DETAILED ACTION
This non-final office action is in response to claims 1, 3-10, 12-16, and 18-20 filed on 11/30/2021 for examination. Claims 1, 3-10, 12-16, and 18-20 are being examined and are pending.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/30/2021 has been entered.

Response to Amendment
The amendment filed November 30, 2021 has been entered. Claims 1, 3-10, 12-16, and 18-20 remain pending in the application. Claims 2, 11, and 17 have been cancelled. The claims have been amended. Applicant’s arguments and amendments to the claims are directed to the 35 U.S.C. 103 rejection previously set forth in the Final Office Action mailed August 30, 2021. Claims 1, 9-10, and 16 

Interview Summary
Examiner initiated an Examiner Interview on 02/23/2022, wherein Applicant and Examiner discussed a potential Examiner's Amendment to the claims to overcome the art as cited with regards to Yona et al. (US8566444) in view of Kissel (US20040158732) and Mundra et al. (US20120011351), as well as to newly cited Kuznetsov et al. (US20060265689). Examiner directed Applicant to Kuznetsov regarding SAX parsers as a known system using opening/closing tags (e.g., Kuznetsov at [0136]). While Examiner and Applicant further discussed amending the claims to include language directed to the system of partially stored elements not included in previously parsed chunks (Note: specific language was not determined), Applicant declined the potential amendment.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 3-4, 8, 10, 12-13, 16, 18, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuznetsov et al. (US20060265689, Hereinafter “Kuznetsov”) in view of StackOverflow StackOverflow”) and Kissel (US20040158732, Hereinafter “Kissel”).
Regarding claim 1, Kuznetsov teaches a method by a web application layer attack detector implemented by one or more electronic devices ([0056] – markup language processing device 120 detects viruses and SQL injection attacks), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (Fig. 1 and [0056] – markup language processing device 120 <i.e., web application layer attack detector> is positioned between web services server 110 and plurality of client computers 130 <i.e., web application clients>), the method comprising: 
receiving, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (Fig. 1 and [0063] – client computers transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>; [0082] – the application layer messages are analyzed at the markup language processing device), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers (Fig. 1 and [0063] – client computers 130 transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>); 
forming chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector ([0057] – as the message arrives it is parsed by the markup processor 125; [0078] – parser 173 parses the incoming messages into data elements/data portions; [0090] and [0116] – parser is an SAX parser and can detect viruses), wherein forming the chunks includes forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk ([0023] and [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element <i.e., recognize when a sufficient amount of data has been received to form the analyzed element>. The XML tags comprise an open <object> tag and end an </object> tag), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the web application layer request but not an end of the web application layer request ([0078] – as elements are received they are parsed <i.e., elements start after the previous element>; [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element. The XML tags comprise an open <object> tag and end an </object> tag); 
scanning the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed ([0073] and [0076] – message is parsed and analyzed as the message data is streamed into the device without waiting to receive the entire message; see also, e.g., [0094] and [0097] – performing analysis upon receipt of a portion; [0056] and [0116] – parsed portions are scanned for viruses).
While Kuznetsov teaches using a standard SAX parser to parse the data (see, e.g., Kuznetsov at [0090-091]), Kuznetsov appears to fail to specifically disclose (1) wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size; and (2) sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is 
However, StackOverflow teaches standard SAX parsers have a maximum parsed string length of 1024 characters (see, e.g., StackOverflow at pg. 4). Further, StackOverflow teaches the element parsing length <i.e., chunked length> is designed to end at a detected closing tag (see, e.g., StackOverflow at pgs. 4-5). In other words, end tags allow the analyzed chunk/elements to be sized less than the 1024 character limit (Id.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kuznetsov with the teachings of StackOverflow, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size, to comply with the standardized implementation of an SAX parser (see, e.g., Kuznetsov at  [0090-091], with StackOverflow at pgs. 4-5).
The combination of Kuznetsov and StackOverflow further teach sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned (see Kuznetsov at [0056], [0116]), yet, the combination of Kuznetsov and StackOverflow appear to fail to specifically teach sending the chunks to the server without waiting for other chunks of the web application layer request to be scanned.
However, Kissel teaches a similar system for processing packets received in a data stream (see abstract, [0009]), comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned (Fig. 1 & [0009], 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kuznetsov and StackOverflow with the teachings of Kissel, comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned, to improve the throughput of the data stream to the recipient (see, e.g., Kissel at [0007-008]).

