Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions. 
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
Claims 1-26 are pending in this office action. 

Priority
No foreign priority is claimed.


Information Disclosure Statement
The information disclosure statements (IDS's) submitted on 12/30/2019 and 04/30/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-26 are rejected under 35 U.S.C. 103 as being unpatentable over Kayacik et al. (US 2018/0219881 A1, hereinafter Kayacik), in view of Bar Noy et al. (US 2019/0334940 A1, Bar Noy hereinafter).
For claim 1, Kayacik teaches a method by one or more runtime agents implemented by one or more network devices for capturing contextual information for data accesses using flow enrichment (para 0027, 0048), wherein the one or more runtime agents protect a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor (Fig. 1-4; para 0027-0028, 0033, 0054 - communicatively coupled web application, firewall, communication interface, detection/monitoring component with database store and storing mechanism), the method comprising: determining first metadata associated with a web application layer request sent by the web application firewall to the web application, wherein the first metadata was determined by the web application firewall (Fig. 3A, 3B; para 0027, 0048-0050 - web application layer (HTTP) request metadata or feature parameters are determined by the firewall for the request routed via firewall to the web application); 
determining second metadata associated with the web application layer request based on information available to the web application (para 0027, 0031-0032 - parameters or attributes associated with the request are determined from the request); 
serializing the first metadata and the second metadata to generate serialized metadata (para 0028, 0031, 0049, 0054, 0061, 0065 - sequential data of various kinds obtained as parameters, and also structured data created as a sequence or format, and may be received and stored in the same sequence/format, i.e. arranged serially one after another); and 
adding the serialized metadata to a database by accessing the database as part of the web application processing the web application layer request, wherein the data storing operation includes the serialized metadata to cause the database activity monitor to store the serialized metadata and third metadata associated with the database storage operation determined by the database activity monitor in a data storage (para 0028, 0049, 0054, 0061, 0065, 0069 - received formatted metadata is stored in the database by the detection/monitoring component associated with database, and the invariant detection associated with the data supplied in the query/storage operation).
Although it is well-known to one of ordinary skill in the art that database operations such as data retrieval, storage or modifications are handled via database commands such as queries which would be part and parcel of any data storage operations conducted in the previous steps, Kayacik does not appear to explicitly teach, however Bar Noy teaches adding the sequenced or arranged metadata to a database query that is to be submitted by the web application to the database server to access the database as part of the web (http) request processing, wherein execution of the database query that includes the sequenced or arranged metadata by the database server is to cause the database activity monitor to store the metadata and third metadata associated with the database query determined by the database activity monitor in a data storage (para 0076, 0085, 0092, 0095, 0098, 0102, 0122, 0124 - querying the database for attributes related to the request, and storing the web request attributes along with attack id and URL parameters included in the query or associated with the query, in the database as necessary).
Therefore, based on Kayacik in view of Bar Noy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Bar Noy in the system of Kayacik, in order to query and populate the database with web request-specific attributes for further reference, in order to prepare the database with web request analysis data sets that may assist with determination of safety and security associated with the request.

For claim 2, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik further teaches wherein the first metadata that was determined by the web application firewall includes one or more of: an indication of whether the web application layer request was generated by a human or a bot, a source Internet Protocol (IP) address associated with the web application layer request, a reputation score of the source IP address associated with the web application layer request, a client type of a web application client that generated the web application layer request, and a geolocation from which the web application layer request originated (para 0026, 0053-0055 - IP address, geolocation, types etc. are among the metadata attributes received or determined).

For claim 3, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches wherein the second metadata determined by the one or more runtime agents includes a web application username (para 0064, 0080, 0092, 0098 - keywords/strings corresponding to users or user entries, and also user-agent details being obtained from the request).

For claim 4, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik further teaches the method of claim 3, wherein the second metadata determined by the one or more runtime agents further includes one or more of: the database query, a name of the database, a name of a database table being accessed using the database query, and a location of web application code that generated or submitted the database query (para 0027, 0055, 0065, 0069 - geolocation of the request, resource identifier or database to which the information is stored as part of the database operation).

For claim 5, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches wherein the third metadata associated with the database query determined by the database activity monitor includes one or more of: the database query submitted to the database, a name of the database, a name of a database table being accessed using the database query, a database username, a sensitivity score of data being accessed using the database query, and a number of records returned by the database (para 0060, 0072, 0075-0076, 0088-0089, 0092, 0124-0125 - scores associated with the suspicious request data).

For claim 6, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches wherein the serialized metadata is added to the database query in a comment field of the database query so that the serialized metadata is not executed by the database server (para 0076, 0085, 0094-0095, 0098, 0122 - the query simply returns a list of indicators as requested based on request attributes included in the query, and indicating the metadata is not executed itself).

