DETAILED ACTION
1.	Claims 1-30 are pending in this examination.
Notice of Pre-AIA  or AIA  Status
2.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
3.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Allowable Subject Matter
4.	Claims 6-7, 16-17, 23 and 26 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Response to Arguments 	
5.1.	Applicant’s arguments filed 9/29/2021 have been fully considered but they are not persuasive.
5.2.	Applicant’s Response applicant argues, in substance that  “Claim 1 recites among other elements the element of, "providing, by the DAM to the WAF, sensitive data information describing the portion of the requested data identified as sensitive." …. Claim 1 also recites among other elements the element of, "identifying, by the WAF,  sensitive data within the response data based on the sensitive data information… Applicant respectfully disagree” with cited arts (remark, pages 9-15).
In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
The examiner submits that the combination of Raab and Shulman discloses above features.  For example Raab discloses database activity monitor (DAM) (fig. 1, item 20) coupled between the database (fig. 1, item 10) and the WAF(fig. 1, item 22); receiving the sensitive data information, receiving, by the WAF, response data from the application server ([0053]).
Secondary references Shulman discloses in paragraphs 52-53 discloses secured gateway and secure server/databaseservers which identifying sensitive information.


  
    PNG
    media_image1.png
    295
    453
    media_image1.png
    Greyscale




    PNG
    media_image2.png
    568
    441
    media_image2.png
    Greyscale

5.4.	Appellant argues, in substance, that , “Applicant respectfully submits that the Examiner has failed to establish a prima facie case of obviousness for claim 1. (remark page 9-13). The Examiner disagrees.  Sufficient motivation has been provided that one of ordinary skill in the art would find it obvious to combine the teachings of Raab and Shulman.  



Therefore, in view of the above reasons, the rejections are maintained.

Claim Rejections - 35 USC § 103
6.1.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.


6.2.	Claims 1, 5, 9, 10, 13, 19, 20, 24-25, 28, and 30 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent Application No. 20060059154 to Raab et al (“Raab”) in view of US Patent Application No. 20070294539 to Shulman et al (“Shulman”).
 	As per claim 1, Raab discloses a method for protecting information, the method comprising: receiving, at a web application firewall (WAF) (fig. 1, item 22) from a client device (fig. 1, item 16), a request for data (fig. 1, item 10, [0046]-[0047], also see fig. 2);

in response to the requested data being output by the database, identifying, by a database activity monitor (DAM) (fig. 1, item 20) coupled between the database (fig. 1, item 10)  and the WAF(fig. 1, item 22)  for data; wherein the WAF and DAM are implemented by one or more computing devices ([0052]).
after receiving the sensitive data information, receiving, by the WAF, response data from the application server ([0053]).
	Raab does not explicitly disclose however in the same field of endeavor, Shulman discloses database activity monitor (DAM) identifying a portion of the requested data as sensitive (fig. 6, items 630, [0053])
providing, by the DAM to the WAF, sensitive data information describing the portion of the requested data identified as sensitive ([0050]);
 	identifying, by the WAF, sensitive data within the response data based on the sensitive data information ([0042]-[0043],);
performing, by the WAF, one or more security operations based the identifying of sensitive data ([0043], [0050] if user allowed to view such sensitive information, otherwise preventing for viewing).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Raab with the teaching of Shulman by including the feature of sensitive data, in order for Raab’s system for 

As per claim 5, the combination of Raab and Shulman discloses the method of claim 1, wherein the portion of the requested data is identified as sensitive based on one or more of: database metadata found in the query, information that may be associated with the query, and/or pattern matching on the query result (Shulman, [0042], [0046], also see [0053]). The motivation regarding the obviousness of claim 1 is also applied to claim 5. 

As per claim 9, the combination of Raab and Shulman discloses the method of claim 1, wherein the DAM, WAF, and application server comprise distinct, different computing devices (Raab, fig. 1, item 22 (WAF) , (fig. 1, item 20 (DAM),  fig. 1, item 26, (server), also see  fig. 2, [0046]-[0048]).

As per claim 10, the combination of Raab and Shulman discloses the method of claim 1, wherein the performing includes: performing one or more security operations on the identified sensitive data to produce protected data; and providing the protected data to the client device (Shulman, [0050], also see fig. 5 and associated texts). The motivation regarding the obviousness of claim 1 is also applied to claim 10.

