Notice of Pre-AIA  or AIA  Status
Claims 1-20 are presented for examination.  The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 8/27/19 and 1/21/22 have been considered by the Examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Araujo (U.S. Patent Publication 2019/0068641) in view of Little (U.S. Patent Publication 2011/0276597).

Regarding claim 1:
Araujo discloses a method for securing an application, the method comprising: during a session with an application, recording one or more queries made to a first dataset by the application (paragraph 0047); determining that the session is a malicious 
	Araujo does not explicitly disclose wherein the determination of a malicious session occurs after recording the one or more queries, nor that the sandbox is created based on the one or more recorded queries by the application.  However, Little discloses a related invention for creating decoy sandboxes explicitly comprising these limitations (e.g. paragraphs 0011 & 0040). Given that Araujo places no limits as to the specific nature of the application(s) that can be sandboxed, it would have been obvious prior to the effective filing date of the instant application for Araujo to create sandboxed database applications as disclosed by Little, thus resulting in the claimed invention, as establishing decoy databases that can be queried was a known option within the grasp of a person of ordinary skill in the art, in order to achieve the predictable effect of protecting one’s computer network from hackers (e.g. Little, paragraphs 0001-0002).

Regarding claim 2:	The combination further discloses wherein data in the first dataset that was not queried by the application prior to the transferring to the cloned application session is not included in the alternative dataset (Araujo: paragraphs 0028-0033).

Regarding claim 3:	The combination further discloses wherein generating the alternative dataset further comprises generating new data and combining the new data with the subset of the first dataset (Little, paragraphs 0011 & 0040).

Regarding claim 4:	The combination further discloses wherein the alternative dataset is at least as large as the first dataset and is used in place of the first dataset in the cloned application session (Little, Ibid).

Regarding claim 5:	The combination further discloses wherein the subset of the first dataset included in the alternative dataset is data determined to have been returned to the application as a result of the one or more queries (Little, Ibid).

Regarding claim 6:	The combination further discloses wherein the subset of the first dataset included in the alternative dataset is data determined to have been provided to a client computing device interacting with the application prior to determining the session is a malicious session (Little, Ibid; see also paragraph 0043).



The combination further discloses prior to determining that the session is a malicious session, recording one or more data types for data sent to the client computing device by the application during the session, wherein the recorded one or more data types are used in determining the portion of data in the first dataset provided to the client computing device (Araujo, paragraph 0047).

Regarding claim 8:	The combination further discloses wherein the data in the subset of the first dataset is selected based on a refinement of the one or more recorded queries (Little, paragraph 0043).

Regarding claim 9:	The combination further discloses wherein when a new query made during the cloned application session overlaps with the one or more queries recorded prior to determining that the session is malicious, query results for the overlapping portion of the new query are provided from the alternative dataset, and query results for the non-overlapping portion of the new query are automatically generated results that are not included in the first dataset (Little, paragraphs 0046-0048).

Regarding claim 10:	The combination further discloses wherein the application is a web application (Araujo, paragraphs 0066-0068), the first dataset is stored in a database (Little, 

Regarding claim 11:
Araujo discloses a system, comprising: a processor (paragraphs 0055-0056, and element 704 of Figure 7); and one or more computer-readable storage media storing computer-readable instructions (paragraph 0057) that, when executed by the processor, perform operations comprising: during a session with an application in which a web browser interacts with the application and the application accesses a dataset, recording path data for the session, the path data representing interactions among the web browser, application, and dataset (paragraphs 0045-0049; web-based application at paragraphs 0066-0068), 
	Araujo does not explicitly disclose wherein the path data includes one or more queries made by the application.  However, Little discloses a related invention for creating decoy sandboxes wherein the system keeps track of queries issued by requesting clients, including signature data that allows the system to distinguish 

Regarding claim 12:	The combination further discloses wherein the operations further comprise: populating a first part of an alternative dataset with the data in the compromised portion of the dataset; and populating a second part of the alternative dataset with new data not associated with the dataset, wherein the alternative dataset provides results for queries in the cloned application session (Little, paragraphs 0011, 0040, 0043, & 0047-0048).

Regarding claim 13:
The combination further discloses wherein the alternative dataset is at least as large as the dataset accessed by the application, wherein the alternative dataset is first populated with new data, and wherein the data in the compromised portion of the dataset is written over some of the new data based on identifiers associated with the data in the compromised portion of the dataset (Little, Ibid).



Regarding claim 15:
The combination further discloses wherein the path data further comprises at least one of HyperText Transfer Protocol (HTTP) requests from the browser, Structured Query Language (SQL) commands generated by the API, or JavaScript Object Notation (JSON) files returned from the API to the application (SQL at Little, paragraph 0039).

Regarding claim 16:	The combination further discloses wherein the compromised portion of the dataset is determined by constructing a refined query based on the path data and executing the refined query against the dataset accessed by the application (Little, paragraph 0043).

Regarding claim 17:	The combination further discloses wherein the operations further comprise: during the cloned application session, receiving a query; and executing the query 

Regarding claim 18:	The combination further discloses wherein the operations further comprise: storing data in the compromised portion of the dataset in a second dataset accessible in the cloned application session; assigning new identifiers to the data stored in the second dataset; and mapping identifiers of the data stored in the second dataset to identifiers of the data in the compromised portion of the dataset (Little, Ibid).

Regarding claim 19:
Araujo discloses one or more computer-readable storage media storing computer-executable instructions for securing an application, the securing comprising: during a session with an application, recording path data for the session, the path data including at least two of: one or more queries made by the application, one or more commands made by an application programming interface (API) in response to the one or more queries made by the application, information representing a response sent by the API to the application, or information sent to a web browser by the application (paragraphs 0047-0048; web browser at paragraphs 0066-0068); determining that the session is a malicious session (paragraphs 0023-0024); and transferring the session to a cloned application session, wherein queries in the cloned application session are 
	Araujo is silent regarding constructing a refined query based on the path data, wherein the refined query corresponds to a compromised portion of a first dataset that was provided to the web browser prior to the determination that the session is a malicious session; executing the refined query against the first dataset; and storing the results of the refined query as part of a second dataset.  However, Little discloses a related invention for creating decoy sandboxes comprising these limitations (e.g. paragraphs 0040-0048). Given that Araujo places no limits as to the specific nature of the application(s) that can be sandboxed, it would have been obvious prior to the effective filing date of the instant application for Araujo to create sandboxed database applications as disclosed by Little, thus resulting in the claimed invention, as establishing decoy databases that can be queried was a known option within the grasp of a person of ordinary skill in the art, in order to achieve the predictable effect of protecting one’s computer network from hackers (e.g. Little, paragraphs 0001-0002).


Regarding claim 20:
The combination further discloses wherein prior to determining that the session is a malicious session, the refined query is periodically updated to reflect changes in the recorded path data (Little, paragraph 0043).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
U.S. Patents 10,521,584 (Sharifi Mehr); 10,425,437 (Bog); and 8,955,143 (Ramalingam) 
U.S. Patent Publications 2020/0344247 (Fleming) and 2020/0267173 (Ghosh).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THOMAS A GYORFI whose telephone number is (571)272-3849. The examiner can normally be reached 10:00am - 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Joseph Hirl can be reached on 571-272-3685. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 

THOMAS A. GYORFI
Examiner
Art Unit 2435



/THOMAS A GYORFI/Examiner, Art Unit 2435                                                                                                                                                                                                        3/11/2022