Detailed Action

1.	This Office Action is responsive to the Amendment filed 01/07/2022.  Claims 1, 9 and 11 have been amended.  Claims 1-20 are presented for examination.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority

2.	Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, or 365(c) is acknowledged.  

Information Disclosure Statement

3.	The information disclosure statement (IDS) submitted on 12/06/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


5.	Claims 1-19 are rejected under 35 U.S.C. 103 as being unpatentable over Daswani et al. (US 8,683,584), in view of Bach et al. (US 2016/0078231 A1), hereinafter “Daswani” and “Bach”.

6.	As to claim 1, Daswani teaches a method performed by a client device, comprising:
receiving a network message from a web server (col. 14, lines 57-58);
generating a risk score of the web server (i.e., the risk analysis feature extractor 1304 performs additional analyses, such as by categorizing elements as internal or external, recognizing certain pieces of Javascript [name of interpreted language], and so on [such as name and version of servers/applications].  The risk analysis feature extractor provides a stream of its output to aggregator 1306, which is configured to assess the risk and to provide information about its assessment to reporting engine 1308 to generate a risk assessment report) (col. 15, lines 4-49); 
identifying a security policy (i.e., how to minimize the risk) (col. 16, lines 26-28);
determining, based on the identified security policy and the risk score, an action (i.e., configuring the scanning frequency) (col. 19, line 57 – col. 20, line 19); and
performing the determined action (i.e., quarantining a malicious element, performing various scans, removing a widget, bringing the widget to the attention of the CISO) (col. 10, lines 34-52 and col. 19, line 57 – col. 20, line 19).  
Daswani does not explicitly teach “determining, based on the network message: a type of hypertext transfer protocol (http) server application of the web server, including a name of the http server application and a version of the http server application, a type of web application including a name of the web application, and a type of interpreted language used to implement the web server including a name of the interpreted language”.
In an analogous art, Bach teaches that scanners 240 may employ any or all of the following detection mechanisms to determine information about the types (i.e., names) and version of software on servers 210 and in applications 220: Response Headers and Header Ordering; Port Scanning; syn/ack and hello messages; IP-based fingerprinting technologies; Defined IP ranges; Response Body heuristics: Javascript include tags; Common error stack traces/messages; …; Signatures Analysis.  For example, scanners 240 may determine any or all of: SSL Library and Cryptographic Keys, e.g., OpenSSL, GNUTLS, Mozilla NSS, Java JSSE, MS SChannel Server OS, e.g., Apache, Tomcat, HP, IBM, Nginx, OS X, MS Server, Thin, Flask; Ancillary Server Software Installed; Programming Languages in Use: e.g., PHP, Ruby, etc.  In connection with the results of each scan, for example, vulnerability processing system 250 compares the scan results with the records of vulnerability database 230 to identify any vulnerabilities for the scanned server 210 or application 220 (Bach, paragraphs [0041-0079]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features of “determining, based on the network message: a type of hypertext transfer protocol (http) server application of the web server, including a name of the http server application and a version of the http server application, a type of web application including a name of the web application, and a type of interpreted language used to implement the web server including a name of the interpreted language”, as disclosed by Bach, into the teachings of Daswani to detect software vulnerabilities, and more particularly, to automate detection and notification regarding software vulnerabilities (Bach, paragraph [0003]).

7.	As to claim 2, Daswani-Bach teaches the method of claim 1, wherein the determining of the type of web application comprises: identifying a sequence of uniform resource locators (URLs), comparing the sequence of URLs to URL signatures of known web applications; determining, based on the comparing, a matching URL signature; and determining, based on the matching URL signature, the type of web application (Daswani, col. 10, lines 53-58 and col. 15, lines 3-33).  

8.	As to claim 3, Daswani-Bach teaches the method of claim 1, further comprising: determining, based on the network message, a client executable framework or library, wherein the generating of the risk score is further based on the determined client executable framework or library (i.e., identify various elements such as JavaScript and iframe elements; recognizing certain pieces of JavaScript as being associated with an advertising network; assess the risk posed by the various components of the website) (Daswani, col. 15, lines 3-40).  

9.	As to claim 4, Daswani-Bach teaches the method of claim 1, further comprising: identifying, based on one or more network messages including the network message, a sequence of document object model (DOM) xpath patterns; comparing the sequence of (Daswani, col. 5, lines 32-40 and col. 6, lines 8-25).  

10.	As to claim 5, Daswani-Bach teaches the method of claim 1, further comprising: decoding a server header of the network message; second determining, based on the decoded server header, an operating system of the web server, wherein the generating of the risk score is further based on the second determining (i.e., the version of the web server serving the content will be accessible to the content extraction engine via HTTP headers; a particular version that is known to be vulnerable to malware attacks can be treated as posing a higher risk than if the installed version is not present in a vulnerability database) (Daswani, col. 18, line 32 – col. 19, line 4).  

11.	As to claim 6, Daswani-Bach teaches the method of claim 1, wherein performing the determined action comprises displaying a user interface on the client device, the user interface configured to display information derived from the risk score (Daswani, Fig. 14).  

12.	As to claim 7, Daswani-Bach teaches the method of claim 6, wherein the user interface is configured to display a control, the control configured to submit the network message for further processing by the client device (Daswani, Figs. 5 and 8). 

13.	As to claim 8, Daswani-Bach teaches the method of claim 1, wherein performing the determined action comprises blocking further processing of the network message by the client device (i.e., allow the administrator to initiate a remediation action that will prevent the iframe from being served to any future visitors to the page; a Blacklist directive should be sent to prevent the malicious element from being served) (Daswani, col. 8, lines 33-38 and col. 12, lines 31-67).  

14.	As to claims 9-17, these are system and non-transitory computer readable storage medium claims corresponding to method claims 1-6.  They recite limitations similar to those of method claims 1-6 and do not contain any additional limitations with respect to novelty and/or inventive step; therefore, they are rejected under the same rationale.

15.	As to claim 18, Daswani-Bach teaches the system of claim 11, the operations further comprising: determining a version of the web application; and comparing the version of the web application against a vulnerability data store, wherein the risk score is further based on the comparing (i.e., a particular version that is known to be vulnerable to malware attacks can be treated as posing a higher risk than if the installed version is not present in a vulnerability database) (Daswani, col. 6, line 55 – col. 7, line 7 and col. 18, line 32 – col. 19, line 4).  

16.	As to claim 19, Daswani-Bach teaches the system of claim 11, wherein the network message is an http response message, and the risk score is based on a security indicator including a server header, an http strict-transport-security (HSTS) header, an X-Content-Type-Options header, a referrer policy, or a feature policy (i.e., the version of the web server serving the content will be accessible to the content extraction engine via HTTP headers; a particular version that is known to be vulnerable to malware attacks can be treated as posing a higher risk than if the installed version is not present in a vulnerability database) (Daswani, col. 18, line 32 – col. 19, line 4).  


17.	Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Daswani-Bach, in view of Ross et al. (US 2009/0119769 A1), hereinafter “Ross”.
  
18.	As to claim 20, Daswani-Bach teaches the system of claim 19, but does not explicitly teach “wherein the security indicator indicates one or more of whether mime-sniffing is disabled by the http response, whether the referrer policy is set to unsafe-url, whether the http response header indicates a request for access to a microphone or camera, whether the HSTS header specifies use of encrypted connections, or whether the X-XSS-Protection header enables an XSS filter”.
	In an analogous art, Ross teaches a method of employing an XSS filter, wherein the filter in the browser will allow the server to disable the XSS filter for a particular response by sending a specific HTTP response header (paragraph [0039]).  Ross also (paragraph [0045]).
	Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features of “allowing the server to enable/disable the XSS filter for a particular response by sending a specific HTTP response header”, as disclosed by Ross, into the teachings of Daswani-Bach to allow the filter to quickly identify and pass through traffic which is deemed safe, keeping performance impact from the filter to a minimum (Ross, Abstract).
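The header-based security indicators recited in claims 19 and 20, and the score-then-policy-then-action structure of claim 1, as an added illustrative Python example (not code from the application or from the cited references; the header names checked, the scoring weights, the policy thresholds and the sample response are assumptions constructed for illustration):

```python
import re

# Constructed sample HTTP response (headers only), standing in for the "network message"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Referrer-Policy: unsafe-url\r\n"
    "Permissions-Policy: camera=(self), microphone=()\r\n"
    "X-XSS-Protection: 0\r\n\r\n"
)

def parse_headers(raw):
    """Lower-cased header name -> value; the status line and any body are skipped."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return {n.strip().lower(): v.strip() for n, v in (ln.split(":", 1) for ln in lines if ":" in ln)}

def security_indicators(headers):
    """Indicators from claims 19-20 plus the server name/version decoded from the Server header."""
    max_age = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    # A Permissions-Policy feature with a non-empty allowlist counts as requesting that device
    policy = headers.get("permissions-policy", "")
    server = re.match(r"([\w-]+)(?:/([\w.]+))?", headers.get("server", ""))
    return {
        "mime_sniffing_disabled": headers.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_unsafe_url": headers.get("referrer-policy", "").lower() == "unsafe-url",
        "requests_camera_or_mic": bool(re.search(r"(camera|microphone)=\((?!\))", policy)),
        "hsts_enforced": bool(max_age and int(max_age.group(1)) > 0),
        "xss_filter_enabled": headers.get("x-xss-protection", "").startswith("1"),
        "server_name": server.group(1) if server else None,
        "server_version": server.group(2) if server else None,
    }

def risk_score(ind):
    """One point per weak indicator; equal weights are an assumption for illustration."""
    return sum([
        not ind["mime_sniffing_disabled"],
        ind["referrer_unsafe_url"],
        ind["requests_camera_or_mic"],
        not ind["hsts_enforced"],
        not ind["xss_filter_enabled"],
        ind["server_version"] is not None,  # a disclosed version allows a vulnerability-database lookup
    ])

def decide_action(score, policy):
    """Security policy maps an action name to the minimum score that triggers it; highest wins."""
    for action, threshold in sorted(policy.items(), key=lambda kv: kv[1], reverse=True):
        if score >= threshold:
            return action
    return "allow"
```

The full claim-1 flow is `decide_action(risk_score(security_indicators(parse_headers(msg))), policy)`; on the constructed sample every indicator is weak, so the score is 6 and a policy of `{"warn": 2, "block": 5}` yields "block".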

Response to Arguments

19.	Applicant’s arguments as well as request for reconsideration filed on 01/07/2022 have been fully considered but they are moot in view of the new ground(s) of rejection.
20.	Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until 

21.	Further references of interest are cited on Form PTO-892, which is an attachment to this Office Action.

22.	A shortened statutory period for reply to this action is set to expire THREE (3) months from the mailing date of this communication.  See 37 CFR 1.134.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to QUANG N NGUYEN whose telephone number is (571) 272-3886. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s SPE, Wing Chan, can be reached at (571) 272-7493.  The fax phone number for the organization is (571) 273-8300.


/QUANG N NGUYEN/Primary Examiner, Art Unit 2441