DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

 (a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-4 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bueno (U.S Patent Application Publication No. 2020/0382311 A1), hereinafter Bueno.

Regarding claim 1, Bueno discloses An apparatus comprising: 
a processor to execute an application to access a web page on the Internet in response to user input (Par. [0030], A web browser (i.e. an application) executed by the user computer can receive a request from a user to open website code and display a website), the web page having one or more resource descriptors and/or code descriptors associated therewith (Par. [0030] –[0031], Before transmitting the website code to the user computer to be opened, the web server is caused by the request to return a hash associated with the requested website code (i.e. code descriptor) to the user computer. The hash validation module uses the hash returned by the web server to determine if the returned hash has been validated and included in an authenticating record in the Blockchain and related to the domain of the website code, as described above (i.e. a hash associated with the requested website code was returned by the webserver implies that the webpage have one or more resource descriptors and/or code descriptors ).
an authentication engine (Fig.1, Hash validation module (160), and content validation module (170)) to validate the web page based, at least in part, on the resource descriptors and/or code descriptors, by connecting to a trusted entity (Par. [0048 - 0049], user terminal 115 includes a hash validation module 160, which can form a component of a web browser application. As a result of a user inputting an instruction to open the website code into the user terminal 115, the hash validation module 160 requests a hash of the website from a web server 165 hosting the website code The web server 165 answers the request by transmitting the hash of the website back to the hash validation module 160. The returned hash of the website includes the hash of the website code (i.e. code descriptor), and the domain associated with the website. In turn, the hash validation module 160 validates authenticity of the received website hash with the Blockchain 125 (i.e. connecting to a trusted entity)); and
Bueno further disclose that the ownership and authenticity is established by the administrative terminal, and that the block chain is used to store the authenticating record 120 ( Par. [0035], Ownership and authenticity,5 once established by the administrative terminal, is documented in an authenticating record 120 included in the Blockchain 125). Therefore, the administrative terminal and the blockchain will be interpreted as the  trusted entity. 
wherein the trusted entity ( Fig.1, Administrative terminal (105) and Blockchain 125) is configured to generate a signature on a cryptographic assertion that includes one or more resource descriptor objects associated with the one or more resource descriptors and/or one or more code descriptor objects associated with the one or more code descriptors ( Par. [0021], To accomplish this, a hash module (i.e. part of the Administrative terminal (105)) of a computing device generates a hash of the authentic website code related to the website domain (i.e. Code descriptor object) where the authentic website code will be hosted. The hash for the website code is encrypted and signed by an encryption module (i.e. part of the Administrative terminal (105))  of the computing device utilizing: (i) a private key associated with the administrator, developer of the website code, or other authoritative party; and (ii) a public key associated with a registrar of the website domain.).  

Regarding claim 2, Bueno discloses the apparatus of claim 1. Bueno further discloses wherein the authentication engine (Fig.1, Hash validation module (160), and content validation module (170)) is to validate the web page using the signature on the cryptographic assertion (Par. [0050], For example, the hash validation module 160 transmits the received hash of the website to the Blockchain 125. The Blockchain 125 determines whether the authenticating record 120 includes the hash of the website. If so, the Blockchain also determines whether the domain transmitted by the hash validation module 160 is related to the domain in the authenticating record 120. If so, then the Blockchain 125 transmits, to the user terminal 115, a validation notice such as the hash of the website related to the domain to be opened from the authenticating record 120. Because the authenticity and integrity of the authenticating record 120 has already been validated, the hash transmitted by the Blockchain corresponds to the website, without malicious code.) .
Bueno further discloses that the authenticating record 120 is established using the signature on the cryptographic assertion (Par. [0025], To approve the authenticating record for inclusion in the Blockchain, the registrar is requested in the smart contract to decrypt the hash using the private key associated with the authentic website code. The registrar analyzes the decrypted hash to determine if the signature matches the actual signature known to be associated with the owner of the website domain for hosting the authentic website code. ).  