Regarding claim 3, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 1, further comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended (Kissel at [0038] – the stream manager removes the data from the cache as the data is transmitted to the intended destination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel as taught in Kissel, comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended, to reduce the required size of the cache (see, e.g., Kissel at [0038]).

Regarding claim 4, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 1, further comprising: triggering a security response responsive to detecting, based on a result of the scanning, an attack in one of the chunks (Kuznetsov at [0056] and [0116] – rules may detect attacks such as virus or SQL injection; [0035] and [0094] – the message may be denied based on the element stored rules <i.e., a security response>).  

Regarding claim 8, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 1, further comprising: storing, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams, wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the web application layer request, a content type of the web application layer request, and/or an encoding format of the web application layer request (StackOverflow at pgs. 4-5 teaches that in an SAX parser system, tested strings are determined based an opening and end tag in the XML. However, parsed strings have a maximum string size of 1024 characters, which may be exceeded by lengthy strings <i.e., sometimes the element is too long because it has not yet reached the end tag>. Pgs. 4-5 further teach that when a string is too long, the code can be altered to store and append the strings until all the characters may be joined and parsed <i.e., the partial string is stored and appended until the ending tag is reached>).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of StackOverflow, further comprising: storing, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams, wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the web application layer Kuznetsov at [0056] with StackOverflow at pgs. 4-5).

Regarding claim 10, Kuznetsov teaches a set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more electronic devices, cause the one or more electronic devices to perform operations ([0040] – system implemented via a physical computing system storing computer instructions to be executed by a processor) of a web application layer attack detector ([0056] – markup language processing device 120 detects viruses and SQL injection attacks), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (Fig. 1 and [0056] – markup language processing device 120 <i.e., web application layer attack detector> is positioned between web services server 110 and plurality of client computers 130 <i.e., web application clients>), the operations comprising: 
receiving, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (Fig. 1 and [0063] – client computers transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>; [0082] – the application layer messages are analyzed at the markup language processing device), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers (Fig. 1 and [0063] – client computers 130 transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>); 
forming chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector ([0057] – as the message arrives it is parsed by the markup processor 125; [0078] – parser 173 parses the incoming messages into data elements/data portions; [0090] and [0116] – parser is an SAX parser and can detect viruses), wherein forming the chunks includes forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk ([0023] and [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element <i.e., recognize when a sufficient amount of data has been received to form the analyzed element>. The XML tags comprise an open <object> tag and end an </object> tag), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the web application layer request but not an end of the web application layer request ([0078] – as elements are received they are parsed <i.e., elements start after the previous element>; [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element. The XML tags comprise an open <object> tag and end an </object> tag); 
5/14scanning the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed ([0073] and [0076] – message is parsed and analyzed as the message data is streamed into the device without waiting to receive the entire message; see also, e.g., [0094] and [0097] – performing analysis upon receipt of a portion; [0056] and [0116] – parsed portions are scanned for viruses).
Kuznetsov teaches using a standard SAX parser to parse the data (see, e.g., Kuznetsov at [0090-091]), Kuznetsov appears to fail to specifically disclose (1) wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size; and (2) sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned.
However, StackOverflow teaches standard SAX parsers have a maximum parsed string length of 1024 characters (see, e.g., StackOverflow at pg. 4). Further, StackOverflow teaches the element parsing length <i.e., chunked length> is designed to end at a detected closing tag (see, e.g., StackOverflow at pgs. 4-5). In other words, end tags allow the analyzed chunk/elements to be sized less than the 1024 character limit (Id.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kuznetsov with the teachings of StackOverflow, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size, to comply with the standardized implementation of an SAX parser (see, e.g., Kuznetsov at  [0090-091], with StackOverflow at pgs. 4-5).
The combination of Kuznetsov and StackOverflow further teach sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned (see Kuznetsov at [0056], [0116]), yet, the combination of Kuznetsov StackOverflow appear to fail to specifically teach sending the chunks to the server without waiting for other chunks of the web application layer request to be scanned.
However, Kissel teaches a similar system for processing packets received in a data stream (see abstract, [0009]), comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned (Fig. 1 & [0009], [0033] – data stream of packets is received by stream manager; Fig. 2B & [0035-038] – stream is divided into portions <i.e., chunks> of a packet that are scanned and released <i.e., sent> to the destination upon completion of their scan <i.e., system does not wait for full stream, or packet, to be scanned to forward the portion>; [0003] – scanners forward content when an attack is not detected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kuznetsov and StackOverflow with the teachings of Kissel, comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned, to improve the throughput of the data stream to the recipient (see, e.g., Kissel at [0007-008]).

