DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This written action is responding to the amendment dated February 14, 2022.
In the amendment dated February 14, 2022, claims 1, 19 and 20 have been amended, 5, 12-13, 15-17 have been canceled.
Claims 1-4, 6-11, 14 and 18-20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may filed as provided by 37 CFR 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mr. Richard R. Peters of registration number 61,441, on March 01, 2022.  During the telephone conference, Mr. Peters has agreed and authorized the examiner to further amend Claims 1-4, 6-11, 14 and 18-20  on the amendment dated on February 14, 2022.

Claims
Replacing Claims 1-4, 6-11, 14 and 18-20 of the amendment dated on February 14, 2022 with the following:

Claims:
1.      A computerized method of automatically detecting and blocking at least one attack on an application comprising:
wherein the at least one attack is on the application;
modifying, from within the application, instructions of the application to include at least one sensor, wherein the sensor generates a set of events related to detecting an attack on the application, when executed by one or more processors, or a computing system implementing the application, wherein the at least one sensor is configured to create an event based on a configuration information for the application, and wherein the sensor comprises a passive sensor that generates an event that is collected and analyzed whenever an instrumented method is invoked;
reviewing, from within the application, the set of events generated by the at least one sensor;
detecting, from within the application, a presence of the at least one attack on the application based on the review of the set of events; and
invoking, from within the application, an attack response action, wherein the step of invoking an attack response action further comprises:
enabling a custom set of rules and responses to be enforced as a virtual patch,
modifying a set of instructions of the application snapshot to include at least one sensor adapted to generate an action selected by testing and a runtime behavior of a run-time library or run time component, and
dynamically patchinga code segment at a run-time of the application, and
wherein the sensors and the attack response actions are controlled by a set of custom rules created by a user, and
wherein the set of custom rules are used to implement the virtual patch to the application.
2.      The computerized method of claim 1, wherein the set of events are related to detecting both the attack on the application or the computing system implementing the application and a vulnerability detection related to an attack vulnerability of the application or in the computing system implementing the application.
3.      The computerized method of claim 1, wherein the detected attack comprises a bot attack.
4.      The computerized method of claim 1, wherein the detected attack comprises an attempt to exploit a specific known vulnerability in a library the application or in the computing system implementing the application.
5.      (Cancelled).
6.      The computerized method of claim 1 further comprising:
implementing a lazy-attack evaluation.

8.      The computerized method of claim 1, wherein the attack response action comprises throwing an exception.
9.      The computerized method of claim 1, wherein the attack response action comprises redirecting the user's web browser to another web page.
10.  The computerized method of claim 1, wherein the attack response action comprises sending the user's web browser to a honeypot mechanism.
11.  The computerized method of claim 1, wherein the attack response action comprising adding or enabling a specified security feature or reconfiguring the application.
12.  (Cancelled).
13.  (Cancelled).
14.  The computerized method of claim 1, wherein the sensor is configured to create an action snapshot based on the data in HTTP requests and a response that is either received or transmitted by the application.
15.  (Previously Cancelled).
16.  (Cancelled).
17.  (Cancelled).
18.  The computerized method of claim 1, wherein [[a]] the code segment to be patched is a software component or library that is a part of the application.

a processor configured to execute instructions;
a memory containing instructions when executed on the processor, causes the processor to perform operations that:
modify, from within the application, instructions of the application to include at least one sensor, wherein the sensor generates a set of events related to detecting an attack on the application or a computing system implementing the application, wherein the at least one sensor is configured to create an event based on a configuration information for the application, and wherein the sensor comprises a passive sensor that generates an event that is collected and analyzed whenever an instrumented method is invoked;
review, from within the application, the set of events generated by the at least one sensor;
detect, from within the application, a presence of at least one attack on the application based on the review of the set of events; and
invoke, from within the application, an attack response action by:
enabling a custom set of rules and responses to be enforced as a virtual patch,
modifying a set of instructions of the application snapshot to include at least one sensor adapted to generate an action selected by testing and a runtime behavior of a run-time library or run time component, and
dynamically patchinga code segment at a run-time of the application, and
wherein the sensors and the attack response actions are controlled by a set of custom rules created by a user, and
wherein the set of custom rules are used to implement the virtual patch to the application.
20.  A computerized method of automatically detecting and blocking at least one attack on an application comprising:
modifying, from within the application, instructions of the application to include at least one sensor, wherein the sensor generates a set of events related to detecting an attack on the application, when executed by one or more processors, or a computing system implementing the application, wherein the sensor is configured to create an event based on a configuration information for the application, and wherein the sensor comprises an active sensor or a passive sensor that generates an event that is collected and analyzed whenever an instrumented method is invoked;
reviewing, from within the application, the set of events generated by the at least one sensor;
detecting, from within the application, a presence of at least one attack on the application based on the review of the set of events; and

enabling a custom set of rules and responses to be enforced as a virtual patch,
modifying a set of instructions of the application snapshot to include at least one sensor adapted to generate an action selected by testing and analyzing a runtime behavior of a run-time library or run time component, and
dynamically patching a code segment at a run-time of the application, and
wherein the sensors and the attack response actions are controlled by a set of custom rules created by a user, and
wherein the set of custom rules are used to implement the virtual patch to the application.
Allowable Subject Matter
Claims 1-4, 6-11, 14 and 18-20 are allowed.

