Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the reply filed by Applicant on 12/6/2021. Claims 1-20 are pending. No claims were added as new or cancelled. This Office Action is Final.

Response to Arguments
A) Applicant argues that Kancherla in combination with Tulasi fails to disclose, teach or even suggest “determining a set of recently triggered security rules, wherein the set of recently triggered security rules is a subset of the set of security rules applied by the web application layer proxy which includes those security rules in the set of security rules that were triggered within a most recent period of time; applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered after the security rules in the set of recently triggered security rules have been triggered,” with regards to claim 1. Examiner respectfully disagrees.
Examiner submits that Tulasi teaches “determining a set of recently triggered security rules, wherein the set of recently triggered security rules is a subset of the set of security rules applied by the web application layer proxy which includes those security rules in the set of security rules that were triggered within a most recent period of time; applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered after the security 
Examiner has interpreted the claims to be a set of triggered rules in a network security system, which leads to the generation of a predicted rule. For example, Tulasi recites “The firewall rule may be applicable to packets that are associated with packet information that matches the one or more match condition values associated with the firewall rule. A match condition value, of the one or more match condition values, may be associated with a match count that identifies a quantity of times that packets, received by the device, are associated with packet information that matches the match condition value.” Here the match conditions would read on triggered security rules, because the match values are based on when packet information matches a match condition. This is very similar to a security rule, where a rule is triggered when a condition is met. Next, Tulasi recites “The one or more processors may obtain a new firewall rule that may include one or more match condition values. The one or more 

B) Applicant's arguments regarding the dependent claims have been fully considered but they are not persuasive. The independent claims are still rejected under 35 USC 103; therefore the 103 rejections of the dependent claims are maintained as well.




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 5, 10, 11, 12, 16, 17, 19 and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kancherla et al. (US 2021/0029146) in view of Tulasi (US 2018/0091474).

	As per claim 1, Kancherla teaches a method by a web application layer proxy implemented by one or more network devices for predictively activating security rules to protect one or more web application servers from attacks by one or more web application clients, wherein the web application layer proxy is communicatively coupled between the one or more web application clients and the one or more web application servers, the method comprising: 
	applying a set of security rules to web application layer requests received by the web application layer proxy from the one or more web application clients that are intended for the one or more web application servers (Kancherla, Paragraph 0033 recites “Operations 200 begin at step 210, where a plurality of firewall rules for request handling are identified. In some embodiments, the plurality of firewall rules are applied to requests sent to a web application in order to determine whether the requests are attacks and/or whether to deny the requests.”); 
	and activating the one or more security rules to cause the web application layer proxy to apply the one or more security rules to future web application layer requests received by the web application layer proxy from the one or more web application clients that are intended for the one or more web application servers (Kancherla, Paragraph 0038 recites “At step 250, an update to at least one firewall rule of the plurality of firewall rules is determined based on the urgency measure for each given firewall rule of the plurality of firewall rules. For example, an order for displaying the plurality of firewall rules may be determined based on the urgency measure for each given firewall rule of the plurality of firewall rules, and the plurality of firewall rules may be displayed via a user interface in the order for use in identifying logged false positives so that exceptions to firewall rules may be defined as appropriate. The plurality of firewall rules may be ordered from highest urgency measure to lowest urgency measure. Input may be received, in response to the displaying, that defines the update via the user interface. The update may, for example, be an exception to the at least one firewall rule.”).
	But fails to teach determining a set of recently triggered security rules, wherein the set of recently triggered security rules is a subset of the set of security rules applied by the web application layer proxy which includes those security rules in the set of security rules that were triggered within a most recent period of time; applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered after the security rules in the set of recently triggered security rules have been triggered. 
	However, in an analogous art Tulasi teaches determining a set of recently triggered security rules, wherein the set of recently triggered security rules is a subset of the set of security rules applied by the web application layer proxy which includes those security rules in the set of security rules that were triggered within a most recent period of time; applying a prediction model to the set of recently triggered security rules to determine one or more security rules that are predicted to be triggered after the security rules in the set of recently triggered security rules have been triggered (Tulasi, Paragraph 0002 recites “A match condition value, of the one or more match condition values, may be associated with a match count that identifies a quantity of times that packets, received by the device, are associated with packet information that matches the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device. The one or more processors may obtain a new firewall rule that may include one or more match condition values. The one or more processors may predict a ranking value, as a predicted ranking value, of the new firewall rule based on the one or more match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules.” ).	
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tulasi’s predicting firewall rule ranking value with Kancherla’s managing firewall rules based on triggering statistics because the use of applying new rules based on results will make the system more efficient.
	As per claim 5, Kancherla in combination with Tulasi teaches the method of claim 1, Tulasi further teaches wherein the prediction model is generated based on analyzing sequences of security rules that were previously triggered at one or more web application layer proxies (Tulasi, Paragraph 0002 recites “A match condition value, of the one or more match condition values, may be associated with a match count that identifies a quantity of times that packets, received by the device, are associated with packet information that matches the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device. The one or more processors may obtain a new firewall rule that may include one or more match condition values. The one or more processors may predict a ranking value, as a predicted ranking value, of the new firewall rule based on the one or more match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules.” ).	
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tulasi’s predicting firewall rule ranking value with Kancherla’s managing firewall rules based on triggering statistics because the use of applying new rules based on results will make the system more efficient.

	As per claim 10, Kancherla in combination with Tulasi teaches the method of claim 1, Tulasi further teaches wherein the one or more security rules that are activated are not included in the set of security rules that was previously applied by the web application layer proxy (Tulasi, Paragraph 0002 recites “A match condition value, of the one or more match condition values, may be associated with a match count that identifies a quantity of times that packets, received by the device, are associated with packet information that matches the match condition value. The ranking value may identify a quantity of times that the firewall rule has been applied to the packets received by the device. The one or more processors may obtain a new firewall rule that may include one or more match condition values. The one or more processors may predict a ranking value, as a predicted ranking value, of the new firewall rule based on the one or more match condition values of the new firewall rule and/or based on analyzing the information regarding the plurality of firewall rules.” ).	
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tulasi’s predicting firewall rule ranking value with Kancherla’s 

	As per claim 11, Kancherla in combination with Tulasi teaches the method of claim 1, Tulasi further teaches sending data regarding security rules that were previously triggered at the web application layer proxy to a security manager, wherein the security manager is to use the data to generate the prediction model; receiving the prediction model from the security manager; and installing the prediction model in the web application layer proxy (Tulasi, Paragraph 0015 recites “In a situation where a new firewall rule, associated with no ranking information, is implemented, the firewall device may not be able to determine a ranking value of the new firewall rule. In such a situation, the firewall device may, for example, check the new firewall rule after checking each of the set of firewall rules. This may be problematic in situations where the new firewall rule is likely to apply to a larger quantity of packets than one or more of the set of firewall rules, because the firewall device may use time and/or processor power to check each of the set of firewall rules before checking the new firewall rule. Implementations described herein may enable the firewall device to predict a ranking value of the new firewall rule and to rank the new firewall rule accordingly, which may improve efficiency of the firewall device and/or reduce processing power used by the firewall device to check firewall rules, before the new firewall rule, that may be less likely to apply to a packet than the new firewall rule.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Tulasi’s predicting firewall rule ranking value with Kancherla’s 

Regarding claims 12 and 17, claims 12 and 17 are directed to a non-transitory readable medium and a computing device associated with the method of claim 1. Claims 12 and 17 are of similar scope to claim 1, and are therefore rejected under similar rationale.

Regarding claims 16 and 19, claims 16 and 19 are directed to a non-transitory readable medium and a computing device associated with the method of claim 5. Claims 16 and 19 are of similar scope to claim 5, and are therefore rejected under similar rationale.

Regarding claim 20, claim 20 is directed to a device associated with the method of claim 11. Claim 20 is of similar scope to claim 11, and is therefore rejected under similar rationale.




Claims 2-4, 13-15 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kancherla et al. (US 2021/0029146) and Tulasi (US 2018/0091474) and in further view of Pang et al. (US 2021/0036993).

	As per claim 2, Kancherla in combination with Tulasi teaches the method of claim 1, but fails to teach deactivating the one or more security rules after a period of time to cause the web application layer proxy to stop applying the one or more security rules.
	However, in an analogous art Pang teaches deactivating the one or more security rules after a period of time to cause the web application layer proxy to stop applying the one or more security rules (Pang, Paragraph 0050 recites “a user can query a list of invoked rules (e.g., a population of security rules) from the database to identify a plurality of redundant rules (e.g., redundant firewall exceptions). The identification of one or more dispensable rules may be based on a determination of redundancy, e.g., that each rule permitted the same communication session. Or, for example, a user can query the list to identify one or more dispensable rules that have not been invoked in some period of time, such as a week or a month (such as unused firewall exceptions). Thereby, the user is enabled to dispense or remove such dispensable (i.e., redundant or unused) rules from a rule set.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Pang’s automated firewall feedback from network traffic analysis with Kancherla’s managing firewall rules based on triggering statistics because revoking some rules helps to save resources on unused systems.

	As per claim 3, Kancherla in combination with Tulasi and Pang teaches the  method of claim 2, Pang further teaches wherein the one or more security rules are (Pang, Paragraph 0050 recites “a user can query a list of invoked rules (e.g., a population of security rules) from the database to identify a plurality of redundant rules (e.g., redundant firewall exceptions). The identification of one or more dispensable rules may be based on a determination of redundancy, e.g., that each rule permitted the same communication session. Or, for example, a user can query the list to identify one or more dispensable rules that have not been invoked in some period of time, such as a week or a month (such as unused firewall exceptions). Thereby, the user is enabled to dispense or remove such dispensable (i.e., redundant or unused) rules from a rule set.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Pang’s automated firewall feedback from network traffic analysis with Kancherla’s managing firewall rules based on triggering statistics because revoking some rules helps to save resources on unused systems.

	As per claim 4, Kancherla in combination with Tulasi and Pang teaches the  method of claim 2, Pang further teaches wherein the one or more security rules are deactivated in response to a determination, based on applying the prediction model, that the one or more security rules are no longer predicted to be triggered (Pang, Paragraph 0050 recites “a user can query a list of invoked rules (e.g., a population of security rules) from the database to identify a plurality of redundant rules (e.g., redundant firewall exceptions). The identification of one or more dispensable rules may be based on a determination of redundancy, e.g., that each rule permitted the same communication session. Or, for example, a user can query the list to identify one or more dispensable rules that have not been invoked in some period of time, such as a week or a month (such as unused firewall exceptions). Thereby, the user is enabled to dispense or remove such dispensable (i.e., redundant or unused) rules from a rule set.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Pang’s automated firewall feedback from network traffic analysis with Kancherla’s managing firewall rules based on triggering statistics because revoking some rules helps to save resources on unused systems.

Regarding claims 13 and 18, claims 13 and 18 are directed to a non-transitory readable medium and a computing device associated with the method of claim 2. Claims 13 and 18 are of similar scope to claim 2, and are therefore rejected under similar rationale.


Regarding claim 14, claim 14 is directed to a non-transitory readable medium associated with the method of claim 3. Claim 14 is of similar scope to claim 3, and is therefore rejected under similar rationale.

Regarding claim 15, claim 15 is directed to a non-transitory readable medium associated with the method of claim 4. Claim 15 is of similar scope to claim 4, and is therefore rejected under similar rationale.

Claims 6 and 7 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kancherla et al. (US 2021/0029146) and Tulasi (US 2018/0091474) and in further view of Han et al. (US 10,785,243).

	As per claim 6, Kancherla in combination with Tulasi teaches the  method of claim 5, but fails to teach wherein the prediction model is generated based on representing security rules as words, representing the sequences of security rules that were previously triggered as sentences, and applying a natural language processing algorithm to the sentences to arrange the security rules in a vector space, wherein distances between security rules in the vector space represent a likelihood that those security rules are triggered in the same context.
	However, in an analogous art Han teaches wherein the prediction model is generated based on representing security rules as words, representing the sequences of security rules that were previously triggered as sentences, and applying a natural language processing algorithm to the sentences to arrange the security rules in a vector space, wherein distances between security rules in the vector space represent a likelihood that those security rules are triggered in the same context (Han, Col. 7 Lines 49-66 recites “It is to be understood that although such probability distributions 319 can indicate whether a particular computing device 210 or networked organization/enterprise has been compromised or is currently under attack, the utility of such probability distributions 319 is far broader than that, as they can be used more generally. For example, probability distributions 319 can be provided as input to a Security Incident and Event Manager (SEIM) or Managed Security Service Provider (MSSP), for example to provide better prior probabilities, e.g., for detecting clusters of events that are more and less likely to be of interest to security analysts or clients of these services. Probability distributions 319 can instead or also be used to automatically prioritize and filter signatures to be used, e.g., in the creation of rule-based security analytics, security event identification and incident generation, e.g., within the context of a SEIM or MSSP, as well as by identifying interesting events to query on to build new rule based analytics.” See also Col. 6 Lines 27-40 recites “For example, GloVe training can be performed on aggregated global word-word co-occurrence statistics from an input corpus (e.g., the log text 303), and the resulting representations show linear substructures of the word vector space. Word2vec neural networks can be trained to reconstruct linguistic contexts of words. Word2vec takes a corpus of text (e.g., the log text 303) as its input and produces a vector space. Word vectors are positioned in the vector space such that words that share common contexts in the input are located in close proximity to one another in the vector space. Seq2Seq or other temporal RNN methodology can be used to track temporal activity at the level of the low dimensional feature vector 307.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Han’s Identifying evidence of attacks by analyzing log text with Kancherla’s managing firewall rules based on triggering statistics because creating new policy rules helps to be more efficient in a system.

	As per claim 7, Kancherla in combination with Tulasi and Han teaches the method of claim 6, Han further teaches wherein the prediction model is applied to determine the one or more security rules based on determining security rules that are within a predefined distance in the vector space from the security rules in the set of recently triggered security rules (Han, Col. 7 Lines 49-66 recites “It is to be understood that although such probability distributions 319 can indicate whether a particular computing device 210 or networked organization/enterprise has been compromised or is currently under attack, the utility of such probability distributions 319 is far broader than that, as they can be used more generally. For example, probability distributions 319 can be provided as input to a Security Incident and Event Manager (SEIM) or Managed Security Service Provider (MSSP), for example to provide better prior probabilities, e.g., for detecting clusters of events that are more and less likely to be of interest to security analysts or clients of these services. Probability distributions 319 can instead or also be used to automatically prioritize and filter signatures to be used, e.g., in the creation of rule-based security analytics, security event identification and incident generation, e.g., within the context of a SEIM or MSSP, as well as by identifying interesting events to query on to build new rule based analytics.” See also Col. 6 Lines 27-40 recites “For example, GloVe training can be performed on aggregated global word-word co-occurrence statistics from an input corpus (e.g., the log text 303), and the resulting representations show linear substructures of the word vector space. Word2vec neural networks can be trained to reconstruct linguistic contexts of words. Word2vec takes a corpus of text (e.g., the log text 303) as its input and produces a vector space. Word vectors are positioned in the vector space such that words that share common contexts in the input are located in close proximity to one another in the vector space. Seq2Seq or other temporal RNN methodology can be used to track temporal activity at the level of the low dimensional feature vector 307.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Han’s Identifying evidence of attacks by analyzing log text with Kancherla’s managing firewall rules based on triggering statistics because creating new policy rules helps to be more efficient in a system.

Claims 8 and 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kancherla et al. (US 2021/0029146) and Tulasi (US 2018/0091474) and in further view of Cox et al. (US 2010/0011027).
	
	As per claim 8, Kancherla in combination with Tulasi teaches the  method of claim 5, but fails to teach wherein the prediction model is generated based on determining conditional probabilities for pairs of security rules in the sequences of security rules that were previously triggered, wherein a conditional probability for a pair of security rules indicates a probability that a first security rule in the pair of security rules is triggered within a predefined period of time after a second security rule in the pair of security rules has been triggered.
	However, in an analogous art Cox teaches wherein the prediction model is generated based on determining conditional probabilities for pairs of security rules in the sequences of security rules that were previously triggered, wherein a conditional probability for a pair of security rules indicates a probability that a first security rule in  (Cox, Paragraph 0029 recites “If the conflict manager 118 determines that a conflict is possible (e.g. determine that a probability of a conflict is above a given threshold) after this comparison, then the policy conflict manager 118 further performs pair-wise comparisons of each of the policy rule components of the new policy rule 120 to each of the policy rule components of each policy rule of the policy group 128.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Cox’s policy rule conflict detection and management with Kancherla’s managing firewall rules based on triggering statistics because creating new policy rules helps to be more efficient in a system.


	As per claim 9, Kancherla in combination with Tulasi and Cox teaches the  method of claim 8, Cox further teaches wherein the prediction model is applied to determine the one or more security rules based on determining, based on the conditional probabilities, security rules having a probability that is higher than a predefined threshold probability of being triggered within the predefined period of time after the security rules in the set of recently triggered security rules have been triggered (Cox, Paragraph 0029 recites “If the conflict manager 118 determines that a conflict is possible (e.g. determine that a probability of a conflict is above a given threshold) after this comparison, then the policy conflict manager 118 further performs pair-wise comparisons of each of the policy rule components of the new policy rule 120 to each of the policy rule components of each policy rule of the policy group 128.”).
	It would have been obvious to a person of ordinary skill in the art, at the earliest effective filing date to use Cox’s policy rule conflict detection and management with Kancherla’s managing firewall rules based on triggering statistics because creating new policy rules helps to be more efficient in a system.
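
An added illustration (not part of this Office Action, the application, or any cited reference) of the pairwise conditional-probability model recited in claims 8 and 9, together with the recent-trigger window of claim 1 and the deactivation condition of claim 4. The rule names, trigger logs, 60-second window, 120-second recency period and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: per-proxy trigger logs as (timestamp_seconds, rule_id).
# Rule identifiers are hypothetical.
HISTORY = [
    [(0, "scanner_ua"), (20, "path_traversal"), (45, "sqli_union"), (400, "rate_limit")],
    [(0, "scanner_ua"), (30, "path_traversal"), (500, "xss_reflected")],
    [(0, "scanner_ua"), (15, "sqli_union"), (50, "path_traversal")],
    [(0, "rate_limit"), (10, "xss_reflected")],
]

# Constructed live log seen by the proxy up to time 1300.
LIVE = [(1000, "rate_limit"), (1290, "scanner_ua")]


def train(sequences, window):
    """Estimate P(b triggers within `window` seconds after a | a triggered)
    for every ordered pair (a, b) observed in the historical sequences."""
    antecedent = defaultdict(int)  # times rule a was triggered
    followed = defaultdict(int)    # times b followed a within the window
    for seq in sequences:
        seq = sorted(seq)
        for i, (t_a, a) in enumerate(seq):
            antecedent[a] += 1
            seen = set()           # count each follower once per occurrence of a
            for t_b, b in seq[i + 1:]:
                if t_b - t_a > window:
                    break
                if b != a and b not in seen:
                    seen.add(b)
                    followed[(a, b)] += 1
    return {(a, b): n / antecedent[a] for (a, b), n in followed.items()}


def recently_triggered(events, now, period):
    """Subset of rules triggered within the most recent `period` seconds."""
    return {rule for t, rule in events if now - period <= t <= now}


def predict(model, recent, threshold):
    """Rules whose probability of following any recently triggered rule
    is higher than `threshold`; rules already in `recent` are excluded."""
    scores = {}
    for (a, b), p in model.items():
        if a in recent and b not in recent and p > threshold:
            scores[b] = max(p, scores.get(b, 0.0))
    return scores


def reconcile(predictively_active, predicted):
    """Return (to_activate, to_deactivate): activate newly predicted rules and
    deactivate predictively activated rules that are no longer predicted."""
    predicted = set(predicted)
    return predicted - predictively_active, predictively_active - predicted


if __name__ == "__main__":
    model = train(HISTORY, window=60)
    recent = recently_triggered(LIVE, now=1300, period=120)
    predicted = predict(model, recent, threshold=0.6)
    print("recent:", recent)
    print("predicted:", predicted)
    print("activate / deactivate:", reconcile({"xss_reflected"}, predicted))
```
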

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODERICK TOLENTINO whose telephone number is (571)272-2661. The examiner can normally be reached on Mon-Fri 8am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on 571-270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-


RODERICK . TOLENTINO
Examiner
Art Unit 2439



/RODERICK TOLENTINO/Primary Examiner, Art Unit 2439