DETAILED ACTION
Applicant’s amendment filed 2/14/2022 has been fully considered. 
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
The objection to the specification is withdrawn.
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Regarding the rejection under 35 USC 112, claim 1 introduces “the parameter values”, which lacks antecedent basis. Claim 2 later introduces a new instance, “masked parameter values”, which again makes it indefinite whether these are the same as, or different from, the values previously recited.
Regarding the rejection under 35 USC 103, Kim teaches the limitation at issue, since the detection device stores information for pattern-matching parameter values against the stored permitted or proper ranges or data types for those parameters (fig. 2-3, par. 16-32). Even assuming arguendo that Kim does not expressly teach this, adding further means of checking parameter values to the “dictionary” of Kim would have been obvious to one of ordinary skill in the art. The cited portions are reproduced below for Applicant’s benefit:
[0016] First, an input value parameter is not authenticated. When a client requests a Web application, if it is not authenticated whether the request of the client is a proper value, an unauthorized resource in a backend can be accessed. Security mechanisms can be bypassed by forcibly browsing HTTP requests such as a URL, a query text, an HTTP header, a form field, a cookie, a hidden field, etc., or inserting a command language, forging/modifying cookies, etc.
[0017] Second, cross-site scripting occurs due to modifications made when the Web application permits JavaScript text or HTML tags in a user's input value.
[0018] Third, an SQL injection occurs when the Web application requests a query for a database. When special characters such as --, (space), %, etc., which are not allowed by SQL, are included in the user's input value, an error is not processed, which fails to filter offensive content of the query.
[0019] Fourth, IDS can be bypassed by using a Hexar code, a Unicode, and a Windows %u code in a URL field for an attack against the Web application.
[0020] The attack against the Web application frequently occurs when the Web application program code does not properly filter the user's input value, and can modify Web service request data in a variety of forms. However, a conventional signature-based security solution cannot effectively defend against the attack on the Web application. A firewall must allow access to TCP port 80 to properly provide a service of a Web server. An IPS can defend against an attack having a regular signature pattern, since the IPS analyzes the packet, which is the smallest communication unit.
[0021] To most effectively prevent these defects of the Web application, it is necessary to authenticate all parameters such as the header, the cookie, the query text, the form field, the hidden field, etc. under strict allowable regulations and convert them into normal equations.
[0022] FIG. 1 is a diagram for explaining an apparatus for blocking an attack against a Web application according to an embodiment of the present invention. Referring to FIG. 1, the apparatus for blocking the attack against the Web application is disposed between a Web service request client and a Web server, hijacks web service request data from the client system, authenticates an input parameter value used to perform the attack against the Web application included in the web service request data, filters the web service request data determined as the attack by removing an attack element from the web service request data, and transfers the filtered web service request data to the web server system.
[0023] FIG. 2 is a block diagram of an apparatus for blocking an attack against a Web application according to an embodiment of the present invention. Referring to FIG. 2, the apparatus for blocking the attack against the Web application comprises a client system 200, a manager input unit 210, an attack regulation database 220, a service request reception unit 230, an input value authentication unit 240, an input value filtering unit 250, a data transfer unit 260, and a Web server system 270.
[0024] The client system 200 transmits Web service request data.
[0025] The manager input unit 210 receives Web application attack pattern regulations from a manager and transfers it to the attack regulation database 220.
[0026] The attack regulation database 220 stores the received Web application attack pattern regulations such as an SQL query data format (characters, fixed numbers, real numbers, etc.), allowable character sets (special characters), minimum/maximum allowable length, whether a NULL value is allowed, whether a parameter is allowed, an allowable number range, a normal equation, etc., which are determined as the attack against the Web application.
[0027] The service request reception unit 230 receives Web service request data transmitted from the client system 200.
[0028] The input value authentication unit 240 authenticates input values included in the Web service request data received by the service request reception unit 230 and determines whether the Web service request data is the attack against the Web application. In detail, the input value authentication unit 240 authenticates user input values by checking an URL input parameter, a form/script variable value, IDS bypass encoding, SQL query, etc. with respect to the Web service request data through a URL, a query text, a HTTP header, a form/script field, a cookie and hidden field, etc. The input value authentication unit 240 determines whether the Web service request data includes an attack element based on the attack pattern regulations stored in the attack regulation database 220. However, if the input value authentication unit 240 stores the attack regulations, the attack regulation database 220 can be omitted. If the input values authenticated by the input value authentication unit 240 are identical to the Web application attack pattern regulations, the Web service request data is determined as the attack against the Web application, and is transferred to the input value filtering unit 250. If it is determined that the Web service request data is not the attack against the Web application, the Web service request data is transferred to the data transfer unit 260.
[0029] The input value authentication unit 240 can comprise a URL input parameter authentication unit 242, a form/script variable field authentication unit 244, an IDS bypass encoding authentication unit 246, and a SQL query authentication unit 248.
[0030] If the URL input parameter authentication unit 242 detects an erroneous URL input parameter value, the Web service request data is determined as the attack against the Web application. An example of the erroneous URL input parameter is a "//////////" request, which is a pattern for exploiting an Apache bug.
[0031] The form/script variable field authentication unit 244 authenticates a form/script variable value (POST, GET, <script>, $ variable). In detail, if the form/script variable field authentication unit 244 detects a form/script variable value used to attack a cross-site script, the Web service request data is determined as the attack against the Web application. An example of the form/script variable value is a "( and )" request, which is a pattern used to attack the cross-site script.
[0032] If the IDS bypass encoding authentication unit 246 detects a modified coding value for the IDS bypass, the Web service request data is determined as the attack against the Web application. An example of the modified coding value for the IDS bypass is a bypass using a Hexar code,
[0033] http://xxx/script.ext?template=%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64, which indicates http://xxx/script.ext?template=../../etc/passwd.
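The allow-list validation Kim describes in [0021], [0026], [0028] and [0032], shown as an added example in Python. This is illustration written for this page, not code from Kim's publication; the parameter names and the rule table are constructed for the example. The decoding step undoes the hex and Windows %u encodings of [0019] and [0032] (repeating so that a double-encoded value is also uncovered) before the stored regulations for data type, allowed character set, length, NULL handling and numeric range are applied, so the encoded ../../etc/passwd of [0033] is judged by its real characters:

```python
"""Added illustration of Kim-style per-parameter allow-list validation.
Not Kim's code; RULES and the parameter names are constructed for the example."""
import re
from urllib.parse import unquote

# Constructed rule table in the shape of Kim's attack regulation database [0026]:
# data type, allowed character set, min/max length, NULL allowed, numeric range.
RULES = {
    "id":       {"type": "int", "min_len": 1, "max_len": 10, "null_ok": False,
                 "range": (1, 10**9)},
    "template": {"type": "str", "charset": r"[A-Za-z0-9_.]", "min_len": 1,
                 "max_len": 32, "null_ok": False},
    "note":     {"type": "str", "charset": r"[A-Za-z0-9 ,.]", "min_len": 0,
                 "max_len": 200, "null_ok": True},
}

_U_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})")


def canonicalize(value: str, rounds: int = 3) -> str:
    """Undo the IDS-bypass encodings of [0019]/[0032]: %xx hex escapes and
    Windows %uXXXX escapes. Decoding repeats until the value stops changing,
    so a double-encoded payload (%252e -> %2e -> .) is uncovered as well."""
    for _ in range(rounds):
        decoded = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            break
        value = decoded
    return value


def validate(name: str, raw):
    """Return (ok, reason) for one parameter, checking the decoded value
    against the stored regulation for that parameter name."""
    rule = RULES.get(name)
    if rule is None:
        return False, "unknown parameter"        # "whether a parameter is allowed"
    if raw is None or raw == "":
        return (True, "null") if rule["null_ok"] else (False, "null not allowed")
    value = canonicalize(raw)
    if not rule["min_len"] <= len(value) <= rule["max_len"]:
        return False, "length"
    if rule["type"] == "int":
        if not re.fullmatch(r"-?\d+", value):
            return False, "type"                  # e.g. "1 OR 1=1" is not an integer
        lo, hi = rule["range"]
        if not lo <= int(value) <= hi:
            return False, "range"
        return True, "ok"
    if not re.fullmatch(rule["charset"] + "*", value):
        return False, "charset"                   # '/' of ../../etc/passwd is not allowed
    return True, "ok"


if __name__ == "__main__":
    # The [0033] request, a SQL-style value, and a benign value.
    for name, raw in [("template", "%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64"),
                      ("id", "1%20OR%201%3D1"), ("template", "index")]:
        print(name, repr(canonicalize(raw)), validate(name, raw))
```

Because the check runs on the decoded value, a signature written for the literal string "../" is not needed; the value simply fails the allowed character set for that parameter, which is the point of Kim's regulation-based approach over a signature-based one ([0020]).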

Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.
Applicant's arguments filed have been fully considered but they are not persuasive.
Information Disclosure Statement
No Information Disclosure Statement (IDS) has been received for this application. Applicant is reminded of the Duty to Disclose set forth in MPEP 2001, Duty of Disclosure, Candor, and Good Faith [R-08.2012], quoting 37 C.F.R. 1.56, Duty to disclose information material to patentability (emphasis added):
(a) A patent by its very nature is affected with a public interest. The public interest is best served, and the most effective patent examination occurs when, at the time an application is being examined, the Office is aware of and evaluates the teachings of all information material to patentability. Each individual associated with the filing and prosecution of a patent application has a duty of candor and good faith in dealing with the Office, which includes a duty to disclose to the Office all information known to that individual to be material to patentability as defined in this section.

Claim Rejections - 35 USC § 112
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 9, and 15 recite the limitations “the parameter values” and “the masked parameter values”. There is insufficient antecedent basis for these limitations in the claims.
The claims further recite multiple instances of “masked parameter values”, making it indefinite whether they are intended to be the same or different.
This is not intended to be a complete list of such indefinite issues.

Claim Rejections - 35 USC § 103
Claims 1, 8-9, 14-15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Kim (20070136809), and further in view of Orihara (20200012784).
Regarding claims 1, 9, and 15, Kim teaches 1. A method by one or more network devices communicatively coupled to a web application layer proxy for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy, the method comprising: / 9. A set of one or more non-transitory machine-readable storage media storing instructions which, when executed by one or more processors of one or more network devices communicatively coupled to a web application layer proxy, causes the one or more network devices to perform operations for profiling parameters of web application layer requests received by the web application layer proxy while preserving privacy, the operations comprising: / 15. A network device configured to profile parameters of web application layer requests received by a web application layer proxy while preserving privacy, the network device comprising: one or more processors; and a non-transitory machine-readable storage medium having instructions stored therein, which when executed by the one or more processors, causes the network device to (abstract, fig.2, par.25-29):
obtaining masked parameter values associated with a first parameter of the web application layer requests, wherein the masked parameter values associated with the first parameter are generated by the web application layer proxy based on masking parameter values associated with the first parameter while preserving lengths of the parameter values associated with the first parameter and character types of characters in the parameter values associated with the first parameter (par.16-21, 28-32, obtain validation information to validate parameter values in a url/request); 
providing the profile of the first parameter to the web application layer proxy, wherein the web application layer proxy uses the profile of the first parameter to detect when parameter values associated with the first parameter of future web application layer requests received by the web application layer proxy do not conform to the profile of the first parameter (par.30-36, filtering unit uses validation information to sanitize requests). 
Kim does not expressly disclose the following; however, Orihara teaches determining whether a profile of the first parameter can be generated based on analyzing the masked parameter values associated with the first parameter, and generating the profile of the first parameter in response to a determination that the profile of the first parameter can be generated based on analyzing the masked parameter values associated with the first parameter (abstract, par. 30-36, 90-95).
Therefore, one of ordinary skill in the art would have found it obvious before the effective filing date of the claimed invention to modify Kim to generate profiles for different parameters associated with requests as taught by Orihara.
One of ordinary skill in the art would have been motivated to perform such a modification to further protect access to resources (Orihara, par.1-11, 27-35).
Regarding claims 8, 14, and 20, Kim/Orihara teaches wherein the lengths of the masked parameter values associated with the first parameter and the character types of characters in the parameter values associated with the first parameter are preserved based on representing digits in the parameter values associated with the first parameter using a first designated character, representing letters in the parameter values associated with the first parameter using a second designated character, and representing special characters in the parameter values associated with the first parameter using a third designated character (Kim, par. 26-35; Orihara, par. 31-36).
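As an added illustration of the scheme recited in claims 1, 8, 9, 14, 15 and 20 (example written for this page, not Applicant's code or code from either reference): the mask keeps only each value's length and the character type at each position, the profiler decides whether a profile can be generated from the masked values it has, and the resulting profile is what a proxy would use to flag non-conforming values in later requests. The designated characters 'N', 'A' and 'S', the sample-count threshold, and the sample values are assumptions for the example:

```python
"""Added illustration of length- and character-type-preserving masking,
profile generation from masked values, and conformance checking.
Not Applicant's code; mask characters, threshold and samples are assumptions."""

# First, second and third designated characters of claims 8/14/20 (assumed).
DIGIT, LETTER, SPECIAL = "N", "A", "S"


def mask(value: str) -> str:
    """Replace every digit, letter and special character with its designated
    character. Length and per-position character type survive; the raw value
    does not, which is what lets the proxy hand the result to the profiler."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(DIGIT)
        elif ch.isalpha():
            out.append(LETTER)
        else:
            out.append(SPECIAL)
    return "".join(out)


MIN_SAMPLES = 5  # assumed threshold below which no profile is generated


def build_profile(masked_values, min_samples: int = MIN_SAMPLES):
    """Return a profile of the parameter, or None when one cannot yet be
    generated (too few masked samples). The profile records the length
    range, the character types seen, and, when all samples have the same
    length, the character types seen at each position."""
    masked_values = list(masked_values)
    if len(masked_values) < min_samples:
        return None
    lengths = [len(m) for m in masked_values]
    positional = None
    if min(lengths) == max(lengths):
        positional = [set(m[i] for m in masked_values) for i in range(lengths[0])]
    return {
        "min_len": min(lengths),
        "max_len": max(lengths),
        "classes": set("".join(masked_values)),
        "positional": positional,
    }


def conforms(profile, value: str) -> bool:
    """What the proxy does with the profile on a future request: mask the new
    value the same way and compare it with the profile."""
    m = mask(value)
    if not profile["min_len"] <= len(m) <= profile["max_len"]:
        return False
    if set(m) - profile["classes"]:
        return False
    if profile["positional"] is not None:
        return all(c in allowed for c, allowed in zip(m, profile["positional"]))
    return True


if __name__ == "__main__":
    # Constructed sample values for a date-like parameter.
    samples = ["20210101", "20211231", "20220214", "20220501", "20221130"]
    profile = build_profile(mask(s) for s in samples)
    for candidate in ["20230101", "2023010'", "1 OR 1=1"]:
        print(repr(candidate), mask(candidate), conforms(profile, candidate))
```

The profiler never sees the five dates themselves, only "NNNNNNNN" five times, yet the profile it derives still rejects a value with a trailing quote or a space-separated SQL fragment, because those change the character type at some position. With fewer than the threshold number of samples build_profile returns None, which is the "cannot be generated" branch of the claim.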
Allowable Subject Matter
Claims 2-7, 10-13, and 16-19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Pivovarov (20180316491) teaches that format-preserving encryption (FPE) can satisfy additional criteria including prefix preservation, consistency, irreversibility, one-to-one correspondence between plaintext and ciphertext, pseudo-randomness and checksum, and provides fast and secure FPE for plaintext of arbitrary length by using a polygraphic substitution cipher to map a plaintext block of digits to a ciphertext block of digits.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/David Garcia Cervetti/Primary Examiner, Art Unit 2419