Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
1.	Claims 1-20 are presented for the examination. 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


2.	Claims 1, 9 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes (US 20100211907 A1) in view of Sobel (US 8281410 B1).
 
As to claim 1, Hughes teaches identifying, by executing an application, an entry point corresponding to a Universal Resource Locator (URL) path (Client applications to detect a certified webform 14 and provide facts[entry point] associated with the certified webform, para[0103], ln 2-5/ the plug-in recognizes a general webform 14 that might be certified through one or more of several methods such as by asking the Certifier 90 if the Certifier 90 has a signed declaration of facts for the webform 14, para[0104]/ divides the universe of URLs 60 into two sets--those fraud-prone 74 and those not fraud-prone 72--and of those fraud-prone, three subsets--those having certified facts 78[entry point], para[0066], ln 2-7), extracting, from the application, an entry point declaration corresponding to the entry point (if the Certifier 90 has a signed declaration[entry point declaration] of the facts for the webform. At 106, the Certifier 90 returns the signed declaration including the facts given to it by the Declarant and may include an indication of the Certifier's confidence that the facts are true, para[0068], ln 6-16/ retrieve a signed declaration of facts associated with a certified webform, para[0108], ln 1-5).
Hughes does not teach determining, by performing a static analysis starting at the entry point declaration, that a first parameter is accessible by the application; and inferring, by the static analysis, a first type of the first parameter by analyzing usage of the first parameter by the application. However, Sobel teaches determining, by performing a static analysis starting at the entry point declaration, that a first parameter is accessible by the application; and inferring, by the static analysis, a first type of the first parameter by analyzing usage of the first parameter by the application (the resource-access scope[entry point declaration] may be access scope declared by a software application, col 1, ln 53-55/ an application monitor may determine a resource-access scope[entry point declaration] of a software application, determine whether a resource[first parameter] is within the resource-access scope, and retrieve resource information associated with the resource from a resource-information database. The application monitor may then provide a user with a notification that includes the resource information and indicates whether the resource is within the resource-access scope. The resource information may provide information that helps a user determine whether to allow the software application to execute or access the resource, col 1, ln 36-50/ The access rule may prohibit a specific software application, such as software application 116, from accessing a specific resource, such as resource 132. The access rule may also prohibit software application 116 from accessing a type of resource[first type of the first parameter]. For example, if resource 132 is a financial document[usage of the first parameter], application monitor 112 may query the user about whether to prohibit software application 116 from accessing all financial documents, col 4, ln 45-55).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of to incorporate the feature of determining, by performing a static analysis starting at the entry point declaration, that a first parameter is accessible by the application; and inferring, by the static analysis, a first type of the first parameter by analyzing usage of the first parameter by the application because this simplifies the advertisement creation process by minimizing the amount of data that an advertiser needs to provide to generate different types of advertisements.
As to claim 9, it is rejected for the same reason as to claim 1 above. In addition, Hughes teaches a repository configured to store an application (Software on the user's computer 22 determines if a general webform's posting URL 18 appears on blacklists either in a local file resident on the user's computer 22, para[0060], ln 6-16/ webform might for example have one set of facts associated with it asserted by Declarant A, and a different set of facts associated with it asserted by Declarant B, para[0114], ln 5-10).

3.	Claims 2, 10 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes (US 20100211907 A1) in view of Sobel (US 8281410 B1) and further in view of Kim (KR 20160089995 A).

As to claim 2, Hughes and Sobel do not teach detecting a vulnerability in the application by executing the application using the first type of the first parameter. However, Kim teaches 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hughes and Sobel with Kim to incorporate the feature of detecting a vulnerability in the application by executing the application using the first type of the first parameter because this collects and analyses HTML5 documents based on a distributed parallel processing.
As to claim 10, it is rejected for the same reason as to claim 2 above.

4.	Claims 3, 4, 11, 12 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes (US 20100211907 A1) in view of Sobel (US 8281410 B1) and further in view of Yu (KR 20150106761 A).

