Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION

1.        This action is in response to application amendments filed on 10-14-2021. 
2.        Claims 1 - 20 are pending.  Claims 1 - 5, 7 - 9, 11 - 16, 18, 20 have been amended.   Claims 1, 12 are independent.   This application was filed on 6-13-2019.  

Response to Arguments

3.    Applicant's arguments have been fully considered; however, upon further consideration of the prior art and the claimed limitations, they were not persuasive.

A.  Applicant argues on page 18 of Remarks: "... each of the at least one URL identifies one web page provided by the protected host; determining a suspicious URL from the at least one URL saved in the web page visit record, wherein a total quantity of visits to the suspicious URL is less than a first threshold, and a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold; and determining whether a web page identified by the suspicious URL contains a webshell signature ..."

    The Examiner respectfully disagrees.  Donahue discloses a URL associated with a 
    Further, Roelker discloses a determination of whether a particular signature has been found (i.e., a webshell signature). (see Roelker paragraph [0044], lines 1-6: the IDS contains signatures to detect malicious parameter keys and values; (a signature parameter designates a suspicious URL or IP address))

B.  Applicant argues on page 18 of Remarks: "... the suspicious URL in Applicant's claim 1 indicates a web page provided by the protected host, rather than an IP address of a client."

    The Examiner respectfully disagrees.  Donahue discloses a determination of URLs 

C.  Applicant argues on page 20 of Remarks: "... a suspicious URL is determined based on whether a total quantity of visits to the suspicious URL is less than a first threshold, and whether a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold."

    The Examiner respectfully disagrees.  Donahue discloses the determination of a suspicious URL by utilizing a count of the number of URLs determined to be suspicious and comparing that value to a threshold. (see Donahue paragraph [0030], lines 1-22: entries in the access log that meet predefined criteria are designated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests; paragraph [0007], lines 1-5; paragraph 

D.  Applicant argues on page 21 of Remarks: Claim 12 recites limitations similar to those recited by claim 1 and therefore is also patentable over Donahue and Roelker. 

    Independent claim 12 has limitations similar to those of independent claim 1.  The responses to the arguments against independent claim 1 also answer the arguments against independent claim 12.   

E.  Applicant argues on page 21 of Remarks: Given that each of the rest of the claims depend from one of the above independent claims, at least for the reasons similar to those discussed above, it is respectfully submitted that each of the rest of the claims are patentable over Donahue and Roelker.

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.     

Claim Rejections - 35 USC § 103  

4.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


5.        Claims 1 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Donahue et al. (US PGPUB No. 20170366576) in view of Roelker et al. (US PGPUB No. 20080276316).

Regarding Claims 1, 12, Donahue discloses a webshell detection method and a security device, comprising: 
a)  obtaining first web traffic of a protected host, wherein the first web traffic is traffic generated when a web page provided by the protected host is visited during a first period; (see Donahue paragraph [0027], lines 3-10: client device transmits URL request to content server (protected host) to obtain webpages (web traffic); request received at proxy server, stored in access log, and transmits request to content server)    
b)  generating a web page visit record of the protected host based on the first web traffic, wherein the web page visit record saves at least one uniform resource locator (URL), an IP address visiting each of the at least one URL, and a total quantity of visits to each of the at least one URL, wherein each of the at least one URL identifies one web page provided by the protected host; (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server from multiple clients; paragraph [0027], lines 17-19: each URL request (URL points to a web page) to content server is 
c)  determining a suspicious URL from the at least one URL saved in the web page visit record, wherein a total quantity of visits to the suspicious URL is less than a first threshold, and a ratio of a quantity of different IP addresses visiting the suspicious URL to the total quantity of visits to the suspicious URL is less than a second threshold. (see Donahue paragraph [0030], lines 1-22: entries in the access log that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests) 

Furthermore, Donahue discloses for d) determining whether a web page is identified by a suspicious URL. (see Donahue paragraph [0030], lines 1-22: entries in the access log that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests)
Donahue does not specifically disclose for d) suspicious URL contains a signature within a signature database. 
However, Roelker discloses: 
d)  suspicious URL contains a webshell signature in a webshell signature database, and detecting, based on a webshell signature determining result, whether a webshell exists in the web page identified by the suspicious URL. (see Roelker paragraph [0044], lines 1-6: IDS contains signatures to detect malicious 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for d) suspicious URL contains a signature within a signature database as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Furthermore for Claim 12, Donahue discloses a security device comprising a memory, a processor, a network interface, and a bus, wherein the memory, the processor, and the network interface are connected to each other by using the bus. (see Donahue paragraph [0041], lines 1-8: computer readable devices coupled to processors; main memory for storing information and instructions used during execution; paragraph [0017], lines 1-5: managing distribution of content and/or communications from a computer network to an end user of network)    