Regarding claim 3, Bueno discloses the apparatus of claim 1. Bueno further discloses wherein the signature comprises a cryptographic hash value of the one or more resource descriptors and/or code descriptors (Par. [0021], To accomplish this, a hash module of a computing device generates a hash of the authentic website code related to the website domain (i.e. the website domain identifier in the website code is the resource descriptor) where the authentic website code will be hosted. The hash for the website code is encrypted and signed by an encryption module of the computing device utilizing: (i) a private key associated with the administrator, developer of the website code, or other authoritative party; and (ii) a public key associated with a registrar of the website domain.).  

Regarding claim 4, Bueno discloses the apparatus of claim 1. Bueno further discloses wherein the trusted entity (Fig.1, Administrative terminal (105) and Blockchain 125) comprises a server ( i.e. Blockchain 125) running a server-side authentication engine (Fig.3 describes the authentication procedures done by the block chain (i.e. authentication engine)) to verify the cryptographic assertion including verification that the cryptographic assertion only includes those one or more resource descriptors and/or code descriptors specified as expected resource descriptors and/or code descriptors (Par. [0057], The encrypted and signed hash 145 is transmitted over a communication network 110 to the Blockchain at block 210. A smart contract defining rules or terms for authenticating the website code in a form free from malicious code is transmitted with the encrypted and signed hash 145. The encrypted and signed hash 145 and smart contract cause the Blockchain 125 to execute a multi-step authentication process, as described with reference to FIG. 3, to include an authenticating record 120 for the website code in the Blockchain 125.).  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 5, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Bueno in view of Li et. al. (U.S Patent Application Publication No. 2020/0104488 A1), hereinafter Li.

Regarding claim 5, Bueno teaches the apparatus of claim 4 .
Bueno discloses a server side authentication engine capable of identifying malicious resource descriptors and/or code descriptors. Bueno does not disclose generating a risk score for the identified malicious resource descriptors and/or code descriptors.
However,  Li teaches  responsively generate a risk score indicating a likelihood that malicious resource descriptors and/or code descriptors have been identified ( Par. [0077], Various factors may be used to assign priority to potentially malicious iframes that are detected by the frame classification module 116. In some embodiments, two factors are considered: the score produced by the machine learning model; and the size of the cluster (e.g., how many web pages containing the same iframe are detected). ). 
Bueno and Li are analogous references to the claimed invention since they both pertain to validating webpages using resource/code descriptors. Therefore,  it would have been obvious to one of ordinary skilled in the art before the effective filling date of the claimed invention to modify Bueno using the method of scoring taught by Li. Doing so will enable classifying and prioritizing resource/code descriptors based on the score, and to decide what further actions to take.

Apparatus claim 12 is drawn to the corresponding apparatus claimed in claim 5.  Therefore, apparatus claim 12 corresponds to apparatus claim 5 and is rejected for the same reasons of obviousness as used above.

Method claim 19 is drawn to the method of using the corresponding apparatus claimed in claim 5.  Therefore, method claim 19 corresponds to apparatus claim 5 and is rejected for the same reasons of obviousness as used above.

Claims 6, 13 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bueno in view of Li and further in view of Karin et. al. (U.S Patent Application Publication No. 2020/0014697 A1), hereinafter Karin.