As to claim 3, Hughes and Sobel do not teach observing, for the entry point, one or more requests processed by the application; deriving, from the one or more requests, a dynamically generated Application Programming Interface (API) specification corresponding to the entry point; and deriving, by the static analysis, a statically generated API specification corresponding to the entry point, wherein the statically generated API specification assigns the first type to the first parameter. However, Yu teaches observing, for the entry point, one or more requests processed by the application; deriving, from the one or more requests, a dynamically generated Application 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hughes and Sobel with Yu to incorporate the feature of observing, for the entry point, one or more requests processed by the application; deriving, from the one or more requests, a dynamically generated Application Programming Interface (API) specification corresponding to the entry point; and deriving, by the 
As to claim 4, Yu teaches the dynamically generated API specification further comprises a second parameter, the method further comprising: merging the dynamically generated API specification and the statically generated API specification into a merged API specification comprising, for the entry point, the first parameter and the second parameter (Editing unit 112 generates the authoring tool interface, based on the component palette list that includes an API component generated by the palette component 111, and the resulting authoring interface is displayed on the screen is provided to the user. The user combines the component corresponding to one or more API functions for a number of components of the API through the authoring interface to create a mashup service logic, Description, ln 106-120).
As to claims 11, 12, they are rejected for the same reasons as to claims 3, 4 above.
 
5.	Claims 7, 8, 15, 16, 17, 19, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hughes (US 20100211907 A1) in view of Sobel (US 8281410 B1) and further in view of Koved (US 20050039158 A1).

As to claim 7, Hughes, Sobel do not teach deriving, from the entry point declaration, a type propagation graph comprising a plurality of nodes; and injecting a test request into a node of the plurality of nodes, wherein determining that the first parameter is accessible by the application comprises determining, by traversing the type propagation graph starting with the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hughes, Sobel with Koved to incorporate the feature of software application function as a callback function to access the resource because this allows a ProtectionDomain to "adopt" a required Permission for accessing the resource.
As to claim 8, Koved teaches analyzing the usage of the first parameter by the application comprises determining that the programming element is associated with a type constraint indicating that the programming element expects an input of the first type (when the Java 2 authorization system, implemented by the AccessController.checkPermission( ) method call, is invoked to check the Permissions of methods in a thread stack, a determination is 
As to claims 15-16, they are rejected for the same reasons as to claims 7-8 above.
As to claim 17, Hughes teaches identifying, by executing an application, an entry point corresponding to a Universal Resource Locator (URL) path (Client applications to detect a certified webform 14 and provide facts[entry point] associated with the certified webform, para[0103], ln 2-5/ the plug-in recognizes a general webform 14 that might be certified through one or more of several methods such as by asking the Certifier 90 if the Certifier 90 has a signed declaration of facts for the webform 14, para[0104]/ divides the universe of URLs 60 into two sets--those fraud-prone 74 and those not fraud-prone 72--and of those fraud-prone, three subsets--those having certified facts 78[entry point], para[0066], ln 2-7), extracting, from the application, an entry point declaration corresponding to the entry point (if the Certifier 90 has a signed declaration[entry point declaration] of the facts for the webform. At 106, the Certifier 90 returns the signed declaration including the facts given to it by the Declarant and may include an indication of the Certifier's confidence that the facts are true, para[0068], ln 6-16/ retrieve a signed declaration of facts associated with a certified webform, para[0108], ln 1-5).
Hughes does not teach function processes a request, and wherein the request comprises a parameter, determining, by performing a static analysis starting at the entry point declaration, that a first parameter is accessible by the application; and inferring, by the static analysis, a first function processes a request, and wherein the request comprises a parameter, determining, by performing a static analysis starting at the entry point declaration, that a first parameter is accessible by the application; and inferring, by the static analysis, a first type of the first parameter by analyzing usage of the first parameter by the application (application monitor 112 may query the user about whether to allow software application 116 to access the resource. For example, software application 116 may request access to resource 132 of server 130, col 4, ln 32-38/ the resource-access scope[entry point declaration] may be access scope declared by a software application, col 1, ln 53-55/ an application monitor may determine a resource-access scope[entry point declaration] of a software application, determine whether a resource[first parameter] is within the resource-access scope, and retrieve resource information associated with the resource from a resource-information database. The application monitor may then provide a user with a notification that includes the resource information and indicates whether the resource is within the resource-access scope. The resource information may provide information that helps a user determine whether to allow the software application to execute or access the resource, col 1, ln 36-50/ The access rule may prohibit a specific software application, such as software application 116, from accessing a specific resource, such as resource 132. The access rule may also prohibit software application 116 from accessing a type of resource[first type of the first parameter]. For example, if resource 132 is a financial document[usage of the first parameter], application monitor 112 may query the user about whether to prohibit software application 116 from accessing all financial documents, col 4, ln 45-55).

