Commissioner for Patents
United States Patent and Trademark Office
P.O. Box 1450
Alexandria, VA 22313-1450
www.uspto.gov

BEFORE THE PATENT TRIAL AND APPEAL BOARD


Application Number: 16/594,075
Filing Date: 7 Oct 2019
Appellant(s): Ayoub et al.

__________________
Scott D. Paul
For Appellant

EXAMINER’S ANSWER

This is in response to the appeal brief filed 09/05/2021.

(1) Grounds of Rejection to be Reviewed on Appeal
Every ground of rejection set forth in the Office action dated 04/15/2021 from which the appeal is taken is being maintained by the examiner except for the grounds of rejection (if any) listed under the subheading “WITHDRAWN REJECTIONS.” New grounds of rejection (if any) are provided under the subheading “NEW GROUNDS OF REJECTION.”
The following ground(s) of rejection are applicable to the appealed claims.
Claims 21 – 24, 26 – 30, 32 – 36 and 38 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over International Publication Number WO 2008/054849 A2 issued to Eisen further in view of U.S. Patent Number 6,584,569 issued to Reshef et al. further in view of web document titled “What is a hash map in programming and where can it be used” written by Chris et al. (http://stackoverflow.com/questions/2592043/what-is-a-hash-map-in-programming-and-where-can-it-be-used).
Claims 25, 31 and 37 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over International Publication Number WO 2008/054849 A2 issued to Eisen, in view of U.S. Patent Number 6,584,569 issued to Reshef et al. further in view of a web document titled “What is a hash map in programming and where can it be used” written by Chris et al., further in view of U.S. Publication Number 2007/0033264 issued to Edge et al.

WITHDRAWN REJECTIONS
The following grounds of rejection are not presented for review on appeal because they have been withdrawn by the examiner.
In view of the Terminal Disclaimer filed 09/02/2021, the nonstatutory double patenting rejection is withdrawn.

(2) Response to Argument
THE REJECTION OF CLAIMS 21 – 24, 26 – 30, 32 – 36 AND 38 UNDER 35 U.S.C. § 103 FOR OBVIOUSNESS BASED UPON EISEN IN VIEW OF RESHEF, CURTIS
Examiner submits that the statement of argument submitted by the Appellant appears to have a typo “CURTIS” in place of “CHRIS”.

Appellant argues that Eisen is nonanalogous prior art that cannot be properly applied against the claimed invention. Appellant states that the claimed invention is within the field of testing web applications for security vulnerabilities, e.g., with a web application scanner, and that it accomplishes this in part by crawling the pages of the web application (being tested) and identifying the links contained therein. Appellant argues that Eisen, however, is within a different field. In particular, Eisen is within the field of detecting actual attacks on a server. Appellant puts it this way: the claimed invention determines whether a web application is susceptible to being attacked (i.e., vulnerable), whereas Eisen determines whether the web application is actually being attacked.
In response to Appellant’s argument, the Examiner disagrees and submits that both the instant claimed application and the Eisen reference are in the field of security vulnerabilities. The instant application and Eisen both use crawling techniques to scan the data and identify security vulnerabilities. The Appellant argues that Eisen is nonanalogous because it is in the field of detecting actual attacks on servers, whereas the claimed application determines if a web application is vulnerable to an attack. Examiner directs attention to paragraph 31 of Eisen, where it states “detect session tampering may include an initial step of placing a plurality of fingerprint collectors in preselected or strategic locations on a Web site. A fingerprint collector may be described as a computer program residing in the memory of computer or server that is designed to extract device fingerprint information from the data or information exchanged between a (Web) server in order to identify a user device 

Appellant argues that Eisen does not state that the computer program designed to extract device fingerprint information is found within a client. Appellant argues that the Examiner's assertion that "the function of detecting vulnerabilities/attacks is client-side operation in Eisen" is not accurate.
In response to Appellant’s argument, the Examiner primarily presents that claim language recites “A computer-implemented method of crawling a website, comprising: recording a current page 

Appellant argues Claim 21 — Articulated reasoning for combining references does not lead to claimed combination. Once a malicious user has access to the server system (i.e., what Eisen looks to prevent), it is too late to identify potential security vulnerabilities. To use a brick-and-mortar analogy, 
In response to the Appellant’s argument, the Examiner disagrees with the analysis of the analogy used by the Appellant. Appellant says that “Once a malicious user has access to the server system (i.e., what Eisen looks to prevent), it is too late to identify potential security vulnerabilities. To use a brick-and-mortar analogy, once a thief has broken into the store in the middle of the night, a realization that the cash register is not locked comes too late”. Once a thief has broken into the store in the middle of the night, a realization that the cash register is not locked is not too late; on realizing that the cash register is not locked, a remote lock action can still secure the cash register and thereby deny access to it. Once a malicious user has access to the server system he can still be locked out or denied access, and this is taught in Eisen in paragraph 35. It teaches, in an example of online banking applications, that the first fingerprint may be taken while the user is logging on from a home page and before allowing the user to perform online banking functions or activity including but not limited to withdrawing or transferring funds or changing passwords; the second fingerprint may be collected along with its corresponding Session ID information. This additional authentication step is performed again so that the comparison between fingerprints can be performed for that particular session relative to the same Session ID. When the fingerprints do not match, the activity requested may be immediately denied. Furthermore, Reshef teaches that there also exists a need to ensure that a web site or web application is secure at the application level. A malicious user can overcome or modify the limitations or logic embedded in the mobile agent and send destructive or forged data to the web server. Reshef fulfills the need for an application-level scanner to identify application-level vulnerabilities, columns 1, 2.

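The two-fingerprint session check paraphrased from Eisen paragraph 35 above, modelled as a small in-memory session store. This is an added illustration, not code from the Examiner's Answer, the Eisen reference or the appealed application; the set of device attributes collected, the list of sensitive actions and the class and method names are assumptions.

```python
# Added illustration of the session-tampering check described above.
# Device attributes, action names and the digest format are assumptions.
import hashlib
import hmac

# Activities the paraphrase names as requiring the second fingerprint.
SENSITIVE_ACTIONS = {"withdraw", "transfer", "change_password"}


def fingerprint(device_info: dict) -> str:
    """Collapse the attributes a fingerprint collector gathered into one
    comparable digest. The attribute set is an assumption, not Eisen's."""
    canonical = "|".join(f"{k}={device_info[k]}" for k in sorted(device_info))
    return hashlib.sha256(canonical.encode()).hexdigest()


class SessionStore:
    """Holds, per Session ID, the fingerprint taken at log-on."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def login(self, session_id: str, device_info: dict) -> None:
        # First fingerprint: taken on the home/log-on page, before any
        # banking activity is permitted.
        self._sessions[session_id] = fingerprint(device_info)

    def request(self, session_id: str, action: str, device_info: dict) -> bool:
        """Second fingerprint: collected with the Session ID at request time.
        Returns True if the action is permitted, False if it is denied."""
        stored = self._sessions.get(session_id)
        if stored is None:
            return False  # no log-on fingerprint for this Session ID: deny
        if action not in SENSITIVE_ACTIONS:
            return True  # assumption: only sensitive activity is re-checked
        current = fingerprint(device_info)
        # Compare the two fingerprints for the same Session ID; a mismatch
        # means the session may have been tampered with, so deny the activity.
        return hmac.compare_digest(stored, current)


if __name__ == "__main__":
    # Constructed sample: same device at log-on and at the transfer request.
    store = SessionStore()
    home = {"ua": "Browser/1.0", "tz": "-300", "screen": "1920x1080"}
    store.login("sid-1", home)
    print(store.request("sid-1", "transfer", home))                      # True
    print(store.request("sid-1", "transfer", dict(home, ua="Other/2.0")))  # False
```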
Examiner submits that the statement of argument appears to have a typo “CURTIS” in place of “CHRIS”.
Appellant states that for convenience of the Honorable Board in addressing the rejections, claims 25, 31, and 37 stand or fall together with independent claim 21.
Examiner submits that the rationale used and explained for arguments of claim 21 is also similarly applied to claims 25, 31 and 37.

For the above reasons, it is believed that the rejections should be sustained.
Respectfully submitted,
/NAVNEET GMAHL/Examiner, Art Unit 2166
Conferees:
/MARK D FEATHERSTONE/Supervisory Patent Examiner, Art Unit 2166
/RYAN M STIGLIC/Primary Examiner
Requirement to pay appeal forwarding fee. In order to avoid dismissal of the instant appeal in any application or ex parte reexamination proceeding, 37 CFR 41.45 requires payment of an appeal forwarding fee within the time permitted by 37 CFR 41.45(a), unless appellant had timely paid the fee for filing a brief required by 37 CFR 41.20(b) in effect on March 18, 2013.