DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This office action is a response to Remarks filed 03/17/2021, which is a 371 national stage entry of PCT application PCT/EP2017/055084 filed on 03/03/2017, wherein claims 1-7 are pending and ready for examination.  

Response to Arguments
Applicant's arguments filed 03/07/2022 have been fully considered but they are not persuasive. 	

Applicant Asserts: On an administrative note, the secondary reference identified on page 3 of the Office Action is U.S. Pat Pub. No. 2017/0083703 to Abbasi et al. ("Abbasi"). However, Abbasi is not cited as a reference in any of the rejections (with the exception of two occurrences on page 5, both of which appear to be typos, as the surrounding paragraphs and elements cited correspond with Suleman and not Abbasi), and the Response to Arguments on page 2 of the Office Action identifies "Suleman" as providing new grounds of rejection. Applicant has therefore identified U.S. Pat. Pub. No. 2017/0140027 to Suleman et al. as the most likely intended secondary reference and addresses the rejections accordingly herein. Applicant respectfully requests that the Examiner contact the undersigned if this is incorrect.

Examiner Response: The examiner apologizes for the obvious clerical mistake and thanks applicant for being proactive in identifying that it is the Suleman reference and not the Abbasi reference that was intended in the office action mailed 12/07/2021. The examiner has corrected the typographical errors to reflect this.  
Applicant Asserts: Claim 1 recites, inter alia, that classification of the query occurs “prior to the execution of the database query.” (Emphasis added.) Page 3 of the Office Action asserts that this is taught by Gupta at para. [0046], but the Office Action only address the classification of the query and not the timing of the classification. However, as previously noted by the Applicant, “the correlation taught by Gupta ‘400 only occurs after execution of the database query.” 
Examiner Response:  Respectfully, Gupta indeed addresses the timing of the of classification.  When the claims cite the phrase “prior to” the Examiner interprets this phrase to impose a feature whereby a condition must exist before another action is to occur.  In this case, the condition is presence of a golden table which must exist prior to the analysis and/or instrumentation engine performing their functions.  Their functions include performing database queries by “checking each web request” to determine if the captured data is present in the golden table.  One of ordinary skill in the art would understand that checking for the presence of data in a database can include a data base query.   For ease of reference Gupta 400 at the cited location [0046] is provided below:
[0046] Once a golden table is present at the analysis engine, at step 340, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure. In some embodiments, the analysis engine may capture the requests and database queries, and in other embodiments the instrumentation engine may capture the requests and database queries. The instrumentation engine or analysis engine may capture the request by instrumenting strategic code, such as the HTTP Event pipeline, to detect and intercept traffic at the web server or application server or monitoring specific APIs at the web server or application server. The instrumentation engine or analysis engine checks each captured web request at step 360 to determine if it matches a valid web request when cross correlated against the golden table. If the captured web request does not match a valid web request in the golden table, the instrumentation engine may perform validation to determine if the captured request actually represents a valid request for the web application. If the analysis engine made the determination, then it may request the instrumentation engine to perform the validation. The instrumentation engine may compare the request to the methods contained in a directory structure of the application, and if the request is determined to be a valid request, the instrumentation engine may simulate the request to capture database queries triggered in response to the request. The instrumentation engine may add the mapping of the web request to the captured database queries in the golden table in the golden table in a database on the security monitoring agent, and then copies the golden table to a database on the analysis engine. The instrumentation engine may also parse the request and database queries into regular expressions for matching against network traffic. The regular expressions may be added to the regular expression files which are stored in the golden table, or in another memory location, on the analysis engine.


The Examiner interprets Gupta 400 above disclosing the timing feature ‘prior to’ as “once” for sequence of actions whereby no decision can be made as to the maliciousness of the code unless a reference is present such as the golden table. 

Applicant Asserts:  Further, assuming (for the sake of argument and despite the lack of support) that Suleman does teach “classifying ... prior to the execution of the database query,” incorporation of such a teaching into Gupta would require a change in Gupta’s principal of operation, leading one of skill in the art away from the suggested  combination of these references. Gupta relies on both the output and a success/failure flag in characterizing database queries using its golden table. See, e.g., Gupta
at paras. [0008-09], [0041], [0047], [0058], [0061], and [0071]. This is tied to Gupta’s principle of executing the query and, only after execution, performing a correlation between the executed query and those stored in the golden table.