Regarding Claims 2, 13, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, wherein the web page visit record comprises at least one entry, each of the at least one entry corresponds to one of the at least one URL, and saves a total quantity of visits and an IP address list; and wherein the generating the web page visit record of the protected host based on the first web traffic comprises:

e)  adding 1 to a total quantity of visits in the found entry, and recording the source IP address into an IP address list in the found entry if the entry corresponding to the URL carried in the access request packet is found, or creating, in the web page visit record, the entry corresponding to the URL, setting a total quantity of visits in the created entry to 1 and recording the source IP address into an IP address list in the created entry when the entry corresponding to the URL included in the access request packet is not found. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time, with each detected suspicious request being counted and then compared to a threshold; (creating entry corresponding to URI))    

Donahue does not specifically disclose obtaining access request packet from web traffic and parsing selected request packet to obtain a source IP address and a URL. 
However, Roelker discloses: 
a)  obtaining at least one access request packet from the first web traffic, wherein a destination IP address of each of the at least one access request packet is an IP 
b)  performing the following operations on each of the at least one access request packet; and c) parsing the access request packet to obtain a source IP address of and a URL in the access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)     
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining access request packet from web traffic and parsing selected request packet to obtain a source IP address and a URL as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Regarding Claims 3, 14, Donahue-Roelker discloses the method according to claim 2 and the security device according to claim 13, wherein the determining the suspicious URL from the at least one URL based on the web page visit record comprises:

b)  determining a quantity of IP addresses different from one another in an IP address list in the selected entry; and c) determining a URL corresponding to the selected entry as the suspicious URL when a total quantity of visits in the selected entry is less than the first threshold and a ratio of the determined quantity of IP addresses different from one another to the total quantity of visits in the selected entry is less than the second threshold. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold)     

Regarding Claims 4, 15, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, 
a)  wherein the web page visit record comprises at least one entry, each of the at least one entry corresponds to one of the at least one URL, and the entry saves a total quantity of visits, an IP address count, and an IP address list; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks 
generating a web page visit record of the protected host based on the first web traffic comprises:
e)  searching the web page visit record for an entry corresponding to the URL included in the access request packet; (see Donahue paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value)    
f)   adding 1 to a total quantity of visits in the found entry when the entry corresponding to the URL included in the access request packet is found; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold)    
g)  determining whether the source IP address has been saved in an IP address list in the found entry; (see Donahue paragraph [0027], lines 1-4: proxy server obtains an access log that includes URL requests intended for content server 
h)  ending processing the access request packet when the source IP address has been saved in the IP address list in the found entry; or adding 1 to an IP address count in the found entry and recording the source IP address into the IP address list in the found entry when the source IP address has not been saved in the IP address list in the found entry; or creating, in the web page visit record, the entry corresponding to the URL included in the access request packet, setting a total quantity of visits in the created entry to 1, setting an IP address count in the created entry to 1, and recording the source IP address into an IP address list in the created entry when the entry corresponding to the URL included in the access request packet is not found. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated (saved) over a particular period of time; with each detected suspicious request being counted and then compared to a threshold; (selected: adding 1 to an IP count)) 
   
Donahue does not specifically disclose obtaining, selecting and performing processing on selected access request packets. 
However, Roelker discloses: 
operations on each of the at least one access request packet is processed; and d) obtaining a source IP address of and a URL included in the selected access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)  
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining, selecting and performing processing on selected access request packets as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Regarding Claims 5, 16, Donahue-Roelker discloses the method according to claim 4 and the security device according to claim 15, wherein the determining the suspicious URL from the at least one URL based on the web page visit record comprises:
a)  selecting one entry from the web page visit record; (see Donahue paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value)  and
when a total quantity of visits in the selected entry is less than the first threshold and a ratio of an IP address count in the selected entry to the total quantity of visits in the selected entry is less than the second threshold. (see Donahue paragraph [0030], lines 1-22: entries in the access log that meet predefined criteria are indicated as suspicious; maintains a list of IP addresses (URLs) that are marked as suspicious; IP address and a count of the number of noted suspicious URL requests)     

Regarding Claims 6, 8, 17, Donahue-Roelker discloses the method according to claim 2 and the method according to claim 4 and the security device according to claim 13. 
Donahue does not specifically disclose selecting and obtaining an access request packet corresponding to each web page access response packet.
However, Roelker discloses wherein the obtaining at least one access request packet from the first web traffic comprises: 
a)  selecting at least one access response packet from the first web traffic, wherein a status code included in each of the at least one access response packet indicates a successful visit, and a source address of each access response packet is the IP address of the protected host; and b) obtaining an access request packet corresponding to each of the at least one web page access response packet from the first web traffic, as the obtained at least one access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for selecting and obtaining an access request packet corresponding to each web page access response packet as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)   

