).
However, Overson in view of Lo does not explicitly disclose wherein the bot detection computer is further configured to: increment a ‘C’ storage variable on each request; and determine a visitor as a bot when the ‘C’ storage variable is detected to be not incremented, and wherein the ‘C’ storage variable is a HTTP storage variable used for identifying the number of pages accessed in the session.
In an analogous art, Vines teaches:
track visitors accessing the client application using ‘A’ storage variable (col. 11, ln. 46 through col. 12, ln. 11 “session ID/‘A’ storage variable”),
wherein a ‘C’ storage variable is a HTTP storage variable used for identifying a number of pages accessed in a session (col. 11, ln. 46 through col. 12, ln. 11; col. 7, lns. 3-26 “Bot detection service 118 tracks various activity of interest from requests/ responses within the network session.  The analysis involves...reviewing...activity... Examples of activity data may include ‘C’ storage variable/the number of webpages visited...session activity may be determined...from cookies and/or other information within...the HTTP request”).

However, Overson in view of Lo further in view of Vines does not explicitly disclose, yet Poole teaches wherein a bot detector/computer is further configured to:
increment a ‘C’ storage variable on each request (col. 6, lns. 27-35 “incorporating an incrementing nonce/‘C’ storage variable...that increments with each subsequent [] communication, for example, increments by one each time an authentication request is made”); and
determine a visitor as malicious when the ‘C’ storage variable is detected to be not incremented (col. 6, lns. 44-56 “If...‘C’ storage variable/nonce value is equal to or lower than a previously received nonce value, then System [] can assume that a replay attack is under way/malicious requestor”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Poole for determining maliciousness when a storage variable remains the same for a plurality of requests.  The teachings of Poole, when used within the bot detection feature of the system of 
Regarding claim 19, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches wherein the bot detector/computer is further configured to:
analyze a ‘A’ storage variable across a plurality of HTTP requests (Overson ¶ 125 “store session information”; Overson ¶ 138 “pulling the IP address from a...header”; Overson ¶ 156 “inspect...new request/another HTTP request”; Lo ¶ 5 “‘A’ storage variable/identifier in a subsequent HTTP request”); and
determine a spoofing of storage variables if a storage variable remains same for the plurality of HTTP requests (Overson ¶ 79 “a malicious bot may spoof its identity by using the same value for the "user-agent" attribute as a legitimate browser”).
However, Overson in view of Lo does not explicitly disclose: analyze a ‘A’ storage variable and a ‘C’ storage variable across a plurality of HTTP requests; and determine a spoofing of storage variables if the ‘C’ storage variables remains same for the plurality of HTTP requests.
In an analogous art, Vines teaches: analyze a ‘A’ storage variable and a ‘C’ storage variable across a plurality of HTTP requests (col. 7, lns. 3-26 “analyze/track various activity of interest from requests[] within the network session...Examples of activity data may include ‘C’ storage variable/the number of webpages visited...session activity may be determined...from... information within...the HTTP request”; col. 11, ln. 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Vines for analyzing: (1) session IDs of HTTP requests; and (2) a number of webpages visited during a session.  The teachings of Vines, when respectively used with the (1) session identifier and (2) session information of the system of Overson in view of Lo’s plurality of HTTP requests, will improve the accuracy of the system’s bot detection feature by enabling it to correlate attributes of a plurality of HTTP requests to one another.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
However, Overson in view of Lo further in view of Vines does not explicitly disclose, yet Poole teaches: determine a spoofing of storage variables if a ‘C’ storage variables remains same for the plurality of requests (col. 6, lns. 44-56 “If...‘C’ storage variable/nonce value is equal to/the same as...a previously received nonce value, then System [] can assume/determine that a spoofing/replay attack is under way”).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Poole for determining a spoofing when a storage variable remains the same for a plurality of requests.  The teachings of Poole, when used within the bot detection feature of the system of Overson in view of Lo further in view of Vines’ analysis of storage variables, will improve security by protecting the system against spoofing attacks.  Therefore, Examiner concludes that .
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Dias.
Regarding claim 20, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches wherein the bot detection computer is configured to analyze (Overson: 508, FIG. 5 / Schneider: 606, FIG. 6) the plurality of storage variables by determining (Overson: 508-511, FIG. 5) a visitor as a distributed bot, wherein the ‘A’ storage variable is a HTTP storage variable used for uniquely identifying a session  (Overson ¶ 5 “Attackers may use bots to commit...unauthorized acts...such as...DDoS attacks”; Overson ¶ 170, 171, 172 “bot check logic 340 determines the browser 295 to be a bot”; Lo ¶ 5 “a verifiable session identifier”/‘A’ storage variable”; note: Overson may be applied to detect a “distributed bot” because, by definition, the “incoming traffic” of a “DDoS attack”—such as the “DDoS attack” of Overson’s “unauthorized acts”—is “distributed,” i.e., “originates from many different sources”11 [see Overson ¶ 5]).
However, Overson in view of Lo further in view of Vines does not explicitly disclose, yet Dias teaches: determining a visitor as a distributed bot when a constant ‘A’ storage variable is received from multiple IP address, wherein the ‘A’ storage variable is a HTTP storage variable used for uniquely identifying a session (col. 11, lns. 48-65 “require all transactions from a particular session ID/‘A’ storage variable to come from the same IP address...[to] prevent a malicious user/visitor from stealing a session ID/‘A’ 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Dias for determining that a visitor is malicious when a session ID received from the visitor’s IP address, is the same as a session ID that was received beforehand from a different IP address.  The teachings of Dias, when used within the system of Overson in view of Lo’s bot detection feature, will improve security by preventing a bot from stealing a session ID, such as Applicant’s ‘A’ storage variable.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claim 21 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Wo.
Regarding claim 21, Overson in view of Lo teaches all of the limitations of claim 13, as previously stated, and further teaches: wherein the bot detection computer is configured to analyze (Overson: 508, FIG. 5) the plurality of storage variables by determining (Overson: 508-511, FIG. 5) a visitor as a bot (Overson ¶ 170, 171, 172 “bot check logic 340 determines the browser 295 to be a bot”).
However, Overson in view of Lo further in view of Vines does not explicitly disclose, yet Wo teaches: determining a visitor as a possible bot when a single `A` storage or IP address makes requests at a rate higher than a specified threshold (¶ 35 “track...the source, e.g...IP address...associated with each of those requests and storage variables/a timestamp indicating when each respective request was made”; ¶ 
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Wo for determining that a visitor is a bot when its IP address makes requests at a high rate.  The teachings of Wo, when used within the system of Overson in view of Lo’s bot detection feature, will improve security by providing the bot detection feature with an additional means for determining whether a requestor is a bot.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Overson in view of Lo further in view of Schneider further in view of Chakra further in view of Baradaran.
Regarding claim 22, Overson in view of Lo further in view of Schneider further in view of Chakra teaches all of the limitations of claim 10, as previously stated, and further teaches: wherein the bot detection computer is configured to: analyze (Overson: 508, FIG. 5) time series anomalies between the plurality of HTTP requests (Overson ¶ 125 “store session information that identifies browser 295, such as...time request was received”; Overson ¶ 156 “inspect...new request”; Overson ¶ 170, 171 “computer 230 may...timeout...if the response is not received within a threshold period of time...For instance...[a] bot might be unable...to generate a new request”; note: Overson’s algorithm would analyze a plurality of a legitimate browser’s HTTP requests [see Overson ¶ 171, 110]).
Baradaran teaches:
analyze time series anomalies between the plurality of HTTP requests (¶ 277 “relevant detection features for detecting bots may include...time...between requests”; ¶ 271 “network traffic may include HHTP [] traffic”); and
determine interarrival time between successive requests from a same IP address or ‘A’ has a standard deviation that is substantially zero  (¶ 277 “when uniform values or values within a relatively narrow range, for each feature, are observed over a period of time, it may be a sign that the network traffic is initiated by a bot”; note: Baradaran’s standard deviation is close to zero when detection features have “uniform values or values within a relatively narrow range within a session/‘A’” [see ¶ 277]).
Before the effective filing date of the invention, one of ordinary skill in the art would have recognized the ability to utilize the teachings of Baradaran for analyzing the arrival of HTTP requests of a session in order to determine whether the interarrival time between successive requests has a standard deviation close to zero.  The teachings of Baradaran, when used within the system of Overson in view of Lo further in view of Schneider further in view of Chakra’s bot detection feature, will improve security by providing the bot detection feature with an additional means for detecting a bot.  Therefore, Examiner concludes that it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.
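The four checks cited in the rejections above (Poole's repeated ‘C’ value, Dias's single ‘A’ arriving from several IP addresses, Wo's request-rate threshold, and Baradaran's near-zero interarrival deviation) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the tuple layout, flag names, thresholds and sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample traffic: (timestamp_seconds, ip, A_session_id, C_nonce).
REQUESTS = [
    # s1: irregular pacing, fresh C on every request
    (0.0, "198.51.100.7", "s1", "c1"), (4.2, "198.51.100.7", "s1", "c2"),
    (19.9, "198.51.100.7", "s1", "c3"), (23.0, "198.51.100.7", "s1", "c4"),
    # s2: metronomic 0.5 s spacing and the same C sent each time
    (0.0, "203.0.113.5", "s2", "c9"), (0.5, "203.0.113.5", "s2", "c9"),
    (1.0, "203.0.113.5", "s2", "c9"), (1.5, "203.0.113.5", "s2", "c9"),
    # s3: one A value presented from three different addresses
    (2.0, "192.0.2.10", "s3", "d1"), (30.0, "192.0.2.11", "s3", "d2"),
    (75.0, "192.0.2.12", "s3", "d3"),
]

def analyze(requests, max_rate=1.0, max_ips=1, stddev_floor=0.05, min_reqs=4):
    """Return {A: set of flags}. All thresholds are illustrative assumptions."""
    by_a = defaultdict(list)
    for ts, ip, a, c in sorted(requests):
        by_a[a].append((ts, ip, c))
    findings = {}
    for a, rows in by_a.items():
        flags = set()
        times = [ts for ts, _, _ in rows]
        nonces = [c for _, _, c in rows]
        # Poole: a C value that was already received suggests replay/spoofing.
        if len(set(nonces)) < len(nonces):
            flags.add("replayed_C")
        # Claim 20 / Dias: the same A arriving from more than one IP address.
        if len({ip for _, ip, _ in rows}) > max_ips:
            flags.add("A_from_multiple_IPs")
        if len(rows) >= min_reqs:  # timing checks need enough samples
            span = times[-1] - times[0]
            # Claim 21 / Wo: request rate (requests/second) above a threshold.
            if span > 0 and (len(rows) - 1) / span > max_rate:
                flags.add("rate_exceeded")
            # Claim 22 / Baradaran: interarrival stddev substantially zero.
            gaps = [t1 - t0 for t0, t1 in zip(times, times[1:])]
            if pstdev(gaps) < stddev_floor:
                flags.add("uniform_interarrival")
        findings[a] = flags
    return findings
```

Clients that legitimately change networks mid-session can trip the multiple-IP check, so it is better weighed with the other signals than used alone.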


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kalish Bell whose telephone number is (571) 272-5294. The examiner can normally be reached 9am-5pm, M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235.  The fax phone 
Information regarding the status of published or unpublished applications may be obtained from Patent Center.  Unpublished application information in Patent Center is available to registered users.  To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format.  For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/KALISH K BELL/Examiner, Art Unit 2432

1 Retrieved on November 16, 2021 at: “https://en.wikipedia.org/wiki/Malware”.
2 Retrieved on November 16, 2021 at: “https://www.malwarebytes.com/computer-virus”.
3 Retrieved on November 16, 2021 at: “https://www.dictionary.com/browse/across”.
4 Retrieved on June 17, 2021 at: “https://techterms.com/definition/snippet”.
5 Retrieved on June 15, 2021 at: “https://en.wikipedia.org/wiki/HTTP_cookie”.
6 Retrieved on June 17, 2021 at: “https://techterms.com/definition/snippet”.
7 Retrieved on June 15, 2021 at: “https://en.wikipedia.org/wiki/HTTP_cookie”.
8 Retrieved on June 17, 2021 at: “https://techterms.com/definition/snippet”.
9 Retrieved on June 15, 2021 at: “https://en.wikipedia.org/wiki/HTTP_cookie”.
10 Retrieved on July 18, 2021 at: “https://en.wikipedia.org/wiki/Denial-of-service_attack”.
11 Retrieved on July 18, 2021 at: “https://en.wikipedia.org/wiki/Denial-of-service_attack”.