Examiner Response: The Examiner did not introduce Suleman to teach classifying prior to execution of the database query.  Gupta 400 teaches prior to executing a database query ensuring a reference (golden table) is present.  Applicant asserts that Gupta teaches executing the query when Gupta does not execute the query but examines/parses the database query contents.  Once parsed, the analysis and/or instrumentation engines performs some classification.  As provided, Suleman was introduced to further teach the classification feature 

Applicant Asserts:  Further, such a teaching (adjusting timing such that classification occurs before execution) would be counter to another of Gupta’s principles of operation, which looks specifically for malicious code injected during execution of a query. See, e.g., Gupta at para. [0029] (“While a few of the attack categories involve attacks resulting from negligence or misconfiguration, the largest number of attack categories involve a malicious actor purposely injecting, and later causing execution of, malicious content in an executing process.”

Examiner Response:  Respectfully, the Examiner disagrees with applicant representative interpretation of Gupta at cited location [0029].  The assertion that Gupta 400 principle of operation specifically looks for malicious code injected during execution of a query is not disclosed at the cited location.  The Examiner, interprets the cited location of Gupta 400 [002] as disclosing that a survey of past vulnerabilities identified by the  National Vulnerability Database (NVD) were content and size related validations.  Gupta does not disclose any principle of operation at this cited location by applicant.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 are rejected under 35 U.S.C. 103 as being unpatentable over Gupta; Satya Vrat, US 20160337400 A1, November 17, 2016, hereafter referred to as Gupta in view of Suleman et al., US 20170140027 A1, hereinafter referred to as Suleman.

           As to claim 1, Gupta teaches a computer implemented method to identify a malicious database request – Gupta [0043] FIG. 3A illustrates a flowchart depicting an example method of detecting (and preventing) injection attacks) with a computer  platform including computing hardware of at least one processor and memory operably coupled to the at least one processor - Gupta [0157] FIG. 9 is a diagram of an example internal structure of a computer (e.g., client processor/device 50 or server computers 60.  Here, the claimed ‘processor and memory’ is taught by Gupta as ‘internal structure’ illustrated for both client/server device), the method comprising:
           receiving, using the computing platform, a database query for retrieving data from a database – Gupta [0046] Once a golden table is present at the analysis engine…, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure.  Here, the claimed ‘database query’ is taught by Gupta as ‘database entries’ whereas the claimed ‘retrieving’ is taught by Gupta as ‘capture’);
           classifying, using the computing platform and prior to the execution of the database query, the database query based on query instructions contained in the database query to identify a class of query for the database query – Gupta [0046] Once a golden table is present at the analysis engine…, web requests, and corresponding database entries, may be captured from network traffic received in the web application infrastructure.… The instrumentation engine or analysis engine checks each captured web request …to determine if it matches a valid web request when cross correlated against the golden table.  Here, the claimed ‘prior to’ is taught by Gupta as ‘Once’ because the once indicates a condition before the instrumentation or analysis engines can perform their functions.  The claimed ‘classifying’ is suggested by Gupta as ‘cross correlated’ because the queries in the golden table are in a ‘valid’ class whereas the claimed ‘class’ is akin to Gupta’s ‘golden table’ defined by Gupta as ‘valid web requests’ containing golden references for all application requests), the class of query having associated attributes defining expected characteristics of queries of the class when executed by the database – Gupta [0041] …the information of the respective database queries (or other database activities) correlated/matched to a particular user, user data, context, URL, and session may be sent to an analysis engine (or security monitoring agent in other example embodiments) to check for a potential database injection attack (e.g., SQL injection attack.  Here, the claimed ‘expected characteristics’ is taught by Gupta as ‘user data, context, URL’ because these characteristics must match data stored in the golden table; the claimed ‘class of query’ is taught by Gupta as ‘correlated/matched’ because a criteria classifies the query);
            monitoring, using the computing platform,  characteristics of the database query execution by the database - Gupta [0043]… security monitoring agent forms the golden table to prepare for detecting and preventing injection attacks that trigger invalid database queries.  Here, the claimed ‘characteristics’ is taught by Gupta as ‘injection attacks’ whereas the claimed ‘data’ is the SQL query); and
            responsive to a determination that the monitored characteristics deviate from the
expected characteristics, identifying, using the computing platform, the database query as malicious – Gupta [0050]… If the URL match fails, at step 311, the instrumentation engine checks for code at the URL path (e.g., methods of the web application for processing the web request), and if no such code exists for the web application, the instrumentation engine may communicate with the analysis engine, at step 312, to declare an attack; and
         responsive to the database query being identified as malicious, implementing, using the computing platform, at least one protective measure. GUPTA SUGGESTS classifying, using the computing platform, the received query based on database query instructions contained in the database query to identify a class of query for the database query HOWEVER SULEMAN TEACHES 
             classifying, using the computing platform,  the received database query based on query instructions contained in the database query to identify a class of query for the database query – Suleman [0038 and 0041] since at ’38 Block 510 comprises receiving a query for classification at the server 54 from the client device 70. In the present embodiment, the query comprises a text string received from the client device 70…since at ‘41 Block 520 comprises applying a plurality of support vector machine models to the query. It is to be appreciated that each application of a support vector machine model makes a binary determination of which of two classes the query is more likely to be classified. .   Here, the claimed ‘computing platform’ is taught by Suleman as ‘server 54’ because queries are identified/associated with a known class at Block 530.   It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Gupta Golden Table construct to include Suleman class constructs.  Gupta already attempts to identify SQL injections targeted to exploit specific vulnerabilities in target applications.  Gupta with Suleman now has a classification mechanism which would allow the detection of malware in a more timely fashion as taught by Gupta at location [0002]).