Regarding Claims 7, 9, 18, Donahue-Roelker discloses the method according to claim 2 and the method according to claim 4 and the security device according to claim 13, wherein the searching the web page visit record for the entry corresponding to the URL carried in the access request packet comprises:
b)  searching the web page visit record for an entry corresponding to the processed URL; (see Donahue paragraph [0007], lines 1-5: comparing the plurality of entries in access log (i.e. particular IP addresses and URLs received by proxy server) to a threshold value) and
c)  creating, in the web page visit record, the entry corresponding to the processed URL. (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis 

Donahue does not specifically disclose performing at least one type of normalization processing on a URL carried in a selected access request packet to obtain a normalization-processed URL. 
However, Roelker discloses: 
a)  performing at least one type of normalization processing on the URL included in the access request packet to obtain a normalization-processed URL, wherein the normalization processing comprises one or more of the following: converting the URL included in the access request packet into a predetermined code scheme, converting characters in the URL included in the access request packet into a predetermined uppercase/lowercase type, and removing a parameter in the URL included in the access request packet; and c) a normalization-processed URL, and d) a normalization-processed URL. (see Roelker paragraph [0103], lines 8-10: URI normalization module: attempts to decode an obfuscation within a URI; decodes obfuscations detected by URI discovery components including encoded characters; (selected: converting characters in URL)) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for performing at least one type of normalization processing on a URL carried in a selected access 

Regarding Claims 10, 19, Donahue-Roelker discloses the method according to claim 1 and the security device according to claim 12, further comprising: 
a)  determining a normal URL from the at least one URL saved in the web page visit record, wherein the normal URL is a URL whose total quantity of visits is greater than the first threshold in the at least one URL or a suspicious URL for which a webshell detection result indicates that no webshell exists in an identified web page; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold) and
b)  deleting an IP address visiting the normal URL and a total quantity of visits to the normal URL that are saved in the web page visit record. (see Donahue paragraph [0034], lines 18-20: suspicious included in IP table for a set period of time and removed when period of time expires)    

Regarding Claims 11, 20, Donahue-Roelker discloses the method according to claim 10 and the security device according to claim 19, further comprising: 
a)  obtaining second web traffic of the protected host, wherein the second web traffic is traffic generated when the web page provided by the protected host is visited during a second period after the first period; (see Donahue paragraph [0027], lines 3-10: client device transmits a URL request to content server (protected host) to obtain a webpage (web traffic); request received at proxy server, stored in access log, and transmit request to content server)       
d)  adding 1 to a total quantity of visits to the saved URL included in the first access request packet, and adding the source IP address of the first access request packet to an IP address visiting the URL included in the first access request packet when the URL included in the first access request packet is different from the normal URL and the URL included in the first access request packet has been saved in the web page visit record; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold)    
f)   saving the URL carried in the second access request packet into the web page visit record, setting a total quantity of visits to the URL carried in the second when the URL included in the second access request packet is different from the normal URL and the URL included in the second request packet has not been saved in the web page visit record; (see Donahue paragraph [0007], lines 1-5; paragraph [0007], lines 15-21: storing particular IP addresses (URLs) in a listing of potential sources of DOS attacks associated with a content server; paragraph [0014], lines 7-20: analysis of content requests received at proxy server and identified as involved in suspicious behavior; once identified IP addresses tracked and aggregated over a particular period of time; with each detected suspicious request being counted and then compared to a threshold) and    
h)  ending processing the third access request packet when the URL included in the third access request packet is the same as the normal URL. (see Donahue paragraph [0034], lines 8-11: if count for IP address has not exceeded threshold proxy server returns to monitoring additional potential suspicious URL requests (i.e. normal operation))    

Donahue does not specifically disclose obtaining an access request packet (first, second, third) and parsing an access request packet (first, second, third) to obtain a source IP address of and a URL. 
However, Roelker discloses:
b)  obtaining a first access request packet, a second access request packet, and a third access request packet from the second web traffic; (see Roelker paragraph 
c)  parsing the first access request packet to obtain a source IP address of and a URL carried in the first access request packet; e) parsing the second access request packet to obtain a source IP address of and a URL included in the second access request packet; and g) parsing the third access request packet to obtain a URL carried in the third access request packet. (see Roelker paragraph [0017], lines 1-11: packet is parsed and IP address of packet identified, HTTP IDS located at IP address; paragraph [0020], lines 1-6: one or more additional URIs embedded in packet are identified)      
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Donahue for obtaining an access request packet (first, second, third) and parsing an access request packet (first, second, third) to obtain a source IP address of and a URL as taught by Roelker. One of ordinary skill in the art would have been motivated to employ the teachings of Roelker for the benefits achieved from a system that enables the identification of Intrusion Detection System (IDS) evasions that utilize HTTP encoding schemes or HTTP protocol parameters.  (see Roelker paragraph [0012], lines 1-5)

Conclusion

          THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARLTON JOHNSON whose telephone number is (571)270-1032.  The examiner can normally be reached 12-9 PM (most days).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  

/CJ/
January 3, 2022
/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436