Regarding claim 12, the combination of Kuznetsov, StackOverflow, and Kissel teach the set of one or more non-transitory machine-readable storage media of claim 10, wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations (Kuznetsov at [0040] – system comprising: 
deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended (Kissel at [0038] – the stream manager removes the data from the cache as the data is transmitted to the intended destination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel as taught in Kissel, comprising: deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended, to reduce the required size of the cache (see, e.g., Kissel at [0038]).

Regarding claim 13, the combination of Kuznetsov, StackOverflow, and Kissel teach the set of one or more non-transitory machine-readable storage media of claim 10, wherein the instructions, when executed by the one or more processors of the one or more electronic devices, further cause the one or more electronic devices to perform further operations (Kuznetsov at [0040] – system implemented via a physical computing system storing computer instructions to be executed by a processor) comprising: 
triggering a security response responsive to detecting, based on a result of the scanning, an attack in one of the chunks (Kuznetsov at [0056] and [0116] – rules may detect attacks such as virus or SQL injection; [0035] and [0094] – the message may be denied based on the element stored rules <i.e., a security response>).  

Regarding claim 16, Kuznetsov teaches an electronic device configured to implement a web application layer attack detector ([0056] – markup language processing device 120 detects viruses and SQL injection attacks), wherein the web application layer attack detector is communicatively coupled between a plurality of web application clients and one or more web application servers (Fig. 1 and [0056] – markup language processing device 120 <i.e., web application layer attack detector> is positioned between web services server 110 and plurality of client computers 130 <i.e., web application clients>), the electronic device comprising: one or more processors; and a non-transitory machine-readable storage medium having instructions stored therein, which when executed by the one or more processors ([0040] – system implemented via a physical computing system storing computer instructions to be executed by a processor), cause the electronic device to: 
receive, at the web application layer attack detector, one or more data streams each carrying one or more web application layer requests (Fig. 1 and [0063] – client computers transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>; [0082] – the application layer messages are analyzed at the markup language processing device), wherein each of the one or more web application layer requests is generated by one of the plurality of web application clients and intended for one of the one or more web application servers (Fig. 1 and [0063] – client computers 130 transmit messages to the server 110 to utilize web services, which are received by the markup language processing device 120 <i.e., web application layer attack detector>), 
form chunks from each of the one or more web application layer requests as it is being received at the web application layer attack detector ([0057] – as the message arrives it is parsed by the markup processor 125; [0078] – parser 173 parses the incoming messages into data elements/data portions; [0090] and [0116] – parser is an SAX parser and can detect viruses), wherein forming the chunks includes forming a chunk from a web application layer request carried by a data stream of the one or more data streams responsive to a determination that a sufficient amount of data of the data stream has been received at the web application layer attack detector to form the chunk ([0023] and [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element <i.e., recognize when a sufficient amount of data has been received to form the analyzed element>. The XML tags comprise an open <object> tag and end an </object> tag), wherein the chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the web application layer request but not an end of the web application layer request ([0078] – as elements are received they are parsed <i.e., elements start after the previous element>; [0090] – parser is an SAX parser, which parses <i.e., divides into chunks> the incoming data stream into elements based on XML tags in the message/request; [0095] and [0136] – XML tags are used by the parser to determine when to start/end an analyzed element. The XML tags comprise an open <object> tag and end an </object> tag), 
7/14scan the chunks for attacks as each of the chunks is formed without waiting to receive and store complete web application layer requests from which the chunks are formed ([0073] and [0076] – message is parsed and analyzed as the message data is streamed into the device without waiting to receive the entire message; see also, e.g., [0094] and [0097] – performing analysis upon receipt of a portion; [0056] and [0116] – parsed portions are scanned for viruses). 
While Kuznetsov teaches using a standard SAX parser to parse the data (see, e.g., Kuznetsov at [0090-091]), Kuznetsov appears to fail to specifically disclose (1) wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size; and (2) sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is 
However, StackOverflow teaches standard SAX parsers have a maximum parsed string length of 1024 characters (see, e.g., StackOverflow at pg. 4). Further, StackOverflow teaches the element parsing length <i.e., chunked length> is designed to end at a detected closing tag (see, e.g., StackOverflow at pgs. 4-5). In other words, end tags allow the analyzed chunk/elements to be sized less than the 1024 character limit (Id.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Kuznetsov with the teachings of StackOverflow, wherein each of the chunks is sized to be less than a preconfigured maximum chunk size, using tags that when included in the chunk allows the chunk to be sized less than the preconfigured maximum chunk size, to comply with the standardized implementation of an SAX parser (see, e.g., Kuznetsov at  [0090-091], with StackOverflow at pgs. 4-5).
The combination of Kuznetsov and StackOverflow further teach sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned (see Kuznetsov at [0056], [0116]), yet, the combination of Kuznetsov and StackOverflow appear to fail to specifically teach sending the chunks to the server without waiting for other chunks of the web application layer request to be scanned.
However, Kissel teaches a similar system for processing packets received in a data stream (see abstract, [0009]), comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned (Fig. 1 & [0009], 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Kuznetsov and StackOverflow with the teachings of Kissel, comprising sending each of one or more of the chunks that were determined, based on a result of the scanning, not to include an attack to the web application server for which the web application layer request from which that chunk was formed is intended as that 2/14chunk is scanned without waiting for other chunks of the web application layer request to be scanned, to improve the throughput of the data stream to the recipient (see, e.g., Kissel at [0007-008]).