Examiner’s Statement of Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:
Independent claim 1 is allowable based on the amendment presented in the request for continued examination dated on February 14, 2022 and the examiner’s amendment dated on March 04, 2022.
Specifically, the independent claim 1 now recites limitations as follows:

“A computerized method of automatically detecting and blocking at least one attack on an application comprising:
wherein the at least one attack is on the application;
modifying, from within the application, instructions of the application to include at least one sensor, wherein the sensor generates a set of events related to detecting an attack on the application, when executed by one or more processors, or a computing system implementing the application, wherein the at least one sensor is configured to create an event based on a configuration information for the application, and wherein the sensor comprises a passive sensor that generates an event that is collected and analyzed whenever an instrumented method is invoked;
reviewing, from within the application, the set of events generated by the at least one sensor;
detecting, from within the application, a presence of the at least one attack on the application based on the review of the set of events; and
invoking, from within the application, an attack response action, wherein the step of invoking an attack response action further comprises:
enabling a custom set of rules and responses to be enforced as a virtual patch,

dynamically patching a code segment at a run-time of the application, and
wherein the sensors and the attack response actions are controlled by a set of custom rules created by a user, and
wherein the set of custom rules are used to implement the virtual patch to the application”.

The cited reference Chess et al. (US PGPUB. # US 2005/0273861) discloses, a security development module performs a form of semantic analysis across multiple tiers and languages to find security vulnerabilities, such as stack buffers, tainted variables, SQL injection and custom-defined security flaws. The tiers range from the operating system to the database, application server to user interface, in applications that span multiple languages, including Java, C/C++, HTML, JSP and PL/SQL. The invention's analysis of diverse program instruction formats and systems that include multiple software applications is a significant advance over prior art systems. (¶33). A malicious user can exploit vulnerability in the application in order to see account balances that they are not authorized to see. The vulnerability is simple: the application never checks to see (¶40). Sensors are inserted into source or executable code 400. The sensor insertion module 136 may be used to perform this operation. As shown in FIG. 4, security development module input 402 and security test module input 404 may be used to determine sensor locations within code. Each sensor is executable code to identify and report selected performance criteria associated with the original source or executable code. (Fig. 4(402,404, 400), ¶78). The code is then executed with the sensors 406. The sensors generate a stream of security events. The performance of the code is then monitored from a security perspective 408. In particular, a stream of security events from the sensors is processed to detect fraud and misuse. The monitoring analysis module 138 and security monitoring rules 137 may be used to perform this operation. The results may then be reported using the monitoring report generator 140. Alternately or additionally, the results may be fed back to the sensor insertion module 136 to refine the sensor insertion process and to otherwise modify the behavior of the application (operation 400 of FIG. 4). (Fig. 4(406, 408), ¶79). The potential vulnerabilities identified by the (¶76-¶77). The technology provides a mechanism for responding in real time to both attacks and misuse. The approach is based on the combination of aspect-oriented programming, runtime instrumentation, real-time event correlation, and application-based intrusion detection. (¶84). 
The reference by Mualem et al. (US PGPUB. # US 2005/0018618) discloses, a threat signature detection module in step S45 provides a library of rules which evaluate every packet, looking for a variety of signatures for threats including but not limited to viruses, worms, reconnaissance activity, backdoor usage, and buffer overflows. The library of rules can be updated as new attack signatures are identified. Threat signatures that are relevant only to one specific network can be added to provide customized monitoring of that specific network. The rule set in the library can be updated at any time with zero network downtime. In one embodiment of the invention, a custom rule can be created to block access to a particular web application except from the IP addresses of a limited number of authorized users. Access to the application is based on packet content, which is specified in the custom rule. (¶34).
The reference by Dadhia (US PGPUB. # US 2005/0188419) discloses, the protection system may operate in conjunction with a security engine that checks for the exposing of a vulnerability, for example, via a message sent to the instance of the application with a certain signature or via an invocation of an application programming interface with certain actual parameters. The security engine may enforce a security policy specified (¶16-¶17).
However, each of the cited references or reference from the updated search, at least, fails to teach or suggest the limitations regarding “…………modifying a set of instructions of the application snapshot to include at least one sensor adapted to generate an action selected by testing and analyzing a runtime behavior of a run-time library or run time component, and
dynamically patching a code segment at a run-time of the application, and wherein the sensors and the attack response actions are controlled by a set of custom rules created by a user, and wherein the set of custom rules are used to implement the virtual patch to the application…”, in combination with the rest of the limitations recited in the independent claim(s).
None of the previous cited prior art references or reference(s) from the updated search yield any specific references that would reasonably, either singularly or in combination with previous cited reference, result a reasonable and proper rejection for each of the cited feature limitations of the independent claim 1 under 35 U.S.C. 102 or 35 U.S.C. 103 with proper motivation.
Claims 19 is a system claim of above method claim 1 and Claim 20 is also a method claim of above method claim 1, and therefore, they are also allowed.
Claims 2-4, 6-11, 14 and 18 depend on the allowed claim 1, and therefore, they are also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DARSHAN I DHRUV whose telephone number is (571)272-4316. The examiner can normally be reached M-F 9:00 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 





/DARSHAN I DHRUV/Primary Examiner, Art Unit 2498