DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 12/06/2021 has been entered.
This Office action is in response to RCE filed on 12/06/2021.
As per instant Examiner Amendment, Claims 1, 8-9, 13 and 18 have been amended. Claims 6-7 and 10-11 have been cancelled without prejudice. Claims 21-22 have been added. Claims 1, 13 and 18 are independent.  Claims 1-5, 8-9 and 12-22 have been examined and are pending in this application. 
Claims 1-5, 8-9 and 12-22 are allowed.




Examiner Amendments


An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
In an attempt to accelerate the prosecution process, the Examiner contacted the Applicant’s representative, Mr. Sean C. Crandall (Reg. No 57776), and conducted a telephone interview on 02/03/2022. During the interview, the Examiner proposed an examiner's amendment to the claims, with some minor amendments to clarify the claims’ scope and to put the application in condition for allowance. Authorization for this Examiner's Amendment was given by Mr. Sean C. Crandall (Reg. No 57776) on 02/03/2022. Mr. Sean C. Crandall (Reg. No 57776) has agreed to and authorized the Examiner’s amendment.


Amendments to the Claims:

Please replace claims 1-5, 8-9 and 12-22 as follows:

Claim 1. 	(Currently Amended) A computing apparatus, comprising:
a processor and a memory;
		a web browser; and
a web exploit mitigation engine, comprising instructions within the memory to instruct the processor to:
, including instructions to hook application programming interface (API) function calls of a scripting language, the API function calls for a plurality of API functions commonly used by browser exploits;
observe, within a running script of the incoming webpage, arguments passed to the plurality of API functions;
first, correlate the called API functions and arguments to a malware model, comprising assigning individual scores to calls to [[the ]] a plurality of API functions commonly used by browser exploits, and computing a sum of the individual scores;
second, correlate the called API functions to the malware model during a memory layout preparation phase;
based at least in part on the first and second correlating, detect the 
block the running script.

Claim 2.   	(Original) The computing apparatus of claim 1, wherein the inserted script is written in the scripting language.

Claim 3.  	(Original) The computing apparatus of claim 1, wherein the web exploit mitigation engine comprises a browser plugin to insert the script.



Claim 5. 	(Original) The computing apparatus of claim 1, further comprising a security agent resident on the computing apparatus and external to the web exploit mitigation engine, wherein the security agent includes instructions to provide support services to the web exploit mitigation engine.

Claims 6 – 7. (Canceled)

Claim 8. 	(Currently Amended) The computing apparatus of claim [[6]] 1, wherein the web exploit detection engine is to log the individual scores.

Claim 9. 	(Currently Amended) The computing apparatus of claim [[6]] 1, wherein the web exploit detection engine is further to compute a running sum of individual scores, and to detect the webpage when the running sum exceeds a threshold.

Claims 10 – 11 (Canceled)

Claim 12. 	(Original) The computing apparatus of claim 1, wherein the scripting language is JavaScript.


receive an incoming webpage from a remote server;
select the incoming webpage for verification;
inject a monitoring script, written in a scripting language, at or near the top of the incoming webpage, the monitoring script comprising hooks into application programming interface (API) functions of the scripting language;
observe individual calls to the hooked APIs by a script under analysis, including correlating API function calls to a malware model during a memory layout preparation phase, and observing arguments passed to the API function calls when the API function calls are invoked;
based at least in part on the observation, assign to the individual calls individual scores, the individual scores representing a weighted probability that the individual calls are malicious activity;
compute a sum of individual scores; and
if the sum of individual scores exceeds a threshold, 
block the script under analysis.

Claim 14. 	(Original) The one or more tangible, non-transitory computer-readable media of claim 13, wherein injecting the monitoring script is performed via a browser extension.



Claim 16. 	(Original) The one or more tangible, non-transitory computer-readable media of claim 13, wherein the instructions are to assign the individual scores during a memory layout preparation phase.

Claim 17. 	(Original) The one or more tangible, non-transitory computer-readable media of claim 13, wherein the scripting language is JavaScript.

Claim 18. 	(Currently Amended) A computer-implemented method of remediating browser exploits via a browser extension, comprising:
receiving an incoming webpage;
selecting the incoming webpage for injection;
injecting, via the browser extension, a monitoring script written in a scripting language, the monitoring script comprising hooks into application programming interfaces (API) function calls of the scripting language, and injected so as to be executed before other scripts;
monitoring access of the API calls by a script of the incoming webpage, including correlating API function calls to a malware model during a memory layout preparation phase and monitoring parameter data passed to the API function calls when the API function calls are invoked;

detecting the script of the incoming webpage as malicious or suspicious, comprising comparing the sum of the individual scores to a threshold; and
based at least in part on the detecting, block the script of the incoming webpage.

Claim 19. 	(Original) The method of claim 18, further comprising performing the correlating during a memory layout phase of the script of the incoming webpage.

Claim 20. 	(Original) The method of claim 18, wherein the scripting language is JavaScript.

Claim 21. 	(New) The method of claim 18, wherein acting on the detecting comprises blocking the incoming webpage.

Claim 22. 	(New) The method of claim 18, wherein detecting the script as malicious or suspicious comprises computing a running sum of individual scores, and detecting the script as malicious or suspicious when the running sum exceeds a threshold.



Response to Arguments/Remarks
Claims 1-5, 8-9 and 12-22 are allowed.

Examiner’s Statement of reason for Allowance
Claims 1-5, 8-9 and 12-22 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention protects the browser by injecting a monitoring script into the incoming webpage; the monitoring script hooks into application programming interface functions of the scripting language. It observes individual calls to the hooked APIs, including correlating API function calls to a malware model during a memory layout preparation phase. Based on the observation, it assigns individual scores and computes a sum of the individual scores. If the sum of individual scores exceeds a threshold, the webpage is determined to contain a browser exploit and is blocked.
The closest prior art, as previously recited, is Ross (US 20070113282), SHUKLA (US 20190180036), Scott (US 10079854) and Kim (US 20160359875). Ross discloses a device for receiving and processing data content having at least one original function call; the device includes a hook script generator and a script processing engine. The hook script generator is configured to generate a hook script having at least one hook function. Each hook function is configured to supersede a corresponding original function. The script processing engine is configured to receive and process a combination of the hook script and the data content. The hook function 
	However, none of Ross (US 20070113282), SHUKLA (US 20190180036), Scott (US 10079854), Kim (US 20160359875), teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the insert a script into an incoming webpage, the script, including instructions to hook application programming interface (API) function calls of a scripting language, the API function calls for a plurality of API functions commonly used by browser exploits; observe, within a running script of the incoming webpage, arguments passed to the plurality of API functions; first, correlate the called API functions and arguments to a malware model, comprising assigning individual scores to calls to a plurality of API functions commonly used by browser exploits, and computing a sum of the individual scores; second, correlate the called API functions to the malware model during a memory layout preparation phase; based at least in part on the first and second correlating, detect the block the running script.

Therefore the claims are allowable over the cited prior art.
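
The hook, score, sum and threshold flow summarized in the statement of reasons above, sketched as an added JavaScript example; it is not code from the application or from the Office. The hooked functions (`String.prototype.repeat`, `unescape`), the weights, the threshold and the sample scripts are assumptions chosen for illustration, and the page scripts are stood in for by plain functions so the block runs under Node as well as in a browser.

```javascript
// Added illustration. The hooked APIs, weights and threshold below are assumed values.
const BULK = 1 << 16;   // result size (chars) treated as bulk allocation (assumed)
const THRESHOLD = 10;   // block once the running sum exceeds this (assumed)

function createMonitor(threshold) {
  const state = { sum: 0, log: [], blocked: false };
  // Replace target[name] with a wrapper that scores each call before running the original.
  function hook(target, name, scoreCall) {
    const original = target[name];
    target[name] = function (...args) {
      if (!state.blocked) {
        const score = scoreCall(this, args);          // observe the arguments
        state.sum += score;                           // running sum of individual scores
        state.log.push({ api: name, score, sum: state.sum });
        state.blocked = state.sum > threshold;
      }
      if (state.blocked) throw new Error('blocked by monitor: ' + name);
      return original.apply(this, args);
    };
    return () => { target[name] = original; };        // unhook
  }
  return { hook, state };
}

// Install the hooks, run one script (a function standing in for page script), report.
function analyze(script) {
  const mon = createMonitor(THRESHOLD);
  const unhooks = [
    mon.hook(String.prototype, 'repeat', (self, [n]) => (self.length * n >= BULK ? 4 : 0)),
    mon.hook(globalThis, 'unescape', (_s, [text]) => (/%u[0-9a-f]{4}/i.test(String(text)) ? 3 : 0)),
  ];
  let completed = false;
  try {
    script();
    completed = true;
  } catch (err) {
    if (!mon.state.blocked) throw err;                // not ours: propagate
  } finally {
    unhooks.forEach((undo) => undo());
  }
  return { completed, blocked: mon.state.blocked, sum: mon.state.sum, calls: mon.state.log.length };
}

// Constructed sample scripts (inert): ordinary string use vs. repeated bulk string building.
const benign = () => { 'ab'.repeat(3); unescape('hello%20world'); };
const bulkBuilder = () => {
  const unit = unescape('%u0041%u0041');
  const kept = [];
  for (let i = 0; i < 100; i++) kept.push(unit.repeat(BULK));
};
```

`analyze(benign)` completes with a sum of 0, while `analyze(bulkBuilder)` is stopped on its third hooked call, when the running sum reaches 11 and exceeds the assumed threshold of 10.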

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”





Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  










/C.W./
Examiner, Art Unit 2439 



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439