DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to Application No. 16/914,183 filed on 06/26/2020.
Claims 1-20 have been examined and are pending in this application.
Information Disclosure Statement
The information disclosure statement  (IDS), submitted on 05/03/2022, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.
	
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim(s) 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Pickett et al. (US 2015/0082440; Hereinafter “Pickett”).
Regarding claim 1, Pickett teaches a computer system comprising: one or more hardware processors; a memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to (Pickett: Fig. 1, Para. [0046]-[0048]): 
provide instrumentation code for serving to a client computing device with a web page requested by the client computing device, the instrumentation code configured to monitor web code execution at the client computing device when a script referenced by the web page is processed (Pickett: Fig. 1, Para. [0046]-[0048], claim 1, a system, comprising: a memory device storing user account information; and one or more processors in communication with the memory device and operable to: receive a request for a webpage from a user device; generate or retrieve the webpage including a document object model (DOM) inspector and/or a JavaScript (JS) namespace inspector; communicate the webpage with the DOM inspector and/or the JS namespace inspector to the user device; and detect an anomalous DOM element and/or anomalous JS namespace element in a webpage rendered);
receiving script activity data generated by the instrumentation code at the client computing device, the script activity data describing one or more script actions detected by the instrumentation code; obtain prior script activity data generated by a prior instance of the instrumentation code served with the web page to one or more other client computing devices; detect a malicious change in the script based on comparing the script activity data and the prior script activity data (Pickett: Claim 5, The system of claim 1, wherein the one or more processors detects an anomalous DOM element and/or an anomalous JS namespace element by enumerating DOM elements and/or JS namespace elements in the webpage rendered. Para. [0035], The DOM inspector checks the DOM of the webpage rendered on the user device 120 for anomalous DOM elements. For example, the DOM inspector can search for specific, known malicious DOM elements, or can compare the normal DOM elements (i.e., the DOM elements that should be on the webpage) to the DOM elements on the webpage rendered. In one embodiment, the DOM inspector enumerates all the DOM elements on the webpage rendered so that a comparison can be made. DOM elements that should not be present can then be sent to the service provider server 180. The DOM inspector uses JS or any other suitable language to inspect the DOM. The JS namespace inspector checks the JS namespace elements of the webpage rendered on the user device 120 for anomalous JS namespace elements. For example, the JS namespace inspector can enumerate all the functions and variables found on the rendered webpage. If the JS namespace inspector finds functions and/or variables that are not in the normal webpage, it is likely that malicious JS has been injected into the webpage. A message can then be sent to the service provider server 180 and/or the user device 120. Para. [0044]); 
in response to detecting the malicious change in the script, perform a threat response action (Pickett: Claim 16, The non-transitory machine-readable medium of claim 15, wherein the method further comprises transmitting a message that the webpage is compromised.).
Regarding claim 2, Pickett teaches the computer system of claim 1, wherein the one or more script actions include the script using a Web API interface that accesses a form field (Pickett: Para. [0036], Turning now to FIGS. 2A-2C, illustrated are webpages that may be rendered on the user device 120. FIG. 2A shows the normal webpage 200, which includes an HTML header 202, legitimate JS 204, HTML body 206 and account login form 208. FIG. 28 shows an altered webpage 201 that includes injected malicious JS 209 and malicious DOM elements 211. The malware 128 modifies the normal webpage 200 to include the malicious components. FIG. 2C shows the webpage 220 with countermeasures according to the present disclosure to detect and report the malicious JS 209 and malicious DOM elements 211. The countermeasures include the DOM inspector 222 and the JS namespace inspector 224.).
Regarding claim 3, Pickett teaches the computer system of claim 1, wherein the one or more script actions include the script using a Web API interface that performs an outbound network request (Pickett: Para. [0030], For example, a normal log in webpage may include a box for a username, and another box for the user password. The normal log in webpage, however, may be intercepted by malware 128 to produce and display a different webpage on the user device 120 that includes a third box that requests account verification information. The user device 120 sends the username, password, and account verification information back to the service provider server 180, and also sends this information to the fraudulent server 130. The user 102 and the operator of the service provider server 180 are unaware that the fraudulent server 130 has fraudulently obtained the account verification information, username, and password.).