Regarding claim 18, the combination of Kuznetsov, StackOverflow, and Kissel teach the electronic device of claim 16, wherein the non-transitory machine-readable storage medium has further instructions stored therein, which when executed by the one or more processors, further cause the electronic device (Kuznetsov at [0040] – system implemented via a physical computing system storing computer instructions to be executed by a processor) to: 
deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended (Kissel at [0038] – the stream manager removes the data from the cache as the data is transmitted to the intended destination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel as taught in Kissel, comprising: deleting each of the one or more of the chunks from the web application layer Kissel at [0038]).

Regarding claim 20, the combination of Kuznetsov, StackOverflow, and Kissel teach The electronic device of claim 16, wherein the non-transitory machine- readable storage medium has further instructions stored therein, which when executed by the one or more processors, further cause the electronic device ([0040] – system implemented via a physical computing system storing computer instructions to be executed by a processor) to: 
store, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data streams, wherein the contextual information for the web application layer request includes a partial element or parameter that was not included in a previous chunk formed from the 8/14web application layer request, a content type of the web application layer request, and/or an encoding format of the web application layer request (StackOverflow at pgs. 4-5 teaches that in an SAX parser system, tested strings are determined based an opening and end tag in the XML. However, parsed strings have a maximum string size of 1024 characters, which may be exceeded by lengthy strings <i.e., sometimes the element is too long because it has not yet reached the end tag>. Pgs. 4-5 further teach that when a string is too long, the code can be altered to store and append the strings until all the characters may be joined and parsed <i.e., the partial string is stored and appended until the ending tag is reached>).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of StackOverflow, further comprising: storing, at the web application layer attack detector, contextual information for a web application layer request carried by one of the one or more data Kuznetsov at [0056] with StackOverflow at pgs. 4-5).9/14

Claim(s) 5 and 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuznetsov in view of StackOverflow and Kissel, further in view of Spremulli et al. (US20190104135, Hereinafter “Spremulli”).
Regarding claim 5, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 4, and causing the web application server for which the web application layer request from which the chunk with the attack was formed is intended to close a connection over which the web application layer request is being received (Kuznetsov at [0035] and [0056] – hostile web message streams may be rejected from arriving to the server <i.e., connection is closed>). While the combination Kuznetsov, StackOverflow, and Kissel further teach scanning the parsed message for injection attacks or viruses (see, e.g., Kuznetsov at [0056], [0129]), the combination of Kuznetsov, StackOverflow, and Kissel appear to fail to specifically disclose wherein the security response includes: sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed.  
However, Spremulli teaches a system for receiving web application layer requests (see abstract, [0010]), wherein a malicious request is received and a security response is provided (see [0025-0026]), comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received , and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”).  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of Spremulli, comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed, so that the requesting user may be informed their request was not found to be free of attacks (see, e.g., Spremulli at [0025-0026]).

