DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Status
Claims 1-20 are allowed in this Office action.

Examiner’s Amendment
An Examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to the Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this instant Examiner’s amendment was given in a telephonic communication (see attached Interview Summary) from Applicant’s representative Mr. Raffi Gostanian on February 10, 2022.
The claims are amended as presented below and will replace all previous versions of claims:
Claim 1. (Currently Amended) An apparatus comprising: 
a processor implemented at least partially by hardware and configured to:
identify, via a query collector service, a set of structured query language (SQL) queries submitted by one or more software applications to a database, 
generate a set of SQL syntax trees that correspond to the set of SQL queries; 
identify a unique subset of SQL syntax trees and a non-unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees; 
generate an encoded representation of a unique SQL syntax tree of the identified unique subset of SQL syntax trees based on a predefined syntax tree template;
Page 3 of 17 Serial No.: 16/748,783
transmit an identifier of the predefined syntax tree template and the encoded representation of the unique syntax tree to a computing system without transmitting the unique SQL syntax tree to the computing system; and
detect anomaly within the set of submitted SQL queries based on the transmitted identifier and the encoded representation.
Claim 2. (Original) The apparatus of claim 1, wherein the processor is configured to generate, for each SQL query, a SQL syntax tree in which parts of the SQL query are assigned to nodes in the SQL syntax tree.  
Claim 3. (Currently Amended) The apparatus of claim 1, wherein the processor is configured to identify a SQL syntax tree that is a duplicate of a previously obtained SQL syntax tree, and filter out the duplicated SQL syntax tree from the generated set of SQL syntax trees to generate the unique subset of SQL syntax trees.  
Claim 4. (Original) The apparatus of claim 1, further comprising a storage configured to store a plurality of profile syntax trees, where each profile syntax tree comprises a predefined SQL syntax tree template.  
Claim 5. (Previously Presented) The apparatus of claim 4, wherein the processor is configured to compress the unique SQL syntax tree into the encoded value that comprises the identifier of the predefined syntax tree template from among a plurality of predefined syntax tree templates.
Claim 6. (Currently Amended) The apparatus of claim 1, wherein the processor is further configured to build a profile syntax tree of a SQL query based on the generated set of SQL syntax trees.  
Claim 7. (Original) The apparatus of claim 6, wherein the processor is configured to determine a SQL syntax tree that is unique based on a difference between a structure of the SQL syntax tree with respect to a structure of the profile syntax tree of the normal SQL query.  
Claim 8. (Currently Amended) The apparatus of claim 1, wherein the processor is configured to remove SQL syntax trees from the generated set of SQL syntax trees that are stored in the previously obtained SQL syntax trees to generate the unique subset of SQL syntax trees.  
Claim 9. (Previously Presented) The apparatus of claim 1, wherein the processor is configured to identify SQL syntax trees that are possible security threats based on previously obtained SQL syntax trees that have been determined as safe. 


Claim 10. (Currently Amended) A method comprising: 
identifying, via a query collector service, a set of structured query language (SQL) queries submitted by one or more software applications to a database, wherein the query collector service resides on a network communication channel between the one or more software applications and the database; 
generating a set of SQL syntax trees that correspond to the set of SQL queries; 
identifying a unique subset of SQL syntax trees and a non-unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees; 
generating an encoded representation of a unique SQL syntax tree of the identified unique subset of SQL syntax trees based on a predefined syntax tree template;
transmitting an identifier of the predefined syntax tree template and the encoded representation of the unique syntax tree to a computing system without transmitting the unique SQL syntax tree to the computing system; and
detecting anomaly within the set of submitted SQL queries based on the transmitted identifier and the encoded representation.
Claim 11. (Currently Amended) The method of claim 10, wherein the generating the set of SQL syntax trees comprises, for each SQL query, generating a SQL syntax tree in which parts of the SQL query are assigned to nodes in the SQL syntax tree.  
Claim 12. (Currently Amended) The method of claim 10, wherein the identifying further comprises identifying a SQL syntax tree that is a duplicate of a previously obtained SQL syntax tree, and filtering out the duplicated SQL syntax tree from the generated set of SQL syntax trees to generate the unique subset of SQL syntax trees.  
Claim 13. (Original) The method of claim 10, further comprising storing a plurality of profile syntax trees, where each profile syntax tree comprises a predefined SQL syntax tree template.
Claim 14. (Previously Presented) The method of claim 13, wherein the transmitting comprises compressing the unique SQL syntax tree into the encoded value that comprises the identifier of the predefined syntax tree template from among a plurality of predefined syntax tree templates. 
Claim 15. (Currently Amended) The method of claim 10, further comprising building a profile syntax tree of a SQL query based on the generated set of SQL syntax trees.  
Claim 16. (Original) The method of claim 15, wherein the identifying comprises determining a SQL syntax tree that is unique based on a difference between a structure of the SQL syntax tree with respect to a structure of the profile syntax tree of the normal SQL query.  
Claim 17. (Currently Amended) The method of claim 10, wherein the identifying comprises removing SQL syntax trees from the generated set of SQL syntax trees that are stored in the previously obtained SQL syntax trees to generate the unique subset of SQL syntax trees.  
Claim 18. (Currently Amended) A non-transitory computer readable medium comprising instructions, that when read by a processor, cause the processor to perform a method comprising: 
identifying, via a query collector service, a set of structured query language (SQL) queries submitted by one or more software applications to a database, wherein the query collector service resides on a network communication channel between the one or more software applications and the database; 
generating a set of SQL syntax trees that correspond to the set of SQL queries; 
identifying a unique subset of SQL syntax trees and a non-unique subset of SQL syntax trees among the generated set of SQL syntax trees based on previously obtained SQL syntax trees; 
generating an encoded representation of a unique SQL syntax tree of the identified unique subset of SQL syntax trees based on a predefined syntax tree template;
transmitting an identifier of the predefined syntax tree template and the encoded representation of the unique syntax tree to a computing system without transmitting the unique SQL syntax tree to the computing system; and
detecting anomaly within the set of submitted SQL queries based on the transmitted identifier and the encoded representation.


Claim 19. (Currently Amended) The non-transitory computer readable medium of claim 18, wherein the generating the set of SQL syntax trees comprises, for each SQL query, generating a SQL syntax tree in which parts of the SQL query are assigned to nodes in the SQL syntax tree.  
Claim 20. (Currently Amended) The non-transitory computer readable medium of claim 18, wherein the identifying further comprises identifying a SQL syntax tree that is a duplicate of a previously obtained SQL syntax tree, and filtering out the duplicated SQL syntax tree from the generated set of SQL syntax trees to generate the unique subset of SQL syntax trees.
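
An added illustration of the pipeline recited in independent claims 1, 10 and 18 (collect queries, build trees, drop previously obtained trees, encode the unique ones against a template, transmit template identifier plus encoding, detect anomalies); it is not the Applicant's or the Examiner's implementation. It assumes a flattened token sequence in place of a full syntax tree, an edit-script encoding, and constructed template identifiers (T1, T2) and sample queries.

```python
import re
from difflib import SequenceMatcher

# String and numeric literals, then words, then any other single character.
TOKEN = re.compile(r"(?P<lit>'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b)|(?P<word>\w+)|(?P<op>\S)")

def shape(sql):
    """Flattened stand-in for a syntax tree: every literal becomes a '?' leaf."""
    return tuple("?" if m.lastgroup == "lit" else m.group().upper()
                 for m in TOKEN.finditer(sql))

# Constructed profile: predefined templates built from queries assumed safe.
TEMPLATES = {
    "T1": shape("SELECT name FROM users WHERE id = 1"),
    "T2": shape("UPDATE users SET email = 'x' WHERE id = 1"),
}

def _match(tid, tree):
    return SequenceMatcher(None, TEMPLATES[tid], tree, autojunk=False)

def encode(tree):
    """Return (template_id, delta): edits that turn the closest template into tree."""
    tid = max(TEMPLATES, key=lambda t: _match(t, tree).ratio())
    delta = [(tag, i1, i2, list(tree[j1:j2]))
             for tag, i1, i2, j1, j2 in _match(tid, tree).get_opcodes() if tag != "equal"]
    return tid, delta

def decode(tid, delta):
    """Receiver side: rebuild the structure from the template id and the delta."""
    tree = list(TEMPLATES[tid])
    for _tag, i1, i2, new in reversed(delta):  # back to front keeps indices valid
        tree[i1:i2] = new
    return tuple(tree)

def collect(queries, seen):
    """Collector: skip trees already obtained, encode only the unique ones."""
    wire = []
    for q in queries:
        tree = shape(q)
        if tree not in seen:
            seen.add(tree)
            wire.append(encode(tree))
    return wire

def detect(wire):
    """Flag messages whose structure deviates from the chosen template."""
    return [msg for msg in wire if msg[1]]

SAMPLE = [  # constructed traffic
    "select name from users where id = 42",
    "SELECT name FROM users WHERE id = 7",
    "SELECT name FROM users WHERE id = 7 OR 1 = 1",
]
```

Only the template identifier and the delta cross the wire; the second sample query is dropped as a duplicate structure, and the third is flagged because its delta inserts a condition the template lacks.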

Summary of Related Prior Arts
The prior arts on record are summarized as follows:
i)	Neerumalla et al. (Pub. No. US 2014/0283096) teaches a request that includes an indication of an execution context and data that represents executable code is obtained. An analysis of the data is initiated based on generating a first templatized representation of the executable code. A list of clearance indicators that indicate a blocking status associated with respective forms of templatized representations is accessed. A workflow policy is determined based on the accessing of the list of clearance indicators. The list of clearance indicators is updated, based on a result of the analysis of the data. 
ii)	Ziemann et al. (Pub. No. US 2005/0065965) teaches data items are represented by trees and stored in a database, the collection of data items defining a forest. Queries and masks are also represented by trees. A method for navigating the 
iii)	Chen et al. (Pub. No. US 2019/0306191) teaches detecting SQL injection interception by detecting a received SQL instruction according to a SQL syntax tree rule to determine that the received SQL instruction is a malicious instruction; and analyzing the received SQL instruction by using an analysis model to determine that the received SQL instruction is a potentially malicious instruction, in a case that the received SQL instruction is not determined to be a malicious instruction according to the SQL syntax tree rule.
iv)	Johns et al. (Pub. No. US 2018/0351986) teaches monitoring, mutation, and analysis of suspect requests that are received by an application server. An engine observes UI interaction, HTTP traffic, and server-side changes in order to create an initial list of CSRF candidates (e.g., HTTP requests that could indicate a CSRF vulnerability). By performing value mutation operations on these components and repeated replay of the resulting HTTP requests, CSRF candidates are tested to see if the underlying HTTP request could be utilized in the context of a CSRF attack. Subsequent validation and exploitability assessment may reduce the initial list 

v)	Jas et al. (Pub. No. US 2019/0207974) teaches analysis device may perform an action based on whether the abstract syntax tree matches the list (e.g., any entry of the list). As an example, assume that the list is a whitelist. In that case, analysis device may forward the query to the storage device for provision of the data associated with the query when the abstract syntax tree matches the list. Furthermore, when the abstract syntax tree does not match the list, analysis device may perform another action, such as notifying an administrator, providing the query to security server, flagging the query for review (e.g., by the administrator), blocking client device from which the query was received, quarantining storage device, and/or the like.
vi)	Antunes et al. (Pub. No. US 2019/0102390) teaches applying tokenization, stemming, spell-checking, and other procedures to generate a sequence of tokens representing the underlying query. During a syntactic phase, the method may employ object identification, attribute identification, and other procedures to generate a parse tree (e.g., using a chart parser) representing the sequence of tokens. Finally, in the semantic phase, the method may perform various operations to analyze and parse the parse trees including removing invalid and duplicate interpretations.
vii)	Arnold (Pub. No. US 2021/0191942) teaches an operator tree is generated based on a nested ordering of a plurality of operators indicated by the query expression. A normalized query expression is generated based on conversion selection data. Execution of the query is facilitated in accordance with the normalized query expression.

viii)	Zhang (Pub. No. CN-104123497-A) teaches effectively avoid the attacker obtained by SQL injection of sensitive data in the server, attack caused by the application program, so as to realize the error and without omission. Before sending the structured query language SQL sentence to the database server, the semantic information into the SQL sentence, generating the SQL sentence and the semantic information of the submitted data, wherein the semantic information includes SQL template corresponding to the SQL statements and SQL template for marking the position of the start symbol and the end symbol; sending the submit data to the database server. The method provided by the invention can.
ix)	Brown (Pub. No. US 2019/0207969) teaches using a control unit for detecting events of various types within a time interval and aggregate the detected events into an incident. The control unit can detect patterns within the events based at least in part on predetermined criterion. In examples, the control unit can determine pattern scores for the patterns based on the probability of occurrence for the patterns and determine a composite score based on the pattern scores. The control unit can determine that an incident indicating malicious activity has been detected based in part determining that the composite score is above a predetermined threshold score. The control unit can determine if an incident indicates malicious activity including malware or targeted attack.
x)	Waltz et al. (Pub. No. US 2019/0372924) teaches the database firewall 248 can inspect the contents of database traffic and block certain content or database requests. The database firewall can work on the SQL application level atop the TCP/IP stack, managing applications' connection to the database 

Reasons for Allowance
The following is an examiner's statement of reasons for allowance of Claims 1-20:
In interpreting the claims filed on 8 November 2021, the interview dated 10 February 2022, and the available prior art, the Examiner finds the claimed invention to be patentably distinct from the prior art of record. Specifically, the prior art of record, individually or in combination, fails to explicitly teach, suggest or render obvious the claimed invention as recited in independent claims 1, 10, and 18.
Other dependent claims are also allowed based on their dependencies on claims 1, 10, and 18.
Any comments considered necessary by the Applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”



Contact Information
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Son Hoang whose telephone number is (571) 270-1752. The Examiner can normally be reached on Monday – Friday (7:00 AM – 4:00 PM).
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Usmaan Saeed can be reached on (571) 272-4046. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SON T HOANG/
Primary Examiner, Art Unit 2169
February 11, 2022