Hughes and Sobel do not teach the software application function as a callback function to access the resource. However, Koved teaches the software application function as a callback function to access the resource (AccessControlContext must imply the Permission being checked in order for the access request to be granted, para[0060], ln 6-10/ provides a mechanism by which a new Permission is employed to allow methods in a class that perform callback operations to be authorized for accessing a privileged resource, para[0029], ln 1-5/ when the Java 2 authorization system, implemented by the AccessController.checkPermission( ) method call, is invoked to check the Permissions of methods in a thread stack, a determination is made as to whether at least one of the method calls in the thread stack has the associated ProtectionDomain that implies the required Permission for accessing the protected resource, para[0062], ln 1-15/ access a protected resource, such as the file system, network, etc. When such a call is made by the applet's thread of execution, the underlying API calls a SecurityManager.checkPermission( ) method or another "check" method (e.g., SecurityManager.checkRead( ) or SecurityManager.checkConnect( )), based on the type of resource being accessed, para[0047]/ give class "B" in the library the Java 2 AllPermission Permission, which is equivalent to the Permission to perform any Java 2 privileged operation, so 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hughes and Sobel with Koved to incorporate the feature of software application function as a callback function to access the resource because this allows for callback methods to be authorized using the Java authorization system while not over privileging other code and thereby creating security holes.
As to claim 19, Koved teaches deriving, from the entry point declaration, a type propagation graph comprising a plurality of nodes; and injecting a test request into a node of the plurality of nodes, wherein determining that the parameter is accessible by the callback function comprises determining, by traversing the type propagation graph starting with the node injected with the test request, that a programming element of the callback function accesses the parameter (AccessControlContext must imply the Permission being checked in order for the access request to be granted, para[0060], ln 6-10/ provides a mechanism by which a new Permission is employed to allow methods in a class that perform callback operations to be authorized for accessing a privileged resource, para[0029], ln 1-5/ when the Java 2 authorization system, implemented by the AccessController.checkPermission( ) method call, is invoked to check the Permissions of methods in a thread stack, a determination is made as to whether at least one of the method calls in the thread stack has the associated ProtectionDomain that implies the required Permission for accessing the protected resource, para[0062], ln 1-15/ access a protected resource, such as the file system, network, etc. When such a call is made by the applet's thread of execution, the underlying API calls a SecurityManager.checkPermission( ) method or another "check" method (e.g., SecurityManager.checkRead( ) or SecurityManager.checkConnect( 
As to claim 20, Koved teaches analyzing the usage of the parameter by the callback function comprises determining that the programming element is associated with a type constraint indicating that the programming element expects an input of the type (when the Java 2 authorization system, implemented by the AccessController.checkPermission( ) method call, is invoked to check the Permissions of methods in a thread stack, a determination is made as to whether at least one of the method calls in the thread stack has the associated ProtectionDomain that implies the required Permission for accessing the protected resource. If none of the methods in the thread stack have the associated ProtectionDomain implying the required Permission, the access attempt is denied and a SecurityException is thrown, para[0062]).

6.	Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Hughes (US 20100211907 A1) in view of Sobel (US 8281410 B1) and further in view of Kim (KR 20160089995 A).

As to claim 18, Hughes, Sobel do not teach detecting a vulnerability in the application by executing the application using the first type of the first parameter. However, Kim teaches (parsing) when the module, a filter (filter) module for receiving providing the parsing result information from the parsing module determines whether the document type of the web page is 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Hughes, Sobel with Kim to incorporate the feature of detecting a vulnerability in the application by executing the application using the first type of the first parameter because this collects and analyses HTML5 documents based on a distributed parallel processing.
Allowable Subject Matter
7.	Claims 5-6, 13-14 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LECHI TRUONG whose telephone number is (571) 272-3767. The examiner can normally be reached on 10-8PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chow, Dennis can be reached on (571) 272-7767. The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR 
/LECHI TRUONG/ Primary Examiner, Art Unit 2194