Regarding claim 6, The combination of Bueno and Li teaches the apparatus of claim 5 .
Li further taches, wherein the server-side authentication engine (Par. [0038], In some embodiments, the threat detection and remediation system 110 may be part of or otherwise associated with a system other than the enterprise SOC 102, such as, for example, a critical incident response center (CIRC), a security analytics system, a security information and event management (SIEM) system, etc.) comprises a machine learning engine (Par. [0040] …the process includes steps 200 through 208. These steps are assumed to be performed by the threat detection and remediation system 110), (Par. [0045],  The model used in step 206 may comprise a machine learning model trained using a training data set comprising a plurality of benign frame tags and a plurality of malicious frame tags.) to verify that the cryptographic assertion (i.e. hashing resource and/or code descriptors is disclosed by Bueno), wherein the machine learning engine is to perform machine learning to continually update the determined number of prior times and the determined set of trusted locations (Par. [0076], The first step in building the model is to collect web pages containing iframe tags, which are divided into a malicious set known to be compromised and a benign set belonging to reputable domains. Different machine learning methods are tested and a tuning approach (i.e. continually updating), such as 10-fold cross validation, is leveraged to find an optimal setting.).  
Bueno and Li are analogous references to the claimed invention since they both pertain to validating webpages using resource/code descriptors. Therefore,  it would have been obvious to one of ordinary skilled in the art before the effective filling date of the claimed invention to modify Bueno using the machine learning engine taught by Li. Doing so will enable dealing with non-extensive changes to payload content that may be missed by conventional techniques (Li, Par. [0065]).
Li teaches a machine learning engine to detect malicious resource descriptors and/or code descriptors. Li does not explicitly teach the determination depends on observing said resource descriptors and/or code descriptors certain number of times from a determined set of trusted locations. However, Karin teaches   only Appl. No.: 16/719,5992Atty. Docket No.: 9502P038 Amdt. Dated 02/24/2022 Reply to the Office Action of 11/24/2021includes resource descriptors and/or code descriptors previously observed a determined number of prior times from a determined set of trusted locations (Par. [0019], Characteristics such as but not limited to crawling to a particular web page but not doing anything there (called fast crawling) and numerous error status codes being returned to a particular requestor can be used by a machine learning (ML) system to identify potentially malicious external computing devices and/or sensitive URIs. An alert can be raised for an application that returns a valid response to the potential attacker (e.g., when an http status code of 200 is returned to the requestor). Sensitive URIs tend to be scanned by remote entities that are performing scanning or that are making brute force attacks on the URI. Access attempts from an accessor determined to be a scanner or from an accessor that is making a brute force attack can be filtered out. URIs that are determined to have access attempts from many remote entities can be filtered out. Of the remaining accessors in the collection of potentially trusted accessors that accessed the sensitive URI for at least a configured number of days during the learning period can be tagged as trusted and can be placed in the whitelist of trusted accessors for the website. If an access attempt is made to a restricted-access URI, if the access attempt originates from an accessor in the whitelist (trusted), access can be granted.).
Therefore, it would have been obvious for one of ordinary skill in the art, before the effective filing date of the claimed invention to modify the machine learning engine taught by the combination of Bueno and Li by incorporating the teaching of Karin to train the machine learning engine to verify that the cryptographic assertions only Appl. No.: 16/719,5992Atty. Docket No.: 9502P038 Amdt. Dated 02/24/2022Reply to the Office Action of 11/24/2021includes resource descriptors and/or code descriptors previously observed a determined number of prior times from a determined set of trusted locations. This is a known technique of training machine learning engines to allow identification of trusted websites. Therefore, it would be obvious to improve Li using the technique taught by Karin.

Apparatus claim 13 is drawn to the corresponding apparatus claimed in claim 6.  Therefore, apparatus claim 13 corresponds to apparatus claim 6 and is rejected for the same reasons of obviousness as used above.

Method claim 20 is drawn to the method of using the corresponding apparatus claimed in claim 6.  Therefore, method claim 20 corresponds to apparatus claim 6 and is rejected for the same reasons of obviousness as used above.

Claims 7 , 14 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Bueno in view of Li and Karin and further in view of Paya et. al. (U.S Patent No. 8931084 B1), hereinafter Paya.

