DETAILED ACTION

Claims 1-20 are pending.

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


Examiner’s Notes

Examiner has cited particular columns and line numbers, paragraph numbers, or figures in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant, in preparing the responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Claim Objections
Claims 5, 6, 14 and 15 are objected to because of the following informalities: The word “referer” seems to be a typo and should be “referrer.” Appropriate correction is required.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 5, 10, 14 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Boutros et al. (US-PAT-NO: 8,601,586 B1) hereinafter Boutros, in further view of Johns (US-PGPUB-NO: 2018/0349602 A1).

As per claim 1, Boutros teaches a system for detecting vulnerabilities in a web application, the system comprising: a programmable processor; and a non-transitory machine-readable medium comprising instructions thereon that, when executed by the programmable processor, cause the programmable processor to perform operations comprising: directing a plurality of request messages to a web application executed at a remote computing device (“During operation, user 102 sends a web request 110 through web browser 104 onto network 106. Note that web request 110 can be an HTTP request, an FTP request, or a web request based on any other communication protocol which may be used to render data through a browser,” see Boutros [column 3, lines 66-67 and column 4, lines 1-3]), the determining based at least in part on the first request message and a first response message generated by the web application in response to the first request message (“Next, webapp server 108 locates the requested web application software and an associated web page in a local directory, or from an external database 112, and sends out a web page 114 along with the dynamic content as a response back to user 102 via network 106,” see Boutros [column 4, lines 25-30], where the dynamic content is interpreted as the state change); generating a first tampered request message based at least in part on the first request message (“For example, malicious user 116 can send a URL link 120 directed to webapp server 108 via email or embedded in a web page to user 102,” see Boutros [column 4, lines 42-44], wherein the URL link is interpreted as the tampered request message, which is sent based on the regular user's request); directing the first tampered request message to the web application (“During operation, the system receives a set of predetermined attack strings, which are configured to test a range of vulnerabilities of the web application targeted by the suspicious web requests (step 402),” see Boutros [column 7, lines 15-18], where the suspicious web request is interpreted as the first tampered request message); and determining that the first request message indicates a vulnerability of the web application (“Next, for each suspicious request in the final list, the system determines whether the suspicious web request can cause a vulnerability of the web application to be exploited (step 308),” see Boutros [column 7, lines 3-6]), the determining based at least in part on the first tampered request message and a first traffic-tampered response message generated by the web application in response to the first tampered request message (“The system then replays the modified suspicious web request using the predetermined attack string (step 406). In some embodiments, the system replays the suspicious web request in a secure sandbox, so that the web application is protected from actually being exploited,” see Boutros [column 7, lines 41-45]).
Boutros does not explicitly teach determining that a first request message of the plurality of request messages describes a state changing request. However, Johns teaches determining that a first request message of the plurality of request messages describes a state changing request (“This set of objectives directly translates into three distinct functional requirements of the detection system—the abilities to: [0080] i) detect permanent state changes in relation to incoming HTTP requests,” see Johns paragraph [0079]).
Boutros and Johns are analogous art because they are in the same field of endeavor of detecting vulnerabilities in web applications / websites. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed

As per claim 5, Boutros modified with Johns teaches the operations further comprising determining that the first request message is a pre-authentication request message, wherein generating the first tampered request message comprises: modifying a referrer header field of the first request message; and removing at least one cookie from the first request message (“The candidate request is replayed. This time all authentication credentials (such as HTTP Authorization or Cookies headers are removed) before the data is sent to the application's server-side,” see Johns paragraph [0139]).
Boutros and Johns are analogous art because they are in the same field of endeavor of detecting vulnerabilities in web applications / websites. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Boutros teaching of detecting security vulnerabilities in a web application by performing web request analysis and replay verification with Johns

As per claims 10 and 14, these are the method claims to system claims 1 and 5, respectively. Therefore they are rejected for the same reasons as above.

As per claim 19, this is the non-transitory machine-readable medium claim to system claim 1. Therefore it is rejected for the same reason as above.

Claims 2-4, 11-13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Boutros (US-PAT-NO: 8,601,586 B1) and Johns (US-PGPUB-NO: 2018/0349602 A1), in further view of Bar Noy et al. (US-PGPUB-NO: 2019/0334940 A1) hereinafter Bar Noy.

As per claim 2, Boutros modified with Johns does not explicitly teach wherein determining that the first request message describes a state changing request comprises: modifying a state-changing score for the first request message based at least in part on a first criterion; modifying the state-changing score for the first request message based at least in part on a second criterion; and determining that the state-changing score meets a state-changing request message threshold. However, Bar Noy teaches modifying a state-changing score for the first request message based at least in part on a first criterion (“The correlation score of the HTTP request is used, either by the behavioral analysis module 146 or the correlation module 148, to update (i.e., modifies/adjusts) the “interim” reputation scores output by the behavioral analysis module 146,” see Bar Noy paragraph [0097], where the correlation score is interpreted as the first criterion and the reputation scores are interpreted as the state-changing score); modifying the state-changing score for the first request message based at least in part on a second criterion (“For example, the correlation module 148 may evaluate the correlation score against a FP/TP threshold criterion,” see Bar Noy paragraph [0097], where the correlation score is based on two criteria, FP (false positive) or TP (true positive)); and determining that the state-changing score meets a state-changing request message threshold (“such that the HTTP request is considered a FP if the correlation score is greater than or equal to a FP/TP threshold value, and is considered a TP if the correlation score is less than the FP/TP threshold value. The “interim” reputation scores may then be adjusted in the FP or TP direction based on the correlation scores,” see Bar Noy paragraph [0097]).
Boutros, Johns and Bar Noy are analogous art because they are in the same field of endeavor of detecting vulnerabilities in web applications / websites. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Boutros teaching of detecting security vulnerabilities in a web application by performing web request analysis and replay verification and Johns teaching of a web application security testing framework which includes an HTTP browser engine

As per claim 3, Boutros modified with Johns and Bar Noy teaches wherein determining that the first request message describes a state changing request further comprises determining that the first response message comprises more than a threshold number of cookies (“The process of checking whether the HTTP request is generated by the HTML page is performed in block 516, where the bot detection module 154 checks whether the request includes a cookie (i.e., the cookie that is only generated in response to execution of the injected JavaScript code),” see Bar Noy paragraph [0145], wherein the request is checked to see if a cookie is included, which the examiner is interpreting as a threshold for beginning to determine whether the request is generated).

As per claim 4, Boutros modified with Johns and Bar Noy teaches wherein determining that the first request message describes a state changing request further comprises determining that the first request message comprises a first keyword (“Potential attack indicators that are to be identified by the detection module 140 may be, for example, any keyword or keyword strings in text or objects in the scanned payloads that are anomalous or suspicious in nature,” see Bar Noy paragraph [0064]).
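The scoring procedure mapped above for claims 2 through 4 (a score adjusted by a first and a second criterion, a cookie-count threshold on the response, a keyword in the request, and a final threshold test) is shown below as an added worked example. The code is not part of this Office action and is not taken from Boutros, Johns or Bar Noy; the threshold values, the keyword list, the choice of HTTP method as the first criterion and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed tuning values (not from the Office action or the cited references).
STATE_CHANGE_THRESHOLD = 2      # score at or above this marks the request as state changing
COOKIE_COUNT_THRESHOLD = 2      # claim 3: "more than a threshold number of cookies" in the response
STATE_KEYWORDS = ("create", "update", "delete", "transfer", "change", "submit")  # claim 4: keyword


@dataclass
class HttpMessage:
    """Minimal request/response container; header values are lists so that repeated
    headers such as Set-Cookie are counted rather than overwritten."""
    method: str = ""
    path: str = ""
    headers: Dict[str, List[str]] = field(default_factory=dict)
    body: str = ""


def criterion_method(req: HttpMessage) -> int:
    """First criterion (assumed): non-safe HTTP methods usually change server state."""
    return 1 if req.method.upper() in ("POST", "PUT", "PATCH", "DELETE") else 0


def criterion_keyword(req: HttpMessage) -> int:
    """Second criterion (claim 4): a state-changing keyword in the path or body."""
    text = f"{req.path} {req.body}".lower()
    return 1 if any(word in text for word in STATE_KEYWORDS) else 0


def criterion_cookies(resp: HttpMessage) -> int:
    """Further criterion (claim 3): the response sets more than the threshold number of cookies."""
    return 1 if len(resp.headers.get("Set-Cookie", [])) > COOKIE_COUNT_THRESHOLD else 0


def state_changing_score(req: HttpMessage, resp: HttpMessage) -> Tuple[int, Dict[str, int]]:
    """Apply each criterion in turn and return the total with the per-criterion breakdown."""
    parts = {
        "method": criterion_method(req),
        "keyword": criterion_keyword(req),
        "cookies": criterion_cookies(resp),
    }
    return sum(parts.values()), parts


def is_state_changing(req: HttpMessage, resp: HttpMessage) -> bool:
    """The request is treated as state changing once the score meets the threshold."""
    score, _ = state_changing_score(req, resp)
    return score >= STATE_CHANGE_THRESHOLD


# Constructed sample traffic for illustration (request, response) pairs.
TRANSFER = (HttpMessage("POST", "/account/transfer", {}, "to=bob&amount=10"),
            HttpMessage(headers={"Set-Cookie": ["sid=abc"]}))
PROFILE = (HttpMessage("GET", "/profile"),
           HttpMessage(headers={"Set-Cookie": ["a=1", "b=2", "c=3"]}))
SEARCH = (HttpMessage("GET", "/search?q=books"), HttpMessage())

if __name__ == "__main__":
    for name, (req, resp) in (("transfer", TRANSFER), ("profile", PROFILE), ("search", SEARCH)):
        print(name, state_changing_score(req, resp), is_state_changing(req, resp))
```

The three samples show why the threshold is applied to a combined score rather than to any single criterion: the transfer request scores on both method and keyword and is classified as state changing, while the profile response, which exceeds the cookie threshold on its own, scores only 1 and is not.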

As per claims 11, 12 and 13, these are the method claims to system claims 2, 3 and 4, respectively. Therefore they are rejected for the same reasons as above.

As per claim 20, this is the non-transitory machine-readable medium claim to system claim 2. Therefore it is rejected for the same reason as above.

Claims 6 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Boutros (US-PAT-NO: 8,601,586 B1) and Johns (US-PGPUB-NO: 2018/0349602 A1), in further view of Wilton et al. (US-PGPUB-NO: 2018/0255089 A1) hereinafter Wilton.

As per claim 6, Boutros modified with Johns does not teach the operations further comprising determining that the first request message is a post-authentication request message, wherein generating the first tampered request message comprises: modifying a referrer header field of the first request message; and replacing at least a portion of a body of the first request message. However, Wilton teaches the operations further comprising determining that the first request message is a post-authentication request message (“Each authentication unit receives an input request,” see Wilton paragraph [0040], where the examiner is interpreting the input request as the first request message after authentication), wherein generating the first tampered request message comprises: modifying a referrer header field of the first request message; and replacing at least a portion of a body of the first request message (“such that the modified request output by the last authentication unit in the series is a valid authenticated request 420. The authentication units may include adding query parameters, adding headers, performing an OAuth2 handshake (using implicit, client credentials, password, or authorization code grant types),” see Wilton paragraph [0040], wherein the modified request is interpreted as the tampered message, which includes adding headers, which the examiner is interpreting as modifying a header field).
Boutros, Johns and Wilton are analogous art because they are in the same field of endeavor of detecting vulnerabilities in web applications / websites. Therefore it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Boutros teaching of detecting security vulnerabilities in a web application by performing web request analysis and replay verification and Johns teaching of a web application security testing framework which includes an HTTP browser engine replaying recorded sessions to identify candidate trace indicative of an attack with Wilton’s teaching of detecting vulnerabilities by receiving API documentation from a third-party system associated with the API and organizing it in an API specification

As per claim 15, this is the method claim to system claim 6. Therefore, it is rejected for the same reason as above.

Claims 7-9 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Boutros (US-PAT-NO: 8,601,586 B1) and Johns (US-PGPUB-NO: 2018/0349602 A1), in further view of Compagna et al. (US-PGPUB-NO: 2017/0109534 A1) hereinafter Compagna.

As per claim 7, Boutros modified with Johns does not explicitly teach the operations further comprising determining that a first field of the first response message matches a corresponding field of the first traffic-tampered response message. However, Compagna teaches the operations further comprising determining that a first field of the first response message matches a corresponding field of the first traffic-tampered response message (“The API is invoked to Evaluate Flag. Execute regular expression-based pattern matching within the HTTP trace so to, e.g., evaluate whether the Flag is present in the HTTP trace,” see Compagna paragraph [0178], wherein the flag evaluation determines whether a message has been tampered with).


As per claim 8, Boutros modified with Johns and Compagna teaches the operations further comprising determining that a first test exit code associated with the first response message matches a second test exit code associated with the first traffic-tampered response message (“By activating this proxy rule (Step 7), the inference module re-execute the UA corresponding to the session (U.sub.M, SP.sub.T) and checks whether the corresponding Flag is present in the resulting trace (steps 8-9). For instance, the element Token (see FIG. 7) is assigned the syntactic labels BLOB and the semantic labels SU and MAND,” see Compagna paragraph [0184], where the re-execution is interpreted as .

As per claim 9, Boutros modified with Johns and Compagna teaches the operations further comprising determining that the first traffic-tampered response message indicates a result requested by the first tampered request message (“Attack strategy #6 is the composition of two basic reply attack strategies. The element AppId, obtained by running a session between the victim user U.sub.V and the malicious service provider SP.sub.M, is replayed to get the AccessToken which is then in turn replayed by the attacker U.sub.M to authenticate as U.sub.V at SP.sub.T. Thus, the result should be the same obtained by completing a session between U.sub.V and SP.sub.T,” see Compagna paragraph [0113]).
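The tamper-and-replay procedure discussed across claims 1, 5, 6 and 7 through 9 (rewriting the referrer header and stripping cookies for a pre-authentication request, rewriting the referrer header and replacing part of the body for a post-authentication request, then comparing a field and a test exit code of the original and traffic-tampered responses and checking that the tampered response carries the requested result) is shown below as an added worked example. The code is not part of this Office action and is not taken from Boutros, Johns, Wilton or Compagna. The web application is a constructed in-memory stand-in, not a real server, and the host name, the foreign referrer value, the session cookie value, the endpoints and the meaning of the exit code are all assumptions; the hardened variant, which rejects requests whose referrer is not the trusted host, illustrates the mitigation that makes the comparison fail.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlparse

# Assumed values; none is taken from the Office action or the cited references.
TRUSTED_HOST = "app.example"                       # host of the application under test
FOREIGN_REFERER = "https://foreign.example/page"   # cross-site Referer substituted while tampering
SESSION_COOKIE = "s3ss10n"                         # constructed session value for the sample traffic


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    body: str


def tamper_pre_auth(req: Request) -> Request:
    """Claim 5 style tampering: rewrite the Referer header and drop every cookie."""
    t = copy.deepcopy(req)
    t.headers["Referer"] = FOREIGN_REFERER
    t.cookies.clear()
    return t


def tamper_post_auth(req: Request, field_name: str, new_value: str) -> Request:
    """Claim 6 style tampering: rewrite the Referer header and replace one body field;
    cookies are kept because the request is post-authentication."""
    t = copy.deepcopy(req)
    t.headers["Referer"] = FOREIGN_REFERER
    params = dict(parse_qsl(req.body, keep_blank_values=True))
    params[field_name] = new_value
    t.body = urlencode(params)
    return t


def exit_code(resp: Response) -> int:
    """Test exit code (claim 8, assumed meaning): 0 if the action was accepted, 1 otherwise."""
    return 0 if resp.status == 200 else 1


def result_requested(tampered_req: Request, tampered_resp: Response,
                     field_name: Optional[str] = None) -> bool:
    """Claim 9: the tampered response reflects what the tampered request asked for."""
    if tampered_resp.status != 200:
        return False
    if field_name is None:
        return True
    wanted = dict(parse_qsl(tampered_req.body)).get(field_name, "")
    return wanted in tampered_resp.body


def indicates_vulnerability(original: Response, tampered_req: Request, tampered: Response,
                            field_name: Optional[str] = None) -> bool:
    """Claims 7-9 combined: the status field and the exit code of the original and the
    traffic-tampered response match, and the tampered response carries the requested result."""
    return (original.status == tampered.status
            and exit_code(original) == exit_code(tampered)
            and result_requested(tampered_req, tampered, field_name))


def make_app(check_referer: bool) -> Callable[[Request], Response]:
    """Constructed stand-in for the web application under test (not a real server).
    With check_referer=True it rejects cross-site requests, which is the mitigation."""
    def app(req: Request) -> Response:
        if req.method != "POST":
            return Response(405, "method not allowed")
        referer_host = urlparse(req.headers.get("Referer", "")).hostname
        if check_referer and referer_host != TRUSTED_HOST:
            return Response(403, "cross-site request rejected")
        params = dict(parse_qsl(req.body))
        if req.path == "/login":                      # pre-authentication endpoint
            return Response(200, f"logged in as {params.get('user', '')}")
        if req.path == "/account/email":              # post-authentication endpoint
            if req.cookies.get("session") != SESSION_COOKIE:
                return Response(401, "login required")
            return Response(200, f"email updated to {params.get('email', '')}")
        return Response(404, "not found")
    return app


def run_check(app: Callable[[Request], Response], original: Request, tampered: Request,
              field_name: Optional[str] = None) -> bool:
    """Direct both messages to the application and decide whether the pair indicates a vulnerability."""
    return indicates_vulnerability(app(original), tampered, app(tampered), field_name)


def demo() -> Dict[str, bool]:
    """Run the check against the unprotected and the hardened stand-in with constructed traffic."""
    referer = {"Referer": f"https://{TRUSTED_HOST}/settings"}
    login = Request("POST", "/login", dict(referer), {}, "user=alice&password=pw")
    email = Request("POST", "/account/email", dict(referer),
                    {"session": SESSION_COOKIE}, "email=alice%40example.org")
    vulnerable, hardened = make_app(False), make_app(True)
    swapped = tamper_post_auth(email, "email", "mallory@example.org")
    return {
        "vulnerable_pre_auth": run_check(vulnerable, login, tamper_pre_auth(login)),
        "hardened_pre_auth": run_check(hardened, login, tamper_pre_auth(login)),
        "vulnerable_post_auth": run_check(vulnerable, email, swapped, "email"),
        "hardened_post_auth": run_check(hardened, email, swapped, "email"),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'vulnerability indicated' if flagged else 'no match'}")
```

Against the unprotected stand-in both tampered replays return the same status and exit code as the originals and carry the requested result, so a vulnerability is indicated; against the hardened stand-in the referrer check turns the tampered replies into 403 responses, the fields no longer match, and nothing is flagged.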

As per claims 16, 17 and 18, these are the method claims to system claims 7, 8 and 9, respectively. Therefore, they are rejected for the same reasons as above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Ta et al. (US-PGPUB-NO: 2007/0101034 A1) teaches applying an interrupt service routing to generate entrant code and generating via a daemon an exit code and storing both entrant and exit code for debugging purposes.
Champagne (US-PAT-NO: 7,194,761 B1) teaches automatic authentication of a client device to a server device.
Chester (US-PGPUB-NO: 2018/0124043 A1) teaches authenticating the legitimacy of a request for a resource by a user.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LENIN PAULINO whose telephone number is (571)270-1734. The examiner can normally be reached Week 1: Mon-Thu 7:30am - 5:00pm Week 2: Mon-Thu 7:30am - 5:00pm and Fri 7:30am - 4:00pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do can be reached on (571) 272-3721. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.






/LENIN PAULINO/Examiner, Art Unit 2193
/Chat C Do/Supervisory Patent Examiner, Art Unit 2193