As per claim 13, the combination of Raab and Shulman discloses the method for protecting information, the method comprising: receiving, at a WAF  (fig. 1, item 22)  from a client device (fig. 1, item 16),  a request for data (fig. 1, item 10, [0046]-[0047], also see fig. 2);
 providing, by the WAF (fig. 1, item 22),  the request for data to an application server ([0048], also see fig. 1, item 26) coupled between the WAF and the database, the application server configured to query the database for the requested data [0047]-[0048], also see figs. 1&2);
receiving, at the WAF, data information from a DAM (fig. 1, item 20), the DAM coupled between the database (fig. 1, item 10)  and the WAF(fig. 1, item 22)  for data;, wherein the WAF and DAM are implemented by one or more computing devices ([0052]).
after receiving the sensitive data information, receiving, by the WAF, response data from the application server ([0053]).
	Raab does not explicitly disclose however in the same field of endeavor, Shulman discloses database activity monitor (DAM) identifying a portion of the requested data as sensitive (fig. 6, items 630, [0053])
the sensitive data information describing a portion of the requested data identified as sensitive by the DAM ([0050]);
identifying, by the WAF, sensitive data within the response data based on the sensitive data information ([0042]-[0043]);

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Raab with the teaching of Shulman by including the feature of sensitive data, in order for Raab’s system for servicing requests from clients for computational or data storage resources. A database is coupled to the database server and is capable of saving sensitive information. An encryption gateway is installed between the clients and the database server and is capable of performing transparent encrypting which will protecting sensitive data form hacker.

Claims 19, 20, 24-25, 28, and 30 are rejected for similar reasons as stated above.


6.3.	Claims 2-4, 11-12, 14-15, 21-22, 27 and 29 are rejected under 35 U.S.C. 103 as being unpatentable over Raab and Shulman as applied to claim above, and in view of US Patent No. 8856869 issued to Brinskelle et al (“Brinskelle”).

	As per claim 2, the combination of Raab and Shulman discloses the invention as described above. Raab and Shulman does not explicitly disclose however in the same field of endeavor, Brinskelle discloses the method of claim 1, further comprising: 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Raab with the teaching of Shulman by including the feature of tracking previous activity, in order for Raab’s system for determing whether all previous accessed content are authorized triggers--if not then one or more messages are blocked or an alert raised, Determining whether the release of an HTTP cookie is authorized (such as for example the destination of the HTTP request is authorized, the client application is an authorized client application, the user is an authorized user for the HTTP cookie, etc. . . . ) and using such a determination to recommend, allow, or transmit the HTTP request, Translating HTTP cookies (such as between original and acting cookies). Such actions may help to detect unauthorized use of cookies and/or act as a gatekeeper to the original cookies, Provide a recommendation on whether to allow or block release of the HTTP request, or outright block or allow release of the HTTP request (Brinskelle).

As per claim 3, the combination of Raab, Shulman and Brinskelle discloses the method of claim 2, further comprising: determining, by the WAF, a likelihood that the received request is malicious based on the tracked activity of the user of the client device  responsive to determining that the likelihood is greater than a pre-determined 

	As per claim 4, the combination of Raab, Shulman and Brinskelle discloses the method of claim 1, wherein the portion of the requested data is identified as


	As per claim 11, the combination of Raab, Shulman and Brinskelle discloses the method of claim 1, wherein the one or more security operations comprises flagging the identified sensitive data for review by personnel associated with the WAF (Brinskelle, 29:15-30). The motivation regarding the obviousness of claim 2 is also applied to claim 11.

	As per claim 12, the combination of Raab, Shulman and Brinskelle discloses the method of claim 1, wherein the one or more security operations are configurable by an entity associated with the WAF (Brinskelle, 29:15-30). The motivation regarding the obviousness of claim 2 is also applied to claim 12.



Claims 14-15, 21-22, 27 and 29 are rejected for similar reasons as stated above.



	As per claim 8, the combination of Raab, Shulman and Brinskelle discloses the invention as described above. Raab, Shulman and Brinskelle does not explicitly disclose however in the same field of endeavor, Gluck discloses the method of claim 1, wherein the requested data output by the database is structured data, the method further comprising: parsing, by the WAF, unstructured markup language data of the response data from the application server to identify the sensitive data ([0025], [0040], also see fig. 2 and associated texts).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Raab, Shulman and Brinskelle with the teaching of Gluck by including the feature of markup language, in order for Raab’s system for determine sensitive information; which achieving efficient searches on relevant sensitive data by using the developed set of predefined document classifications as well as Better representation of information provided in database with better restructuring by recommending.

Claim 18 is rejected for similar reasons as stated above.

as the prior art discloses many of the claim features (See PTO-form 892).
a). US Application Patent No. 20200106749 to Jain et al discloses a gateway device for implementing data security is described herein. The gateway device is coupled between a client device and a server device, and is configured to receive encoded data and a set of operations from the server device in response to a request for cloud services from the client device. The gateway device is configured to decode the encoded data, and to provide the decoded data and the set of operations to the client device. The client device is configured to perform the set of operations on the decoded data, and to incorporate the operation results into an application or interface corresponding to the requested cloud service. The gateway device is configured to encode the operation result data, and to provide the encoded operation result data to the server device for storage.
Conclusion
8.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HARUNUR RASHID whose telephone number is (571)270-7195. The examiner can normally be reached 9 AM to 5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

HARUNUR . RASHID
Primary Examiner
Art Unit 2497



/HARUNUR RASHID/Primary Examiner, Art Unit 2497