             As to claim 2, the combination of Gupta and Suleman teaches the method of claim 1 wherein the class of query further comprises a class query including the query instructions of the database query – Gupta [0035] SQL injection attacks succeed because without having a deep understanding of the application, a cyber-security solution cannot determine if a malicious actor has inserted additional expressions into an SQL query.  Here, the claimed ‘query instructions’ is taught by Gupta as ‘SQL’ because in protocol provides for a ‘where clause’ which one of ordinary skill in the art would understand contains the instructions of the query) and the expected characteristics are defined based on the execution of the class query – Gupta [0035] …Cyber-security solutions, such as web application firewalls and intrusion detection/prevention engines, may only detect SQL keywords in web requests.  Here, the claimed ‘expected characteristics’ is taught by Gupta as ‘may only detect’ because the instructions are not thought to return nothing but what is expected).

           As to claim 3, the combination of Gupta and Suleman teaches the method of claim 1 wherein the database query is received from a software application – Gupta [0045] using the extracted methods and corresponding data types for the expression parameters, the instrumentation engine may form the web requests for the web application) and responsive to the determination the software application is identified as a malicious application – Gupta [0041] ….the analysis engine may use the matched information (together with a generated golden table or AppMap table) to perform deep context aware searches for detecting a database injection attack.  Here, the claimed ‘software application’ is taught by Gupta as ‘injection attack’ whereas the claimed ‘identified’ is taught by Gupta as ‘detecting’).

              As to claim 4, the combination of Gupta and Suleman teaches the method of claim 3, wherein the at least one protective measure includes rejecting subsequent queries received from the identified malicious application - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations. For this purpose, all new events and event chains are loaded into the Event Upgrade Server 735. Here, the claimed the claimed ‘protective measure’ is taught by Gupta as ‘remedial action’ whereas the claimed ‘subsequent queries’ are taught by Gupta as ‘new events’ whereby the claimed ‘rejecting’ is taught by Gupta as ‘remedial actions’).

            As to claim 5, the combination of Gupta and Suleman teaches the method of claim 1 wherein the at least one protective measure includes rejecting subsequent queries belonging to the same class as the database query - Gupta [0089] New events can also be created and linked into the Event and Event Chain database 722 with a severity and remedial action recommended to the analyst. This allows unique events and event chains for a new attack at one installation to be dispatched to other installations.  Here, the claimed the claimed ‘protective measure’ is taught by Gupta as ‘severity and remedial action’ whereas the claimed ‘same class’ are taught by Gupta as ‘event chains’) and having attributes determined to be similar to attributes of the database query – Gupta [0071] …the output of the captured database query may also be referenced against an additional file on the REGEX engine to determine whether the captured query output matches valid output (e.g., in format or content) for the query) based on predetermined threshold degree of similarity of attributes – Gupta [0073] In addition, these cyber security tools depend on security analysts to set the threshold of events that signify an attack.  Here, the claimed ‘attributes’ are taught by Gupta as ‘events’ because the forensics of the events are captured/classified as further taught by Gupta at [0074]).

           As to claim 6, claim 6 is a system that is directed to the method of claim 1.  Therefore claim 6 is rejected for the reasons as set forth in claim 1.

            As to claim 7, claim 7 is a non-transitory computer readable medium that is directed to the method of claim 1.  Therefore, claim 7 is rejected for the reasons as set forth in claim 1. 

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM B. JONES whose telephone number is (571) 272-9637.  The examiner can normally be reached on Mon - Fri., 5:30 a.m. to 2:00 p.m.  If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-272-3900.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
 /WILLIAM B JONES/Examiner, Art Unit 249105/20/2022
/ALEXANDER LAGOR/Primary Examiner, Art Unit 2491