Regarding claim 14, the combination of Kuznetsov, StackOverflow, and Kissel teach the set of one or more non-transitory machine-readable storage media of claim 13, wherein the security response includes: 
causing the web application server for which the web application layer request from which the chunk with the attack was formed is intended to close a connection over which the web application layer request is being received (Kuznetsov at [0035] and [0056] – hostile web message streams may be rejected from arriving to the server <i.e., connection is closed>). While the combination Kuznetsov, StackOverflow, and Kissel further teach scanning the parsed message for injection attacks or viruses (see, e.g., Kuznetsov at [0056], [0129]), the combination of Kuznetsov, StackOverflow, and Kissel appear to fail to specifically disclose wherein the security response includes: sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed.  
However, Spremulli teaches a system for receiving web application layer requests (see abstract, [0010]), wherein a malicious request is received and a security response is provided (see [0025-0026]), comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”), and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed ([0025-0026] – server tests received request, then “In the illustrated embodiment, server 12 (and, more particularly, the web server 30) ceases processing and redirects the client to an error page, if processing of the CSRF key and/or request with which it was received indicates that the request is likely a malicious one--for example, the underlying IP address is a known malicious one and/or the request is received as part of an apparent denial-of-service or other attack.”).  
 Kuznetsov, StackOverflow, and Kissel with the teachings of Spremulli, comprising sending an error page to the web application client that generated the web application layer request from which the chunk with the attack was formed, and discontinuing, at the web application layer attack detector, processing of the web application layer request from which the chunk with the attack was formed, so that the requesting user may be informed their request was not found to be free of attacks (see, e.g., Spremulli at [0025-0026]).

Claim(s) 6 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuznetsov in view of StackOverflow and Kissel, further in view of Dubrovsky et al. (US7835361, Hereinafter “Dubrovsky”).
Regarding claim 6, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 4. While the combination of Kuznetsov, StackOverflow, and Kissel further teach detecting a virus using a virus scanner and having a security response (see, e.g., Kuznetsov at [0056]  and [0035]), the combination of Kuznetsov, StackOverflow, and Kissel appears to fail to specifically teach wherein the security response includes generating an alert.  
However, Dubrovsky teaches a system detecting an attack and producing a security response (see abstract, [0042], [0052]), wherein the security response includes generating an alert ([0042] and [0052] – a security alert is issued to a system administrator when an attack is detected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of Dubrovsky, wherein the security response includes generating an alert, so that system administrators may analyze and respond to the attack (see, e.g., Dubrovsky at [0042], [0052]).

Regarding claim 15, the combination of Kuznetsov, StackOverflow, and Kissel teach the set of one or more non-transitory machine-readable storage media of claim 13. While the combination of Kuznetsov, StackOverflow, and Kissel further teach detecting a virus using a virus scanner and having a security response (see, e.g., Kuznetsov at [0056]  and [0035]), the combination of Kuznetsov, StackOverflow, and Kissel appears to fail to specifically teach wherein the security response includes generating an alert.  
However, Dubrovsky teaches a system detecting an attack and producing a security response (see abstract, [0042], [0052]), wherein the security response includes generating an alert ([0042] and [0052] – a security alert is issued to a system administrator when an attack is detected).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of Dubrovsky, wherein the security response includes generating an alert, so that system administrators may analyze and respond to the attack (see, e.g., Dubrovsky at [0042], [0052]).  

Claim(s) 7 and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Kuznetsov in view of StackOverflow and Kissel, further in view of Yona (US8566444, Hereinafter “Yona”).
Regarding claim 7, the combination of Kuznetsov, StackOverflow, and Kissel teach the method of claim 1. Yet, the combination of Kuznetsov, StackOverflow, and Kissel appear to fail to specifically teach wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients, and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client.  
Yona teaches a system for receiving an application layer request in a data stream and analyzing the request for threats (see, e.g., Yona at column 4, lines 36-58 and column 1, lines 15-26), wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received), and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of Yona, wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients, and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the Yona at column 4, lines 36-58 and column 1, lines 7-11).