For claim 7, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik further teaches wherein the first metadata that was determined by the web application firewall is included in a header of the web application layer request sent by the web application firewall to the web application (para 0023, 0025, 0027, 0031, 0048-0050, 0069 - web application layer (HTTP) request metadata or feature parameters are determined by the firewall for the request routed via firewall to the web application, wherein the request includes attributes such as content or data type, HTTP agent).

For claim 8, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches receiving an instruction to block a specified web application user; and activating a mechanism for blocking the specified web application user (para 0064, 0080-0081, 0092, 0098, 0113 - keywords/strings corresponding to users or user entries, and also user-agent details being obtained from the request wherein the requests are blocked for specific user/agents based on determination of suspiciousness).

For claim 9, Kayacik teaches a method by one or more runtime agents implemented by one or more network devices for capturing contextual information for data accesses using distributed tracing (para 0027, 0048, 0055 - attributes along with tracking/tracing of access time), wherein the one or more runtime agents protect a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor (Fig. 1, 2, 3A, 3B; para 0023, 0027-0028, 0033, 0054 - communicatively coupled web application, processors, firewall, networked communication interface, detection/monitoring component with database store and storing mechanism), the method comprising: determining first metadata associated with a web application layer request sent by the web application firewall to the web application, wherein the first metadata was determined by the web application firewall (Fig. 3A, 3B; para 0027, 0048-0050 - web application layer (HTTP) request metadata or feature parameters are determined by the firewall for the request routed via firewall to the web application); 
determining second metadata associated with the web application layer request based on information available to the web application (para 0027, 0031-0032 - parameters or attributes associated with the request are determined from the request);
storing the first metadata and the second metadata in a data storage (para 0028, 0049, 0054, 0061, 0065, 0069 - received formatted metadata is stored in the database by the detection/monitoring component associated with database, and the invariant detection associated with the data supplied in the query/storage operation);
associating the first metadata and the second metadata with a time tracking (para 0027, 0055, 0069 - access time is tracked for requests and added); and 
causing the web application to send the tracking data to the database when the web application submits a data storing operation to the database server to access the database as part of the web application processing the web application layer request, wherein execution of the data storing operation is to cause the database activity monitor to store third metadata associated with the database storage operation determined by the database activity monitor in the data storage and associate the third metadata with the trace identifier (para 0028, 0049, 0054, 0061, 0065, 0069 - received formatted metadata is stored in the database by the detection/monitoring component associated with database, and the invariant detection associated with the data supplied in the query/storage operation; para 0027, 0055, 0069 - access time is tracked for requests and added corresponding to the respective request).
Although it is well-known to one of ordinary skill in the art that database operations with storing of specific fields for further utilization in maliciousness detection of requests would be part and parcel of any data storage operations conducted, Kayacik does not appear to explicitly teach, however Bar Noy teaches associating the metadata with a trace identifier; and causing the web application to send the trace identifier to the database when the web application submits a database query to the database server, and associate the third metadata with the trace identifier (para 0076, 0085, 0092, 0095, 0098, 0102, 0122, 0124 - querying the database for attributes related to the request, and storing the web request attributes along with attack id and URL parameters included in the query or associated with the query, in the database as necessary; para 0079, 0118, 0149 - response time (metadata) as an identifier associated with the request is traced or tracked, and utilized for identifying of attack associated with respective requests).
Therefore, based on Kayacik in view of Bar Noy, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to utilize teachings of Bar Noy in the system of Kayacik, in order to query and populate the database with web request-specific attributes for further reference, in order to prepare the database with web request analysis data sets that may track and assist with further determination of safety and security associated with the request.

For claim 10, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik further teaches wherein the first metadata that was determined by the web application firewall includes one or more of: an indication of whether the web application layer request was generated by a human or a bot, a source Internet Protocol (IP) address associated with the web application layer request, a reputation score of the source IP address associated with the web application layer request, a client type of a web application client that generated the web application layer request, and a geolocation from which the web application layer request originated (para 0026, 0053-0055 - IP address, geolocation, types etc. are among the metadata attributes received or determined).

For claim 11, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches wherein the second metadata determined by the one or more runtime agents includes a web application username (para 0064, 0080, 0092, 0098 - keywords/strings corresponding to users or user entries, and also user-agent details being obtained from the request).

For claim 12, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik further teaches the method of claim 11, wherein the second metadata determined by the one or more runtime agents further includes one or more of: the database query, a name of the database, a name of a database table being accessed using the database query, and a location of web application code that generated or submitted the database query (para 0027, 0055, 0065, 0069 - geolocation of the request, resource identifier or database to which the information is stored as part of the database operation).

