DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is in response to filing dated 10/30/2019. Claims 1-20 have been filed.

Priority
This application claims benefit of provisional application 62/753,766 filed 10/31/2018.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 11/30/2021 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 8 and 15 are objected to because of the following informalities:  
Claims 8 and 15 recite “…when executed by a computing system, direct the computing system to at least”. If broadly interpreted, directing is equivalent to triggering/activating the computing system to perform the recited functions, wherein triggering/activating may reasonably be construed as a checkbox selection to facilitate at least the recited group of functions among other functions of the computing system. As such, the language arguably promotes intended use. For purposes of examination, the language is interpreted as “…when executed by a computing system, direct the computing system to perform operations comprising: receiving…”.
Appropriate correction and/or clarification is required.

Examiner’s Note on 35 U.S.C. 101 (CRM/Signal per se Analysis)
With regard to claims 8-14, the claims are subject matter eligible because the instant specification, par. 0051, explicitly discloses “In no case is the computer-readable storage media a propagated signal”.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-4, 6, 8-11, 13, 15-18 and 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-3, 8-10 and 15-17 of copending Application No. 16/681,548 (reference application - allowed, not yet issued). Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-4, 6, 8-11, 13, 15-18 and 20 of the instant application are rendered obvious over claims 1-3, 8-10 and 15-17 of the reference application in view of Gorny, US2017/0324760.
Per claims 1, 8 and 15, the reference claims disclose all the instantly claimed features except the italic and bold font limitation as shown below in the table. The reference claims are not relied on to disclose, but Gorny discloses, generating a reputation score for each of the plurality of web resources based on the security risk factors determined for each of the web resources (Comparing risk assessments in finer detail than the overall risk score by comparing websites – Gorny: par. 0076 – Note: a category-specific risk score is equivalent to a per web resource reputation score). This modification would have allowed including “a predefined range of probabilities to determine a degree of risk such as HIGH, MEDIUM, and LOW” – Gorny: par. 0065.

Claim # / Instant Application | Reference Application / Claim #

Instant Application, claims 1-4 and 6:

1. A method of operating a computing system to facilitate creation of security profiles for web application components, the method comprising:
receiving a plurality of web resources used to construct web applications;
analyzing the plurality of web resources to generate normalized fingerprints for each of the web resources;
determining a plurality of security risk factors for each of the plurality of web resources based on the normalized fingerprints generated for each of the web resources; and
generating a reputation score for each of the plurality of web resources based on the security risk factors determined for each of the web resources.

2. The method of claim 1 further comprising:
receiving an application programming interface (API) call that identifies a web object of a web application;
comparing the web object to the normalized fingerprints for each of the web resources to determine one of the web resources that matches the web object; and

3. The method of claim 1 wherein analyzing the plurality of web resources to generate the normalized fingerprints for each of the web resources comprises analyzing syntactic structures of the plurality of web resources to generate the normalized fingerprints for each of the web resources.

4. The method of claim 1 wherein the normalized fingerprints generated for each of the web resources describe security attributes of each of the web resources.

6. The method of claim 1 wherein determining the plurality of security risk factors for each of the plurality of web resources comprises determining the plurality of security risk factors for each of the plurality of web resources based on prevalence of each of the web resources.

Reference Application No. 16/681,548, claims 1-3:

receiving a plurality of web resources used to construct web applications;
receiving, over a secure application programming interface (API), component registration information associated with each of the plurality of web resources provided by producers of the plurality of web resources;
analyzing the plurality of web resources to determine unique identities and security attributes for each of the plurality of web resources;
identifying a plurality of security risk factors for each of the plurality of web resources based on the component registration information and the security attributes determined for each of the plurality of web resources;
generating a security profile for each of the plurality of web resources based on the plurality of security risk factors identified for each of the plurality of web resources, receiving an API call that identifies a web object of a web application;

returning the security profile for the one of the plurality of web resources that matches the web object.

2. The method of claim 1 wherein the unique identities for each of the plurality of web resources comprise fingerprints for each of the plurality of web resources, and wherein comparing the web object to the unique identities for each of the plurality of web resources to determine the one of the plurality of web resources that matches the web object comprises comparing a fingerprint of the web object to the fingerprints for each of the plurality of web resources to determine the one of the plurality of web resources that matches the web object.

3. The method of claim 1 wherein analyzing the plurality of web resources to determine the unique identities for each of the plurality of web resources comprises computing hashes of each of the plurality of web resources to determine the unique identities for each of the plurality of web resources.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1.	Claims 1-2, 5-9, 12-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalode, WO2018/081629 in view of Gorny, US2017/0324760.

Per claim 1, Bhalode discloses a method of operating a computing system to facilitate creation of security profiles for web application components (computing system 140 executes an advanced application analysis and threat analytics service to analyze a software application and generate an application information model – Bhalode et al.: par. 0016), the method comprising:
receiving a plurality of web resources used to construct web applications (Operation 200 may be employed by computing system 140 to facilitate security for a software application. As shown in the operational flow of Figure 2, computing system 140 performs static analysis on code resources associated with the software application to generate static analysis results (201). In some examples, the software application could comprise any application that interacts with server 130, whether through a web browser or a stand-alone application, such as a mobile application… The static analysis is performed on the code resources of the software application to get a more complete view of the operations that may be performed by the application… While performing the dynamic runtime analysis, any scripts and other resources that are accessed by the software application could be stored by computing system 140, which could then be subjected to the static analysis – Bhalode: par. 0018-0019); 
Bhalode is not relied on to explicitly disclose but Haddock discloses analyzing the plurality of web resources to generate normalized fingerprints for each of the web resources (metadata might describe dependencies in the application image file, such as the application relying on certain libraries, and this information could be included in the static analysis results. In at least one implementation, static analysis is used to analyze scripts and their structure, – Bhalode: par. 0020 – Note: Abstract Syntax Tree (AST) is a fingerprinting algorithm);
Bhalode is not relied on to explicitly disclose but Gorny discloses determining a plurality of security risk factors for each of the plurality of web resources based on the normalized fingerprints generated for each of the web resources (Risk factors that can be determined with website content may include complexity factors, and the like. As an example, merely determining the number of different website elements 208 (e.g., apps, and the like) can help determine a risk level. Generally, a larger number of website elements is associated with a higher likelihood of incurring a security breach…second area for risk assessment has to do with website content popularity 212. Third-party provided presence popularity measures (“likes”, followers, social media hits, and the like) offer another avenue for assessing risk. A website that has a larger number of likes or followers may be more likely to experience a security breach than a less well known website – Gorny: par. 0073-0074 – Note: various file integrity techniques, such as signature matching, fuzzy content or derived metadata matching, fingerprinting, and the like may be used 504 to assess a degree of potential infection, security weakness, malware, virus infiltration, and the like – see par. 0102); and
generating a reputation score for each of the plurality of web resources based on the security risk factors determined for each of the web resources (Comparing risk assessments in finer detail than the overall risk score by comparing websites that have content that results in similar high risk categories provides risk scores that are more actionable. Therefore, in – Gorny: par. 0076 – Note: a category-specific risk score is equivalent to a per web resource reputation score).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Gorny to include determining a plurality of security risk factors for each of the plurality of web resources based on the normalized fingerprints generated for each of the web resources; and generating a reputation score for each of the plurality of web resources based on the security risk factors determined for each of the web resources.
One of ordinary skill in the art would have been motivated because it would allow including “an algorithm that supports weighting certain characteristics over others to produce a rare website security breach event prediction” – Gorny: par. 0009. It would further allow including “a predefined range of probabilities to determine a degree of risk such as HIGH, MEDIUM, and LOW” – Gorny: par. 0065.

Per claim 8, it recites one or more computer-readable storage media having program instructions stored thereon to facilitate creation of security profiles for web application components, wherein the program instructions, when executed by a computing system (When executed by computing system 500 in general, and processing system 501 in particular, software 505 directs computing system 500 to operate as described herein for wireless communication device and/or server 130 for execution of software application security process 200 – Bhalode: par. 0040 – Fig. 5), direct the computing system to at least:


Per claim 15, it recites an apparatus comprising: 
one or more computer-readable storage media (storage system 503); and program instructions stored on the one or more computer-readable storage media (Computing system 500 includes processing system 501, storage system 503, software 505, communication interface 507, and user interface 509. Processing system 501 is operatively coupled with storage system 503, communication interface 507, and user interface 509. Processing system 501 loads and executes software 505 from storage system 503 – Bhalode: par. 0040 – Fig. 5) that, when executed by a processing system (When executed by computing system 500 in general, and processing system 501 in particular, software 505 directs computing system 500 to operate as described herein for wireless communication device and/or server 130 for execution of software application security process 200 – Bhalode: par. 0040 – Fig. 5), direct the processing system to at least operate as set forth by the method steps of claim 1. 
Therefore, claim 15 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2, 9 and 16, Bhalode and Gorny disclose features of claims 1, 8 and 15, respectively, further comprising: 
receiving an application programming interface (API) call that identifies a web object of a web application (Some relevant security features that are extracted during the AIM – Bhalode: par. 0030);
comparing the web object to the normalized fingerprints for each of the web resources to determine one of the web resources that matches the web object (The application information model can then be used to produce a comprehensive whitelist of security-relevant behaviors of the application, which can be used with various security applications such as attack prediction, detection, prevention, and response tools. In this manner, users of an enterprise software application are better safeguarded against client-side attacks on the application – Bhalode: par. 0032 – Note: prediction, detection, prevention, and response based on a comprehensive whitelist on AIM repository inherently include comparing to determine a match); and 
Bhalode and Gorny further disclose returning the reputation score for the one of the web resources that matches the web object (Comparing risk assessments in finer detail than the overall risk score by comparing websites that have content that results in similar high risk categories provides risk scores that are more actionable. Therefore, in addition to the overall risk score, a category-specific risk score is provided – Gorny: par. 0076).
The same motivation to modify Bhalode in view of Gorny applied to claim 1 above applies here.
(metadata might describe dependencies in the application image file, such as the application relying on certain libraries, and this information could be included in the static analysis results. In at least one implementation, static analysis is used to analyze scripts and their structure, and abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions – Bhalode: par. 0020).

Per claims 6, 13 and 20, Bhalode, Haddock and Gorny disclose the features of claims 1, 8 and 15, respectively, wherein determining the plurality of security risk factors for each of the plurality of web resources comprises determining the plurality of security risk factors for each of the plurality of web resources based on prevalence of each of the web resources (Content elements, categories, risk factors and the like 106 may be processed with the website content to determine website characteristics 108 and their corresponding occurrence count 110. These characteristics may be dichotomized 112 to produce a website characteristic value 114. Such a value 114 may be weighted 118 to produce a characteristic contribution to website vulnerability risk value 120. Risk values in each of a plurality of categories of characteristics may be summed within each category and further processed to produce a risk sum 122 that may be normalized and fitted to a risk prediction range 124 to produce a risk assessment 128
The same motivation to modify Bhalode in view of Gorny applied to claim 1 above applies here.
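The scoring pipeline the Gorny passage above describes (occurrence counts dichotomized into characteristic values, weighted, summed within each category, normalized and fitted to a predefined probability range such as HIGH/MEDIUM/LOW), as an added Python example that is not code from the office action or from the Gorny reference. The characteristic names, thresholds, weights, categories and band cut-offs are constructed assumptions.

```python
"""Characteristic-count risk scoring with overall and per-category scores.

Added example; not code from the office action or from the Gorny reference.
Characteristics, thresholds, weights and probability bands are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Characteristic:
    name: str
    category: str   # constructed categories: "complexity" or "popularity"
    threshold: int  # occurrence count at which the characteristic counts as present
    weight: float   # contribution to the category risk sum when present


CHARACTERISTICS = [
    Characteristic("third_party_scripts", "complexity", 5, 2.0),
    Characteristic("forms", "complexity", 1, 1.5),
    Characteristic("plugins", "complexity", 3, 1.0),
    Characteristic("social_followers", "popularity", 10_000, 1.5),
    Characteristic("inbound_links", "popularity", 1_000, 1.5),
]

# Predefined probability range -> degree of risk (constructed cut-offs).
BANDS = [(0.66, "HIGH"), (0.33, "MEDIUM"), (0.0, "LOW")]


def dichotomize(counts, chars=CHARACTERISTICS):
    """Occurrence count -> characteristic value 0/1 (present at or above threshold)."""
    return {c.name: int(counts.get(c.name, 0) >= c.threshold) for c in chars}


def category_sums(values, chars=CHARACTERISTICS):
    """Weight each present characteristic and sum the contributions per category."""
    sums = {}
    for c in chars:
        sums[c.category] = sums.get(c.category, 0.0) + values[c.name] * c.weight
    return sums


def category_maxima(chars=CHARACTERISTICS):
    """Largest possible risk sum per category, used to normalize to [0, 1]."""
    return category_sums({c.name: 1 for c in chars}, chars)


def degree_of_risk(probability):
    """Fit a normalized risk value to the predefined range of probabilities."""
    for floor, label in BANDS:
        if probability >= floor:
            return label
    return "LOW"


def assess(counts, chars=CHARACTERISTICS):
    """Overall and category-specific risk assessment for one web resource."""
    values = dichotomize(counts, chars)
    sums = category_sums(values, chars)
    maxima = category_maxima(chars)
    overall = sum(sums.values()) / sum(maxima.values())
    return {
        "category_sums": sums,
        "category_degrees": {cat: degree_of_risk(sums[cat] / maxima[cat]) for cat in sums},
        "probability": overall,
        "degree": degree_of_risk(overall),
    }


# Constructed occurrence counts for one web resource.
SAMPLE_COUNTS = {"third_party_scripts": 12, "forms": 2, "plugins": 1,
                 "social_followers": 25_000, "inbound_links": 300}

if __name__ == "__main__":
    print(assess(SAMPLE_COUNTS))
```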

Per claims 7 and 14, Bhalode, Haddock and Gorny disclose the features of claims 1 and 8, respectively, wherein generating the reputation score for each of the plurality of web resources based on the security risk factors comprises generating the reputation score for each of the web resources based on levels of information gain associated with each of the web resources (A second area for risk assessment has to do with website content popularity 212. Third-party provided presence popularity measures (“likes”, followers, social media hits, and the like) offer another avenue for assessing risk. A website that has a larger number of likes or followers may be more likely to experience a security breach than a less well known website. This may be true for at least two reasons: (i) higher visibility results in an increase in the possibility that a party wishing to attempt a security infiltration is aware of the website; and (ii) automated security breach engines rely on search results to target websites to attempt a breach – Gorny: par. 0074 – Note: more likes, followers, social media hits and the like indicate “content popularity”, which is equivalent to higher levels of information access by click-throughs, likes, downloads, etc.).
The same motivation to modify Bhalode in view of Gorny applied to claim 1 above applies here.

2.	Claims 3-4, 10-11 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Bhalode, WO2018/081629 in view of Haddock, WO2013/009713.

Per claims 3, 10 and 17, Bhalode and Haddock disclose the features of claims 1, 8 and 15, respectively, wherein analyzing the plurality of web resources to generate the normalized fingerprints for each of the web resources comprises analyzing syntactic structures of the plurality of web resources to generate the normalized fingerprints for each of the web resources (Using syntactical fingerprinting as a distance metric has shown the ability to group websites based on the common structural components that compose the main index page of the website. Analysis shows syntactical fingerprinting at varying thresholds may cause clustering based on phish versus nonphish, branding, or possibly the phisher…Members in the same high threshold cluster may have been created by the same phisher – Haddock: pages 17-18).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Haddock to include analyzing the plurality of web resources to generate the normalized fingerprints for each of the web resources comprises analyzing syntactic structures of the plurality of web resources to generate the normalized fingerprints for each of the web resources.
One of ordinary skill in the art would have been motivated because it would allow “to show relationships between files that could lead to file provenance and family, especially when the file format follows a particular syntax tree or protocol” – Haddock: page 4, which would allow “comparing similar phishing website file structural components, or constructs, to determine similarity” – Haddock: page 5.

Per claims 4, 11 and 18, Bhalode, Haddock and Gorny disclose the features of claims 1, 8 and 15, respectively, wherein the normalized fingerprints generated for each of the web resources describe security attributes of each of the web resources (static analysis is used to analyze scripts and their structure, and abstract syntax trees are built to break the scripts down to abstractions, and the scripts can then be mapped down to a fewer number of abstractions – Bhalode: par. 0020 – Note: instant specification par. 0023 discloses that in order to generate the normalized fingerprints, each of the web resources 110 is processed by computing system 101 to perform various techniques for extracting security attributes of the web objects, such as object fingerprinting algorithms, abstract syntax trees, hash functions, and other data categorization and parsing techniques; therefore, abstract syntax trees are used to break down a script and map it into a fewer number of abstractions, wherein the abstractions are equivalent to a description of security attributes).
In the alternative where one argues that Bhalode does not inherently disclose the limitation, Haddock explicitly discloses the normalized fingerprints generated for each of the web resources describe security attributes of each of the web resources (Utilizing a program such as Beautiful Soup, a Python package that parses broken HTML, HTML tags within the normalized website content files, such as <form>, <script>, and <table> tags, are identified, and an abstract syntax tree 17 is created for each website…Following parsing of the normalized website content files into abstract syntax trees, a hash value is calculated 18 for each of the identified HTML entities. Hash value sets are constructed from the hash values of each HTML entity of each website content file and stored in database… Once stored, a randomly selected hash value from the set of hash values of a website content file is compared 19 to the hash values of HTML entities of known phishing websites. Hash values are presented in a chronologically arranged hash value table and stored on a database 20 – Haddock: pages 6 and 7 – Note: HTML tags are equivalent to security attributes in the context of the instant disclosure).
The same motivation to modify Bhalode in view of Haddock applied to claim 3 above applies here.
Additionally, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Bhalode in view of Haddock to include analyzing the plurality of web resources to generate normalized fingerprints for each of the web resources.
One of ordinary skill in the art would have been motivated because it would allow “automatically identifying newly observed phishing websites within a toolbar, correctly branding the phishing websites for investigation, and determining the prevalence and provenance of the phishing websites” – Haddock: page 1. 
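The syntactic fingerprinting that the Haddock passage above describes (identify structural HTML tags such as form, script and table, reduce them to a syntax tree, hash each entity into a hash set, and compare hash sets against known sites at a threshold), as an added Python example that is not code from the office action or from the Haddock or Bhalode references. The standard-library html.parser stands in for Beautiful Soup, and the tag list, sample pages and similarity threshold are constructed assumptions.

```python
"""Syntactic fingerprinting of HTML resources: hash structural entities,
then compare hash sets with a Jaccard similarity threshold.

Added example; not code from the office action or the cited references.
html.parser stands in for Beautiful Soup; samples and tag list are constructed.
"""
import hashlib
from html.parser import HTMLParser

# Tags that define page structure; text, styling and attribute values are
# dropped, so re-branded copies of a page yield the same fingerprint.
STRUCTURAL_TAGS = {"form", "input", "script", "table", "tr", "td", "a"}
VOID_TAGS = {"input"}  # have no closing tag; never pushed on the stack


class StructureParser(HTMLParser):
    """Flatten a page into syntax-tree path entities such as
    'form/table/tr/td/input[name,type]' (path plus sorted attribute names)."""

    def __init__(self):
        super().__init__()
        self.stack = []      # currently open structural tags
        self.entities = []   # entity strings in document order

    def handle_starttag(self, tag, attrs):
        if tag not in STRUCTURAL_TAGS:
            return
        names = ",".join(sorted(name for name, _ in attrs))
        self.entities.append("/".join(self.stack + [tag]) + f"[{names}]")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating broken/unclosed markup.
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass


def fingerprint(html):
    """Return the set of per-entity hashes (the hash value set) for one page."""
    parser = StructureParser()
    parser.feed(html)
    parser.close()
    return {hashlib.sha256(e.encode()).hexdigest()[:16] for e in parser.entities}


def similarity(a, b):
    """Jaccard similarity of two hash sets, used as the clustering distance metric."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def best_match(sample, known, threshold):
    """Closest known fingerprint at or above threshold as (name, score), else None."""
    scored = [(name, similarity(sample, fp)) for name, fp in known.items()]
    name, score = max(scored, key=lambda item: item[1], default=(None, 0.0))
    return (name, score) if name is not None and score >= threshold else None


# Constructed samples: a known phishing-kit login page, a re-branded copy with
# different text and attribute values, and an unrelated page.
KNOWN_PHISH = """<html><body><h1>Bank A</h1>
<form action="http://example.invalid/a" method="post">
<table><tr><td>User</td><td><input name="u" type="text"></td></tr>
<tr><td>Pass</td><td><input name="p" type="password"></td></tr></table>
<input type="submit" value="Log in"></form>
<script src="a.js"></script></body></html>"""
VARIANT = """<html><body><h1>Bank B Secure Portal</h1>
<form action="http://example.invalid/b" method="post">
<table><tr><td>Email</td><td><input name="email" type="text"></td></tr>
<tr><td>Password</td><td><input name="pw" type="password"></td></tr></table>
<input type="submit" value="Sign in"></form>
<script src="b.js"></script></body></html>"""
BENIGN = """<html><body><h1>News</h1><p>Headline</p>
<a href="/story1">Story</a><a href="/story2">Another</a>
<script src="site.js"></script></body></html>"""

KNOWN_FINGERPRINTS = {"phish-kit-1": fingerprint(KNOWN_PHISH)}

if __name__ == "__main__":
    for label, page in [("variant", VARIANT), ("benign", BENIGN)]:
        print(label, best_match(fingerprint(page), KNOWN_FINGERPRINTS, 0.8))
```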

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Falkowitz (US9350757B1) discloses analyzing by a first binary analysis unit 722 a first binary that is referenced in a particular web page, and by a second binary analysis unit 722 a second binary that is referenced in the same particular web page, resulting in different reputation or threat scores for the two different binaries. A binary analysis aggregator 724 may determine an aggregated score for all binaries referenced in the particular web page. Aggregation may use 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) 

/AREZOO SHERKAT/Examiner, Art Unit 2494