Regarding claim 4, Pickett teaches the computer system of claim 1, wherein the one or more script actions include the script using a Web API interface that accesses data from an event object (Pickett: claim 7, The system of claim 5, wherein the one or more processors detects an anomalous JS namespace element by comparing normal JS namespace elements to the JS namespace elements of the webpage rendered, searching for specific malicious JS namespace elements, determining whether the JS namespace elements of the webpage rendered have a correct value, or combinations thereof.).
Regarding claim 5, Pickett teaches the computer system of claim 1, wherein detecting the malicious change includes detecting that the script uses a new Web API interface in the script activity data compared to the prior script activity data (Pickett: Claim 7, wherein the one or more processors detects an anomalous JS namespace element by comparing normal JS namespace elements to the JS namespace elements of the webpage rendered, searching for specific malicious JS namespace elements, determining whether the JS namespace elements of the webpage rendered have a correct value, or combinations thereof.).
Regarding claim 6, Pickett teaches the computer system of claim 1, wherein detecting the malicious change includes detecting that the script accesses a new form field in the script activity data compared to the prior script activity data (Pickett: Para. [0035], Para. [0015], For example, in some embodiments, the DOM inspector enumerates all the DOM elements on a webpage rendered and compares those elements with the normal or expected DOM elements (i.e., the DOM elements that should be on the webpage).
Regarding claim 7, Pickett teaches the computer system of claim 1, wherein detecting the malicious change includes detecting that the script performs a new outbound network request in the script activity data compared to the prior script activity data (Pickett: Claim 7, wherein the one or more processors detects an anomalous JS namespace element by comparing normal JS namespace elements to the JS namespace elements of the webpage rendered, searching for specific malicious JS namespace elements, determining whether the JS namespace elements of the webpage rendered have a correct value, or combinations thereof.).
Regarding claim 8, Pickett teaches the computer system of claim 1, wherein detecting the malicious change includes detecting that the script accesses a new event object compared to the prior script activity data (Pickett: Claim 7, wherein the one or more processors detects an anomalous JS namespace element by comparing normal JS namespace elements to the JS namespace elements of the webpage rendered, searching for specific malicious JS namespace elements, determining whether the JS namespace elements of the webpage rendered have a correct value, or combinations thereof.).
Regarding claim 9, Pickett teaches the computer system of claim 1, wherein the threat response action includes providing threat response code for serving to a second client computing device with the web page, the threat response code configured to performing a blocking action on the script (Pickett: Para. [0045] At step 310, the DOM inspector and/or the JS namespace inspector detect an anomalous DOM element and/or anomalous JS namespace element in the webpage displayed to the user 102. At step 312, the DOM inspector and/or the JS namespace inspector transmit a message back to the service provider server 180 and/or the user device 120 that the web page is compromised. The service provider may then take such action in response as it deems appropriate or is agreed with the user 102. This may include denial of any access, limiting access, preventing certain types of transactions, or any other response suitable to the circumstances.).
Regarding claim 10, Pickett teaches the computer system of claim 9, wherein the blocking action includes at least one of: blocking the script from loading at the second client computing device; blocking the script from using one or more APls at the second client computing device; blocking the script from accessing one or more elements of the web page at the second client computing device; and blocking the script from initiating one or more outbound network requests at the second client computing device (Pickett: Para. [0045], At step 312, the DOM inspector and/or the JS namespace inspector transmit a message back to the service provider server 180 and/or the user device 120 that the webpage is compromised. The service provider may then take such action in response as it deems appropriate or is agreed with the user 102. This may include denial of any access, limiting access, preventing certain types of transactions, or any other response suitable to the circumstances.).
Regarding claims 11-20, claims 11-20 are rejected under the same rational as claims 1-10, respectively.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Nelson Giddins whose telephone number is (571)272-7993.  The examiner can normally be reached on Monday - Friday, 9:00 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached at (571) 272-4063.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/NELSON S. GIDDINS/            Primary Examiner, Art Unit 2437