Regarding claim 19, the combination of Kuznetsov, StackOverflow, and Kissel teach the electronic device of claim 16. Yet, the combination of Kuznetsov, StackOverflow, and Kissel appear to fail to specifically teach wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients, and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client.  
However, Yona teaches a system for receiving an application layer request in a data stream and analyzing the request for threats (see, e.g., Yona at column 4, lines 36-58 and column 1, lines 15-26), wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received), and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client (Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the combination of Kuznetsov, StackOverflow, and Kissel with the teachings of Yona, wherein the one or more web application layer requests include web application layer requests generated by a first web application client and a second web application client of the plurality of web application clients, and wherein the scanning the chunks for attacks comprises: interleaving the scanning of chunks formed from the web application layer request generated by the first web application client and chunks formed from the web application layer request generated by the second web application client, to allow faster processing of the incoming datastreams (see, e.g., Yona at column 4, lines 36-58 and column 1, lines 7-11).

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Yona in view of Kissel and StackOverflow.
Regarding claim 9, Yona discloses a method by a web application layer attack detector implemented by one or more electronic devices (see column 1 line 15-column 2 line 24 – web application requests/packets are received and scanned to detect attacks by a network traffic manager <i.e., attack detector>; column 3, lines 1-28 – received requests may be http resource requests <note: http is application layer protocol>), wherein the web application layer attack detector is communicatively coupled to a plurality of web application clients and one or more web application servers (fig. 1 & column 3 lines 30-54: attack detecting network traffic manager 110 is communicatively interposed between client computers 104, 106, and 108 and server 102), the method comprising: 
determining, at the web application layer attack detector, to form a first chunk out of a first received part of a first web application layer request that is being sent from a first of the plurality of the web application clients and that has an end which has not yet been received (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received <i.e., an end of the request has not yet been received>. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <see line 54>); 
receiving, at the web application layer attack detector, a second web application layer request that is smaller than the first web application layer request, that is being sent from a second of the plurality of the web application clients and that has an end which has been received (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <i.e., a second of the plurality of the web application clients, see line 54>; Note: as would be recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system; 
scanning, at the web application layer attack detector, the first chunk and the second web application layer request for attacks without waiting to receive and store the end of the first web application layer request so that the second web application layer request that is smaller than the first web application layer request is not held in the web application layer attack detector behind the first web application layer request [[that is considered large]] (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received. E.g., Stream A may come from a client <i.e., a first of the plurality of the web application clients>, and stream B may come from a different client <i.e., a second of the plurality of the web application clients, see line 54>; Note: as would have been recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system); 
4/14forwarding, by the web application layer attack detector, the first chunk and the second web application layer request to one of the one or more web application servers, wherein the first chunk is forwarded without waiting for other chunks of the first web application layer request to be scanned (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received to determine whether to allow access to the server; column 4, lines 1-19 & column 17, lines 30-39 – when the scanned chunks satisfy the rules they are granted access to the server <i.e., the scanned chunks provided to the intended server to finish the request>); 
determining, at the web application layer attack detector, to form a second chunk out of another received part of the first web application layer request (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received, and the scanning may be e.g., to parts of a packet to be examined. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received <i.e., second chunks may be formed of each/either stream as they arrive>); and 
scanning, at the web application layer attack detector, the second chunk for attacks after the scanning of the second web application layer request (column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received. The processing of the requests does not need to be continuous, and may instead be interwoven with other chunks as streams arrive from different clients without waiting for entire requests to be received; Note: as would have been recognized by one of ordinary skill in the art, interweaving of chunks upon arrival of data facilitates smaller requests being completed first in ordinary operation of the system).  
While Yona discloses scanning chunks/parts of a packet as they are received (see, e.g., Yona column 4, lines 36-58), and further forwarding packets determined to not contain an attack to an intended recipient (see, e.g., Yona at column 17, lines 30-39), Yona appears to fail to specifically disclose (1) wherein the first chunk is forwarded without waiting for other chunks of the first web application layer request to be scanned, and (2) wherein the determining means that the web application layer attack detector considers the first web application layer request to be large, wherein the first chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the first web application layer request that when included in the first chunk allows the first chunk to be sized less than a preconfigured maximum chunk size.
However, Kissel teaches a system for processing packets received in a data stream (see abstract, [000]), wherein the first chunk is forwarded without waiting for other chunks of the first web application layer request to be scanned (Fig. 1 & [0009], [0033] – data stream of packets is received by stream manager; Fig. 2B & [0035-038] – stream is divided into portions <i.e., chunks> of a packet that are scanned and released <i.e., sent> to the destination upon completion of their scan <i.e., system does not wait for a full stream, or packet, to be scanned to forward the portion>; [0003] – scanners forward content when an attack is not detected).
Yona with the teachings of Kissel, wherein the first chunk is forwarded without waiting for other chunks of the first web application layer request to be scanned, to improve the throughput of the data stream to the recipient (see, e.g., Kissel at [0007-008]).
While the combination of Yona and Kissel further disclose receiving multiple streams of requests and determining to process portions of a packet at a time (e.g., Yona at columns 2-3), the combination of Yona and Kissel appear to fail to specifically disclose wherein the determining means that the web application layer attack detector considers the first web application layer request to be large, wherein the first chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the first web application layer request that when included in the first chunk allows the first chunk to be sized less than a preconfigured maximum chunk size. 
However, StackOverflow teaches a standard parser for application layer requests that parses data requests into elements <i.e., chunks> and has a maximum parse length of 1024 characters (see, e.g., StackOverflow at pg. 4). Further, StackOverflow teaches an element parsing length <i.e., chunked length> is designed to end at a detected closing tag (see, e.g., StackOverflow at pgs. 4-5). In other words, end tags allow the analyzed chunk/elements to be sized less than the 1024 character limit (Id.).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement Yona and Kissel with the teachings of StackOverflow, wherein the determining means that the web application layer attack detector considers the first web application layer request to be large (StackOverflow at pgs. 4-5 – the parser for XML parses the data request into elements <i.e., chunks> and has a maximum parse length of 1024 characters <i.e., in excess of the limit is too large>), wherein the first chunk is formed to start at an end of a previous chunk and to end immediately after a closing tag that indicates an end of a complete element in the first web application layer request that when included in the first chunk allows the first chunk to be sized less than a preconfigured maximum chunk size (StackOverflow at pgs. 4-5 an element parsing length <i.e., chunked length> is designed to end at a detected closing tag. The size from the open tag to end tag which forms the parsed element is less than that 1024 characters. In other words, end tags allow the analyzed chunk/elements to be sized less than the 1024 character limit; see with Yona at column 4, lines 36-58 – access module 214 may process incoming data requests into chunks for scanning as the stream is received <i.e., starts after previous chunks>), to comply with a standardized implementation of an application layer parser (see, e.g., StackOverflow at pgs. 4-5).

