DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment

2.	This communication is in response to the amendment filed on 01/07/2022. The Examiner has acknowledged the amended Claims 1, 4, 5, 8-10, 13, 14, 17 and 18. No claims have been cancelled or added. Claims 1-18 are pending and Claims 1-18 are rejected.

Response to Arguments

3.	Applicant's Arguments (Remarks) filed 01/07/2022 have been fully considered but they are not persuasive.

4.	The claim interpretation 112(f) of Claim 10 has been withdrawn in view of the amended corrections.

5.	The rejection of claims 1-18 under 35 U.S.C 112 (b) has been withdrawn in view of the amended corrections. 

6.	The rejection of claim 18 under 35 U.S.C 112 (d) has been withdrawn in view of the amended corrections.

7.	The rejection of claims 1-18 under 35 U.S.C 103 has been maintained. Applicant's Arguments (Remarks, pages 7-9) have been fully considered but they are not persuasive.
and  “the Examiner has not shown that this report includes request origination data that identifies a component of the “protected application” from which the request data is received.”
However, the examiner respectfully disagrees. It is noted that Al Hamami teaches an in-application agent in communication with the agent manager for receiving rules therefrom and passing reports thereto for protecting an application (Al Hamami: [Abstract]); that the agent hooks into various interfaces between the application and the different components in the environment…, which interfaces include…, the application runtime environment, included application libraries, as well as other services that are components of a web application (i.e. various components of the application) (Al Hamami: ¶¶ [0009-0010]); determining a malicious user or malicious session (Al Hamami: ¶ [0028]); that hooks 240 allow the rules processor 220 to inject the rules 170 that it received…, into these points in the program (web application) being protected…, and that the rules 170 allow reports 180 to be generated by the rules processor 220 and to be sent by the in-app agent 150 (i.e. the rules processor is part of the in-app agent, see Fig. 2) (Al Hamami: ¶ [0041]); that different rules 170 may be used for detecting session-tampering attacks, SQL injection attacks, HTTP parameter pollution attacks, and HTTP splitting attacks (Al Hamami: ¶ [0042]); and that the in-app agent 150 then applies the rules 170 to protect the web application at step 330 and, when it detects suspicious activity at step 340, generates a report (i.e. recording data from requests generated by various components of the application) (Al Hamami: ¶ [0044]). Therefore, a PHOSITA would have understood that Al Hamami discloses the features applicant is arguing about.
	Applicant argues [REMARKS Page: 8] that “there is no indication in Al Hamami that the "extra logging" involves recording request origination data that identifies a component of the and “the Examiner has not shown that this "extra logging" involves recording request origination data that identifies a component of the "protected application" from which the request data is received…., cited portion of Al Hamami does not mention any specifics regarding what type of information is logged by the "extra logging."”
However, the examiner respectfully disagrees. Similar to the previous argument, Al Hamami discloses that the agent hooks into various interfaces between the application and the different components in the environment…, which interfaces include…, datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application (i.e. various components of the application) (Al Hamami: ¶¶ [0009-0010]); that hooks 240 allow the rules processor 220 to inject the rules 170 that it received…, into these points in the program (web application) being protected…, and that the rules 170 allow reports 180 to be generated by the rules processor 220 and to be sent by the in-app agent 150 (i.e. the rules processor is part of the in-app agent, see Fig. 2) (Al Hamami: ¶ [0041]); that different rules 170 may be used for detecting session-tampering attacks, SQL injection attacks, HTTP parameter pollution attacks, and HTTP splitting attacks (Al Hamami: ¶ [0042]); and that the in-app agent 150 then applies the rules 170 to protect the web application at step 330 and, when it detects suspicious activity at step 340, generates a report (i.e. recording data from requests generated by various components of the application) (Al Hamami: ¶ [0044]).
In addition, Al Hamami discloses determining a malicious user or malicious session (Al Hamami: ¶ [0028]), and that if there is an attempted SQL injection string, or a session modification attack, then extra logging for that user is performed and that user session is streamed to the cloud service for further inspection (i.e. logging user data) (Al Hamami: ¶ [0014]).
not persuasive for the same reasons discussed above with respect to independent Claim 1.

Claim Rejections - 35 USC § 103
8.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

9.	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

10.	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of 

11.	Claims 1-18 are rejected under 35 U.S.C. 103 as being unpatentable over Cho et al. (US 2017/0279609 A1, hereinafter Cho) in view of AL HAMAMI (US 2015/0052607 A1, hereinafter Al Hamami). 

Regarding Claim 1,
Cho discloses a method for improving security of computer application logic that is configured to provide a network service (Cho: [Abstract] a data management method…, method is executed by a user client that is network-linked to a DB server and a security policy server, ¶¶ [0010, 0019, 0022, 0040]), the method comprising: 
receiving request data from the computer application logic at an agent (Cho: ¶ [0010] a DB control application is executed; 3) determining whether the DB control application, of which the execution is detected, is allowed to be used for the user ID, determining that the DB control application is allowed to be used, ¶ [0019] a DB control application that is allowed to be used for each user ID of the user client…, performing a user authentication in response to a request of the user client for the user authentication…, access to the DB server from the user client is managed based on at least one of the first security information and the second security information, ¶ [0040] DB access control unit 2012 performing an access control function when the user client 3000 wants access through a DB application) wherein the request data represents a request to create a network connection in a session between the computer application logic and a remotely-located resource that is authenticated by the agent (Cho: ¶ [0010] recognizing a user ID through a user authentication; 2) detecting whether a DB control application is executed; 3) determining whether the DB control application, of which the execution is detected, is allowed to be used for the user ID…, the DB server, to which access is attempted, is allowed to be accessed by the user ID when determining that the DB control application is allowed to be used, ¶ [0015] a session connection between the user client and the DB server that is allowed to be accessed by the user ID may be performed based on the second security information, ¶ [0022] a user client, in which a security program having a user right policy management function is installed and which is network-linked to both a DB server…, See Fig. 1--DB server);
determining that the requested network connection is not one of one or more predetermined authorized network connections associated with the computer application logic (Cho: ¶ [0010] allowing access to the DB server when determining that the DB server is allowed to be accessed, ¶ [0064] after the user authentication of step S1, a session connection between the user client and the DB server that is allowed to be accessed by the user ID is performed based on the second security information at step S100, ¶ [0054] second security information includes at least one of information of an IP address, a port address, a used protocol of the DB server that is allowed to be accessed by each user ID, also see ¶ [0013]).
However, it is noted that Cho does not explicitly disclose:
in response to the determining, generating and recording exception report data by the agent, wherein the exception report data includes: 
request origination data that identifies a component of the computer application logic from which the request data is received; and 
user identification data that identifies a user.
(Al Hamami: [Abstract], also see ¶¶ [0019, 0044]), agent library is able to hook into various interfaces between the application and the different components in the environment…, Such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as templating engines, and email service (Al Hamami: ¶¶ [0009-0010], also see ¶ [0041]), determining a malicious user or malicious session (Al Hamami: ¶ [0028]), a collection of detection logic (code), action logic (code) and associated data e.g., list of bad IPs, malicious users, vulnerable components, which are generated in the cloud service side of the system, and implemented by the agent library (Al Hamami: ¶ [0032]), provide information about important events such as malicious users, threat level of site, database misconfiguration (Al Hamami: ¶ [0012]), if there is an attempted SQL injection string, or a session modification attack, then extra logging for that user is performed and that user session is streamed to the cloud service for further inspection (Al Hamami: ¶ [0014]), and detecting session-tampering attacks, SQL injection attacks, HTTP parameter pollution attacks, and HTTP splitting attacks (Al Hamami: ¶ [0042]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 2,
Claim 2 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. Cho further discloses wherein the predetermined authorized network connections are specified by one or more selected from the group consisting essentially of: remote host identification data, port identification data, and network protocol identification data (Cho: ¶ [0012] the second security information may include at least one of information of an IP address, a port address, and a used protocol of the DB server that is allowed to be accessed by each user ID, ¶ [0064] a session connection between the user client and the DB server that is allowed to be accessed by the user ID is performed based on the second security information; see also ¶ [0054]).

Regarding Claim 3,
Claim 3 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. However, Cho does not explicitly disclose wherein the agent is within the application logic as a plugin capable of intercepting application telemetry and sensitive outbound data types, wherein the application telemetry and sensitive outbound data types are used in the determination.
However, Al Hamami further discloses the in-app agent 150 receives rules 170 from the cloud service 110 via the agent manager 130. The rules 170 provide the detection and protection functionality. The in-app agent 150 also sends reports 180 to the agent manager 130. The agent manager 130 is responsible for the communications between the cloud service 110 and the protected (Al Hamami: ¶ [0037]), hook into various interfaces between the application and the different components in the environment…, Such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as templating engines, and email service (Al Hamami: ¶¶ [0009-0010]), uses a middleware mechanism 230 to hook into various points of the application 160 and the web application…, hooks 240 allow the rules processor 220 to inject rules 170 that it received from the cloud service 110 via the link manager 130 into these points in the program (web application) being protected. In turn, these rules 170 allow reports 180 to be generated by the rules processor 220 and to be sent by the in-app agent (Al Hamami: ¶ [0041]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 4,
Claim 4 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. Cho does not explicitly disclose wherein the request origination data identifies the component of the computer application logic from which the request data is received by specifying one or more selected from the group consisting essentially of: a source code data file, a line number identifying a particular line of the source code data file from which the request data 
However, Al Hamami further discloses hook into various interfaces between the application and the different components in the environment…, Such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as templating engines, and email service (Al Hamami: ¶¶ [0009-0010]), uses a middleware mechanism 230 to hook into various points of the application 160 and the web application framework (Al Hamami: ¶ [0041]), and an application stack having various hooks 240 (Al Hamami: ¶ [0043], See also Fig. 2).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 5,
Claim 5 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. Cho does not explicitly disclose wherein the user identification data identifies the user by specifying one or more selected from the group consisting essentially of: a user name associated with the user within the computer application logic, a role of the user, and data identifying the session.
(Al Hamami: ¶ [0028]), a collection of detection logic (code), action logic (code) and associated data e.g., list of bad IPs, malicious users, vulnerable components, which are generated in the cloud service side of the system, and implemented by the agent library (Al Hamami: ¶ [0032]), provide information about important events such as malicious users…, generic malicious-user/session detection function can be enhanced over time by utilizing advanced algorithms using key application/user specific metrics (number of server faults generated in a time period, number of web requests in a time period, etc.) (Al Hamami: ¶ [0012], also see ¶ [0014]), and detecting session-tampering attacks, SQL injection attacks, HTTP parameter pollution attacks, and HTTP splitting attacks (Al Hamami: ¶ [0042]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 6,
Claim 6 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. Cho further discloses wherein the remotely-located resource includes any of applications, APIs, rest services, micro services, databases and data stores (Cho: ¶ [0040] DB server 2000 is a server managing data, to which the user client 3000 wants to access…, performing an access control function when the user client 3000 wants access through a DB application, ¶ [0041] Data, which the user client 3000 wants to access, may be, for example, customer personal information data, and financial transaction information data, See Fig. 1).

Regarding Claim 7,
Claim 7 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. Cho further discloses wherein the one or more network connections are predetermined to be authorized or not by customer definition or IP reputation assessment (Cho: ¶ [0038] setting a user right for file or data is different depending on a user, ¶ [0039] a user right identification process based on identification of a user ID; a process of allowing a user, of which a right is identified, to perform use actions).
Al Hamami further discloses a filter based on known-malicious-IP addresses or IP reputation, can be updated in real time as the cloud side learns about these malicious IPs (Al Hamami: ¶ [0013]), and in-app agent 150 then applies the rules to protect the web application using the rules…, an improvement in the rule set, which could be a better algorithm, data external to the application (e.g., IP reputation, vulnerable library information). In this case, the flow is straight from the cloud service to the agent (step 460). Finally, the in-app agent applies the new rules to protect the web application (Al Hamami: ¶ [0045]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 8,
Claim 8 is dependent on Claim 7, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. However, Cho does not explicitly disclose wherein the IP reputation assessment is performed by machine learning algorithms, publicly available information, specific flags, or a combination thereof.
Al Hamami further discloses a filter based on known-malicious-IP addresses or IP reputation, can be updated in real time as the cloud side learns about these malicious IPs (Al Hamami: ¶ [0013]), receives the reports 180 from the various agent managers 130 (only one shown in FIG. 1), as well as from other external sources, for example third party threat intelligence feeds and new algorithms developed by security researchers and generates new rules to be deployed to the in-app agents 150 (Al Hamami: ¶ [0039]), and in-app agent 150 then applies the rules to protect the web application using the rules…, an improvement in the rule set, which could be a better algorithm, data external to the application (e.g., IP reputation, vulnerable library information) (Al Hamami: ¶ [0045]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).

Regarding Claim 9,
Claim 9 is dependent on Claim 1, and the combination of Cho and Al Hamami discloses all the limitations of Claim 1. However, it is noted that Cho does not explicitly disclose in response to the determining: denying the request by declining to create the network connection; and 
sending exception data to the computer application logic to report the denial of the request.
However, Al Hamami further discloses determining a malicious user or malicious session (Al Hamami: ¶ [0028]), provide information about important events such as malicious users, threat level of site, database misconfiguration. This information can then be used for alerting the developer, or as factors into generating the detection or action functions dynamically (Al Hamami: ¶ [0012]), a filter based on known-malicious-IP addresses or IP reputation, can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013], also see ¶ [0014]), and e.g., list of bad IPs, malicious users, vulnerable components, which are generated in the cloud service side of the system, and implemented by the agent library (Al Hamami: ¶ [0032], also see ¶¶ [0044, 0049]).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Al Hamami in the teachings of Cho. A person having ordinary skill in the art would have been motivated to do so because a filter based on known-malicious-IP addresses or IP reputation can be updated in real time as the cloud side learns about these malicious IPs and blocks application access to these IP addresses (Al Hamami: ¶ [0013]), and the rules can be dynamically updated based on the reports (see Al Hamami: ¶ [0039]).
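As an added illustration of the method recited in Claims 1, 4, 5, 7 and 9 (example code written for this record; it is not code from the application under examination, from Cho, or from Al Hamami): an agent that checks a requested outbound connection against the predetermined authorized connections (host, port, protocol) and an IP-reputation veto, records an exception report carrying the calling source file, line number and function together with the user name, role and session id, and returns the denial to the calling application logic as an exception. The hosts, the user and the reputation list are constructed sample values.

```python
import inspect
import os
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class AuthorizedConnection:
    """One predetermined authorized connection: remote host, port, protocol."""
    host: str
    port: int
    protocol: str


@dataclass(frozen=True)
class SessionUser:
    """User identification data carried with the application session."""
    user_name: str
    role: str
    session_id: str


@dataclass
class ExceptionReport:
    reason: str
    requested: dict            # host/port/protocol the application asked for
    request_origination: dict  # source file, line number, function of the caller
    user_identification: dict  # user name, role, session id


class ConnectionDenied(Exception):
    """Exception data sent back to the application logic on a denied request."""
    def __init__(self, report: ExceptionReport):
        super().__init__(f"connection denied: {report.reason}")
        self.report = report


class OutboundConnectionAgent:
    """Hypothetical in-application agent; authorized connections are set by
    customer definition, the bad-reputation set models an IP reputation feed."""
    def __init__(self, authorized, bad_reputation_hosts=frozenset()):
        self._authorized = frozenset(authorized)
        self._bad_hosts = frozenset(bad_reputation_hosts)
        self.reports = []  # recorded ExceptionReport objects

    def _deny_reason(self, requested: AuthorizedConnection):
        if requested not in self._authorized:
            return "not a predetermined authorized connection"
        if requested.host in self._bad_hosts:
            return "remote host has known-malicious IP reputation"
        return None

    def request_connection(self, host, port, protocol, user: SessionUser) -> bool:
        requested = AuthorizedConnection(host, int(port), protocol.lower())
        reason = self._deny_reason(requested)
        if reason is None:
            return True
        # Request origination data: the component (source file, line number,
        # function) that issued the request, read from the calling frame.
        caller = inspect.stack()[1]
        report = ExceptionReport(
            reason=reason,
            requested=asdict(requested),
            request_origination={
                "source_file": os.path.basename(caller.filename),
                "line_number": caller.lineno,
                "function": caller.function,
            },
            user_identification=asdict(user),
        )
        self.reports.append(report)   # recorded by the agent
        raise ConnectionDenied(report)  # reported to the application logic


def demo():
    """One allowed and two denied requests from a known call site.
    Returns (allowed_result, recorded_reports)."""
    agent = OutboundConnectionAgent(
        authorized=[
            AuthorizedConnection("db.internal.example", 5432, "tcp"),
            AuthorizedConnection("203.0.113.7", 5432, "tcp"),  # customer-defined...
        ],
        bad_reputation_hosts={"203.0.113.7"},  # ...but vetoed by IP reputation
    )
    user = SessionUser("alice", "analyst", "sess-42")
    allowed = agent.request_connection("db.internal.example", 5432, "tcp", user)
    for host, port in (("exfil.example", 443), ("203.0.113.7", 5432)):
        try:
            agent.request_connection(host, port, "TCP", user)
        except ConnectionDenied as exc:
            assert exc.report.requested["host"] == host
    return allowed, agent.reports
```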

Regarding Claim 10,
Cho discloses a system for improving security of computer application logic that is configured to provide a network service, the system comprising (Cho: [Abstract] a user client that is network-linked to a DB server and a security policy server, ¶ [0027] a systemic configuration view for executing a data management method, See Fig. 1, ¶ [0037]), a network monitor of a server computer (Cho: ¶ [0070] embodiments of the present invention may be implemented in a form of program instructions, which are executable by various computer means, and stored in a computer-readable storage medium, ¶ [0047]), an authorization determiner of the server computer (Cho: ¶ [0070] embodiments of the present invention may be implemented in a form of program instructions, which are executable by various computer means, and stored in a computer-readable storage medium, ¶ [0049] DB access management unit 3018 includes: a function for detecting whether the DB control application is executed; a function for determining whether the DB control application, of which the execution is detected, is allowed to be used for the user ID, ¶ [0047]). Al Hamami discloses a report generator of the server computer (Al Hamami: ¶ [0049] Any of the methods disclosed herein may be implemented in hardware, software, firmware or any combination thereof, ¶¶ [0044, 0048]), and the combination of Cho and Al Hamami discloses all the limitations of Claim 10 as discussed in Claim 1. Therefore, Claim 10 is rejected using the same rationales as discussed in Claim 1.

Regarding Claims 11-16 and 18,
Claims 11-16 and 18 are dependent on Claim 10, and the combination of Cho and Al Hamami discloses all the limitations of Claim 10. The combination of Cho and Al Hamami discloses all the limitations of Claims 11-16 and 18 as discussed in Claims 2-7 and 9. Therefore, Claims 11-16 and 18 are rejected using the same rationales as discussed in Claims 2-7 and 9.

Regarding Claim 17,
Claim 17 is dependent on Claim 16, and the combination of Cho and Al Hamami discloses all the limitations of Claim 16. The combination of Cho and Al Hamami discloses all the limitations of Claim 17 as discussed in Claim 8. Therefore, Claim 17 is rejected using the same rationales as discussed in Claim 8.

Conclusion
12.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US-20090199276-A1
US-20160164837-A1
US-20170316202-A1
US-20180107821-A1
US-20160119344-A1
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung W. Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMEERA WICKRAMASURIYA/
Examiner, Art Unit 2494

/Jeremy S Duffield/Primary Examiner, Art Unit 2498