Regarding claim 7, the combination of Bueno, Li and Karin teaches the apparatus of claim 6.  Paya further teaches wherein the processor is to execute program code comprising a function included in the web page to verify that one or more security-relevant portions of a document object model (DOM) tree have not been modified  ( Col. 11, lines 56-63, In an embodiment, script verifier 312 modifies the browser 150's scripting engine 212 (which may be a JavaScript engine) so that every single time that JavaScript on a web page makes a call to one of the functions provided via the DOM, scripting engine 212 calculates the HMAC of the JavaScript or other executable content running within the context of the page, integrity checker 370 checks that it matches the expected HMAC embedded by server 110 in tagged content.), the program code to be validated using the signature ( Col. 11, lines 52 -55, …to prevent DOM-based XSS attacks,  server 110 tags the page with integrity verifying HMACs that allow script verifier 310 to identify the signature of the JavaScript expected to run on the page).
Paya further teaches what a Dom-based XSS attack is ( Col. 11, lines 25 -31,  … As an example, in DOM based XSS attacks, executable code is injected into a web page after the web page has been downloaded by a different malicious web page (or frame or iframe) in the same or a different browser window. DOM-based XSS attacks, for example, may leverage a vulnerability in JavaScript code associated with cross-site issues.).
Bueno, Li, Karin and Paya are analogous references to the claimed invention since they all pertain to validating webpages using resource/code descriptors. Therefore,  it would have been obvious to one of ordinary skilled in the art before the effective filling date of the claimed invention to modify the combined teaching of Bueno, Li and Karin in claim 6 using the method of cross-site scripting (XSS) defense  taught by Paya. DOM based XSS attacks are well known strategy used by attackers to modify the structure of webpages returned by servers, therefore this method will complement the method of teaching in claim 6 to authenticate webpages before they are opened by users.

Apparatus claim 14 is drawn to using the corresponding apparatus claimed in claim 7.  Therefore, claim 14 corresponds to apparatus claim 7 and is rejected for the same reasons of obviousness as used above.

Method claim 21 is drawn to the method of using the corresponding apparatus claimed in claim 7.  Therefore, method claim 21 corresponds to apparatus claim 7 and is rejected for the same reasons of obviousness as used above.

Claims 8 -11 and 15 -18 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Bueno in view of Smith et. al. (U.S Patent Application Publication No. 2014/0282945 A1), hereinafter Smith.

Regarding claim 8, Bueno discloses A server apparatus (Par. [0053], In one embodiment, one or more of the administrative terminal 105, user terminal 115, registrar terminal 150, DNS 155, and web server 165 (each of which generically referred to as a device) can be a computing/data processing system including an application or collection of distributed applications for enterprise organizations. The applications and device(s) may be configured to operate with or be implemented as a cloud-based networking system, a software as a service (SaaS) architecture, or other type of networked computing solution. In one embodiment the device(s) is/are a centralized server-side application that provides at least the functions disclosed herein) comprising: 
an interface (Par. [0111], An “operable connection”, or a connection by which entities are “operably connected”, is one in which signals, physical communications, and/or logical communications may be sent and/or received. An operable connection may include a physical interface, an electrical interface, and/or a data interface.);  to receive an authentication request from a client ( Par. [0042], To approve the authenticating record 120 for inclusion in the Blockchain 125, the registrar server 150 is requested in the smart contract (or by the Blockchain 125 (i.e. client) in accordance with the smart contract) to decrypt the hash using the registrar's private key.
an authenticator engine to generate a signature on a cryptographic assertion that includes one or more resource descriptor objects associated with one or more resource descriptors of a web page received by the client and/or one or more code descriptor objects associated with the one or more code descriptors of the web page (Par. [0056], The hashed code is encrypted and signed at block 205. The hashed code is encrypted and signed using: (i) a private key associated with a developer or other source of the website code, and (ii) a public key associated with a registrar of the domain. ); and 
Bueno teaches an authentication method wherein the server side authenticator engine generates a signature and authenticates the webpage using the signature by using a blockchain. Bueno does not disclose a method of sending the signature to the client for authentication. However, Smith teaches the authenticator engine to transmit the signature to the client over the interface for validation of the web page (Par. [0051-0052], The signed attestation information may then be transferred to client device 101. In response to receiving signed attestation information from authentication device 102, client device 101 may verify the authenticity of authentication device 102 using its public keys. For example, if authentication device 102 signs its attestation information with a DAA or EPID private key (e.g., stored in TEE 213 or memory enclave 214), CAM 207 when executed may cause client device 101 to verify the authenticity of the private key using a corresponding DAA or EPID public key (e.g., stored in memory 203)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Bueno using the method of authenticating the signature on the client side as taught by Smith. Doing so will give the client control over the authentication information and increases the reliability of the authentication (Smith Par. [0005]).