For claim 13, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly disclose, however Bar Noy teaches wherein the third metadata associated with the database query determined by the database activity monitor includes one or more of: the database query submitted to the database server, a name of the database, a name of a database table being accessed using the database query, a database username, a sensitivity score of data being accessed using the database query, and a number of records returned by the database (para 0060, 0072, 0075-0076, 0088-0089, 0092, 0124-0125 - scores associated with the suspicious request data).

For claim 14, Kayacik in view of Bar Noy teaches the claimed subject matter as discussed above. Kayacik does not appear to explicitly teach, however Bar Noy teaches wherein the trace identifier is generated by the one or more runtime agents (para 0079, 0092-0093, 0098, 0114, 0118, 0149 - processes executing in real-time or running to determine response time (metadata) as an identifier associated with the request is traced or tracked, and utilized for identifying of attack associated with respective requests, storing the web request attributes along with attack id and URL parameters, in the database).

As to claim 15, the claim limitations are similar to those of claim 1 above, except claim 15 is drawn to a set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more network devices implementing one or more runtime agents protecting a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor (Fig. 1, 2, 3A, 3B; para 0010, 0023, 0027-0028, 0033, 0048, 0054 - communicatively coupled web application, firewall, processors, networked communication interface, detection/monitoring component with database store and storing mechanism), causes the one or more network devices to perform the method steps of claim 1. Therefore claim 15 is rejected according to claim 1 above.

As to claim 16, the claim limitations are similar to those of claim 3 above. Therefore claim 16 is rejected according to claim 3 above.

As to claim 17, the claim limitations are similar to those of claim 6 above. Therefore claim 17 is rejected according to claim 6 above.

As to claim 18, the claim limitations are similar to those of claim 9 above, except claim 18 is drawn to a set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more network devices implementing one or more runtime agents protecting a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor (Fig. 1, 2, 3A, 3B; para 0010, 0023, 0027-0028, 0033, 0048, 0054 - communicatively coupled web application, processors, firewall, communication interface, detection/monitoring component with database store and storing mechanism), causes the one or more network devices to perform the method steps of claim 9. Therefore claim 18 is rejected according to claim 9 above.

As to claim 19, the claim limitations are similar to those of claim 11 above. Therefore claim 19 is rejected according to claim 11 above.

As to claim 20, the claim limitations are similar to those of claim 14 above. Therefore claim 20 is rejected according to claim 14 above.

As to claim 21, the claim limitations are similar to those of claim 1 above, except claim 21 is drawn to a network device configured to implement a runtime agent that protects a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor, wherein the runtime agent is configured to capture contextual information for data accesses using flow enrichment, the network device comprising: one or more processors; and a non-transitory machine-readable storage medium having instructions stored therein (Fig. 1, 2, 3A, 3B; para 0010, 0023, 0027-0028, 0033, 0048, 0054 - communicatively coupled web application, processing devices, network devices, firewall, communication interface, detection/monitoring component with database store and storing mechanism), which when executed by the one or more processors, causes the network device to perform the method steps of claim 1. Therefore claim 21 is rejected according to claim 1 above.

As to claim 22, the claim limitations are similar to those of claim 3 above. Therefore claim 22 is rejected according to claim 3 above.

As to claim 23, the claim limitations are similar to those of claim 6 above. Therefore claim 23 is rejected according to claim 6 above.

As to claim 24, the claim limitations are similar to those of claim 9 above, except claim 24 is drawn to a network device configured to implement a runtime agent that protects a web application that is communicatively coupled to a web application firewall and a database server hosting a database monitored by a database activity monitor, wherein the runtime agent is configured to capture contextual information for data accesses using distributed tracing, the network device comprising: one or more processors; and a non-transitory machine-readable storage medium having instructions stored therein (Fig. 1, 2, 3A, 3B; para 0010, 0023, 0027-0028, 0033, 0048, 0054 - communicatively coupled web application, processing devices, network devices, firewall, communication interface, detection/monitoring component with database store and storing mechanism), which when executed by the one or more processors, causes the network device to perform the method steps of claim 9. Therefore claim 24 is rejected according to claim 9 above.

As to claim 25, the claim limitations are similar to those of claim 11 above. Therefore claim 25 is rejected according to claim 11 above.

As to claim 26, the claim limitations are similar to those of claim 14 above. Therefore claim 26 is rejected according to claim 14 above.

    
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAYESH JHAVERI whose telephone number is (571)270-7584. The examiner can normally be reached on Mon-Fri 9 AM to 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JAYESH M JHAVERI/Primary Examiner, Art Unit 2433