Conclusion
The prior art made of record and not presently relied upon is considered pertinent to applicant's disclosure. Kay (US20100011434) discloses a system for receiving network traffic and analyzing it for attacks (abstract), wherein a segment is formed to start at an end of a previous chunk and to end immediately after a parameter in the request that when included in the segment allows the segment to be sized less than the preconfigured maximum chunk size (see, e.g., [0027], [0035]). See also, Marinescu et al. (US20060224724) disclosing a system for identifying attacking requests in a firewall, and forwarding packets immediately without waiting for the entire request to be received. Anderson et al. (US20190138747) discloses a similar system for identifying threats in downloaded files (see abstract), breaking a bitstream into scannable chunks (see, e.g., [0041]-[0042]), removing chunks after scanning from the scanner, and deleting each of the one or more of the chunks from the web application layer attack detector after that chunk has been sent to the web application server for which the web application layer request from which that chunk was formed is intended ([0030], [0066], [0070]).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOSHUA RAYMOND WHITE whose telephone number is (571)272-4365. The examiner can normally be reached Monday-Thursday, & Alternate Fridays.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on 5712723787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/J.R.W./Examiner, Art Unit 2438                                                                                                                                                                                                        /TAGHI T ARANI/Supervisory Patent Examiner, Art Unit 2438