Regarding claim 15,  Bueno discloses A method comprising: 
receiving an authentication request from a client ( Par. [0030], The system includes an administrative terminal 105 operatively connected to a communication network 110 such as the Internet. The administrative terminal 105 is operable to control the establishment of ownership and authenticity of website code, allowing for reliable validation of the website code before the website code is permitted to be opened by a user terminal 115.); and 
identifying a cryptographic assertion including one or more resource descriptor objects associated with one or more resource descriptors of a web page received by the client and/or one or more code descriptor objects associated with the one or more code descriptors of the web page (Par. [0055], The administrative terminal 105 hashes, at block 200, website code  (i.e. code descriptor)  that is to be hosted at a network address for a domain registered to a party affiliated with the website code); and 
generating a signature over the cryptographic assertion (Par. [0056], The hashed code is encrypted and signed at block 205. The hashed code is encrypted and signed using: (i) a private key associated with a developer or other source of the website code, and (ii) a public key associated with a registrar of the domain. ), the signature usable to validate the web page (Par. [0057], A smart contract defining rules or terms for authenticating the website code in a form free from malicious code is transmitted with the encrypted and signed hash 145.); and 

Bueno teaches an authentication method wherein the authenticator engine generates a signature and authenticates the webpage using the signature by using a blockchain. Bueno does not disclose a method of sending the signature to the client for authentication. However, Smith teaches transmitting the signature to the client for validation of the web page (Par. [0051-0052], The signed attestation information may then be transferred to client device 101. In response to receiving signed attestation information from authentication device 102, client device 101 may verify the authenticity of authentication device 102 using its public keys. For example, if authentication device 102 signs its attestation information with a DAA or EPID private key (e.g., stored in TEE 213 or memory enclave 214), CAM 207 when executed may cause client device 101 to verify the authenticity of the private key using a corresponding DAA or EPID public key (e.g., stored in memory 203)).  
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Bueno using the method of authenticating the signature on the client side as taught by Smith. Doing so will give the client control over the authentication information and increases the reliability of the authentication (Smith Par. [0005]).

Server Apparatus claim 9 is drawn to the corresponding apparatus claimed in claim 2.  Therefore, server apparatus claim 9 corresponds to apparatus claim 2 and is rejected for the same reasons of obviousness as used above.

Server Apparatus claim 10 is drawn to the corresponding apparatus claimed in claim 3.  Therefore, server apparatus claim 10 corresponds to apparatus claim 3 and is rejected for the same reasons of obviousness as used above.

Server Apparatus claim 11 is drawn to using the corresponding apparatus claimed in claim 4.  Therefore, server apparatus claim 11 corresponds to apparatus claim 4 and is rejected for the same reasons of obviousness as used above.

Method claim 16 is drawn to the method using the corresponding apparatus claimed in apparatus claim 2.  Therefore, Method claim 16 corresponds to apparatus claim 2 and is rejected for the same reasons of obviousness as used above.

Method claim 17 is drawn to the method using the corresponding apparatus claimed in apparatus claim 3.  Therefore, Method claim 17 corresponds to apparatus claim 3 and is rejected for the same reasons of obviousness as used above.

Method claim 18 is drawn to the method using the corresponding apparatus claimed in apparatus claim 4.  Therefore, Method claim 18 corresponds to apparatus claim 4 and is rejected for the same reasons of obviousness as used above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Amaro (U.S Patent Application Publication No. 2014/0298443 A1) teaches a method of authenticating browsing sessions by comparing and verifying authorization tokens.
Hunt  (U.S Patent Application Publication No. 2018/0124110 A1) teaches a model based approach for authenticating webpages using attributes found in the URI.

 Any inquiry concerning this communication or earlier communications from the examiner should be directed to Dawit Woldemariam whose telephone number is (571)272-2560. The examiner can normally be reached on 7:30 AM - 5:00 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado, can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/Dawit Woldemariam/
Art Unit 2496

 /JORGE L ORTIZ CRIADO/               Supervisory Patent Examiner, Art Unit 2496